gehnster / EVEStandard-Examples

Example projects on how to use the EVEStandard library
MIT License

ExpectedState vs ReturnedState error on login. #2

Closed ghost closed 3 years ago

ghost commented 3 years ago

This might be a newb mistake, but when I try to run the example app I run into the error listed below. Do I need to prime the ExpectedState value somehow? If I don't throw the exception and just continue on past this check, login does seem to work just fine. Thanks in advance for any guidance you can provide.

EVEStandard.EVEStandardException: model parameter expected the ExpectedState to match the ReturnedState, they are actually set as: ExpectedState:  ReturnedState: 3c860642-ca65-4d6e-a0bf-2f860bf6143f
   at EVEStandard.SSO.VerifyAuthorizationAsync(Authorization model) in /Users/rebecca/src/EVEStandard/EVEStandard/SSO.cs:line 133
   at EVEStandard.ASPNETCoreSample.Controllers.AuthController.Callback(String code, String state) in /Users/rebecca/src/EVEStandard/EVEStandard-Examples/EVEStandard.ASPNETCoreSample/Controllers/AuthController.cs:line 65
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|24_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
ghost commented 3 years ago

Appears to be related to https://docs.microsoft.com/en-us/aspnet/core/security/gdpr?view=aspnetcore-5.0 ... Will update or close the issue once I have it resolved.

ghost commented 3 years ago

All is well if I set CheckConsentNeeded to false in Startup.cs on line 29. I'm happy doing so, as auth cookies would appear to be essential. I can provide a PR to set this to false by default if you'd like, or include the _CookieConsentPartial.cshtml partial as suggested by MaddoScientisto in this related issue.

            // This lambda determines whether user consent for non-essential cookies is needed for a given request.
            options.CheckConsentNeeded = context => false;
gehnster commented 3 years ago

Sadly I didn't write up this repo, someone else did and I just published it. The expected and returned state is a security feature. For the example it can probably be ignored. If you look at the controller, the callback function is setting the expected state, and pulling it from the session, and also setting the returned state from the callback. If you just set both to an empty string it should work.

ghost commented 3 years ago

Hi gehnster. What I think is happening here is that the ExpectedState value can't be successfully stored in the session cookie when CheckConsentNeeded is set to true and the partial referenced in issue 1 isn't present to allow such consent to be given.

If CheckConsentNeeded is set to false, all is well and the security check succeeds.

What I'd propose is to default CheckConsentNeeded to false, since this cookie is essential to the functioning of the auth system generally and not used for tracking purposes.
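
The two comments above describe the mechanism (the controller stores the expected state in the session and compares it with the state echoed back on the callback) and the failure mode (the session cookie is never written while consent is outstanding, so ExpectedState comes back empty). The following is an added example, not code from the EVEStandard-Examples repo or from PR #3: a minimal ASP.NET Core Startup and AuthController that keep the consent check on but mark the session cookie as essential, generate the state from a CSPRNG, and reject a callback whose state is missing or does not match in constant time. The URLs, client ID and action names are placeholders; the EVEStandard SSO calls themselves are left out.

```csharp
// Added example (not from the EVEStandard-Examples repo): an ASP.NET Core login/callback pair
// that binds the OAuth2 `state` parameter to the user's session, plus the Startup settings that
// keep the session cookie writable without switching cookie consent off globally.
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // Consent is still required for non-essential cookies ...
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.Lax;
        });

        services.AddSession(options =>
        {
            // ... but the session cookie that carries the OAuth state is marked essential,
            // so the cookie policy writes it even before the visitor has accepted the banner.
            options.Cookie.IsEssential = true;
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.IdleTimeout = TimeSpan.FromMinutes(10);
        });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCookiePolicy();
        app.UseSession();
        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

public class AuthController : Controller
{
    private const string StateKey = "oauth_state";
    // Placeholder values (assumed for the example); real ones come from the SSO app registration.
    private const string AuthorizeUrl = "https://login.example.invalid/oauth/authorize";
    private const string ClientId = "CLIENT_ID";
    private const string RedirectUri = "https://app.example.invalid/Auth/Callback";

    [HttpGet]
    public IActionResult Login()
    {
        // 128 bits of CSPRNG output, URL-safe, fresh for every login attempt.
        var buffer = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(buffer);
        }
        var state = Base64UrlEncode(buffer);
        HttpContext.Session.SetString(StateKey, state);

        var url = $"{AuthorizeUrl}?response_type=code&client_id={ClientId}" +
                  $"&redirect_uri={Uri.EscapeDataString(RedirectUri)}&state={state}";
        return Redirect(url);
    }

    [HttpGet]
    public IActionResult Callback(string code, string state)
    {
        var expected = HttpContext.Session.GetString(StateKey);
        // Consume the value so a replayed callback cannot reuse it.
        HttpContext.Session.Remove(StateKey);

        // An empty expected value is exactly the symptom in this issue: the session cookie was
        // never written, so nothing binds this callback to a login this browser started.
        // Refuse the callback rather than skipping the check.
        if (string.IsNullOrEmpty(expected) || string.IsNullOrEmpty(state) ||
            !CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(state)))
        {
            return BadRequest("OAuth state mismatch; please restart the login.");
        }

        // Exchange `code` for tokens here; in the sample app this is where the library's
        // VerifyAuthorizationAsync would be called with the now-matching states.
        return Ok("state verified");
    }

    private static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
```

Marking only the session cookie as essential is the narrower fix: the consent banner keeps governing any analytics or tracking cookies, while the state check that protects the callback against login CSRF keeps working. Setting CheckConsentNeeded to false, as the proposal above does, also makes the check work but disables the consent gate for every cookie in the app; setting both states to an empty string, as suggested earlier in the thread, makes the check pass without actually verifying anything.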

ghost commented 3 years ago

See https://github.com/gehnster/EVEStandard-Examples/pull/3 for potential resolution to this issue.

gehnster commented 3 years ago

I'm fine doing this for the example code.