public bool TryAuthorize(RavenBaseApiController controller, out HttpResponseMessage msg)
{
var requestUrl = controller.GetRequestUrl();
if (NeverSecret.IsNeverSecretUrl(requestUrl))
{
msg = controller.GetEmptyMessage();
return true;
}
//CORS pre-flight (ignore creds if using cors).
if (!String.IsNullOrEmpty(Settings.AccessControlAllowOrigin) && controller.InnerRequest.Method.Method == "OPTIONS")
{
msg = controller.GetEmptyMessage();
return true;
}
var oneTimeToken = controller.GetHeader("Single-Use-Auth-Token");
if (string.IsNullOrEmpty(oneTimeToken) == false)
{
return TryAuthorizeSingleUseAuthToken(controller, oneTimeToken, out msg);
}
var authHeader = controller.GetHeader("Authorization");
var hasApiKey = "True".Equals(controller.GetHeader("Has-Api-Key"), StringComparison.CurrentCultureIgnoreCase);
var hasOAuthTokenInCookie = controller.HasCookie("OAuth-Token");
if (hasApiKey || hasOAuthTokenInCookie ||
string.IsNullOrEmpty(authHeader) == false && authHeader.StartsWith("Bearer "))
{
return oAuthRequestAuthorizer.TryAuthorize(controller, hasApiKey, IgnoreDb.Urls.Contains(requestUrl), out msg);
}
return windowsRequestAuthorizer.TryAuthorize(controller, IgnoreDb.Urls.Contains(requestUrl), out msg);
}
// Cross-Origin Resource Sharing (CORS) is documented here: http://www.w3.org/TR/cors/
public void AddAccessControlHeaders(RavenBaseApiController controller, HttpResponseMessage msg)
{
var accessControlAllowOrigin = landlord.SystemConfiguration.AccessControlAllowOrigin;
if (accessControlAllowOrigin.Count == 0)
{
return;
}
var originHeader = controller.GetHeader("Origin");
if (originHeader == null || originHeader.Contains(controller.InnerRequest.Headers.Host))
{
return; // no need
}
bool originAllowed = accessControlAllowOrigin.Contains("*") ||
accessControlAllowOrigin.Contains(originHeader);
if (originAllowed)
{
controller.AddHeader("Access-Control-Allow-Origin", originHeader, msg);
}
if (controller.InnerRequest.Method.Method != "OPTIONS")
{
return;
}
controller.AddHeader("Access-Control-Allow-Credentials", "true", msg);
controller.AddHeader("Access-Control-Max-Age", landlord.SystemConfiguration.AccessControlMaxAge, msg);
controller.AddHeader("Access-Control-Allow-Methods", landlord.SystemConfiguration.AccessControlAllowMethods, msg);
if (string.IsNullOrEmpty(landlord.SystemConfiguration.AccessControlRequestHeaders))
{
// allow whatever headers are being requested
var hdr = controller.GetHeader("Access-Control-Request-Headers"); // typically: "x-requested-with"
if (hdr != null)
{
controller.AddHeader("Access-Control-Allow-Headers", hdr, msg);
}
}
else
{
controller.AddHeader("Access-Control-Request-Headers", landlord.SystemConfiguration.AccessControlRequestHeaders, msg);
}
}
public bool TryAuthorize(RavenBaseApiController controller, out HttpResponseMessage msg)
{
var requestUrl = controller.GetRequestUrl();
if (NeverSecret.IsNeverSecretUrl(requestUrl))
{
msg = controller.GetEmptyMessage();
return(true);
}
//CORS pre-flight (ignore creds if using cors).
if (Settings.AccessControlAllowOrigin.Count > 0 && controller.InnerRequest.Method.Method == "OPTIONS")
{
msg = controller.GetEmptyMessage();
return(true);
}
var oneTimeToken = controller.GetHeader("Single-Use-Auth-Token");
if (string.IsNullOrEmpty(oneTimeToken))
{
oneTimeToken = controller.GetQueryStringValue("singleUseAuthToken");
}
if (string.IsNullOrEmpty(oneTimeToken) == false)
{
return(TryAuthorizeSingleUseAuthToken(controller, oneTimeToken, out msg));
}
var authHeader = controller.GetHeader("Authorization");
var hasApiKey = "True".Equals(controller.GetHeader("Has-Api-Key"), StringComparison.CurrentCultureIgnoreCase);
var hasOAuthTokenInCookie = controller.HasCookie("OAuth-Token");
if (hasApiKey || hasOAuthTokenInCookie ||
string.IsNullOrEmpty(authHeader) == false && authHeader.StartsWith("Bearer "))
{
return(oAuthRequestAuthorizer.TryAuthorize(controller, hasApiKey, IgnoreDb.Urls.Contains(requestUrl), out msg));
}
return(windowsRequestAuthorizer.TryAuthorize(controller, IgnoreDb.Urls.Contains(requestUrl), out msg));
}
public IPrincipal GetUser(RavenBaseApiController controller)
{
if (controller.WasAlreadyAuthorizedUsingSingleAuthToken)
{
return(controller.User);
}
var hasApiKey = "True".Equals(controller.GetQueryStringValue("Has-Api-Key"), StringComparison.CurrentCultureIgnoreCase);
var authHeader = controller.GetHeader("Authorization");
var hasOAuthTokenInCookie = controller.HasCookie("OAuth-Token");
if (hasApiKey || hasOAuthTokenInCookie ||
string.IsNullOrEmpty(authHeader) == false && authHeader.StartsWith("Bearer "))
{
return(oAuthRequestAuthorizer.GetUser(controller, hasApiKey));
}
return(windowsRequestAuthorizer.GetUser(controller));
}
static string GetToken(RavenBaseApiController controller)
{
const string bearerPrefix = "Bearer ";
var auth = controller.GetHeader("Authorization");
if (auth == null)
{
auth = controller.GetCookie("OAuth-Token");
if (auth != null)
{
auth = Uri.UnescapeDataString(auth);
}
}
if (auth == null || auth.Length <= bearerPrefix.Length ||
!auth.StartsWith(bearerPrefix, StringComparison.OrdinalIgnoreCase))
{
return(null);
}
var token = auth.Substring(bearerPrefix.Length, auth.Length - bearerPrefix.Length);
return(token);
}
// Cross-Origin Resource Sharing (CORS) is documented here: http://www.w3.org/TR/cors/
public void AddAccessControlHeaders(RavenBaseApiController controller, HttpResponseMessage msg)
{
var accessControlAllowOrigin = landlord.SystemConfiguration.AccessControlAllowOrigin;
if (accessControlAllowOrigin.Count == 0)
return;
var originHeader = controller.GetHeader("Origin");
if (originHeader == null || originHeader.Contains(controller.InnerRequest.Headers.Host))
return; // no need
bool originAllowed = accessControlAllowOrigin.Contains("*") ||
accessControlAllowOrigin.Contains(originHeader);
if (originAllowed)
{
controller.AddHeader("Access-Control-Allow-Origin", originHeader, msg);
}
if (controller.InnerRequest.Method.Method != "OPTIONS")
return;
controller.AddHeader("Access-Control-Allow-Credentials", "true", msg);
controller.AddHeader("Access-Control-Max-Age", landlord.SystemConfiguration.AccessControlMaxAge, msg);
controller.AddHeader("Access-Control-Allow-Methods", landlord.SystemConfiguration.AccessControlAllowMethods, msg);
if (string.IsNullOrEmpty(landlord.SystemConfiguration.AccessControlRequestHeaders))
{
// allow whatever headers are being requested
var hdr = controller.GetHeader("Access-Control-Request-Headers"); // typically: "x-requested-with"
if (hdr != null)
controller.AddHeader("Access-Control-Allow-Headers", hdr, msg);
}
else
{
controller.AddHeader("Access-Control-Request-Headers", landlord.SystemConfiguration.AccessControlRequestHeaders, msg);
}
}
static string GetToken(RavenBaseApiController controller)
{
const string bearerPrefix = "Bearer ";
var auth = controller.GetHeader("Authorization");
if (auth == null)
{
auth = controller.GetCookie("OAuth-Token");
if (auth != null)
auth = Uri.UnescapeDataString(auth);
}
if (auth == null || auth.Length <= bearerPrefix.Length ||
!auth.StartsWith(bearerPrefix, StringComparison.OrdinalIgnoreCase))
return null;
var token = auth.Substring(bearerPrefix.Length, auth.Length - bearerPrefix.Length);
return token;
}
// Cross-Origin Resource Sharing (CORS) is documented here: http://www.w3.org/TR/cors/
public void AddAccessControlHeaders(RavenBaseApiController controller, HttpResponseMessage msg)
{
if (string.IsNullOrEmpty(landlord.SystemConfiguration.AccessControlAllowOrigin))
return;
controller.AddHeader("Access-Control-Allow-Credentials", "true", msg);
bool originAllowed = landlord.SystemConfiguration.AccessControlAllowOrigin == "*" ||
landlord.SystemConfiguration.AccessControlAllowOrigin.Split(' ')
.Any(o => o == controller.GetHeader("Origin"));
if (originAllowed)
{
controller.AddHeader("Access-Control-Allow-Origin", controller.GetHeader("Origin"), msg);
}
controller.AddHeader("Access-Control-Max-Age", landlord.SystemConfiguration.AccessControlMaxAge, msg);
controller.AddHeader("Access-Control-Allow-Methods", landlord.SystemConfiguration.AccessControlAllowMethods, msg);
if (string.IsNullOrEmpty(landlord.SystemConfiguration.AccessControlRequestHeaders))
{
// allow whatever headers are being requested
var hdr = controller.GetHeader("Access-Control-Request-Headers"); // typically: "x-requested-with"
if (hdr != null)
controller.AddHeader("Access-Control-Allow-Headers", hdr, msg);
}
else
{
controller.AddHeader("Access-Control-Request-Headers", landlord.SystemConfiguration.AccessControlRequestHeaders, msg);
}
}
