Redirect to homepage if login page is requested when token auth is not enabled (#5123)

* Redirect to homepage if login page is requested when token auth is not enabled

* add ValidateTokenMiddleware tests

* fix test names

* remove nsubstitute

* remove unsecured testing changes

* Update src/Aspire.Dashboard/Model/ValidateTokenMiddleware.cs

---------

Co-authored-by: James Newton-King <[email protected]>

Author: adamint

Directory.Packages.props

@@ -57,6 +57,7 @@
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="$(MicrosoftAspNetCoreAuthenticationOpenIdConnectPackageVersion)" />
     <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="$(MicrosoftAspNetCoreOpenApiPackageVersion)" />
     <PackageVersion Include="Microsoft.AspNetCore.OutputCaching.StackExchangeRedis" Version="$(MicrosoftAspNetCoreOutputCachingStackExchangeRedisPackageVersion)" />
+    <PackageVersion Include="Microsoft.AspNetCore.TestHost" Version="$(MicrosoftAspNetCoreTestHostPackageVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="$(MicrosoftExtensionsCachingStackExchangeRedisPackageVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Diagnostics.HealthChecks.EntityFrameworkCore" Version="$(MicrosoftExtensionsDiagnosticsHealthChecksEntityFrameworkCorePackageVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Diagnostics.HealthChecks" Version="$(MicrosoftExtensionsDiagnosticsHealthChecksPackageVersion)" />

eng/Versions.props

@@ -49,6 +49,7 @@
     <MicrosoftAspNetCoreAuthenticationOpenIdConnectPackageVersion>8.0.7</MicrosoftAspNetCoreAuthenticationOpenIdConnectPackageVersion>
     <MicrosoftAspNetCoreOpenApiPackageVersion>8.0.7</MicrosoftAspNetCoreOpenApiPackageVersion>
     <MicrosoftAspNetCoreOutputCachingStackExchangeRedisPackageVersion>8.0.7</MicrosoftAspNetCoreOutputCachingStackExchangeRedisPackageVersion>
+    <MicrosoftAspNetCoreTestHostPackageVersion>8.0.7</MicrosoftAspNetCoreTestHostPackageVersion>
     <MicrosoftExtensionsCachingStackExchangeRedisPackageVersion>8.0.7</MicrosoftExtensionsCachingStackExchangeRedisPackageVersion>
     <MicrosoftExtensionsDiagnosticsHealthChecksEntityFrameworkCorePackageVersion>8.0.7</MicrosoftExtensionsDiagnosticsHealthChecksEntityFrameworkCorePackageVersion>
     <MicrosoftExtensionsDiagnosticsHealthChecksPackageVersion>8.0.7</MicrosoftExtensionsDiagnosticsHealthChecksPackageVersion>

src/Aspire.Dashboard/Model/ValidateTokenMiddleware.cs

@@ -26,22 +26,21 @@ public ValidateTokenMiddleware(RequestDelegate next, IOptionsMonitor<DashboardOp
 
     public async Task InvokeAsync(HttpContext context)
     {
-        if (context.Request.Path.Equals("/login", StringComparisons.UrlPath) && context.Request.Query.TryGetValue("t", out var value))
+        if (context.Request.Path.Equals("/login", StringComparisons.UrlPath))
         {
-            if (_options.CurrentValue.Frontend.AuthMode == FrontendAuthMode.BrowserToken)
+            if (_options.CurrentValue.Frontend.AuthMode != FrontendAuthMode.BrowserToken)
+            {
+                _logger.LogDebug($"Request to validate token URL but auth mode isn't set to {FrontendAuthMode.BrowserToken}.");
+
+                RedirectAfterValidation(context);
+            }
+            else if (context.Request.Query.TryGetValue("t", out var value) && _options.CurrentValue.Frontend.AuthMode == FrontendAuthMode.BrowserToken)
             {
                 var dashboardOptions = context.RequestServices.GetRequiredService<IOptionsMonitor<DashboardOptions>>();
                 if (await TryAuthenticateAsync(value.ToString(), context, dashboardOptions).ConfigureAwait(false))
                 {
                     // Success. Redirect to the app.
-                    if (context.Request.Query.TryGetValue("returnUrl", out var returnUrl))
-                    {
-                        context.Response.Redirect(returnUrl.ToString());
-                    }
-                    else
-                    {
-                        context.Response.Redirect(DashboardUrls.ResourcesUrl());
-                    }
+                    RedirectAfterValidation(context);
                 }
                 else
                 {
@@ -62,15 +61,23 @@ public async Task InvokeAsync(HttpContext context)
 
                 return;
             }
-            else
-            {
-                _logger.LogDebug($"Request to validate token URL but auth mode isn't set to {FrontendAuthMode.BrowserToken}.");
-            }
         }
 
         await _next(context).ConfigureAwait(false);
     }
 
+    private static void RedirectAfterValidation(HttpContext context)
+    {
+        if (context.Request.Query.TryGetValue("returnUrl", out var returnUrl))
+        {
+            context.Response.Redirect(returnUrl.ToString());
+        }
+        else
+        {
+            context.Response.Redirect(DashboardUrls.ResourcesUrl());
+        }
+    }
+
     public static async Task<bool> TryAuthenticateAsync(string incomingBrowserToken, HttpContext httpContext, IOptionsMonitor<DashboardOptions> dashboardOptions)
     {
         if (string.IsNullOrEmpty(incomingBrowserToken) || dashboardOptions.CurrentValue.Frontend.GetBrowserTokenBytes() is not { } expectedBrowserTokenBytes)

tests/Aspire.Dashboard.Tests/Aspire.Dashboard.Tests.csproj

@@ -15,6 +15,7 @@
   <ItemGroup>
     <PackageReference Include="Grpc.Tools" />
     <PackageReference Include="Microsoft.DotNet.XUnitExtensions" />
+    <PackageReference Include="Microsoft.AspNetCore.TestHost" />
 
     <ProjectReference Include="..\..\src\Aspire.Dashboard\Aspire.Dashboard.csproj" />
 

tests/Aspire.Dashboard.Tests/Middleware/ValidateTokenMiddlewareTests.cs

@@ -0,0 +1,96 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using Aspire.Dashboard.Configuration;
+using Aspire.Dashboard.Model;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.TestHost;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Xunit;
+
+namespace Aspire.Dashboard.Tests.Middleware;
+
+public class ValidateTokenMiddlewareTests
+{
+    [Fact]
+    public async Task ValidateToken_NotBrowserTokenAuth_RedirectedToHomepage()
+    {
+        using var host = await SetUpHostAsync(FrontendAuthMode.Unsecured, string.Empty);
+        var response = await host.GetTestClient().GetAsync("/login?t=test");
+        Assert.Equal("/", response.Headers.Location?.OriginalString);
+    }
+
+    [Fact]
+    public async Task ValidateToken_NotBrowserTokenAuth_RedirectedToReturnUrl()
+    {
+        using var host = await SetUpHostAsync(FrontendAuthMode.Unsecured, string.Empty);
+        var response = await host.GetTestClient().GetAsync("/login?t=test&returnUrl=/test");
+        Assert.Equal("/test", response.Headers.Location?.OriginalString);
+    }
+
+    [Fact]
+    public async Task ValidateToken_BrowserTokenAuth_WrongToken_RedirectsToLogin()
+    {
+        using var host = await SetUpHostAsync(FrontendAuthMode.BrowserToken, "token");
+        var response = await host.GetTestClient().GetAsync("/login?t=wrong");
+        Assert.Equal("/login", response.Headers.Location?.OriginalString);
+    }
+
+    [Fact]
+    public async Task ValidateToken_BrowserTokenAuth_WrongToken_RedirectsToLogin_WithReturnUrl()
+    {
+        using var host = await SetUpHostAsync(FrontendAuthMode.BrowserToken, "token");
+        var response = await host.GetTestClient().GetAsync("/login?t=wrong&returnUrl=/test");
+        Assert.Equal("/login?returnUrl=%2ftest", response.Headers.Location?.OriginalString);
+    }
+
+    [Fact]
+    public async Task ValidateToken_BrowserTokenAuth_RightToken_RedirectsToHome()
+    {
+        using var host = await SetUpHostAsync(FrontendAuthMode.BrowserToken, "token");
+        var response = await host.GetTestClient().GetAsync("/login?t=token");
+        Assert.Equal("/", response.Headers.Location?.OriginalString);
+    }
+
+    [Fact]
+    public async Task ValidateToken_BrowserTokenAuth_RightToken_RedirectsToReturnUrl()
+    {
+        using var host = await SetUpHostAsync(FrontendAuthMode.BrowserToken, "token");
+        var response = await host.GetTestClient().GetAsync("/login?t=token&returnUrl=/test");
+        Assert.Equal("/test", response.Headers.Location?.OriginalString);
+    }
+
+    private static async Task<IHost> SetUpHostAsync(FrontendAuthMode authMode, string expectedToken)
+    {
+        return await new HostBuilder()
+            .ConfigureWebHost(webBuilder =>
+            {
+                webBuilder
+                    .UseTestServer()
+                    .ConfigureServices(services =>
+                    {
+                        services.AddRouting();
+                        services.AddAuthentication().AddCookie();
+
+                        services.Configure<DashboardOptions>(o =>
+                        {
+                            o.Frontend = new FrontendOptions
+                            {
+                                AuthMode = authMode,
+                                BrowserToken = expectedToken,
+                                EndpointUrls = "http://localhost/" // required for TryParseOptions
+                            };
+
+                            Assert.True(o.Frontend.TryParseOptions(out _));
+                        });
+                    })
+                    .Configure(app =>
+                    {
+                        app.UseMiddleware<ValidateTokenMiddleware>();
+                    });
+            })
+            .StartAsync();
+    }
+}