diff --git a/backend/tests/Squidex.Web.Tests/Pipeline/AppResolverTests.cs b/backend/tests/Squidex.Web.Tests/Pipeline/AppResolverTests.cs
index fe96b9720..f5d11dcec 100644
--- a/backend/tests/Squidex.Web.Tests/Pipeline/AppResolverTests.cs
+++ b/backend/tests/Squidex.Web.Tests/Pipeline/AppResolverTests.cs
@@ -96,8 +96,7 @@ namespace Squidex.Web.Pipeline
 {
 var app = CreateApp(appName, appClient: "client1");
 
-user.AddClaim(new Claim(OpenIdClaims.ClientId, "client1"));
-user.AddClaim(new Claim(SquidexClaimTypes.Permissions, "squidex.apps.my-app"));
+user.AddClaim(new Claim(OpenIdClaims.ClientId, $"{appName}:client1"));
 
 A.CallTo(() => appProvider.GetAppAsync(appName))
 .Returns(app);
@@ -114,7 +113,7 @@ namespace Squidex.Web.Pipeline
 {
 var app = CreateApp(appName);
 
-user.AddClaim(new Claim(OpenIdClaims.ClientId, "client1"));
+user.AddClaim(new Claim(OpenIdClaims.ClientId, $"{appName}:client1"));
 user.AddClaim(new Claim(SquidexClaimTypes.Permissions, "squidex.apps.other-app"));
 
 actionContext.ActionDescriptor.EndpointMetadata.Add(new AllowAnonymousAttribute());
@@ -134,7 +133,7 @@ namespace Squidex.Web.Pipeline
 {
 var app = CreateApp(appName);
 
-user.AddClaim(new Claim(OpenIdClaims.ClientId, "client1"));
+user.AddClaim(new Claim(OpenIdClaims.ClientId, $"{appName}:client1"));
 user.AddClaim(new Claim(SquidexClaimTypes.Permissions, "squidex.apps.other-app"));
 
 A.CallTo(() => appProvider.GetAppAsync(appName))
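Review bot: The `$"{appName}:client1"` client id is now assembled inline in three tests while the new negative test hand-writes `"other:client1"`, so the `app:client` format the resolver apparently expects exists only as a string-building convention scattered through the file; a helper such as `private static string ClientId(string app, string client = "client1") => $"{app}:{client}";` would keep the format in one place and make `ClientId("other")` read as the deliberate contrast it is. Dropping the `squidex.apps.my-app` permission claim from this first test presumably means the positive case now rests on the client claim alone, which is worth stating in the test name or a one-line comment, e.g. `// A client scoped to this app needs no explicit permission claim to resolve it.`. The test's signature and assertions are outside the hunk, so what it actually asserts cannot be confirmed from here.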
@@ -146,6 +145,22 @@ namespace Squidex.Web.Pipeline
 Assert.False(isNextCalled);
 }
 
+[Fact]
+public async Task Should_return_not_found_if_client_is_from_another_app()
+{
+var app = CreateApp(appName, appClient: "client1");
+
+user.AddClaim(new Claim(OpenIdClaims.ClientId, "other:client1"));
+
+A.CallTo(() => appProvider.GetAppAsync(appName))
+.Returns(app);
+
+await sut.OnActionExecutionAsync(actionExecutingContext, next);
+
+Assert.IsType(actionExecutingContext.Result);
+Assert.False(isNextCalled);
+}
+
+[Fact]
+public async Task Should_do_nothing_if_parameter_not_set()
+{
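Review bot: The new negative test checks only a client whose prefix names a different app (`"other:client1"`), but not the unprefixed legacy form `"client1"` that these tests used before this commit, an empty prefix (`":client1"`), or a prefix that matches `appName` only by case — if the resolver derives the app from the text before `:` and compares it to the route's app name (inferred, not visible here), any of those could be accepted or rejected by accident, and this is exactly the boundary that keeps one app's client from acting inside another app. Turning the test into a `[Theory]` over the client id covers the constant cases without duplicating the body (see below); the case-variant needs its own `[Fact]` since `appName` is not a compile-time constant. Separately, `Assert.IsType(actionExecutingContext.Result)` appears to have lost its generic type argument in this rendering — presumably `Assert.IsType<NotFoundResult>(...)` as the test name implies — so confirm the asserted type is the concrete result the resolver returns rather than a broad `IActionResult`.

```csharp
[Theory]
[InlineData("client1")]        // legacy unprefixed id
[InlineData("other:client1")]  // client of a different app
[InlineData(":client1")]       // empty app prefix
public async Task Should_return_not_found_if_client_is_from_another_app(string clientId)
{
    var app = CreateApp(appName, appClient: "client1");

    user.AddClaim(new Claim(OpenIdClaims.ClientId, clientId));

    // … unchanged: provider stub, OnActionExecutionAsync call, result/isNextCalled assertions …
```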