So far I've been able to isolate that it appears related to the HttpContext.User property when a new instance of the FormsAuthenticationService is instantiated. The User is never of type SmartStorePrincipal even after I've logged in. If I cache the SignIn to a static SmartStorePrincipal and then set that on the FormsAuthenticationService constructor (highly insecure I know - this is just for testing) then it works:
    private static SmartStorePrincipal _cachedPrincipal; // TESTING PURPOSES ONLY

    public FormsAuthenticationService(HttpContextBase httpContext, ICustomerService customerService,
        CustomerSettings customerSettings)
    {
        _httpContext = httpContext;
        _httpContext.User = _cachedPrincipal; // TESTING PURPOSES ONLY
        _customerService = customerService;
        _customerSettings = customerSettings;
        _expirationTimeSpan = FormsAuthentication.Timeout;
    }

    public virtual void SignIn(Customer customer, bool createPersistentCookie)
    {
        ...
        _httpContext.Response.Cookies.Add(cookie);
        // TESTING PURPOSES ONLY
        _cachedPrincipal = new SmartStorePrincipal(customer, Net.WebApi.HmacAuthentication.Scheme1);
        _cachedCustomer = customer;
    }
Everything works normally in production and my test domain. Since the IAuthenticationService is mapped as InstancePerRequest, what can cause the HttpContext.User property to NOT be the authenticated user after a SignIn (as that appears to be the problem)?
The other thing I've noticed is that every time the WebWorkContext is created, even if I've logged in and there is a valid authentication ticket in the cookies, the CurrentCustomer always returns the guest customer; specifically, the line customer = _authenticationService.GetAuthenticatedCustomer(); never returns the logged-in user.