private static bool IsResponsePayloadValid(string responseString, ResponseSecurityTokenPayload authorizationPayload)
        {
            // Recompute the hash of the raw response body and compare it with the hash carried in the
            // (already signature-validated) token; a mismatch means the body changed after it was signed.
            var hashMatches = SecurityTokenAPI.ValidatePayloadHash(
                RuntimeSettingsProvider.Instance,
                responseString,
                authorizationPayload.ResponseHash);

            if (hashMatches)
            {
                return true;
            }

            // Logged rather than thrown: callers treat this as "response rejected", not as a fault.
            OSTrace.Error("Response hash doesn't match the response. Response may have been tampered with.");
            return false;
        }
        protected HttpWebRequest BuildServiceAPIMethodRequest(HeContext context, string sapimName, object inputs)
        {
            // Resolve where the producer module is deployed and build the Service API endpoint URL from it.
            var zone = DeploymentZoneResolution.ByModuleKey(ProducerModuleKey);
            var scheme = zone.EnableHttps ? "https" : "http";
            var endpoint = $"{scheme}://{zone.Address}/{ProducerModuleName}/serviceapi/{UrlEncode(sapimName)}";

            // Body: a request key (reuses the current request tracer's key when one exists, otherwise a
            // fresh GUID) plus the input parameters converted to JSON.
            var payload = new CoreServicesApiController.Payload.RequestPayload
            {
                RequestKey = RuntimePlatformUtils.GetRequestTracer()?.RequestKey ?? Guid.NewGuid().ToString(),
                InputParameters = JObject.FromObject(inputs),
            };
            var serializedPayload = JsonConvert.SerializeObject(payload, Formatting.None);

            // The token binds consumer/producer module keys, the session's user and tenant, a hash of the
            // exact body being sent, and a lifetime; the producer uses it to reject altered or replayed bodies.
            var token = SecurityTokenAPI.GenerateJWTTokenString(
                settingsProvider: RuntimeSettingsProvider.Instance,
                consumerModuleKey: ObjectKeyUtils.DatabaseValue(ConsumerModuleKey),
                producerModuleKey: ObjectKeyUtils.DatabaseValue(ProducerModuleKey),
                userId: context.Session.UserId,
                tenantId: context.Session.TenantId,
                requestHash: SecurityTokenAPI.GeneratePayloadHash(RuntimeSettingsProvider.Instance, serializedPayload),
                requestLifetime: RuntimePlatformSettings.ServiceAPIs.RequestLifetime.GetValue());

            // Insertion order is the order the headers are applied to the request below.
            var headers = new Dictionary<string, string>
            {
                { "User-Agent", "OutSystemsPlatform" },
                { "Content-Type", "application/json" },
                { "Content-Language", context.CurrentLocale },
                { AuthorizationHeaderKey, AuthorizationTokenType + token },
            };

            var request = (HttpWebRequest)WebRequest.Create(endpoint);
            request.Method = "POST";
            // HttpWebRequest.Timeout is in milliseconds; the setting is in seconds.
            request.Timeout = DefaultTimeoutInSeconds * 1000;

            foreach (var header in headers)
            {
                SetRequestHeader(request, header.Key, header.Value);
            }

            // The body must be the exact bytes that were hashed into the token, so it is written from the
            // same serialized string. GetRequestStream() commits the headers, so all of them are set above.
            var body = Encoding.UTF8.GetBytes(serializedPayload);
            using (var requestStream = request.GetRequestStream())
            {
                requestStream.Write(body, 0, body.Length);
            }

            return request;
        }
        private IHttpActionResult GetResponseResultWithAuthentication(string value, HttpStatusCode statusCode, RequestSecurityTokenPayload authorizationPayload)
        {
            // The response token echoes the consumer/producer keys taken from the validated request token
            // and carries a hash of the body, so the consumer can detect a response altered in transit.
            var responseToken = GenerateJWTTokenString(
                settingsProvider: RuntimeSettingsProvider.Instance,
                consumerModuleKey: authorizationPayload.ConsumerKey,
                producerModuleKey: authorizationPayload.ProducerKey,
                responseHash: SecurityTokenAPI.GeneratePayloadHash(RuntimeSettingsProvider.Instance, value),
                requestLifetime: RuntimePlatformSettings.ServiceAPIs.RequestLifetime.GetValue());

            // The body is sent as the exact string that was hashed above.
            var mediaType = RestServiceHttpUtils.GetCurrentResponseContentType("application/json").MediaType;
            var response = new HttpResponseMessage(statusCode)
            {
                Content = new StringContent(value, Encoding.UTF8, mediaType),
            };
            response.Headers.Add($"{AuthorizationPayloadKey}", $"Bearer {responseToken}");

            return ResponseMessage(response);
        }
        protected bool IsRequestValid(string requestString, string producerEspaceKey, out RequestSecurityTokenPayload payload)
        {
            // Only the credential part of the Authorization header is used; the scheme is not inspected
            // here, so rejecting anything that is not a properly signed token is left to GetValidatedToken.
            var authorization = Request.Headers.Authorization;
            if (authorization?.Parameter == null)
            {
                OSTrace.Error("Authorization header is null or badly formed.");
                payload = null;
                return false;
            }

            // Signature/expiry validation happens inside GetValidatedToken; null means the token was rejected.
            payload = SecurityTokenAPI.GetValidatedToken<RequestSecurityTokenPayload>(RuntimeSettingsProvider.Instance, authorization.Parameter);
            if (payload == null)
            {
                return false;
            }

            // The token must have been issued for this producer and must match the body actually received.
            return ValidateProducerKey(payload.ProducerKey, producerEspaceKey)
                && IsRequestPayloadValid(requestString, payload);
        }
        protected bool IsResponseValid(HttpWebResponse response, string responseString)
        {
            var authorizationHeader = response.Headers[AuthorizationHeaderKey];
            if (authorizationHeader == null)
            {
                OSTrace.Error("Authorization header is null");
                return false;
            }

            // Strip the token-type prefix (when present) so only the raw token reaches validation.
            var rawToken = authorizationHeader.RemoveIfStartsWith(AuthorizationTokenType);

            // Signature/expiry validation happens inside GetValidatedToken; null means the token was rejected.
            var payload = SecurityTokenAPI.GetValidatedToken<ResponseSecurityTokenPayload>(RuntimeSettingsProvider.Instance, rawToken);
            if (payload == null)
            {
                return false;
            }

            // Identity check first, then the body-hash check; short-circuits on the first failure.
            return ValidateConsumerAndProducerKeys(payload.ConsumerKey, payload.ProducerKey)
                && IsResponsePayloadValid(responseString, payload);
        }