public AntiForgeryData(AntiForgeryData token)
{
CreationDate = token.CreationDate;
Salt = token.Salt;
Username = token.Username;
Value = token.Value;
}
public AntiForgeryData(AntiForgeryData token)
{
CreationDate = token.CreationDate;
Salt = token.Salt;
Username = token.Username;
Value = token.Value;
}
public static HtmlTag AntiForgeryToken(this IFubuPage page, string salt, string path, string domain)
{
var antiForgeryService = page.Get <IAntiForgeryService>();
AntiForgeryData cookieToken = antiForgeryService.SetCookieToken(path, domain);
FormToken formToken = antiForgeryService.GetFormToken(cookieToken, salt);
return(new HiddenTag().Name(formToken.Name).Value(formToken.TokenString));
}
public virtual string Serialize(AntiForgeryData token)
{
using (var stream = new MemoryStream())
using (var writer = new BinaryWriter(stream))
{
writer.Write(token.Salt);
writer.Write(token.Value);
writer.Write(token.CreationDate.Ticks);
writer.Write(token.Username);
return _encoder.Encode(stream.ToArray());
}
}
public virtual string Serialize(AntiForgeryData token)
{
using (var stream = new MemoryStream())
using (var writer = new BinaryWriter(stream))
{
writer.Write(token.Salt);
writer.Write(token.Value);
writer.Write(token.CreationDate.Ticks);
writer.Write(token.Username);
return(_encoder.Encode(stream.ToArray()));
}
}
public FormToken GetFormToken(AntiForgeryData token, string salt)
{
var formToken = new AntiForgeryData(token)
{
Salt = salt,
Username = AntiForgeryData.GetUsername(_securityContext.CurrentUser)
};
string tokenString = _serializer.Serialize(formToken);
return(new FormToken
{
Name = _tokenProvider.GetTokenName(),
TokenString = tokenString
});
}
public FormToken GetFormToken(AntiForgeryData token, string salt)
{
var formToken = new AntiForgeryData(token)
{
Salt = salt,
Username = AntiForgeryData.GetUsername(_securityContext.CurrentUser)
};
string tokenString = _serializer.Serialize(formToken);
return new FormToken
{
Name = _tokenProvider.GetTokenName(),
TokenString = tokenString
};
}
public bool Validate(string salt)
{
var applicationPath = _fubuApplicationFiles.RootPath;
var fieldName = _tokenProvider.GetTokenName();
var cookieName = _tokenProvider.GetTokenName(applicationPath);
var cookie = _cookies.Get(cookieName);
if (cookie == null || string.IsNullOrEmpty(cookie.Value))
{
return(false);
}
var cookieToken = _serializer.Deserialize(HttpUtility.UrlDecode(cookie.Value));
var formValue = _requestData.ValuesFor(RequestDataSource.Header).Get(fieldName) as string
??
_requestData.ValuesFor(RequestDataSource.Request).Get(fieldName) as string;
if (formValue.IsEmpty())
{
return(false);
}
var formToken = _serializer.Deserialize(formValue);
if (!string.Equals(cookieToken.Value, formToken.Value, StringComparison.Ordinal))
{
return(false);
}
var currentUsername = AntiForgeryData.GetUsername(Thread.CurrentPrincipal);
if (!string.Equals(formToken.Username, currentUsername, StringComparison.OrdinalIgnoreCase))
{
return(false);
}
if (!string.Equals(salt ?? string.Empty, formToken.Salt, StringComparison.Ordinal))
{
return(false);
}
return(true);
}
public bool Validate(string salt)
{
var cookies = (HttpCookieCollection)_requestData.Value("Cookies");
var applicationPath = (string)_requestData.Value("ApplicationPath");
var form = (NameValueCollection)_requestData.Value("Form");
string fieldName = _tokenProvider.GetTokenName();
string cookieName = _tokenProvider.GetTokenName(applicationPath);
HttpCookie cookie = cookies[cookieName];
if (cookie == null || string.IsNullOrEmpty(cookie.Value))
{
return(false);
}
AntiForgeryData cookieToken = _serializer.Deserialize(cookie.Value);
string formValue = form[fieldName];
if (string.IsNullOrEmpty(formValue))
{
return(false);
}
AntiForgeryData formToken = _serializer.Deserialize(formValue);
if (!string.Equals(cookieToken.Value, formToken.Value, StringComparison.Ordinal))
{
return(false);
}
string currentUsername = AntiForgeryData.GetUsername(_securityContext.CurrentUser);
if (!string.Equals(formToken.Username, currentUsername, StringComparison.OrdinalIgnoreCase))
{
return(false);
}
if (!string.Equals(salt ?? string.Empty, formToken.Salt, StringComparison.Ordinal))
{
return(false);
}
return(true);
}
public AntiForgeryData SetCookieToken(string path, string domain)
{
var applicationPath = (string)_requestData.Value("ApplicationPath");
AntiForgeryData token = GetCookieToken();
string name = _tokenProvider.GetTokenName(applicationPath);
string cookieValue = _serializer.Serialize(token);
var newCookie = new HttpCookie(name, cookieValue)
{
HttpOnly = true, Domain = domain
};
if (!string.IsNullOrEmpty(path))
{
newCookie.Path = path;
}
_outputWriter.AppendCookie(newCookie);
return(token);
}
public AntiForgeryData SetCookieToken(string path, string domain)
{
var applicationPath = _fubuApplicationFiles.RootPath;
AntiForgeryData token = GetCookieToken();
string name = _tokenProvider.GetTokenName(applicationPath);
string cookieValue = _serializer.Serialize(token);
var newCookie = new Cookie(name, HttpUtility.UrlEncode(cookieValue))
{
HttpOnly = true, Domain = domain
};
if (!string.IsNullOrEmpty(path))
{
newCookie.Path = path;
}
_outputWriter.AppendCookie(newCookie);
return(token);
}
public AntiForgeryData GetCookieToken()
{
var applicationPath = _fubuApplicationFiles.RootPath;
string name = _tokenProvider.GetTokenName(applicationPath);
Cookie cookie = _cookies.Get(name);
AntiForgeryData cookieToken = null;
if (cookie != null)
{
try
{
cookieToken = _serializer.Deserialize(HttpUtility.UrlDecode(cookie.Value));
}
catch (FubuException)
{
// TODO -- log this. Need a generic tracing mechanism
}
}
return(cookieToken ?? _tokenProvider.GenerateToken());
}
public AntiForgeryData GetCookieToken()
{
var cookies = (HttpCookieCollection)_requestData.Value("Cookies");
var applicationPath = (string)_requestData.Value("ApplicationPath");
string name = _tokenProvider.GetTokenName(applicationPath);
HttpCookie cookie = cookies[name];
AntiForgeryData cookieToken = null;
if (cookie != null)
{
try
{
cookieToken = _serializer.Deserialize(cookie.Value);
}
catch (FubuException)
{
//TODO: Log this?
}
}
return(cookieToken ?? _tokenProvider.GenerateToken());
}