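        /// <summary>
        /// Authenticates a request that carries a "Basic" Authorization header together with a
        /// "CustomerGuid" header: the Basic token is validated, the customer is looked up by the
        /// supplied GUID, the permission check runs, and finally the token's user name must match
        /// that customer's e-mail.
        /// </summary>
        /// <param name="actionContext">Web API context whose request headers are inspected.</param>
        /// <param name="dependencyScope">Scope handed to the customer lookup and permission check.</param>
        /// <param name="controllingData">Cached control flags; only <c>ApiUnavailable</c> is consulted here.</param>
        /// <param name="utcNow">Current UTC time. Not used by this implementation; part of the overridable signature.</param>
        /// <param name="customer">
        /// Receives the customer resolved from the GUID header as soon as the lookup succeeds — also
        /// when a later check still fails. Remains <c>null</c> until that point.
        /// </param>
        /// <returns>An <see cref="HmacResult"/> describing why authentication succeeded or failed.</returns>
        protected virtual HmacResult IsAuthenticated(
            HttpActionContext actionContext,
            IDependencyScope dependencyScope,
            WebApiControllingCacheData controllingData,
            DateTime utcNow,
            out Customer customer)
        {
            customer = null;

            // HttpContext.Current is null outside of an ASP.NET request; dereferencing .Request
            // on it would throw before the null check could ever run.
            var httpContext = HttpContext.Current;
            if (httpContext == null || httpContext.Request == null)
            {
                return HmacResult.FailedForUnknownReason;
            }

            if (controllingData.ApiUnavailable)
            {
                return HmacResult.ApiUnavailable;
            }

            // Header names are matched case-insensitively by HttpRequestHeaders; one constant keeps
            // Contains() and GetValues() visibly in sync.
            const string customerGuidHeader = "CustomerGuid";
            var headers = actionContext.Request.Headers;
            var authorization = headers.Authorization;

            // Ordinal comparison: CompareTo() is culture-sensitive and must not decide whether a
            // scheme is accepted.
            if (authorization == null
                || authorization.Scheme.IsEmpty()
                || authorization.Parameter.IsEmpty()
                || !string.Equals(authorization.Scheme, "Basic", StringComparison.Ordinal)
                || !headers.Contains(customerGuidHeader))
            {
                return HmacResult.InvalidAuthorizationHeader;
            }

            string tokenUsername = ValidateToken(authorization.Parameter);
            if (tokenUsername == null)
            {
                return HmacResult.UserUnknown;
            }

            string customerGuid = headers.GetValues(customerGuidHeader).FirstOrDefault();
            if (customerGuid == null)
            {
                return HmacResult.UserUnknown;
            }

            customer = GetCustomerByGuId(dependencyScope, customerGuid);
            if (customer == null)
            {
                return HmacResult.UserUnknown;
            }

            if (!HasPermission(dependencyScope, customer))
            {
                return HmacResult.UserHasNoPermission;
            }

            // The client-supplied GUID only selects the customer; the validated token must still
            // name that customer's e-mail. The static Equals is null-safe for a customer without e-mail.
            return string.Equals(customer.Email, tokenUsername, StringComparison.Ordinal)
                ? HmacResult.Success
                : HmacResult.UserUnknown;
        }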
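        /// <summary>
        /// Authenticates an HMAC-signed request. Checks run in this order: API availability,
        /// public-key header, Authorization header, timestamp parsing and freshness window, API-user
        /// lookup and enabled state, replay check against the user's last request timestamp,
        /// optional Content-MD5 check, signature check (retried without the MD5 when
        /// <c>AllowEmptyMd5Hash</c> is set), then the customer's state and permission.
        /// </summary>
        /// <param name="actionContext">Web API context of the request being authenticated.</param>
        /// <param name="now">Reference time the request's timestamp header is compared against.</param>
        /// <param name="cacheControllingData">Cached control flags: availability, validity window, MD5 and timestamp-validation options.</param>
        /// <param name="customer">Receives the API user's customer once it has been looked up; <c>null</c> before that point.</param>
        /// <returns>An <see cref="HmacResult"/> describing the outcome.</returns>
        protected virtual HmacResult IsAuthenticated(HttpActionContext actionContext, DateTime now, WebApiControllingCacheData cacheControllingData, out Customer customer)
        {
            customer = null;

            // HttpContext.Current is null outside of an ASP.NET request; dereferencing .Request on
            // it would throw before the null check could ever run.
            var httpContext = HttpContext.Current;
            if (httpContext == null || httpContext.Request == null)
            {
                return HmacResult.FailedForUnknownReason;
            }
            var request = httpContext.Request;

            if (cacheControllingData.ApiUnavailable)
            {
                return HmacResult.ApiUnavailable;
            }

            // Both spellings of the MD5 header are accepted.
            string headContentMd5 = request.Headers["Content-Md5"] ?? request.Headers["Content-MD5"];
            string headTimestamp  = request.Headers[WebApiGlobal.Header.Date];
            string headPublicKey  = request.Headers[WebApiGlobal.Header.PublicKey];

            if (string.IsNullOrWhiteSpace(headPublicKey))
            {
                return HmacResult.UserInvalid;
            }

            // A request without any Authorization header must be rejected, not crash on a null Scheme.
            var authorization = actionContext.Request.Headers.Authorization;
            if (authorization == null)
            {
                return HmacResult.InvalidAuthorizationHeader;
            }

            string scheme            = authorization.Scheme;
            string signatureConsumer = authorization.Parameter;

            if (!_hmac.IsAuthorizationHeaderValid(scheme, signatureConsumer))
            {
                return HmacResult.InvalidAuthorizationHeader;
            }

            DateTime headDateTime;
            if (!_hmac.ParseTimestamp(headTimestamp, out headDateTime))
            {
                return HmacResult.InvalidTimestamp;
            }

            // A non-positive configured window falls back to the global default.
            int maxMinutes = cacheControllingData.ValidMinutePeriod <= 0
                ? WebApiGlobal.DefaultTimePeriodMinutes
                : cacheControllingData.ValidMinutePeriod;

            if (Math.Abs((headDateTime - now).TotalMinutes) > maxMinutes)
            {
                return HmacResult.TimestampOutOfPeriod;
            }

            var cacheUserData = WebApiCachingUserData.Data();
            var apiUser = cacheUserData.FirstOrDefault(x => x.PublicKey == headPublicKey);
            if (apiUser == null)
            {
                return HmacResult.UserUnknown;
            }

            if (!apiUser.Enabled)
            {
                return HmacResult.UserDisabled;
            }

            // Replay protection: each request's timestamp must be strictly newer than the
            // previous one, unless the operator has switched this validation off.
            if (!cacheControllingData.NoRequestTimestampValidation
                && apiUser.LastRequest.HasValue
                && headDateTime <= apiUser.LastRequest.Value)
            {
                return HmacResult.TimestampOlderThanLastRequest;
            }

            var context = new WebApiRequestContext
            {
                HttpMethod     = request.HttpMethod,
                HttpAcceptType = request.Headers["Accept"],
                PublicKey      = headPublicKey,
                SecretKey      = apiUser.SecretKey,
                // The URL is part of the signed message; lower-casing must not depend on the
                // server's current culture or the client's and server's signatures diverge.
                Url            = HttpUtility.UrlDecode(request.Url.AbsoluteUri.ToLowerInvariant())
            };

            string contentMd5 = CreateContentMd5Hash(actionContext.Request);

            // Only checked when the client sent one; an absent header is tolerated here.
            if (headContentMd5.HasValue() && headContentMd5 != contentMd5)
            {
                return HmacResult.ContentMd5NotMatching;
            }

            string messageRepresentation = _hmac.CreateMessageRepresentation(context, contentMd5, headTimestamp);
            if (string.IsNullOrEmpty(messageRepresentation))
            {
                return HmacResult.MissingMessageRepresentationParameter;
            }

            string signatureProvider = _hmac.CreateSignature(apiUser.SecretKey, messageRepresentation);

            if (!SignaturesMatch(signatureProvider, signatureConsumer))
            {
                if (!cacheControllingData.AllowEmptyMd5Hash)
                {
                    return HmacResult.InvalidSignature;
                }

                // Second chance for clients that signed without a content hash.
                messageRepresentation = _hmac.CreateMessageRepresentation(context, null, headTimestamp);
                signatureProvider = _hmac.CreateSignature(apiUser.SecretKey, messageRepresentation);

                if (!SignaturesMatch(signatureProvider, signatureConsumer))
                {
                    return HmacResult.InvalidSignature;
                }
            }

            customer = GetCustomer(apiUser.CustomerId);
            if (customer == null)
            {
                return HmacResult.UserUnknown;
            }

            if (!customer.Active || customer.Deleted)
            {
                return HmacResult.UserIsInactive;
            }

            if (!HasPermission(actionContext, customer))
            {
                return HmacResult.UserHasNoPermission;
            }

            // Remember the request's own timestamp (not the server clock) so that the replay check
            // above keeps working for clients whose clock lags the server's.
            apiUser.LastRequest = headDateTime;

            return HmacResult.Success;
        }

        /// <summary>
        /// Compares the signature computed on the server with the one the client sent, without
        /// returning early at the first differing character, so the response time does not reveal
        /// how much of the expected signature matched. A <c>null</c> on either side is a mismatch.
        /// </summary>
        /// <param name="expected">Signature computed from the shared secret.</param>
        /// <param name="actual">Signature taken from the request's Authorization header.</param>
        /// <returns><c>true</c> only when both strings are non-null and identical.</returns>
        private static bool SignaturesMatch(string expected, string actual)
        {
            if (expected == null || actual == null)
            {
                return false;
            }

            // Length difference is folded in rather than returned early, for the same reason.
            int difference = expected.Length ^ actual.Length;
            int length = Math.Min(expected.Length, actual.Length);
            for (int i = 0; i < length; i++)
            {
                difference |= expected[i] ^ actual[i];
            }

            return difference == 0;
        }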
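        /// <summary>
        /// Authenticates an HMAC-signed request. Checks run in this order: API availability,
        /// public-key header, Authorization header, timestamp parsing and freshness window, API-user
        /// lookup and enabled state, replay check against the user's last request timestamp,
        /// optional Content-MD5 check, signature check, then customer lookup and permission.
        /// </summary>
        /// <param name="actionContext">Web API context of the request being authenticated.</param>
        /// <param name="now">Reference time the request's timestamp header is compared against.</param>
        /// <param name="cacheControllingData">Cached control flags: availability and validity window.</param>
        /// <param name="customer">Receives the API user's customer once it has been looked up; <c>null</c> before that point.</param>
        /// <returns>An <see cref="HmacResult"/> describing the outcome.</returns>
        protected virtual HmacResult IsAuthenticated(HttpActionContext actionContext, DateTime now, WebApiControllingCacheData cacheControllingData, out Customer customer)
        {
            customer = null;

            // HttpContext.Current is null outside of an ASP.NET request; dereferencing .Request on
            // it would throw before the null check could ever run.
            var httpContext = HttpContext.Current;
            if (httpContext == null || httpContext.Request == null)
                return HmacResult.FailedForUnknownReason;
            var request = httpContext.Request;

            if (cacheControllingData.ApiUnavailable)
                return HmacResult.ApiUnavailable;

            // Both spellings of the MD5 header are accepted.
            string headContentMd5 = request.Headers["Content-Md5"] ?? request.Headers["Content-MD5"];
            string headTimestamp = request.Headers[WebApiGlobal.Header.Date];
            string headPublicKey = request.Headers[WebApiGlobal.Header.PublicKey];

            if (string.IsNullOrWhiteSpace(headPublicKey))
                return HmacResult.UserInvalid;

            // A request without any Authorization header must be rejected, not crash on a null Scheme.
            var authorization = actionContext.Request.Headers.Authorization;
            if (authorization == null)
                return HmacResult.InvalidAuthorizationHeader;

            string scheme = authorization.Scheme;
            string signatureConsumer = authorization.Parameter;

            if (!_hmac.IsAuthorizationHeaderValid(scheme, signatureConsumer))
                return HmacResult.InvalidAuthorizationHeader;

            DateTime headDateTime;
            if (!_hmac.ParseTimestamp(headTimestamp, out headDateTime))
                return HmacResult.InvalidTimestamp;

            // A non-positive configured window falls back to the global default.
            int maxMinutes = cacheControllingData.ValidMinutePeriod <= 0
                ? WebApiGlobal.DefaultTimePeriodMinutes
                : cacheControllingData.ValidMinutePeriod;

            if (Math.Abs((headDateTime - now).TotalMinutes) > maxMinutes)
                return HmacResult.TimestampOutOfPeriod;

            var cacheUserData = WebApiCaching.UserData();

            var apiUser = cacheUserData.FirstOrDefault(x => x.PublicKey == headPublicKey);
            if (apiUser == null)
                return HmacResult.UserUnknown;

            if (!apiUser.Enabled)
                return HmacResult.UserDisabled;

            // Replay protection: each request's timestamp must be strictly newer than the previous one.
            if (apiUser.LastRequest.HasValue && headDateTime <= apiUser.LastRequest.Value)
                return HmacResult.TimestampOlderThanLastRequest;

            var context = new WebApiRequestContext()
            {
                HttpMethod = request.HttpMethod,
                HttpAcceptType = request.Headers["Accept"],
                PublicKey = headPublicKey,
                SecretKey = apiUser.SecretKey,
                // The URL is part of the signed message; lower-casing must not depend on the
                // server's current culture or the client's and server's signatures diverge.
                Url = HttpUtility.UrlDecode(request.Url.AbsoluteUri.ToLowerInvariant())
            };

            string contentMd5 = CreateContentMd5Hash(actionContext.Request);

            // Only checked when the client sent one; an absent header is tolerated here.
            if (headContentMd5.HasValue() && headContentMd5 != contentMd5)
                return HmacResult.ContentMd5NotMatching;

            string messageRepresentation = _hmac.CreateMessageRepresentation(context, contentMd5, headTimestamp);

            if (string.IsNullOrEmpty(messageRepresentation))
                return HmacResult.MissingMessageRepresentationParameter;

            string signatureProvider = _hmac.CreateSignature(apiUser.SecretKey, messageRepresentation);

            // Compare without returning early at the first differing character, so the response
            // time does not reveal how much of the expected signature matched. A null on either
            // side counts as a mismatch.
            bool signatureMatches = signatureProvider != null && signatureConsumer != null;
            if (signatureMatches)
            {
                int difference = signatureProvider.Length ^ signatureConsumer.Length;
                int length = Math.Min(signatureProvider.Length, signatureConsumer.Length);
                for (int i = 0; i < length; i++)
                    difference |= signatureProvider[i] ^ signatureConsumer[i];
                signatureMatches = difference == 0;
            }

            if (!signatureMatches)
                return HmacResult.InvalidSignature;

            customer = GetCustomer(apiUser.CustomerId);
            if (customer == null)
                return HmacResult.UserUnknown;

            if (!HasPermission(actionContext, customer))
                return HmacResult.UserHasNoPermission;

            // Remember the request's own timestamp rather than the server clock: storing `now`
            // rejected the next request of any client whose clock lags the server's, because its
            // header timestamp could not exceed the stored server time until the lag had elapsed.
            // A replayed request still carries a timestamp <= this value and is rejected above.
            apiUser.LastRequest = headDateTime;

            return HmacResult.Success;
        }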