Do not serialize Parameters property on AuthenticationProperties (#31414)

martincostello · web-flow · commit 0984c6d784fd · 2021-03-31T23:12:55.000Z
* Do not serialize Parameters Explicitly prevent the Parameters dictionary from being included in the deserialized payload. See #31330 (comment). * Ignore props backed by Items Also ignore the properties backed by the Items dictionary to minimise the size of the serialized JSON payload. * Add ignoreLineEndingDifferences Stop tests from failing on non-Windows OSs due to different line endings.
diff --git a/src/Http/Authentication.Abstractions/src/AuthenticationProperties.cs b/src/Http/Authentication.Abstractions/src/AuthenticationProperties.cs
@@ -65,11 +65,13 @@ public AuthenticationProperties Clone()
         /// Collection of parameters that are passed to the authentication handler. These are not intended for
         /// serialization or persistence, only for flowing data between call sites.
         /// </summary>
+        [JsonIgnore]
         public IDictionary<string, object?> Parameters { get; }
 
         /// <summary>
         /// Gets or sets whether the authentication session is persisted across multiple requests.
         /// </summary>
+        [JsonIgnore]
         public bool IsPersistent
         {
             get => GetString(IsPersistentKey) != null;
@@ -79,6 +81,7 @@ public bool IsPersistent
         /// <summary>
         /// Gets or sets the full path or absolute URI to be used as an http redirect response value.
         /// </summary>
+        [JsonIgnore]
         public string? RedirectUri
         {
             get => GetString(RedirectUriKey);
@@ -88,6 +91,7 @@ public string? RedirectUri
         /// <summary>
         /// Gets or sets the time at which the authentication ticket was issued.
         /// </summary>
+        [JsonIgnore]
         public DateTimeOffset? IssuedUtc
         {
             get => GetDateTimeOffset(IssuedUtcKey);
@@ -97,6 +101,7 @@ public DateTimeOffset? IssuedUtc
         /// <summary>
         /// Gets or sets the time at which the authentication ticket expires.
         /// </summary>
+        [JsonIgnore]
         public DateTimeOffset? ExpiresUtc
         {
             get => GetDateTimeOffset(ExpiresUtcKey);
@@ -106,6 +111,7 @@ public DateTimeOffset? ExpiresUtc
         /// <summary>
         /// Gets or sets if refreshing the authentication session should be allowed.
         /// </summary>
+        [JsonIgnore]
         public bool? AllowRefresh
         {
             get => GetBool(RefreshKey);
diff --git a/src/Http/Authentication.Core/test/AuthenticationPropertiesTests.cs b/src/Http/Authentication.Core/test/AuthenticationPropertiesTests.cs
@@ -320,6 +320,12 @@ public void Roundtrip_Serializes_With_SystemTextJson()
             props.Parameters.Add("baz", "quux");
 
             var json = JsonSerializer.Serialize(props);
+
+            // Verify that Parameters was not serialized
+            Assert.NotNull(json);
+            Assert.DoesNotContain("baz", json);
+            Assert.DoesNotContain("quux", json);
+
             var deserialized = JsonSerializer.Deserialize<AuthenticationProperties>(json);
 
             Assert.NotNull(deserialized);
@@ -339,6 +345,50 @@ public void Roundtrip_Serializes_With_SystemTextJson()
             Assert.Equal(0, deserialized.Parameters.Count);
         }
 
+        [Fact]
+        public void Parameters_Is_Not_Deserialized_With_SystemTextJson()
+        {
+            var json = @"{""Parameters"":{""baz"":""quux""}}";
+
+            var deserialized = JsonSerializer.Deserialize<AuthenticationProperties>(json);
+
+            Assert.NotNull(deserialized);
+
+            // Ensure that parameters is not deserialized from a raw payload
+            Assert.NotNull(deserialized!.Parameters);
+            Assert.Equal(0, deserialized.Parameters.Count);
+        }
+
+        [Fact]
+        public void Serialization_Is_Minimised_With_SystemTextJson()
+        {
+            var props = new AuthenticationProperties()
+            {
+                AllowRefresh = true,
+                ExpiresUtc = new DateTimeOffset(2021, 03, 28, 13, 47, 00, TimeSpan.Zero),
+                IssuedUtc = new DateTimeOffset(2021, 03, 28, 12, 47, 00, TimeSpan.Zero),
+                IsPersistent = true,
+                RedirectUri = "/foo/bar"
+            };
+
+            props.Items.Add("foo", "bar");
+
+            var options = new JsonSerializerOptions() { WriteIndented = true }; // Indented for readability if test fails
+            var json = JsonSerializer.Serialize(props, options);
+
+            // Verify that the payload doesn't duplicate the properties backed by Items
+            Assert.Equal(@"{
+  ""Items"": {
+    "".refresh"": ""True"",
+    "".expires"": ""Sun, 28 Mar 2021 13:47:00 GMT"",
+    "".issued"": ""Sun, 28 Mar 2021 12:47:00 GMT"",
+    "".persistent"": """",
+    "".redirect"": ""/foo/bar"",
+    ""foo"": ""bar""
+  }
+}", json, ignoreLineEndingDifferences: true);
+        }
+
         public class MyAuthenticationProperties : AuthenticationProperties
         {
             public new DateTimeOffset? GetDateTimeOffset(string key)
