/// <summary>
/// Checks that <paramref name="responseString"/> matches the hash the producer signed into the
/// response token, i.e. that the body was not altered between producer and consumer.
/// </summary>
/// <param name="responseString">Raw response body exactly as received.</param>
/// <param name="authorizationPayload">Already-validated response token payload carrying the expected body hash.</param>
/// <returns>True when the recomputed hash matches <c>authorizationPayload.ResponseHash</c>; false (after logging) otherwise.</returns>
private static bool IsResponsePayloadValid(string responseString, ResponseSecurityTokenPayload authorizationPayload)
{
    // NOTE(review): assumes ValidatePayloadHash compares the two hashes in constant time — verify in SecurityTokenAPI.
    bool hashMatches = SecurityTokenAPI.ValidatePayloadHash(
        RuntimeSettingsProvider.Instance,
        responseString,
        authorizationPayload.ResponseHash);

    if (hashMatches)
    {
        return true;
    }

    // A mismatch is a tamper signal, not a transient error: log it and reject the body.
    OSTrace.Error("Response hash doesn't match the response. Response may have been tampered with.");
    return false;
}
/// <summary>
/// Builds the outbound Service API call to <paramref name="sapimName"/> on the producer module:
/// resolves the endpoint from the producer's deployment zone, serializes <paramref name="inputs"/>
/// into the request payload, mints a JWT that binds consumer/producer keys, the session's user and
/// tenant, a hash of the payload and a lifetime, then writes the body to the request stream.
/// </summary>
/// <param name="context">Current request context; supplies the locale and the session's user/tenant ids.</param>
/// <param name="sapimName">Service API method name; URL-encoded into the path.</param>
/// <param name="inputs">Input parameters object, serialized to JSON as <c>InputParameters</c>.</param>
/// <returns>A POST <see cref="HttpWebRequest"/> with headers and body already written; the caller sends it.</returns>
protected HttpWebRequest BuildServiceAPIMethodRequest(HeContext context, string sapimName, object inputs)
{
    var zone = DeploymentZoneResolution.ByModuleKey(ProducerModuleKey);

    // NOTE(review): when the zone has EnableHttps == false the bearer token and the payload travel over
    // plain HTTP. The payload hash and RequestLifetime bound tampering/replay but give no confidentiality
    // — confirm production zones enforce HTTPS.
    var scheme = zone.EnableHttps ? "https" : "http";
    // sapimName is URL-encoded; ProducerModuleName is interpolated as-is (presumably a platform-controlled identifier).
    var endpoint = $"{scheme}://{zone.Address}/{ProducerModuleName}/serviceapi/{UrlEncode(sapimName)}";

    var payload = new CoreServicesApiController.Payload.RequestPayload();
    // Reuse the tracer's request key when one exists so producer-side logs correlate; otherwise mint a fresh one.
    payload.RequestKey = RuntimePlatformUtils.GetRequestTracer()?.RequestKey ?? Guid.NewGuid().ToString();
    payload.InputParameters = JObject.FromObject(inputs);
    string body = JsonConvert.SerializeObject(payload, Formatting.None);

    // The request hash is computed over the exact serialized string written to the stream below;
    // any later change to `body` would break the producer's integrity check.
    var token = SecurityTokenAPI.GenerateJWTTokenString(
        settingsProvider: RuntimeSettingsProvider.Instance,
        consumerModuleKey: ObjectKeyUtils.DatabaseValue(ConsumerModuleKey),
        producerModuleKey: ObjectKeyUtils.DatabaseValue(ProducerModuleKey),
        userId: context.Session.UserId,
        tenantId: context.Session.TenantId,
        requestHash: SecurityTokenAPI.GeneratePayloadHash(RuntimeSettingsProvider.Instance, body),
        requestLifetime: RuntimePlatformSettings.ServiceAPIs.RequestLifetime.GetValue());

    var headers = new Dictionary<string, string>
    {
        { "User-Agent", "OutSystemsPlatform" },
        { "Content-Type", "application/json" },
        { "Content-Language", context.CurrentLocale },
        { AuthorizationHeaderKey, AuthorizationTokenType + token },
    };

    var request = (HttpWebRequest)HttpWebRequest.Create(endpoint);
    request.Method = "POST";
    request.Timeout = DefaultTimeoutInSeconds * 1000; // Timeout is in milliseconds

    // Headers are applied before the request stream is opened; HttpWebRequest does not accept
    // header changes once the body is being written.
    foreach (var header in headers)
    {
        SetRequestHeader(request, header.Key, header.Value);
    }

    using (Stream requestStream = request.GetRequestStream())
    {
        var bytes = Encoding.UTF8.GetBytes(body);
        requestStream.Write(bytes, 0, bytes.Length);
    }

    return request;
}
/// <summary>
/// Wraps <paramref name="value"/> in an HTTP response and attaches a signed response token so the
/// consumer can verify that the body it receives is the one this producer emitted.
/// </summary>
/// <param name="value">Serialized response body.</param>
/// <param name="statusCode">HTTP status to return.</param>
/// <param name="authorizationPayload">Validated request token; its consumer/producer keys are echoed into the response token.</param>
/// <returns>An action result carrying the body, the negotiated content type and the <c>Bearer</c> response token header.</returns>
private IHttpActionResult GetResponseResultWithAuthentication(string value, HttpStatusCode statusCode, RequestSecurityTokenPayload authorizationPayload)
{
    // The hash covers the exact string placed into the content below.
    string bodyHash = SecurityTokenAPI.GeneratePayloadHash(RuntimeSettingsProvider.Instance, value);

    // NOTE(review): the response token carries the consumer/producer keys, the body hash and a lifetime,
    // but nothing visible here ties it to the originating request (its RequestKey or request hash). Within
    // RequestLifetime a captured response could therefore be substituted for another response to the same
    // module pair — confirm GenerateJWTTokenString does not add that binding internally.
    var responseToken = GenerateJWTTokenString(
        settingsProvider: RuntimeSettingsProvider.Instance,
        consumerModuleKey: authorizationPayload.ConsumerKey,
        producerModuleKey: authorizationPayload.ProducerKey,
        responseHash: bodyHash,
        requestLifetime: RuntimePlatformSettings.ServiceAPIs.RequestLifetime.GetValue());

    var mediaType = RestServiceHttpUtils.GetCurrentResponseContentType("application/json").MediaType;

    var message = new HttpResponseMessage(statusCode)
    {
        Content = new StringContent(value, Encoding.UTF8, mediaType)
    };
    // The "Bearer " prefix is a literal here while the consumer strips its own AuthorizationTokenType
    // constant — the two must stay in sync or the consumer's token validation fails.
    message.Headers.Add($"{AuthorizationPayloadKey}", $"Bearer {responseToken}");

    return this.ResponseMessage(message);
}
/// <summary>
/// Validates an inbound Service API request: the bearer token must be present and verify, it must
/// have been minted for this producer, and its request hash must match <paramref name="requestString"/>.
/// </summary>
/// <param name="requestString">Raw request body, hashed and compared against the token's request hash.</param>
/// <param name="producerEspaceKey">Key of the module handling the request; compared with the token's producer key.</param>
/// <param name="payload">Decoded token payload. It is populated as soon as the token itself verifies,
/// even when the subsequent producer-key or hash check fails — callers must act on the return value,
/// not on a non-null payload.</param>
/// <returns>True only when all checks pass; false (logged where a header is missing) otherwise.</returns>
protected bool IsRequestValid(string requestString, string producerEspaceKey, out RequestSecurityTokenPayload payload)
{
    payload = null;

    var authorization = Request.Headers.Authorization;
    if (authorization == null || authorization.Parameter == null)
    {
        OSTrace.Error("Authorization header is null or badly formed.");
        return false;
    }

    // GetValidatedToken presumably verifies signature and lifetime and returns null on any failure.
    // NOTE(review): authorization.Scheme is not compared against the expected token type — confirm
    // this is intentional.
    payload = SecurityTokenAPI.GetValidatedToken<RequestSecurityTokenPayload>(RuntimeSettingsProvider.Instance, authorization.Parameter);
    if (payload == null)
    {
        return false;
    }

    // Producer binding first, then body integrity; the short-circuit keeps the hash off the path for misrouted tokens.
    bool boundToThisProducer = ValidateProducerKey(payload.ProducerKey, producerEspaceKey);
    return boundToThisProducer && IsRequestPayloadValid(requestString, payload);
}
/// <summary>
/// Validates a Service API response on the consumer side: the producer's token header must be present
/// and verify, its consumer/producer keys must match this consumer's expectations, and the body must
/// match the hash signed into the token.
/// </summary>
/// <param name="response">The HTTP response received from the producer.</param>
/// <param name="responseString">Raw response body as read from <paramref name="response"/>.</param>
/// <returns>True only when every check passes; false otherwise (a missing header is logged).</returns>
protected bool IsResponseValid(HttpWebResponse response, string responseString)
{
    var headerValue = response.Headers[AuthorizationHeaderKey];
    if (headerValue == null)
    {
        OSTrace.Error("Authorization header is null");
        return false;
    }

    // Strip the scheme prefix; if it is absent the whole header value is handed to token validation,
    // which is expected to reject it.
    var rawToken = headerValue.RemoveIfStartsWith(AuthorizationTokenType);
    var payload = SecurityTokenAPI.GetValidatedToken<ResponseSecurityTokenPayload>(RuntimeSettingsProvider.Instance, rawToken);
    if (payload == null)
    {
        return false;
    }

    // Key binding first, body hash second (same short-circuit order as the original).
    if (!ValidateConsumerAndProducerKeys(payload.ConsumerKey, payload.ProducerKey))
    {
        return false;
    }

    return IsResponsePayloadValid(responseString, payload);
}