In the previous article, we have learned how to write integration tests for different actions (Index and Create), but while we were testing the Create (POST) action, we faced a problem with AntiForgeryToken validation. We skipped that problem by commenting out that validation attribute and our test passed, but that was just a temporary solution.

In this article, we are going to solve that problem. We will learn how to extract AntiForgeryToken from the HTML response and how to use it in our tests. After fixing our problem, we will be able to test our actions that are protected with the anti-forgery validation attributes.

You can download the source code on our GitHub repository.

For the complete navigation of this series, you can visit ASP.NET Core MVC Testing.


Injecting AntiForgeryToken into the IServiceCollection

To start, let’s create the AntiForgeryTokenExtractor class in the EmployeesApp.IntegrationTests project, with two properties:

In this class, we are going to wrap all the logic required for extracting the anti-forgery field and cookie.

For now, we just define the field and the cookie names. In a bit, we are going to add additional methods. But for now, let’s move on to the TestingWebAppFactory class, and inject our token details in IServiceCollection.

So, let’s write our code right below the services.AddDbContext<EmployeeContext> part:

With this code, we add the anti-forgery service in the specified IServiceCollection with the cookie and the field names. Once we do this, we can extract those properties from the HTML response by using the same names as declared in the AntiForgeryTokenExtractor class.

Extracting the Field and Cookie from the HTML Response

With that being said, let’s go back to the AntiForgeryTokenExtractor class and add the required code for extracting the cookie first:

In our code, we read the Set-Cookie header of our response and pick the value that contains the name of the defined cookie. If that cookie doesn’t exist, we throw an exception. Otherwise, we just parse its value and return it.

Now, we can add another method to extract the field:

With this method, we use a regular expression to extract the HTML control that contains the anti-forgery field value from the htmlBody string. If the expression matches, we return its value; otherwise, we throw an exception.

Finally, we can create a main method that will return the results of both these methods:

So, we just call both methods, collect their results and return them as a Tuple object.
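The extraction steps described above, as an added example that is not the article's own code. The class name comes from the article; the two property values, the member names and the regular expression are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.Net.Http.Headers;

public static class AntiForgeryTokenExtractor
{
    // Constructed names (assumption): they must match the Cookie.Name and
    // FormFieldName values given to services.AddAntiforgery(...) in the test factory.
    public static string AntiForgeryFieldName { get; } = "AntiForgeryTokenField";
    public static string AntiForgeryCookieName { get; } = "AntiForgeryTokenCookie";

    private static string ExtractCookieValue(HttpResponseMessage response)
    {
        // TryGetValues avoids the InvalidOperationException that GetValues
        // throws when the response carries no Set-Cookie header at all.
        if (!response.Headers.TryGetValues("Set-Cookie", out var setCookies))
            throw new ArgumentException("Response has no Set-Cookie header", nameof(response));

        // Parse every Set-Cookie header and compare the cookie name exactly,
        // so a cookie whose name merely contains ours is not picked up.
        var cookie = setCookies
            .Select(h => SetCookieHeaderValue.Parse(h))
            .FirstOrDefault(c => c.Name.ToString() == AntiForgeryCookieName);
        if (cookie is null)
            throw new ArgumentException($"Cookie '{AntiForgeryCookieName}' not found", nameof(response));
        return cookie.Value.ToString();
    }

    private static string ExtractFieldValue(string htmlBody)
    {
        // Assumes the hidden input renders its name attribute before its value attribute.
        var match = Regex.Match(htmlBody,
            $@"<input[^>]*\bname=""{Regex.Escape(AntiForgeryFieldName)}""[^>]*\bvalue=""([^""]+)""");
        if (!match.Success)
            throw new ArgumentException($"Field '{AntiForgeryFieldName}' not found", nameof(htmlBody));
        return match.Groups[1].Value;
    }

    // Returns both values from the GET response that rendered the form.
    public static async Task<(string field, string cookie)> ExtractAntiForgeryValues(HttpResponseMessage response)
    {
        var cookie = ExtractCookieValue(response);
        var body = await response.Content.ReadAsStringAsync();
        return (ExtractFieldValue(body), cookie);
    }
}
```

Both values must come from the same GET response, because the anti-forgery service validates the cookie token and the form token as a pair.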

That is it, we can now modify our testing methods and include AntiForgeryToken validation in the controller.

Modifying Test Methods

The first thing we are going to do is uncomment the validation attribute on top of the Create action in the EmployeesController class. As soon as we finish that, we can move on to the EmployeesControllerIntegrationTests class.

We are going to modify the Create_SentWrongModel_ReturnsViewWithErrorMessages method:

So, we have to send a GET request first in order to get the response from which we extract our anti-forgery values. Once extracted, we assign the cookie value to the Header of our POST request and assign the field value in the formModel object.

Let’s see what those cookie and field values look like in the response.

First the cookie from the response:

[Figure: cookie value in the response]

And the field from the HTML body:

[Figure: field value in the HTML body]

We can see that both the cookie and the field have the same names as we declared in the TestingWebAppFactory class.

Modifying Additional Test Method

Let’s add the same modifications to the Create_WhenPOSTExecuted_ReturnsToIndexView method:

Additionally, we have changed the method name and a single variable in this method, for better readability. All we have to do is to verify that our tests pass:

[Figure: both integration POST tests passing]

And they do.



In this article, we have learned:

  • How to inject an anti-forgery service in IServiceCollection
  • The way to extract the anti-forgery cookie and the anti-forgery field values from the response
  • How to modify our test methods to work with AntiForgeryToken validation

In the next article, we are going to learn about UI testing with the Selenium library.
