Ejemplo n.º 1
0
        private static UserBE ValidateAuthToken(string authToken, bool impersonationOnly)
        {
            var context  = DekiContext.Current;
            var token    = ParseToken(authToken);
            var instance = context.Instance;

            if (token == null)
            {
                return(null);
            }
            UserBE user;

            if (token.IsImpersonationToken)
            {
                if (ValidateImpersonationToken(context, token))
                {
                    user = string.IsNullOrEmpty(token.Username) ? UserBL.GetUserById(token.UserId) : UserBL.GetUserByName(token.Username);
                    instance.Log.InfoFormat("APIKEY impersonation token provided. Impersonating user '{0}' ({1})", user.Name, user.ID);
                    return(user);
                }
                return(null);
            }

            // only allowing impersonation tokens?
            if (impersonationOnly)
            {
                return(null);
            }

            // check timestamp
            if (token.Timestamp < DateTime.UtcNow.Subtract(instance.AuthCookieExpirationTime) && instance.AuthCookieExpirationTime.TotalSeconds > 0)
            {
                return(null);
            }

            // retrieve associated user object
            user = UserBL.GetUserById(token.UserId);
            if (user == null)
            {
                return(null);
            }

            // TODO Max: Consider logging this as an intrusion attempt.
            return(authToken == CreateAuthTokenForUser(user, token.Timestamp) ? user : null);
        }