Update OpenIddictMessage.ToString() to redact custom parameters whose name ends with "_token"

1 year ago · 11666c41bd
5 changed files with 74 additions and 63 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -117,6 +117,12 @@ jobs:
    - name: Setup .NET
      uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0

+    # Note: the dotnet-validate tool requires .NET 6.0, which is no longer installed by default.
+    - name: Setup .NET
+      uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
+      with:
+        dotnet-version: '6.0.x'
+
    - name: Validate NuGet packages
      shell: pwsh
      run: |
--- a/shared/OpenIddict.Extensions/OpenIddictHelpers.cs
+++ b/shared/OpenIddict.Extensions/OpenIddictHelpers.cs
@ -434,7 +434,7 @@ internal static class OpenIddictHelpers
        }

        return query.TrimStart(Separators.QuestionMark[0])
-            .Split(new[] { Separators.Ampersand[0], Separators.Semicolon[0] }, StringSplitOptions.RemoveEmptyEntries)
+            .Split([Separators.Ampersand[0], Separators.Semicolon[0]], StringSplitOptions.RemoveEmptyEntries)
            .Select(static parameter => parameter.Split(Separators.EqualsSign, StringSplitOptions.RemoveEmptyEntries))
            .Select(static parts => (
                Key: parts[0] is string key ? Uri.UnescapeDataString(key) : null,
@ -458,7 +458,7 @@ internal static class OpenIddictHelpers
        }

        return fragment.TrimStart(Separators.Hash[0])
-            .Split(new[] { Separators.Ampersand[0], Separators.Semicolon[0] }, StringSplitOptions.RemoveEmptyEntries)
+            .Split([Separators.Ampersand[0], Separators.Semicolon[0]], StringSplitOptions.RemoveEmptyEntries)
            .Select(static parameter => parameter.Split(Separators.EqualsSign, StringSplitOptions.RemoveEmptyEntries))
            .Select(static parts => (
                Key: parts[0] is string key ? Uri.UnescapeDataString(key) : null,
--- a/src/OpenIddict.Abstractions/Primitives/OpenIddictMessage.cs
+++ b/src/OpenIddict.Abstractions/Primitives/OpenIddictMessage.cs
@ -432,6 +432,7 @@ public class OpenIddictMessage
                case OpenIddictConstants.Parameters.Password:
                case OpenIddictConstants.Parameters.RefreshToken:
                case OpenIddictConstants.Parameters.Token:
+                case { Length: > 6 } name when name.EndsWith("_token", StringComparison.OrdinalIgnoreCase):
                    writer.WriteStringValue("[redacted]");
                    continue;
            }
--- a/test/OpenIddict.Abstractions.Tests/Primitives/OpenIddictMessageTests.cs
+++ b/test/OpenIddict.Abstractions.Tests/Primitives/OpenIddictMessageTests.cs
@ -36,11 +36,11 @@ public class OpenIddictMessageTests
        // Arrange, act and assert
        var exception = Assert.Throws<ArgumentException>(delegate
        {
-            return new OpenIddictMessage(new[]
-            {
+            return new OpenIddictMessage(
+            [
                new KeyValuePair<string, OpenIddictParameter>("parameter", "Fabrikam"),
                new KeyValuePair<string, OpenIddictParameter>("parameter", "Contoso")
-            });
+            ]);
        });

        Assert.Equal("name", exception.ParamName);
@ -51,10 +51,10 @@ public class OpenIddictMessageTests
    public void Constructor_ImportsParameters()
    {
        // Arrange and act
-        var message = new OpenIddictMessage(new[]
-        {
+        var message = new OpenIddictMessage(
+        [
            new KeyValuePair<string, OpenIddictParameter>("parameter", 42)
-        });
+        ]);

        // Assert
        Assert.Equal(42, (long) message.GetParameter("parameter"));
@ -66,10 +66,10 @@ public class OpenIddictMessageTests
    public void Constructor_IgnoresNullOrEmptyParameterNames(string name)
    {
        // Arrange and act
-        var message = new OpenIddictMessage(new[]
-        {
+        var message = new OpenIddictMessage(
+        [
            new KeyValuePair<string, OpenIddictParameter>(name, "Fabrikam")
-        });
+        ]);

        // Assert
        Assert.Equal(0, message.Count);
@ -79,11 +79,11 @@ public class OpenIddictMessageTests
    public void Constructor_PreservesEmptyParameters()
    {
        // Arrange and act
-        var message = new OpenIddictMessage(new[]
-        {
+        var message = new OpenIddictMessage(
+        [
            new KeyValuePair<string, OpenIddictParameter>("null-parameter", (string?) null),
            new KeyValuePair<string, OpenIddictParameter>("empty-parameter", string.Empty)
-        });
+        ]);

        // Assert
        Assert.Equal(2, message.Count);
@ -93,11 +93,11 @@ public class OpenIddictMessageTests
    public void Constructor_CombinesDuplicateParameters()
    {
        // Arrange and act
-        var message = new OpenIddictMessage(new[]
-        {
+        var message = new OpenIddictMessage(
+        [
            new KeyValuePair<string, string?>("parameter", "Fabrikam"),
            new KeyValuePair<string, string?>("parameter", "Contoso")
-        });
+        ]);

        // Assert
        Assert.Equal(1, message.Count);
@ -108,10 +108,10 @@ public class OpenIddictMessageTests
    public void Constructor_SupportsMultiValuedParameters()
    {
        // Arrange and act
-        var message = new OpenIddictMessage(new[]
-        {
+        var message = new OpenIddictMessage(
+        [
            new KeyValuePair<string, string?[]?>("parameter", ["Fabrikam", "Contoso"])
-        });
+        ]);

        // Assert
        Assert.Equal(1, message.Count);
@ -122,10 +122,10 @@ public class OpenIddictMessageTests
    public void Constructor_ExtractsSingleValuedParameters()
    {
        // Arrange and act
-        var message = new OpenIddictMessage(new[]
-        {
+        var message = new OpenIddictMessage(
+        [
            new KeyValuePair<string, string?[]?>("parameter", ["Fabrikam"])
-        });
+        ]);

        // Assert
        Assert.Equal(1, message.Count);
@ -453,17 +453,20 @@ public class OpenIddictMessageTests
    public void ToString_ReturnsJsonRepresentation()
    {
        // Arrange
-        var message = JsonSerializer.Deserialize<OpenIddictMessage>(@"{
-  ""redirect_uris"": [
-    ""https://client.example.org/callback"",
-    ""https://client.example.org/callback2""
-  ],
-  ""client_name"": ""My Example Client"",
-  ""token_endpoint_auth_method"": ""client_secret_basic"",
-  ""logo_uri"": ""https://client.example.org/logo.png"",
-  ""jwks_uri"": ""https://client.example.org/my_public_keys.jwks"",
-  ""example_extension_parameter"": ""example_value""
-}")!;
+        var message = JsonSerializer.Deserialize<OpenIddictMessage>($$"""
+            {
+              "redirect_uris": [
+                "https://client.example.org/callback",
+                "https://client.example.org/callback2"
+              ],
+              "client_name": "My Example Client",
+              "token_endpoint_auth_method": "client_secret_basic",
+              "logo_uri": "https://client.example.org/logo.png",
+              "jwks_uri": "https://client.example.org/my_public_keys.jwks",
+              "example_extension_parameter": "example_value",
+              "_token": "value"
+            }
+            """)!;

        var options = new JsonSerializerOptions
        {
@ -486,6 +489,7 @@ public class OpenIddictMessageTests
    [InlineData(Parameters.Password)]
    [InlineData(Parameters.RefreshToken)]
    [InlineData(Parameters.Token)]
+    [InlineData("custom_token")]
    public void ToString_ExcludesSensitiveParameters(string parameter)
    {
        // Arrange
--- a/test/OpenIddict.Abstractions.Tests/Primitives/OpenIddictParameterTests.cs
+++ b/test/OpenIddict.Abstractions.Tests/Primitives/OpenIddictParameterTests.cs
@ -60,11 +60,11 @@ public class OpenIddictParameterTests
    public void Count_ReturnsExpectedValueForArray()
    {
        // Arrange
-        var parameter = new OpenIddictParameter(new[]
-        {
+        var parameter = new OpenIddictParameter(
+        [
            "Fabrikam",
            "Contoso"
-        });
+        ]);

        // Act and assert
        Assert.Equal(2, parameter.Count);
@ -477,12 +477,12 @@ public class OpenIddictParameterTests
    {
        // Arrange, act and assert
        Assert.Equal(
-            new OpenIddictParameter(new string[] { "Fabrikam", "Contoso" }).GetHashCode(),
-            new OpenIddictParameter(new string[] { "Fabrikam", "Contoso" }).GetHashCode());
+            new OpenIddictParameter(["Fabrikam", "Contoso"]).GetHashCode(),
+            new OpenIddictParameter(["Fabrikam", "Contoso"]).GetHashCode());

        Assert.NotEqual(
-            new OpenIddictParameter(new string[] { "Fabrikam", "Contoso" }).GetHashCode(),
-            new OpenIddictParameter(new string[] { "Contoso", "Fabrikam" }).GetHashCode());
+            new OpenIddictParameter(["Fabrikam", "Contoso"]).GetHashCode(),
+            new OpenIddictParameter(["Contoso", "Fabrikam"]).GetHashCode());
    }

    [Fact]
@ -623,11 +623,11 @@ public class OpenIddictParameterTests
    public void GetNamedParameter_ReturnsNullForArrays()
    {
        // Arrange
-        var parameter = new OpenIddictParameter(new[]
-        {
+        var parameter = new OpenIddictParameter(
+        [
            "Fabrikam",
            "Contoso"
-        });
+        ]);

        // Act and assert
        Assert.Null(parameter.GetNamedParameter("Fabrikam"));
@ -720,11 +720,11 @@ public class OpenIddictParameterTests
    public void GetUnnamedParameter_ReturnsNullForOutOfRangeArrayIndex()
    {
        // Arrange
-        var parameter = new OpenIddictParameter(new[]
-        {
+        var parameter = new OpenIddictParameter(
+        [
            "Fabrikam",
            "Contoso"
-        });
+        ]);

        // Act and assert
        Assert.Null(parameter.GetUnnamedParameter(2));
@ -734,11 +734,11 @@ public class OpenIddictParameterTests
    public void GetUnnamedParameter_ReturnsExpectedNodeForArray()
    {
        // Arrange
-        var parameter = new OpenIddictParameter(new[]
-        {
+        var parameter = new OpenIddictParameter(
+        [
            "Fabrikam",
            "Contoso"
-        });
+        ]);

        // Act and assert
        Assert.Equal("Fabrikam", (string?) parameter.GetUnnamedParameter(0));
@ -1118,7 +1118,7 @@ public class OpenIddictParameterTests
        Assert.False(OpenIddictParameter.IsNullOrEmpty(new OpenIddictParameter(42)));
        Assert.False(OpenIddictParameter.IsNullOrEmpty(new OpenIddictParameter((long?) 42)));
        Assert.False(OpenIddictParameter.IsNullOrEmpty(new OpenIddictParameter("Fabrikam")));
-        Assert.False(OpenIddictParameter.IsNullOrEmpty(new OpenIddictParameter(new[] { "Fabrikam" })));
+        Assert.False(OpenIddictParameter.IsNullOrEmpty(new OpenIddictParameter(["Fabrikam"])));

        Assert.False(OpenIddictParameter.IsNullOrEmpty(new OpenIddictParameter(
            JsonSerializer.Deserialize<JsonElement>(@"[""Fabrikam""]"))));
@ -1188,11 +1188,11 @@ public class OpenIddictParameterTests
    public void ToString_ReturnsSimpleRepresentationForArrays()
    {
        // Arrange
-        var parameter = new OpenIddictParameter(new[]
-        {
+        var parameter = new OpenIddictParameter(
+        [
            "Fabrikam",
            "Contoso"
-        });
+        ]);

        // Act and assert
        Assert.Equal("Fabrikam, Contoso", parameter.ToString());
@ -1325,11 +1325,11 @@ public class OpenIddictParameterTests
    public void TryGetNamedParameter_ReturnsFalseForArrays()
    {
        // Arrange
-        var parameter = new OpenIddictParameter(new[]
-        {
+        var parameter = new OpenIddictParameter(
+        [
            "Fabrikam",
            "Contoso"
-        });
+        ]);

        // Act and assert
        Assert.False(parameter.TryGetNamedParameter("Fabrikam", out var value));
@ -1429,11 +1429,11 @@ public class OpenIddictParameterTests
    public void GetParameter_ReturnsFalseForOutOfRangeArrayIndex()
    {
        // Arrange
-        var parameter = new OpenIddictParameter(new[]
-        {
+        var parameter = new OpenIddictParameter(
+        [
            "Fabrikam",
            "Contoso"
-        });
+        ]);

        // Act and assert
        Assert.False(parameter.TryGetUnnamedParameter(2, out var value));
@ -1444,11 +1444,11 @@ public class OpenIddictParameterTests
    public void TryGetUnnamedParameter_ReturnsExpectedNodeForArray()
    {
        // Arrange
-        var parameter = new OpenIddictParameter(new[]
-        {
+        var parameter = new OpenIddictParameter(
+        [
            "Fabrikam",
            "Contoso"
-        });
+        ]);

        // Act and assert
        Assert.True(parameter.TryGetUnnamedParameter(0, out var value));