CODEWITHSUNDEEP
c#unit-testingforms-authenticationasp.net-mvc-4
nyxthulhu
nyxthulhu

Reputation: 9752

FormsAuthenticationTicket UserData and UnitTesting

I'm trying to do some unit testing in MVC, however some of my functions require a UserID to work (i.e. save to the database as a foreign key).

The UserID is stored in the UserData attribute of my FormsAuthenticationTicket how would I 'fake' a UserID at unit test time so that I can run unit testing with a fake user. Is this even possible?

I'm using the built in unit testing system from Microsoft.

The test code I'm planning on using is akin to 

[TestMethod]
public void EnsureAddItemAddsItems()
{
   // Arrange
   ShoppingCartController controller = new ShoppingCartController();
   // These would be populated by dummy values
   Guid itemID = Guid.Empty;
   Guid itemTypeID = Guid.Empty;

   // Act
   ViewResult result = controller.AddItem(itemTypeID, itemID);

   //Assert
   Assert.AreEqual("Your shopping cart contains 1 item(s)",result.ViewBag.Message);
}

Some sample code might look like :- 

public ActionResult AddItem(Guid itemType, Guid itemID, string returnAction)
{
    ShoppingCartViewModel oModel = new ShoppingCartViewModel();

    string szName = String.Empty;
    int price = 0;


    using (var context = new entityModel())
    {
        // This is the section I'm worries about
>>>>>>>>> Guid gUserID = this.GetCurrentUserID(); <<<<<<<<<

        var currentSession = this.CreateOrContinueCurrentCartSession(gUserID);

        var oItem = new ShoppingCartItem();
        oItem.Id = Guid.NewGuid();
        oItem.ItemId = itemID;
        oItem.ItemTypeId = itemType;
        oItem.ItemName = szName;
        oItem.ShoppingCartSessionId = currentSession.ID;
        oItem.Price = 1;
        context.ShoppingCartItems.AddObject(oItem);
        context.SaveChanges();
    }

    this.FlashInfo("Item added to shopping cart");
    ViewBag.Message(string.Format("Your shopping cart contains {0} item(s)",AnotherFunctionThatJustCountsTheValues()));
    return this.View();

}

The highlited line is where I get the userID, that function is just an extension function that does nothing complex, it just fetches the UserID which is saved as the FormsAuthenticationTicket.UserData field.

Upvotes: 0

Views: 1407

Answers (1)

Darin Dimitrov
Darin Dimitrov

Reputation: 1038770

// This is the section I'm worries about Guid gUserID = this.GetCurrentUserID();

This is because normally this section has nothing to do inside your controller action. So let's remove it, shall we? This way you will no longer have anything to worry about :-)

Let's simplify your code first because it contains too much noise. By the way you should consider putting your controller action on a diet because it's way too complicated and does too many things.

The essential part is this:

[Authorize]
public ActionResult AddItem()
{
    Guid gUserID = this.GetCurrentUserID();
    return Content(gUserID.ToString());
}

Now, that's annoying indeed because if the GetCurrentUserID method resides in your controller and attempts to read the forms authentication cookie you might suffer to unit test it in isolation.

What about if our code looked like this:

[MyAuthorize]
public ActionResult AddItem()
{
    var user = (MyUser)User;
    return Content(user.Id.ToString());
}

where MyUser is a custom principal:

public class MyUser : GenericPrincipal
{
    public MyUser(IIdentity identity, string[] roles) : base(identity, roles)
    { }

    public Guid Id { get; set; }
}

Wouldn't that be magnificent? This way the controller action has no longer to worry about cookies and tickets and stuff. That's not its responsibility.

Let's see how we can unit test it now. We pick our favorite mocking framework (Rhino Mocks in my case along with MvcContrib.TestHelper) and mock:

[TestMethod]
public void AddItem_Returns_A_Content_Result_With_The_Current_User_Id()
{
    // arrange
    var sut = new HomeController();
    var cb = new TestControllerBuilder();
    cb.InitializeController(sut);
    var user = new MyUser(new GenericIdentity("john"), null)
    {
        Id = Guid.NewGuid(),
    };
    cb.HttpContext.User = user;

    // act
    var actual = sut.AddItem();

    // assert
    actual
        .AssertResultIs<ContentResult>()
        .Content
        .Equals(user.Id.ToString());
}

So now all that's left is take a look at how the custom [MyAuthorize] attribute might look like:

public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var authorized = base.AuthorizeCore(httpContext);
        if (!authorized)
        {
            return false;
        }

        var cookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
        {
            return false;
        }

        var ticket = FormsAuthentication.Decrypt(cookie.Value);
        var id = Guid.Parse(ticket.UserData);
        var identity = new GenericIdentity(ticket.Name);
        httpContext.User = new MyUser(identity, null)
        {
            Id = id
        };
        return true;
    }
}

The custom authorize attribute is responsible for reading the UserData section of the the forms authentication cookie and setting the current principal to our custom principal.

Upvotes: 4

Related Questions