UiOptions in cookie - Use session cookie, add support for sign and payment (#521)

* Store one instance of the UiOptions cookie. Make it a session cookie. Delete the session cookie in auth handler callback method. 

* Create and delete UiOptions cookie for sign and payments as well.

* Return empty result to init view if we do not have a ui options cookie. Same behaviour as for the state cookie.

---------

Co-authored-by: Elin Fokine <ElinO@activesolution.se>

Author: elinohlsson

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiApiControllerBase.cs

@@ -62,15 +62,14 @@ public async Task<ActionResult> Status(BankIdUiApiStatusRequest request)
     {
         Validators.ThrowIfNullOrWhitespace(request.OrderRef, nameof(request.OrderRef));
         Validators.ThrowIfNullOrWhitespace(request.ReturnUrl, nameof(request.ReturnUrl));
-        Validators.ThrowIfNullOrWhitespace(request.UiOptions, nameof(request.UiOptions));
 
         if (!Url.IsLocalUrl(request.ReturnUrl))
         {
             throw new Exception(BankIdConstants.ErrorMessages.InvalidReturnUrl);
         }
 
         var orderRef = OrderRefProtector.Unprotect(request.OrderRef);
-        var uiOptions = ResolveProtectedUiOptions(request.UiOptions);
+        var uiOptions = ResolveProtectedUiOptions();
 
         BankIdFlowCollectResult result;
         try
@@ -92,8 +91,6 @@ public async Task<ActionResult> Status(BankIdUiApiStatusRequest request)
             case BankIdFlowCollectResultComplete complete:
             {
                 var uiResult = ConstructProtectedUiResult(orderRef.OrderRef, complete.CompletionData);
-                UiOptionsCookieManager.Delete(request.UiOptions);
-
                 return OkJsonResult(BankIdUiApiStatusResponse.Finished(request.ReturnUrl, uiResult));
             }
             case BankIdFlowCollectResultRetry retry:
@@ -102,8 +99,6 @@ public async Task<ActionResult> Status(BankIdUiApiStatusRequest request)
             }
             case BankIdFlowCollectResultFailure failure:
             {
-                UiOptionsCookieManager.Delete(request.UiOptions);
-
                 return BadRequestJsonResult(new BankIdUiApiErrorResponse(failure.StatusMessage));
             }
             default:
@@ -130,10 +125,9 @@ public ActionResult QrCode(BankIdUiApiQrCodeRequest request)
     public async Task<ActionResult> Cancel(BankIdUiApiCancelRequest request)
     {
         Validators.ThrowIfNullOrWhitespace(request.OrderRef, nameof(request.OrderRef));
-        Validators.ThrowIfNullOrWhitespace(request.UiOptions, nameof(request.UiOptions));
 
         var orderRef = OrderRefProtector.Unprotect(request.OrderRef);
-        var uiOptions = ResolveProtectedUiOptions(request.UiOptions);
+        var uiOptions = ResolveProtectedUiOptions();
 
         await BankIdFlowService.Cancel(orderRef.OrderRef, uiOptions.ToBankIdFlowOptions());
 
@@ -189,11 +183,10 @@ protected static ActionResult BadRequestJsonResult(object model)
     }
 
     /// <summary>
-    /// Resolves the UiOptions from either a GUID (stored in cookie) or the direct protected value.
+    /// Resolves the UiOptions stored in cookie and unprotects value.
     /// </summary>
-    protected BankIdUiOptions ResolveProtectedUiOptions(string protectedUiOptionsOrGuid)
+    protected BankIdUiOptions ResolveProtectedUiOptions()
     {
-        return UiOptionsCookieManager.Retrieve(protectedUiOptionsOrGuid)
-            ?? throw new InvalidOperationException(BankIdConstants.ErrorMessages.InvalidUiOptions);
+        return UiOptionsCookieManager.Retrieve() ?? throw new InvalidOperationException(BankIdConstants.ErrorMessages.InvalidUiOptions);
     }
 }

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiAuthApiController.cs

@@ -38,17 +38,15 @@ public BankIdUiAuthApiController(
     public async Task<ActionResult<BankIdUiApiInitializeResponse>> Initialize(BankIdUiApiInitializeRequest request)
     {
         Validators.ThrowIfNullOrWhitespace(request.ReturnUrl, nameof(request.ReturnUrl));
-        Validators.ThrowIfNullOrWhitespace(request.UiOptions, nameof(request.UiOptions));
 
-        var uiOptions = ResolveProtectedUiOptions(request.UiOptions);
+        var uiOptions = ResolveProtectedUiOptions();
 
         BankIdFlowInitializeResult bankIdFlowInitializeResult;
         try
         {
             var returnRedirectUrl = Url.Action(BankIdConstants.Routes.BankIdAuthInitActionName, BankIdConstants.Routes.BankIdAuthControllerName, new
             {
-                returnUrl = request.ReturnUrl,
-                uiOptions = request.UiOptions
+                returnUrl = request.ReturnUrl
             }, protocol: Request.Scheme) ?? throw new Exception(BankIdConstants.ErrorMessages.CouldNotGetUrlFor(BankIdConstants.Routes.BankIdAuthControllerName, BankIdConstants.Routes.BankIdAuthInitActionName));
 
             bankIdFlowInitializeResult = await BankIdFlowService.InitializeAuth(uiOptions.ToBankIdFlowOptions(), returnRedirectUrl);

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiAuthController.cs

@@ -31,8 +31,8 @@ IBankIdUiOptionsCookieManager uiOptionsCookieManager
 
     [HttpGet]
     [Route($"/[area]/{BankIdConstants.Routes.BankIdPathName}/{BankIdConstants.Routes.BankIdAuthControllerPath}")]
-    public Task<ActionResult> Init(string returnUrl, [FromQuery(Name = BankIdConstants.QueryStringParameters.UiOptions)] string uiOptionsGuid)
+    public Task<ActionResult> Init(string returnUrl)
     {
-        return Initialize(returnUrl, BankIdConstants.Routes.BankIdAuthApiControllerName, uiOptionsGuid, "Init");
+        return Initialize(returnUrl, BankIdConstants.Routes.BankIdAuthApiControllerName, "Init");
     }
 }

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiControllerBase.cs

@@ -44,20 +44,20 @@ protected BankIdUiControllerBase(
         _uiOptionsCookieManager = uiOptionsCookieManager;
     }
 
-    protected async Task<ActionResult> Initialize(string returnUrl, string apiControllerName, string uiOptionsGuid, string viewName)
+    protected async Task<ActionResult> Initialize(string returnUrl, string apiControllerName, string viewName)
     {
         Validators.ThrowIfNullOrWhitespace(returnUrl);
-        Validators.ThrowIfNullOrWhitespace(uiOptionsGuid, BankIdConstants.QueryStringParameters.UiOptions);
 
         if (!Url.IsLocalUrl(returnUrl))
         {
             throw new ArgumentException(BankIdConstants.ErrorMessages.InvalidReturnUrl);
         }
 
-        var uiOptions = _uiOptionsCookieManager.Retrieve(uiOptionsGuid) ?? throw new InvalidOperationException(BankIdConstants.ErrorMessages.InvalidUiOptions);
-        if (!HasStateCookie(uiOptions))
+        var uiOptions = _uiOptionsCookieManager.Retrieve();
+        if (uiOptions == null || !HasStateCookie(uiOptions))
         {
-            var invalidStateContext = new BankIdInvalidStateContext(uiOptions.CancelReturnUrl);
+            var cancelReturnUrl = uiOptions?.CancelReturnUrl ?? "/";
+            var invalidStateContext = new BankIdInvalidStateContext(cancelReturnUrl);
             await _bankIdInvalidStateHandler.HandleAsync(invalidStateContext);
 
             return new EmptyResult();
@@ -75,7 +75,7 @@ protected async Task<ActionResult> Initialize(string returnUrl, string apiContro
         }
         var state = _bankIdUiStateProtector.Unprotect(protectedState);
 
-        var viewModel = GetUiViewModel(returnUrl, apiControllerName, uiOptionsGuid, uiOptions, state, antiforgeryTokens);
+        var viewModel = GetUiViewModel(returnUrl, apiControllerName, uiOptions, state, antiforgeryTokens);
 
         return View(viewName, viewModel);
     }
@@ -91,7 +91,7 @@ private bool HasStateCookie(BankIdUiOptions uiOptions)
         return !string.IsNullOrEmpty(HttpContext.Request.Cookies[uiOptions.StateCookieName]);
     }
 
-    private BankIdUiViewModel GetUiViewModel(string returnUrl, string apiControllerName, string uiOptionsGuid, BankIdUiOptions unprotectedUiOptions, BankIdUiState uiState, AntiforgeryTokenSet antiforgeryTokens)
+    private BankIdUiViewModel GetUiViewModel(string returnUrl, string apiControllerName, BankIdUiOptions unprotectedUiOptions, BankIdUiState uiState, AntiforgeryTokenSet antiforgeryTokens)
     {
         Validators.ThrowIfNullOrWhitespace(antiforgeryTokens.RequestToken, nameof(antiforgeryTokens.RequestToken));
 
@@ -119,8 +119,6 @@ private BankIdUiViewModel GetUiViewModel(string returnUrl, string apiControllerN
 
             ReturnUrl = returnUrl,
             CancelReturnUrl = Url.Content(unprotectedUiOptions.CancelReturnUrl),
-
-            UiOptionsGuid = uiOptionsGuid
         };
 
         var localizedStartAppButtonText = _localizer["StartApp_Button"];

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiPaymentApiController.cs

@@ -44,9 +44,8 @@ public BankIdUiPaymentApiController(
     public async Task<ActionResult<BankIdUiApiInitializeResponse>> Initialize(BankIdUiApiInitializeRequest request)
     {
         Validators.ThrowIfNullOrWhitespace(request.ReturnUrl, nameof(request.ReturnUrl));
-        Validators.ThrowIfNullOrWhitespace(request.UiOptions, nameof(request.UiOptions));
 
-        var uiOptions = ResolveProtectedUiOptions(request.UiOptions);
+        var uiOptions = ResolveProtectedUiOptions();
 
         var state = GetStateFromCookie(uiOptions);
         if(state == null)
@@ -59,8 +58,7 @@ public async Task<ActionResult<BankIdUiApiInitializeResponse>> Initialize(BankId
         {
             var returnRedirectUrl = Url.Action(BankIdConstants.Routes.BankIdPaymentInitActionName, BankIdConstants.Routes.BankIdPaymentControllerName, new
             {
-                returnUrl = request.ReturnUrl,
-                uiOptions = request.UiOptions
+                returnUrl = request.ReturnUrl
             }, protocol: Request.Scheme) ?? throw new Exception(BankIdConstants.ErrorMessages.CouldNotGetUrlFor(BankIdConstants.Routes.BankIdPaymentControllerName, BankIdConstants.Routes.BankIdPaymentInitActionName));
 
             bankIdFlowInitializeResult = await BankIdFlowService.InitializePayment(

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiPaymentController.cs

@@ -32,8 +32,8 @@ IBankIdUiOptionsCookieManager uiOptionsCookieManager
     [HttpGet]
     [AllowAnonymous]
     [Route($"/[area]/{BankIdConstants.Routes.BankIdPathName}/{BankIdConstants.Routes.BankIdPaymentControllerPath}")]
-    public Task<ActionResult> Init(string returnUrl, [FromQuery(Name = BankIdConstants.QueryStringParameters.UiOptions)] string protectedUiOptions)
+    public Task<ActionResult> Init(string returnUrl)
     {
-        return Initialize(returnUrl, BankIdConstants.Routes.BankIdPaymentApiControllerName, protectedUiOptions, "Init");
+        return Initialize(returnUrl, BankIdConstants.Routes.BankIdPaymentApiControllerName, "Init");
     }
 }

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiSignApiController.cs

@@ -44,12 +44,11 @@ public BankIdUiSignApiController(
     public async Task<ActionResult<BankIdUiApiInitializeResponse>> Initialize(BankIdUiApiInitializeRequest request)
     {
         Validators.ThrowIfNullOrWhitespace(request.ReturnUrl, nameof(request.ReturnUrl));
-        Validators.ThrowIfNullOrWhitespace(request.UiOptions, nameof(request.UiOptions));
 
-        var uiOptions = ResolveProtectedUiOptions(request.UiOptions);
+        var uiOptions = ResolveProtectedUiOptions();
 
         var state = GetStateFromCookie(uiOptions);
-        if(state == null)
+        if (state == null)
         {
             throw new InvalidOperationException(BankIdConstants.ErrorMessages.InvalidStateCookie);
         }
@@ -59,8 +58,7 @@ public async Task<ActionResult<BankIdUiApiInitializeResponse>> Initialize(BankId
         {
             var returnRedirectUrl = Url.Action(BankIdConstants.Routes.BankIdSignInitActionName, BankIdConstants.Routes.BankIdSignControllerName, new
             {
-                returnUrl = request.ReturnUrl,
-                uiOptions = request.UiOptions
+                returnUrl = request.ReturnUrl
             }, protocol: Request.Scheme) ?? throw new Exception(BankIdConstants.ErrorMessages.CouldNotGetUrlFor(BankIdConstants.Routes.BankIdSignControllerName, BankIdConstants.Routes.BankIdSignInitActionName));
 
             bankIdFlowInitializeResult = await BankIdFlowService.InitializeSign(

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiSignController.cs

@@ -32,8 +32,8 @@ IBankIdUiOptionsCookieManager uiOptionsCookieManager
     [HttpGet]
     [AllowAnonymous]
     [Route($"/[area]/{BankIdConstants.Routes.BankIdPathName}/{BankIdConstants.Routes.BankIdSignControllerPath}")]
-    public Task<ActionResult> Init(string returnUrl, [FromQuery(Name = BankIdConstants.QueryStringParameters.UiOptions)] string protectedUiOptions)
+    public Task<ActionResult> Init(string returnUrl)
     {
-        return Initialize(returnUrl, BankIdConstants.Routes.BankIdSignApiControllerName, protectedUiOptions, "Init");
+        return Initialize(returnUrl, BankIdConstants.Routes.BankIdSignApiControllerName, "Init");
     }
 }

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Models/BankIdUiApiCancelRequest.cs

@@ -9,9 +9,6 @@ public BankIdUiApiCancelRequest()
 
     }
 
-    [Required]
-    public string? UiOptions { get; set; }
-
     [Required]
     public string? OrderRef { get; set; }
 }

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Models/BankIdUiApiInitializeRequest.cs

@@ -10,7 +10,4 @@ public BankIdUiApiInitializeRequest()
 
     [Required]
     public string? ReturnUrl { get; set; }
-
-    [Required]
-    public string? UiOptions { get; set; }
 }