Ensure multi-cookie headers are joined with ; instead of ,

mjrousos · mjrousos · commit b2629efdc661 · 2022-10-14T11:15:13.000-04:00
Fixes #228
diff --git a/src/Microsoft.AspNetCore.SystemWebAdapters.CoreServices/Authentication/RemoteAppAuthenticationService.cs b/src/Microsoft.AspNetCore.SystemWebAdapters.CoreServices/Authentication/RemoteAppAuthenticationService.cs
@@ -13,6 +13,7 @@
 using Microsoft.AspNetCore.Http.Extensions;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using Microsoft.Net.Http.Headers;
 
 namespace Microsoft.AspNetCore.SystemWebAdapters.Authentication;
 
@@ -97,7 +98,7 @@ public async Task<RemoteAppAuthenticationResult> AuthenticateAsync(HttpRequest o
     }
 
     // Add configured headers to the request, or all headers if none in particular are specified
-    private static void AddHeaders(IEnumerable<string> headersToForward, HttpRequest originalRequest, HttpRequestMessage authRequest)
+    internal static void AddHeaders(IEnumerable<string> headersToForward, HttpRequest originalRequest, HttpRequestMessage authRequest)
     {
         // Add x-forwarded headers so that the authenticate API will know which host the HTTP request was addressed to originally.
         // These headers are also used by result processors - to fix-up redirect responses, for example, to redirect back to the
@@ -118,6 +119,14 @@ private static void AddHeaders(IEnumerable<string> headersToForward, HttpRequest
 
         foreach (var headerName in headerNames)
         {
+            // HttpClient wrongly uses comma (",") instead of semi-colon (";") as a separator for Cookie headers.
+            // To mitigate this, we concatenate them manually and put them back as a single header value.
+            if (string.Equals(headerName, HeaderNames.Cookie, StringComparison.OrdinalIgnoreCase))
+            {
+                authRequest.Headers.Add(headerName, string.Join("; ", originalRequest.Headers[headerName].ToArray()));
+                continue;
+            }
+
             authRequest.Headers.Add(headerName, originalRequest.Headers[headerName].ToArray());
         }
     }
diff --git a/test/Microsoft.AspNetCore.SystemWebAdapters.CoreServices.Tests/Authentication/RemoteAppAuthenticationServiceTests.cs b/test/Microsoft.AspNetCore.SystemWebAdapters.CoreServices.Tests/Authentication/RemoteAppAuthenticationServiceTests.cs
@@ -0,0 +1,65 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net.Http;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Primitives;
+using Moq;
+using Xunit;
+
+namespace Microsoft.AspNetCore.SystemWebAdapters.Authentication.Tests;
+
+public class RemoteAppAuthenticationServiceTests
+{
+    [Theory]
+    [MemberData(nameof(GetHeadersForConcatenation))]
+    public void AddHeadersConcatenation(Dictionary<string, StringValues> originalHeaders, Dictionary<string, StringValues> resultHeaders)
+    {
+        var originalRequest = new Mock<HttpRequestCore>();
+        originalRequest.Setup(r => r.Headers).Returns(new HeaderDictionary(originalHeaders));
+        originalRequest.Setup(r => r.Scheme).Returns("scheme");
+        originalRequest.Setup(r => r.Host).Returns(new HostString("host"));
+
+        // Add additional headers that are added to the original request's headers
+        resultHeaders.Add(AuthenticationConstants.ForwardedHostHeaderName, "host");
+        resultHeaders.Add(AuthenticationConstants.ForwardedProtoHeaderName, "scheme");
+        resultHeaders.Add(AuthenticationConstants.MigrationAuthenticateRequestHeaderName, "true");
+
+        var authRequest = new HttpRequestMessage();
+
+        RemoteAppAuthenticationService.AddHeaders(originalHeaders.Keys, originalRequest.Object, authRequest);
+
+        Assert.Collection(
+            authRequest.Headers.OrderBy(h => h.Key).Select(h => KeyValuePair.Create(h.Key, new StringValues(h.Value.ToArray()))),
+            resultHeaders.OrderBy(h => h.Key).Select<KeyValuePair<string, StringValues>, Action<KeyValuePair<string, StringValues>>>(
+                expected => (actual =>
+                {
+                    Assert.Equal(expected.Key, actual.Key);
+                    Assert.Equal(expected.Value, actual.Value);
+                })).ToArray());
+    }
+
+    public static IEnumerable<object[]> GetHeadersForConcatenation()
+    {
+        // Trivial positive case
+        yield return new object[]
+        {
+            new Dictionary<string, StringValues>(){ { "A", new StringValues("1") } },
+            new Dictionary<string, StringValues>(){ { "A", new StringValues("1") } }
+        };
+
+        // Multi-header case
+        yield return new object[]
+        {
+            new Dictionary<string, StringValues>(){ { "A", new StringValues(new[] { "1", "2" }) } },
+            new Dictionary<string, StringValues>(){ { "A", new StringValues(new[] { "1", "2" }) } }
+        };
+
+        // Multi-cookie case
+        yield return new object[]
+        {
+            new Dictionary<string, StringValues>(){ { "Cookie", new StringValues(new[] { "1", "2" }) } },
+            new Dictionary<string, StringValues>(){ { "Cookie", new StringValues(new[] { "1; 2" }) } }
+        };
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@`
`13`	`13`	`using Microsoft.AspNetCore.Http.Extensions;`
`14`	`14`	`using Microsoft.Extensions.Logging;`
`15`	`15`	`using Microsoft.Extensions.Options;`
	`16`	`+using Microsoft.Net.Http.Headers;`
`16`	`17`
`17`	`18`	`namespace Microsoft.AspNetCore.SystemWebAdapters.Authentication;`
`18`	`19`
`@@ -97,7 +98,7 @@ public async Task<RemoteAppAuthenticationResult> AuthenticateAsync(HttpRequest o`
`97`	`98`	`}`
`98`	`99`
`99`	`100`	`// Add configured headers to the request, or all headers if none in particular are specified`
`100`		`- private static void AddHeaders(IEnumerable<string> headersToForward, HttpRequest originalRequest, HttpRequestMessage authRequest)`
	`101`	`+ internal static void AddHeaders(IEnumerable<string> headersToForward, HttpRequest originalRequest, HttpRequestMessage authRequest)`
`101`	`102`	`{`
`102`	`103`	`// Add x-forwarded headers so that the authenticate API will know which host the HTTP request was addressed to originally.`
`103`	`104`	`// These headers are also used by result processors - to fix-up redirect responses, for example, to redirect back to the`
`@@ -118,6 +119,14 @@ private static void AddHeaders(IEnumerable<string> headersToForward, HttpRequest`
`118`	`119`
`119`	`120`	`foreach (var headerName in headerNames)`
`120`	`121`	`{`
	`122`	`+ // HttpClient wrongly uses comma (",") instead of semi-colon (";") as a separator for Cookie headers.`
	`123`	`+ // To mitigate this, we concatenate them manually and put them back as a single header value.`
	`124`	`+ if (string.Equals(headerName, HeaderNames.Cookie, StringComparison.OrdinalIgnoreCase))`
	`125`	`+ {`
	`126`	`+ authRequest.Headers.Add(headerName, string.Join("; ", originalRequest.Headers[headerName].ToArray()));`
	`127`	`+ continue;`
	`128`	`+ }`
	`129`	`+`
`121`	`130`	`authRequest.Headers.Add(headerName, originalRequest.Headers[headerName].ToArray());`
`122`	`131`	`}`
`123`	`132`	`}`