private async Task AuthorizeQueryRequest(string accessToken)
{
var authenticationSignature = Request.Headers[ChalkableAuthorization.AuthenticationHeaderName];
if (string.IsNullOrWhiteSpace(authenticationSignature))
throw new ChalkableApiException("Security error. Missing token");
authenticationSignature = authenticationSignature.Replace($"{ChalkableAuthorization.AuthenticationSignature}:", "").Trim();
var identityParams = GetQueryIdentityParams();
await ChalkableAuthorization.AuthorizeQueryRequest(authenticationSignature, identityParams, accessToken);
}
public virtual async Task<ActionResult> Index(string mode, string token, string apiRoot, int? announcementApplicationId,
int? studentId, int? announcementId, int? announcementType, int? attributeId, int? start, int? count, string contentId)
{
if (string.IsNullOrWhiteSpace(apiRoot))
return new EmptyResult();
ChalkableAuthorization = ChalkableAuthorization ?? new ChalkableAuthorization(apiRoot);
if (ChalkableAuthorization.ApiRoot != apiRoot)
ChalkableAuthorization = new ChalkableAuthorization(apiRoot);
var standards = StandardInfo.FromQuery(Request.Params, HttpContext.Server.UrlDecode).ToList();
if (string.IsNullOrWhiteSpace(token))
return new EmptyResult();
if (IsChalkableCallBack(mode))
{
try
{
await AuthorizeQueryRequest(token);
switch (mode)
{
case Settings.CONTENT_QUERY:
return ChlkJsonResult(GetApplicationContents(standards, start, count), true);
case Settings.ANNOUNCEMENT_APPLICATION_SUBMIT:
case Settings.ANNOUNCEMENT_APPLICATION_REMOVE:
HandleChalkableNotification(mode, announcementApplicationId, announcementType);
return ChlkJsonResult(true, true);
default:
throw new Exception($"Unknown mode \"{mode}\"");
}
}
catch (Exception ex)
{
return ChlkExceptionJsonResult(ex);
}
}
await ChalkableAuthorization.AuthorizeAsync(token);
if (string.IsNullOrWhiteSpace(mode))
mode = Settings.MY_VIEW_MODE;
CurrentUser = await GetCurrentUser(mode);
return await ResolveAction(mode, announcementApplicationId, studentId, announcementId, announcementType,
attributeId, StandardInfo.FromQuery(Request.Params, HttpContext.Server.UrlDecode), contentId);
}
public static bool AuthenticateByToken(RequestContext requestContext, IApplicationService appService, out AuthorizationUserInfo authAppInfo, out Application app)
{
authAppInfo = null;
app = null;
var authToken = GetTokenFromAuthorizationHeader(requestContext.HttpContext.Request);
if (string.IsNullOrWhiteSpace(authToken))
{
return(false);
}
TokenAuthenticationInfo info = null;
try
{
var infoJson = Encoding.UTF8.GetString(Convert.FromBase64String(authToken.Trim()));
info = JsonConvert.DeserializeObject <TokenAuthenticationInfo>(infoJson);
}
catch
{
// ignore
}
if (string.IsNullOrWhiteSpace(info?.AppToken))
{
throw new ChalkableSecurityException("Invalid auth token");
}
var ts = ChalkableAuthorization.DateTimeToUnixTimestamp(DateTime.UtcNow.AddMinutes(-5));
if (ts > info.Timestamp)
{
throw new ChalkableSecurityException("Auth token has expired");
}
try
{
var authInfo = EncryptionTools.AesDecrypt(info.AppToken, Chalkable.Common.Settings.AesSecretKey);
authAppInfo = AuthorizationUserInfo.FromString(authInfo);
}
catch (Exception)
{
throw new ChalkableSecurityException("Invalid auth app token");
}
app = appService.GetApplicationById(authAppInfo.ApplicationId);
if (app == null)
{
throw new ChalkableSecurityException("Invalid auth app token");
}
var hash = ChalkableAuthorization.ComputeSignature(requestContext.HttpContext.Request.HttpMethod, requestContext.HttpContext.Request.Url
, requestContext.HttpContext.Request.ContentLength, info.Timestamp, info.AppToken, app.SecretKey);
if (string.CompareOrdinal(hash, info.Signature) != 0)
{
throw new ChalkableSecurityException("Auth token has invalid signature");
}
return(true);
}
