
Commit b9563be

elinohlssonElin Fokine
andauthored
Truncate web.useragent sent to BankID in Auth/Sign/Payment API call. (#531)
* Truncate web.useragent sent to BankID in Auth/Sign/Payment API call, if the value exceeds the max length of 256 characters. * Added test for truncating user agent string. --------- Co-authored-by: Elin Fokine <ElinO@activesolution.se>
1 parent a3b7d5a commit b9563be

3 files changed

Lines changed: 48 additions & 0 deletions


Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
namespace ActiveLogin.Authentication.BankId.Api;
2+
3+
public static class BankIdApiLimits
4+
{
5+
/// <summary>
6+
/// Max length for web.userAgent used in Auth/Sign/Payment as defined by the BankID API.
7+
/// </summary>
8+
public const int UserAgentMaxLength = 256;
9+
}

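--- a/src/ActiveLogin.Authentication.BankId.AspNetCore/UserContext/Device/Resolvers/BankIdDefaultEndUserWebDeviceDataResolver.cs
+++ b/src/ActiveLogin.Authentication.BankId.AspNetCore/UserContext/Device/Resolvers/BankIdDefaultEndUserWebDeviceDataResolver.cs
@@ -42,6 +42,8 @@ private bool TryGetWebDeviceParameters(out DeviceDataWeb? parameters)
 return false;
 }
 
+userAgent = TruncateUserAgent(userAgent);
+
 parameters = new DeviceDataWeb(
 referringDomain: referringDomain,
 userAgent: userAgent,
@@ -100,4 +102,11 @@ private bool TryGetHeader(string headerName, out string headerValue)
 return true;
 }
 
+private static string TruncateUserAgent(string userAgent)
+{
+return userAgent.Length > BankIdApiLimits.UserAgentMaxLength
+? userAgent[..BankIdApiLimits.UserAgentMaxLength]
+: userAgent;
+}
+
 }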
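Review bot: TruncateUserAgent cuts at a UTF-16 index, so when the 256th and 257th code units form a surrogate pair the result ends in a lone high surrogate, which a JSON serializer may reject or replace before the request reaches BankID; a one-unit back-off avoids it: `var cut = BankIdApiLimits.UserAgentMaxLength; if (char.IsHighSurrogate(userAgent[cut - 1])) { cut--; } return userAgent[..cut];`. Whether the BankID limit counts UTF-16 code units, code points or encoded bytes is not visible here; if it is bytes, a 256-character string of non-ASCII text would still exceed it, so the unit is worth confirming against the API documentation and noting on the constant. A short doc comment on the helper, e.g. `/// Trims the user agent to <see cref="BankIdApiLimits.UserAgentMaxLength"/> so the Auth/Sign/Payment request is not rejected for an over-long value.`, would make the intent clear at the call site. TryGetWebDeviceParameters begins and ends outside the first hunk.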

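--- a/test/ActiveLogin.Authentication.BankId.AspNetCore.Test/UserContext/Device/Resolvers/BankIdDefaultEndUserWebDeviceDataResolver_Tests.cs
+++ b/test/ActiveLogin.Authentication.BankId.AspNetCore.Test/UserContext/Device/Resolvers/BankIdDefaultEndUserWebDeviceDataResolver_Tests.cs
@@ -102,4 +102,34 @@ public void GetDeviceData_Returns_CreatedDeviceIdentifier()
 Assert.Equal(createdIdentifier, data.DeviceIdentifier);
 }
 
+[Fact]
+public void GetDeviceData_Truncates_UserAgent_When_Exceeding_MaxLength()
+{
+// Arrange
+const string UserAgent330Characters =
+"User-Agent: Mozilla/5.0 (Linux; Android 12; 2206122SC Build/SKQ1.220303.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 " +
+"Chrome/86.0.4240.99 XWEB/4343 MMWEBSDK/20221011 Mobile Safari/537.36 MMWEBID/5638 MicroMessenger/8.0.30.2260(0x28001E3B) WeChat/arm64 " +
+"Weixin NetType/WIFI Language/en ABI/arm64 MiniProgramEnv/android";
+
+const string UserAgent256Characters =
+"User-Agent: Mozilla/5.0 (Linux; Android 12; 2206122SC Build/SKQ1.220303.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 " +
+"Chrome/86.0.4240.99 XWEB/4343 MMWEBSDK/20221011 Mobile Safari/537.36 MMWEBID/5638 MicroMessenger/8.0.30.2260(0x28001E3B) WeC";
+
+var (sut, createdIdentifier) = CreateSut(
+userAgent: UserAgent330Characters,
+referer: _defaultReferer,
+deviceIdentifier: _defaultDeviceIdentifier);
+
+// Act
+var data = sut.GetDeviceData() as DeviceDataWeb;
+
+// Assert
+Assert.NotNull(data);
+Assert.Equal("example.se", data.ReferringDomain);
+Assert.Equal(createdIdentifier, data.DeviceIdentifier);
+
+Assert.NotNull(data.UserAgent);
+Assert.Equal(256, data.UserAgent.Length);
+Assert.Equal(UserAgent256Characters,data.UserAgent);
+}
 }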
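Review bot: The new test pins only the over-length case; the boundary where the user agent is exactly 256 characters, and a shorter value, should pass through unchanged, and neither is asserted anywhere in this section. In addition to this content check, a `[Theory]` over `new string('a', length)` with cases such as `[InlineData(10, 10)]`, `[InlineData(256, 256)]` and `[InlineData(330, 256)]` would cover the boundary without more long literals. The literal `256` on the `Assert.Equal(256, data.UserAgent.Length);` line duplicates `BankIdApiLimits.UserAgentMaxLength`; referencing the constant keeps the test aligned if the limit changes. `Assert.Equal(UserAgent256Characters,data.UserAgent);` is missing the space after the comma.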
