/// <summary>
/// Forwards a password-change request to the authentication server and hands its reply
/// back to the browser unchanged.
/// </summary>
/// <param name="id">Account identifier, passed through as-is.</param>
/// <param name="old">Current password.</param>
/// <param name="pwd">New password.</param>
/// <param name="pwd2">Confirmation of the new password. This action does not compare it with
/// <paramref name="pwd"/>; that check is left to the server endpoint.</param>
/// <returns>The server's response body as raw content. NOTE(review): it is returned without any
/// escaping or explicit content type — confirm the API never echoes caller-supplied input.</returns>
public ActionResult ChangePassword(string id, string old, string pwd, string pwd2)
        {
            var form = new Dictionary<string, string>
            {
                [nameof(id)]   = id,
                [nameof(old)]  = old,
                [nameof(pwd)]  = pwd,
                [nameof(pwd2)] = pwd2
            };
            string reply = AuthernUtil.CallServerApi("/Api/ChangePassword", form);
            return Content(reply);
        }
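        /// <summary>
        /// Authorization filter: lets public actions through and, for everything else, makes sure the
        /// caller has an identity. When nobody is signed in it drives the external login round-trip:
        /// issue a token, send the browser to the login server, then validate the token/ticket pair
        /// the server calls back with.
        /// </summary>
        /// <param name="filterContext">The MVC action context. <see cref="ActionExecutingContext.Result"/>
        /// is set (short-circuiting the action) whenever the browser must be sent to the login server.</param>
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // Somebody is already signed in: nothing to do.
            if (Common.CurrentUser != null)
            {
                return;
            }
            // Public actions need no identity.
            if (Code == AuthCodeEnum.Public)
            {
                return;
            }

            var   request = filterContext.HttpContext.Request;
            var   session = filterContext.HttpContext.Session;
            Cache cache   = HttpContext.Current.Cache;

            string reqToken = request["Token"];
            string ticket   = request["Ticket"];

            // A plain page load (no token/ticket pair from the login callback) invalidates any pending token.
            if (string.IsNullOrEmpty(reqToken) || string.IsNullOrEmpty(ticket))
            {
                cache.Remove(ConstantHelper.TOKEN_KEY);
            }

            // NOTE(review): the pending token lives under ONE cache key shared by every visitor, so two
            // concurrent logins overwrite each other's token and the loser is bounced back to the login
            // server. Keying the entry per client (or by the token value itself) would fix this — confirm
            // nothing else relies on ConstantHelper.TOKEN_KEY before changing it.
            // `as` instead of a hard cast: an unexpected cached object now restarts the flow rather than throwing.
            TokenModel tokenModel = cache.Get(ConstantHelper.TOKEN_KEY) as TokenModel;

            // Missing token, unknown/mismatched token, or missing ticket: (re)start the login flow.
            if (string.IsNullOrEmpty(reqToken) || tokenModel == null || tokenModel.Token != reqToken ||
                string.IsNullOrEmpty(ticket))
            {
                ChallengeForLogin(filterContext, cache);
                return;
            }

            LoginService service  = new LoginService();
            var          userinfo = service.GetUserInfo(ticket);
            // The token is consumed either way: one callback per token.
            cache.Remove(ConstantHelper.TOKEN_KEY);

            // The ticket did not resolve to a user: do NOT let the action run on this request with an
            // empty identity — the original stored the null and fell through to the action. Restart the
            // login flow instead. (Assumes GetUserInfo returns null for a bad ticket; if it throws, this
            // check is simply never reached.)
            if (userinfo == null)
            {
                ChallengeForLogin(filterContext, cache);
                return;
            }
            session[ConstantHelper.USER_SESSION_KEY] = userinfo;
        }

        /// <summary>
        /// Issues a fresh login token, caches it for 20 minutes (absolute expiry; it is removed explicitly
        /// once the callback is validated) and replaces the action result with the script that sends the
        /// browser to the login server, which calls back with a ticket.
        /// </summary>
        /// <param name="filterContext">Action context whose Result is replaced.</param>
        /// <param name="cache">Application cache holding the pending token.</param>
        private void ChallengeForLogin(ActionExecutingContext filterContext, Cache cache)
        {
            DateTime timestamp = DateTime.Now;
            string   returnUrl = filterContext.HttpContext.Request.Url.AbsoluteUri;
            var tokenModel = new TokenModel
            {
                TimeStamp = timestamp,
                Token     = AuthernUtil.CreateToken(timestamp)
            };
            // Insert, not Add: Cache.Add silently keeps an existing entry, so when a mismatched callback
            // forced a new challenge the stale token stayed cached and the freshly issued one could never
            // validate until the 20 minutes ran out.
            cache.Insert(ConstantHelper.TOKEN_KEY, tokenModel, null, DateTime.Now.AddMinutes(20), Cache.NoSlidingExpiration, CacheItemPriority.Default, null);
            filterContext.Result = new ContentResult
            {
                Content = GetAuthernScript(AuthernUtil.GetAutherUrl(tokenModel.Token, timestamp), returnUrl)
            };
        }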
 /// <summary>
 /// Signs the current user out locally and at the login server, returning the server's
 /// logout response as raw content.
 /// </summary>
 /// <returns>The body produced by <c>LoginService.Logout</c>. The post-logout destination is
 /// hard-coded here; NOTE(review): if it should come from configuration, that is a separate change.</returns>
 public ActionResult LogOut()
 {
     // Drop local state first, then notify the identity provider.
     AuthernUtil.Logout();
     const string postLogoutUrl = "http://www.baidu.com";
     string body = LoginService.Logout(postLogoutUrl);
     return Content(body);
 }
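 /// <summary>
 /// Checks that <paramref name="token"/> equals the token this server derives for <paramref name="timestamp"/>.
 /// </summary>
 /// <param name="token">Token presented by the caller (untrusted).</param>
 /// <param name="timestamp">Timestamp the token was supposedly issued for. It is caller-supplied and this
 /// method does NOT bound its age — NOTE(review): unless the caller checks freshness, any previously issued
 /// (timestamp, token) pair verifies forever.</param>
 /// <returns><c>true</c> when the recomputed token matches exactly; two <c>null</c>s also match, as they
 /// did with the previous <c>==</c> comparison.</returns>
 public bool AuthernVertify(string token, DateTime timestamp)
 {
     // Fixed-time comparison: a plain == returns at the first differing character, so a caller who can
     // submit many guesses could learn the expected token one character at a time from response timing.
     return FixedTimeEquals(AuthernUtil.CreateToken(timestamp), token);
 }

 /// <summary>
 /// Ordinal string equality whose running time depends only on the length of <paramref name="expected"/>,
 /// never on where the first mismatch is. Hand-rolled because CryptographicOperations.FixedTimeEquals is
 /// not available on .NET Framework, which this System.Web-based code appears to target.
 /// </summary>
 /// <param name="expected">The server-side value.</param>
 /// <param name="actual">The caller-supplied value.</param>
 /// <returns><c>true</c> only when both are <c>null</c> or both have identical characters.</returns>
 private static bool FixedTimeEquals(string expected, string actual)
 {
     if (expected == null || actual == null)
     {
         return expected == actual;
     }
     if (expected.Length == 0 || actual.Length == 0)
     {
         return expected.Length == actual.Length;
     }
     // Seed with the length difference so unequal lengths can never compare equal, then OR in every
     // character difference without an early exit. Indexing `actual` modulo its length keeps the loop
     // bound fixed to expected.Length.
     int diff = expected.Length ^ actual.Length;
     for (int i = 0; i < expected.Length; i++)
     {
         diff |= expected[i] ^ actual[i % actual.Length];
     }
     return diff == 0;
 }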
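 /// <summary>
 /// Checks that <paramref name="token"/> equals the token this server derives for <paramref name="timestamp"/>.
 /// </summary>
 /// <param name="token">Token presented by the caller (untrusted).</param>
 /// <param name="timestamp">Timestamp the token was supposedly issued for. It is caller-supplied and this
 /// method does NOT bound its age — NOTE(review): unless the caller checks freshness, any previously issued
 /// (timestamp, token) pair verifies forever.</param>
 /// <returns><c>true</c> when the recomputed token matches exactly; two <c>null</c>s also match, as they
 /// did with the previous <c>==</c> comparison.</returns>
 // Fixed-time comparison: a plain == returns at the first differing character, which lets a caller who
 // can submit many guesses learn the expected token character by character from response timing.
 public static bool AuthernVertify(string token, DateTime timestamp) => FixedTimeEquals(AuthernUtil.CreateToken(timestamp), token);

 /// <summary>
 /// Ordinal string equality whose running time depends only on the length of <paramref name="expected"/>,
 /// never on where the first mismatch is. Hand-rolled because CryptographicOperations.FixedTimeEquals is
 /// not available on .NET Framework, which this System.Web-based code appears to target.
 /// </summary>
 /// <param name="expected">The server-side value.</param>
 /// <param name="actual">The caller-supplied value.</param>
 /// <returns><c>true</c> only when both are <c>null</c> or both have identical characters.</returns>
 private static bool FixedTimeEquals(string expected, string actual)
 {
     if (expected == null || actual == null)
     {
         return expected == actual;
     }
     if (expected.Length == 0 || actual.Length == 0)
     {
         return expected.Length == actual.Length;
     }
     // Seed with the length difference so unequal lengths can never compare equal, then OR in every
     // character difference without an early exit. Indexing `actual` modulo its length keeps the loop
     // bound fixed to expected.Length.
     int diff = expected.Length ^ actual.Length;
     for (int i = 0; i < expected.Length; i++)
     {
         diff |= expected[i] ^ actual[i % actual.Length];
     }
     return diff == 0;
 }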
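 /// <summary>
 /// Authorization filter with two modes selected by <c>Code</c>:
 /// <list type="bullet">
 /// <item><c>Login</c> — the caller must have an identity; otherwise the external login round-trip is
 /// run (issue token → send browser to login server → validate the returned ticket).</item>
 /// <item><c>HashCheck</c> — the request must carry a <c>time</c>/<c>hash</c> pair forming a signed URL
 /// (<c>hash</c> = MD5(<c>time</c> + salt)) that is at most 12 hours old.</item>
 /// </list>
 /// Actions carrying <see cref="AllowAnonymousAttribute"/> are let through untouched.
 /// </summary>
 /// <param name="filterContext">The MVC action context. <see cref="ActionExecutingContext.Result"/> is set
 /// (short-circuiting the action) when the request is rejected or redirected to login.</param>
 public override void OnActionExecuting(ActionExecutingContext filterContext)
 {
     // Only an action-level [AllowAnonymous] is honoured (controller-level ones are not) — unchanged behaviour.
     if (filterContext.ActionDescriptor.GetCustomAttributes(typeof(AllowAnonymousAttribute), true).Length > 0)
     {
         filterContext.HttpContext.SkipAuthorization = true;
         return;
     }
     if (Code is AuthCodeEnum.Login)
     {
         EnsureLoggedIn(filterContext);
     }
     else if (Code is AuthCodeEnum.HashCheck)
     {
         CheckSignedUrl(filterContext);
     }
 }

 /// <summary>
 /// Login mode: when nobody is signed in, either validate the token/ticket pair coming back from the
 /// login server and store the user in the session, or send the browser to the login server.
 /// </summary>
 /// <param name="filterContext">Action context; its Result is replaced when a login redirect is needed.</param>
 private void EnsureLoggedIn(ActionExecutingContext filterContext)
 {
     if (AuthernUtil.CurrentUser != null)
     {
         return;
     }
     var   request = filterContext.HttpContext.Request;
     var   session = filterContext.HttpContext.Session;
     Cache cache   = HttpContext.Current.Cache;

     string reqToken = request["token"];
     // The ticket may arrive as a request value or in the Authorization header.
     string ticket   = request["ticket"] ?? request.Headers["Authorization"];

     // A plain page load (no token/ticket pair from the callback) invalidates any pending token.
     if (string.IsNullOrEmpty(reqToken) || string.IsNullOrEmpty(ticket))
     {
         cache.Remove(Constants.TOKEN_KEY);
     }

     // NOTE(review): the pending token lives under ONE cache key shared by every visitor, so two concurrent
     // logins overwrite each other's token and the loser is bounced back to the login server. Keying the
     // entry per client (or by the token value) would fix this — confirm nothing else relies on
     // Constants.TOKEN_KEY first.
     // `as` instead of a hard cast: an unexpected cached object restarts the flow rather than throwing.
     TokenModel tokenModel = cache.Get(Constants.TOKEN_KEY) as TokenModel;

     // Missing token, unknown/mismatched token, or missing ticket: (re)start the login flow.
     if (string.IsNullOrEmpty(reqToken) || tokenModel == null || tokenModel.Token != reqToken || string.IsNullOrEmpty(ticket))
     {
         ChallengeForLogin(filterContext, cache);
         return;
     }

     var userinfo = LoginService.GetUserInfo(ticket);
     // The token is consumed either way: one callback per token.
     cache.Remove(Constants.TOKEN_KEY);

     // The ticket did not resolve to a user: do NOT let the action run on this request with an empty
     // identity — the original stored the null and fell through to the action. Restart the login flow.
     // (Assumes GetUserInfo returns null for a bad ticket; if it throws, this check is never reached.)
     if (userinfo == null)
     {
         ChallengeForLogin(filterContext, cache);
         return;
     }
     session.SetByRedis(userinfo, Constants.USER_SESSION_KEY);
 }

 /// <summary>
 /// Issues a fresh login token, caches it for 20 minutes (absolute expiry; removed explicitly once the
 /// callback is validated) and replaces the action result with the script that sends the browser to the
 /// login server.
 /// </summary>
 /// <param name="filterContext">Action context whose Result is replaced.</param>
 /// <param name="cache">Application cache holding the pending token.</param>
 private void ChallengeForLogin(ActionExecutingContext filterContext, Cache cache)
 {
     DateTime timestamp = DateTime.Now;
     string   returnUrl = filterContext.HttpContext.Request.Url.AbsoluteUri;
     var tokenModel = new TokenModel {
         TimeStamp = timestamp, Token = AuthernUtil.CreateToken(timestamp)
     };
     // Insert, not Add: Cache.Add silently keeps an existing entry, so when a mismatched callback forced a
     // new challenge the stale token stayed cached and the freshly issued one could never validate.
     cache.Insert(Constants.TOKEN_KEY, tokenModel, null, DateTime.Now.AddMinutes(20), Cache.NoSlidingExpiration, CacheItemPriority.Default, null);
     filterContext.Result = new ContentResult {
         Content = GetAuthernScript(AuthernUtil.GetAuthorityUrl(tokenModel.Token, timestamp), returnUrl)
     };
 }

 /// <summary>
 /// HashCheck mode: the request must carry <c>time</c> (seconds since the epoch, as produced by
 /// <c>GetTotalSeconds</c>) and <c>hash</c> = MD5(<c>time</c> + salt); the URL is accepted only within
 /// 12 hours of <c>time</c>. Any failure replaces the action with a JSON error; success lets it run.
 /// </summary>
 /// <param name="filterContext">Action context; its Result is replaced on rejection.</param>
 private void CheckSignedUrl(ActionExecutingContext filterContext)
 {
     var  sec   = DateTime.Now.GetTotalSeconds(); // current time in the same unit the issuer used
     bool isGet = string.Equals(filterContext.RequestContext.HttpContext.Request.HttpMethod, "get", StringComparison.OrdinalIgnoreCase);
     // GET: read the query string; otherwise the model-binding value provider (form/body).
     // `?.` on GetValue: it returns null when the key is absent, which previously threw
     // NullReferenceException on a POST missing the parameter instead of the "incomplete" response below.
     string time = isGet ? filterContext.HttpContext.Request["time"] ?? String.Empty : filterContext.Controller.ValueProvider.GetValue("time")?.AttemptedValue;
     string hash = isGet ? filterContext.HttpContext.Request["hash"] ?? String.Empty : filterContext.Controller.ValueProvider.GetValue("hash")?.AttemptedValue;

     if (string.IsNullOrEmpty(time) || string.IsNullOrEmpty(hash))
     {
         filterContext.Result = RejectJson("URL参数不完整!");
         return;
     }
     // Parse explicitly and culture-independently; a non-integer timestamp is rejected outright rather
     // than being coerced to some default value.
     if (!long.TryParse(time, System.Globalization.NumberStyles.Integer, System.Globalization.CultureInfo.InvariantCulture, out long issued))
     {
         filterContext.Result = RejectJson("URL无效!");
         return;
     }
     // NOTE(review): only "too old" is rejected; a `time` in the future is accepted and then stays valid
     // for 12 hours beyond it. Whether to cap clock skew depends on how issuers choose `time`.
     if (sec - issued > 43200)
     {
         filterContext.Result = RejectJson("该URL已经失效!");
         return;
     }
     // NOTE(review): when `encryptSalt` is not configured the salt falls back to a value anyone with this
     // library can reproduce, which makes every signed URL forgeable. Consider failing closed instead.
     string salt  = ConfigurationManager.AppSettings["encryptSalt"] ?? "masuit".DesEncrypt();
     string hash2 = (time + salt).MDString();
     // Case-insensitive as before (hex digests are ASCII, so upper-casing both sides is equivalent to the
     // previous InvariantCultureIgnoreCase compare) and fixed-time, so response timing cannot leak the
     // expected digest character by character.
     if (!FixedTimeEquals(hash2.ToUpperInvariant(), hash.ToUpperInvariant()))
     {
         filterContext.Result = RejectJson("URL无效!");
     }
     // Otherwise the URL is valid: let the action run.
 }

 /// <summary>Builds the JSON failure payload for a rejected signed URL (GET allowed, UTF-8 JSON).</summary>
 /// <param name="message">User-facing reason.</param>
 private static JsonResult RejectJson(string message)
 {
     return new JsonResult()
     {
         Data = new { Success = false, Message = message },
         JsonRequestBehavior = JsonRequestBehavior.AllowGet,
         ContentEncoding = Encoding.UTF8,
         ContentType = "application/json"
     };
 }

 /// <summary>
 /// Ordinal string equality whose running time depends only on the length of <paramref name="expected"/>,
 /// never on where the first mismatch is. Hand-rolled because CryptographicOperations.FixedTimeEquals is
 /// not available on .NET Framework, which this System.Web-based code appears to target.
 /// </summary>
 /// <param name="expected">The server-side value.</param>
 /// <param name="actual">The caller-supplied value.</param>
 /// <returns><c>true</c> only when both are <c>null</c> or both have identical characters.</returns>
 private static bool FixedTimeEquals(string expected, string actual)
 {
     if (expected == null || actual == null)
     {
         return expected == actual;
     }
     if (expected.Length == 0 || actual.Length == 0)
     {
         return expected.Length == actual.Length;
     }
     // Seed with the length difference so unequal lengths can never compare equal, then OR in every
     // character difference without an early exit.
     int diff = expected.Length ^ actual.Length;
     for (int i = 0; i < expected.Length; i++)
     {
         diff |= expected[i] ^ actual[i % actual.Length];
     }
     return diff == 0;
 }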