From ea41d9063b49f8c5616e57ec3bc7cfa239b46e44 Mon Sep 17 00:00:00 2001 From: Benjamin Krug Date: Thu, 11 Jun 2026 14:57:47 -0400 Subject: [PATCH 1/3] Add failing test --- test/Falco.Tests/RequestTests.fs | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/test/Falco.Tests/RequestTests.fs b/test/Falco.Tests/RequestTests.fs index 9fcc5a9..9fdf630 100644 --- a/test/Falco.Tests/RequestTests.fs +++ b/test/Falco.Tests/RequestTests.fs @@ -464,7 +464,7 @@ let ``Request.ifAuthenticated should allow authenticated users`` () = [] -let ``Request.ifNotAuthenticated should block authenticated users`` () = +let ``Request.ifNotAuthenticated should block non-authenticated users`` () = let ctx = getHttpContextWriteable false let mutable visited = false @@ -507,3 +507,18 @@ let ``Request.ifAuthenticatedInRole should block users not in role`` () = do! Request.ifAuthenticatedInRole AuthScheme ["admin2"] handle ctx visited |> should equal false } + +[] +let ``UniqueTestNameGuid: 2ba53dd9-ba2b-4bd0-8009-f7fa34cabd03; Request.ifAuthenticatedInRole should block non-authenticated users`` () = + let ctx = getHttpContextWriteable false + + let mutable visited = false + + let handle : HttpHandler = fun ctx -> + visited <- true + Response.ofEmpty ctx + + task { + do! Request.ifAuthenticatedInRole AuthScheme ["admin2"] handle ctx + visited |> should equal false + } From c87a109ea4ba055c90479a9a4f4384b4c589b52b Mon Sep 17 00:00:00 2001 From: Benjamin Krug Date: Thu, 11 Jun 2026 15:02:02 -0400 Subject: [PATCH 2/3] Resolve null reference error --- src/Falco/Request.fs | 6 +++--- test/Falco.Tests/RequestTests.fs | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Falco/Request.fs b/src/Falco/Request.fs index dbb8736..8d6b232 100644 --- a/src/Falco/Request.fs +++ b/src/Falco/Request.fs 
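Review bot: The new `ifAuthenticatedInRole should block non-authenticated users` test only asserts that `visited` stays false, so it passes for any outcome in which the handler is skipped, including a future regression that quietly writes an empty 200 instead of forbidding; the null reference it is meant to catch is detected only because the exception propagates through the `do!`. If `getHttpContextWriteable` wires up an authentication service that records the outcome, also assert it after the `do!`, e.g. `ctx.Response.StatusCode |> should equal 403`, so the test pins the forbid and not merely "handler not invoked". The sibling `should block users not in role` test in the context above has the same gap, and `getHttpContextWriteable`'s semantics are not visible in this hunk, so the exact assertion depends on that fixture.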
@@ -398,9 +398,9 @@ let ifAuthenticatedInRole (roles : string seq) (handleOk : HttpHandler) : HttpHandler = authenticate authScheme (fun authenticateResult ctx -> - let isInRole = Seq.exists authenticateResult.Principal.IsInRole roles - match authenticateResult.Succeeded, isInRole with - | true, true -> + let isInRole = authenticateResult.Succeeded && Seq.exists authenticateResult.Principal.IsInRole roles + match isInRole with + | true -> handleOk ctx | _ -> ctx.ForbidAsync()) diff --git a/test/Falco.Tests/RequestTests.fs b/test/Falco.Tests/RequestTests.fs index 9fdf630..dbfdc81 100644 --- a/test/Falco.Tests/RequestTests.fs +++ b/test/Falco.Tests/RequestTests.fs @@ -509,7 +509,7 @@ let ``Request.ifAuthenticatedInRole should block users not in role`` () = } [] -let ``UniqueTestNameGuid: 2ba53dd9-ba2b-4bd0-8009-f7fa34cabd03; Request.ifAuthenticatedInRole should block non-authenticated users`` () = +let ``Request.ifAuthenticatedInRole should block non-authenticated users`` () = let ctx = getHttpContextWriteable false let mutable visited = false From 224bf2414c9ed988b5c13fb6e2779a7236f16337 Mon Sep 17 00:00:00 2001 From: Benjamin Krug Date: Thu, 11 Jun 2026 15:09:18 -0400 Subject: [PATCH 3/3] Add success-case test --- test/Falco.Tests/RequestTests.fs | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/test/Falco.Tests/RequestTests.fs b/test/Falco.Tests/RequestTests.fs index dbfdc81..b6479c2 100644 --- a/test/Falco.Tests/RequestTests.fs +++ b/test/Falco.Tests/RequestTests.fs @@ -464,7 +464,7 @@ let ``Request.ifAuthenticated should allow authenticated users`` () = [] -let ``Request.ifNotAuthenticated should block non-authenticated users`` () = +let ``Request.ifNotAuthenticated should block authenticated users`` () = let ctx = getHttpContextWriteable false let mutable visited = false 
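Review bot: The new `isInRole` binding is correct only because `&&` short-circuits before `authenticateResult.Principal.IsInRole` is evaluated (`Principal` is null on a failed `AuthenticateResult`, which is the null reference the commit message refers to), and nothing in the hunk says so; a later refactor that hoists the role lookup into its own `let` or evaluates both operands reintroduces the crash. Add a comment over that line, e.g. `// Principal is null when authentication failed: Succeeded must be tested first so the role check short-circuits`. The remaining `match isInRole with | true -> … | _ ->` is a match on a single bool and reads more naturally as `if isInRole then handleOk ctx else ctx.ForbidAsync()`, which also drops the now-redundant wildcard arm. Separately, with this change an unauthenticated caller and an authenticated caller lacking the role both receive `ForbidAsync` (403); if the sibling `ifAuthenticated` helper challenges unauthenticated users instead, consider `ChallengeAsync` for the `not Succeeded` case so the two helpers agree, though that helper is not visible here. The function's header, including the `authScheme` parameter the body uses, starts above the hunk.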
@@ -493,6 +493,28 @@ let ``Request.ifAuthenticatedInRole should allow users in correct role`` () = visited |> should equal true } +[] +let ``Request.ifAuthenticatedInRole should allow users who have one of the required roles, but not all`` () = + let ctx = getHttpContextWriteable true + + let mutable visited = false + + let handle : HttpHandler = fun ctx -> + visited <- true + Response.ofEmpty ctx + + task { + let roleTheUserHas = Common.AuthRoles[0]; + let acceptableRoles = + seq { + "roleTheUserDoesNotHave"; + roleTheUserHas; + "anotherRoleTheUserDoeNotHave"; + } + do! Request.ifAuthenticatedInRole AuthScheme acceptableRoles handle ctx + visited |> should equal true + } + [] let ``Request.ifAuthenticatedInRole should block users not in role`` () = let ctx = getHttpContextWriteable true @@ -521,4 +543,4 @@ let ``Request.ifAuthenticatedInRole should block non-authenticated users`` () = task { do! Request.ifAuthenticatedInRole AuthScheme ["admin2"] handle ctx visited |> should equal false - } + } \ No newline at end of file
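Review bot: The role literal `"anotherRoleTheUserDoeNotHave"` in the new test has a typo (`Doe` for `Does`); it is harmless at runtime but will confuse anyone reading a failure message, so rename it `"anotherRoleTheUserDoesNotHave"`. The trailing semicolons in `let roleTheUserHas = Common.AuthRoles[0];` and after each element inside the multi-line `seq { … }` are not needed in F# when elements sit on their own lines, and the surrounding tests in this file do not use them. This test is the only place that pins down that `roles` is an any-of list rather than all-of, so a one-line comment above the `seq`, e.g. `// roles is an OR list: holding any one of them is enough`, would keep that intent readable if the long test name is ever shortened.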