Update tests to bypass antiforgery via BypassAntiforgeryValidation environment; modify AntiforgeryMiddleware to disable check when set

tjementum · tjementum · commit 6b986deef14e · 2025-03-18T23:24:12.000+01:00
diff --git a/application/account-management/Tests/EndpointBaseTest.cs b/application/account-management/Tests/EndpointBaseTest.cs
@@ -105,6 +105,10 @@ protected EndpointBaseTest()
         var memberAccessToken = AccessTokenGenerator.Generate(DatabaseSeeder.Tenant1Member.Adapt<UserInfo>());
         AuthenticatedMemberHttpClient = _webApplicationFactory.CreateClient();
         AuthenticatedMemberHttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", memberAccessToken);
+
+        // Set the environment variable to bypass antiforgery validation on the server. ASP.NET uses a cryptographic
+        // double-submit pattern that encrypts the user's ClaimUid in the token, which is complex to replicate in tests
+        Environment.SetEnvironmentVariable("BypassAntiforgeryValidation", "true");
     }
 
     protected SqliteConnection Connection { get; }
diff --git a/application/back-office/Tests/EndpointBaseTest.cs b/application/back-office/Tests/EndpointBaseTest.cs
@@ -105,6 +105,10 @@ protected EndpointBaseTest()
         var memberAccessToken = AccessTokenGenerator.Generate(DatabaseSeeder.Tenant1Member.Adapt<UserInfo>());
         AuthenticatedMemberHttpClient = _webApplicationFactory.CreateClient();
         AuthenticatedMemberHttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", memberAccessToken);
+
+        // Set the environment variable to bypass antiforgery validation on the server. ASP.NET uses a cryptographic
+        // double-submit pattern that encrypts the user's ClaimUid in the token, which is complex to replicate in tests
+        Environment.SetEnvironmentVariable("BypassAntiforgeryValidation", "true");
     }
 
     protected SqliteConnection Connection { get; }
diff --git a/application/shared-kernel/SharedKernel/Antiforgery/AntiforgeryMiddleware.cs b/application/shared-kernel/SharedKernel/Antiforgery/AntiforgeryMiddleware.cs
@@ -14,6 +14,13 @@ public async Task InvokeAsync(HttpContext context, RequestDelegate next)
             return;
         }
 
+        if (bool.TryParse(Environment.GetEnvironmentVariable("BypassAntiforgeryValidation"), out _))
+        {
+            logger.LogDebug("Bypassing antiforgery validation due to environment variable setting");
+            await next(context);
+            return;
+        }
+
         if (!await antiforgery.IsRequestValidAsync(context))
         {
             var traceId = Activity.Current?.Id ?? context.TraceIdentifier;

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,13 @@ public async Task InvokeAsync(HttpContext context, RequestDelegate next)`
`14`	`14`	`return;`
`15`	`15`	`}`
`16`	`16`
	`17`	`+ if (bool.TryParse(Environment.GetEnvironmentVariable("BypassAntiforgeryValidation"), out _))`
	`18`	`+ {`
	`19`	`+ logger.LogDebug("Bypassing antiforgery validation due to environment variable setting");`
	`20`	`+ await next(context);`
	`21`	`+ return;`
	`22`	`+ }`
	`23`	`+`
`17`	`24`	`if (!await antiforgery.IsRequestValidAsync(context))`
`18`	`25`	`{`
`19`	`26`	`var traceId = Activity.Current?.Id ?? context.TraceIdentifier;`