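/// <summary>
/// Checks the signature header of <paramref name="request"/> against the value derived from
/// <paramref name="accessToken"/>. The algorithm is defined in spec:
/// Hex_encoded(HMAC_SHA256(access-key, connection-id)).
/// </summary>
/// <param name="request">Request carrying the signature header and the connection-id header.</param>
/// <param name="accessToken">Access key used as the HMAC key; a null or empty key never validates.</param>
/// <returns>
/// <c>true</c> when the <c>_validateSignature</c> flag is off, or when one of the presented signatures equals
/// the expected value; otherwise <c>false</c>.
/// </returns>
public bool ValidateSignature(HttpRequestMessage request, string accessToken)
{
    if (!_validateSignature)
    {
        // With the flag off every request is accepted without looking at its headers.
        return true;
    }

    if (string.IsNullOrEmpty(accessToken) ||
        !request.Headers.TryGetValues(Constants.AsrsSignature, out var values))
    {
        return false;
    }

    var signatures = SignalRTriggerUtils.GetSignatureList(values.FirstOrDefault());
    if (signatures == null)
    {
        return false;
    }

    // Fail closed when the connection-id header is absent: GetValues(...) would throw on a request that
    // carries a signature header but no connection id, turning a malformed request into an unhandled error.
    if (!request.Headers.TryGetValues(Constants.AsrsConnectionIdHeader, out var connectionIds))
    {
        return false;
    }

    var connectionId = connectionIds.FirstOrDefault();
    if (connectionId == null)
    {
        return false;
    }

    string expected;
    using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(accessToken)))
    {
        var hashBytes = hmac.ComputeHash(Encoding.UTF8.GetBytes(connectionId));

        // Normalised to lower case once so the comparison below only has to fold the presented value.
        expected = "sha256=" + BitConverter.ToString(hashBytes).Replace("-", "").ToLowerInvariant();
    }

    // Every presented signature is compared, and each comparison inspects every character, so the time
    // taken does not depend on how much of a presented value matches the expected MAC.
    var matched = false;
    foreach (var candidate in signatures)
    {
        matched |= FixedTimeEqualsIgnoreAsciiCase(expected, candidate);
    }

    return matched;

    // Case-insensitive (ASCII letters only) equality without an early exit on the first differing
    // character. The length check may return early: the expected length is fixed and not secret.
    bool FixedTimeEqualsIgnoreAsciiCase(string expectedLower, string candidate)
    {
        if (candidate == null || candidate.Length != expectedLower.Length)
        {
            return false;
        }

        var difference = 0;
        for (var i = 0; i < expectedLower.Length; i++)
        {
            var c = candidate[i];
            if (c >= 'A' && c <= 'Z')
            {
                c = (char)(c | 0x20);
            }

            difference |= expectedLower[i] ^ c;
        }

        return difference == 0;
    }
}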
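/// <summary>
/// Checks the signature header of <paramref name="request"/> against each of <paramref name="accessKeys"/>
/// in turn. The algorithm is defined in spec: Hex_encoded(HMAC_SHA256(access-key, connection-id)).
/// </summary>
/// <param name="request">Request carrying the signature header and the connection-id header.</param>
/// <param name="accessKeys">Candidate keys; the request is accepted as soon as one of them matches.</param>
/// <returns>
/// <c>true</c> when the <c>_validateSignature</c> flag is off, when an <c>AadAccessKey</c> is encountered,
/// or when a presented signature equals the value expected for one of the keys; otherwise <c>false</c>.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="accessKeys"/> is null.</exception>
public bool ValidateSignature(HttpRequestMessage request, AccessKey[] accessKeys)
{
    if (!_validateSignature)
    {
        // With the flag off every request is accepted without looking at its headers.
        return true;
    }

    if (accessKeys is null)
    {
        throw new ArgumentNullException(nameof(accessKeys));
    }

    foreach (var accessKey in accessKeys)
    {
        if (accessKey is null)
        {
            // A null slot cannot validate anything; skip it instead of dereferencing it.
            continue;
        }

        // Skip validation for aad access key.
        // NOTE(review): reaching an AadAccessKey accepts the request without reading the signature
        // header at all, even if earlier keys failed to match. Authenticity of such requests has to be
        // established by another control — confirm which one.
        if (accessKey is AadAccessKey)
        {
            return true;
        }

        var accessToken = accessKey.Value;
        if (string.IsNullOrEmpty(accessToken) ||
            !request.Headers.TryGetValues(Constants.AsrsSignature, out var values))
        {
            continue;
        }

        var signatures = SignalRTriggerUtils.GetSignatureList(values.FirstOrDefault());
        if (signatures == null)
        {
            continue;
        }

        // Fail closed when the connection-id header is absent: GetValues(...) would throw on a request
        // that carries a signature header but no connection id.
        if (!request.Headers.TryGetValues(Constants.AsrsConnectionIdHeader, out var connectionIds))
        {
            continue;
        }

        var connectionId = connectionIds.FirstOrDefault();
        if (connectionId == null)
        {
            continue;
        }

        string expected;
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(accessToken)))
        {
            var hashBytes = hmac.ComputeHash(Encoding.UTF8.GetBytes(connectionId));

            // Normalised to lower case once so the comparison below only has to fold the presented value.
            expected = "sha256=" + BitConverter.ToString(hashBytes).Replace("-", "").ToLowerInvariant();
        }

        // Every presented signature is compared, and each comparison inspects every character, so the
        // time taken does not depend on how much of a presented value matches the expected MAC.
        var matched = false;
        foreach (var candidate in signatures)
        {
            matched |= FixedTimeEqualsIgnoreAsciiCase(expected, candidate);
        }

        if (matched)
        {
            return true;
        }
    }

    return false;

    // Case-insensitive (ASCII letters only) equality without an early exit on the first differing
    // character. The length check may return early: the expected length is fixed and not secret.
    bool FixedTimeEqualsIgnoreAsciiCase(string expectedLower, string candidate)
    {
        if (candidate == null || candidate.Length != expectedLower.Length)
        {
            return false;
        }

        var difference = 0;
        for (var i = 0; i < expectedLower.Length; i++)
        {
            var c = candidate[i];
            if (c >= 'A' && c <= 'Z')
            {
                c = (char)(c | 0x20);
            }

            difference |= expectedLower[i] ^ c;
        }

        return difference == 0;
    }
}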