private async Task AuthorizeQueryRequest(string accessToken) { var authenticationSignature = Request.Headers[ChalkableAuthorization.AuthenticationHeaderName]; if (string.IsNullOrWhiteSpace(authenticationSignature)) throw new ChalkableApiException("Security error. Missing token"); authenticationSignature = authenticationSignature.Replace($"{ChalkableAuthorization.AuthenticationSignature}:", "").Trim(); var identityParams = GetQueryIdentityParams(); await ChalkableAuthorization.AuthorizeQueryRequest(authenticationSignature, identityParams, accessToken); }
public virtual async Task<ActionResult> Index(string mode, string token, string apiRoot, int? announcementApplicationId, int? studentId, int? announcementId, int? announcementType, int? attributeId, int? start, int? count, string contentId) { if (string.IsNullOrWhiteSpace(apiRoot)) return new EmptyResult(); ChalkableAuthorization = ChalkableAuthorization ?? new ChalkableAuthorization(apiRoot); if (ChalkableAuthorization.ApiRoot != apiRoot) ChalkableAuthorization = new ChalkableAuthorization(apiRoot); var standards = StandardInfo.FromQuery(Request.Params, HttpContext.Server.UrlDecode).ToList(); if (string.IsNullOrWhiteSpace(token)) return new EmptyResult(); if (IsChalkableCallBack(mode)) { try { await AuthorizeQueryRequest(token); switch (mode) { case Settings.CONTENT_QUERY: return ChlkJsonResult(GetApplicationContents(standards, start, count), true); case Settings.ANNOUNCEMENT_APPLICATION_SUBMIT: case Settings.ANNOUNCEMENT_APPLICATION_REMOVE: HandleChalkableNotification(mode, announcementApplicationId, announcementType); return ChlkJsonResult(true, true); default: throw new Exception($"Unknown mode \"{mode}\""); } } catch (Exception ex) { return ChlkExceptionJsonResult(ex); } } await ChalkableAuthorization.AuthorizeAsync(token); if (string.IsNullOrWhiteSpace(mode)) mode = Settings.MY_VIEW_MODE; CurrentUser = await GetCurrentUser(mode); return await ResolveAction(mode, announcementApplicationId, studentId, announcementId, announcementType, attributeId, StandardInfo.FromQuery(Request.Params, HttpContext.Server.UrlDecode), contentId); }
public static bool AuthenticateByToken(RequestContext requestContext, IApplicationService appService, out AuthorizationUserInfo authAppInfo, out Application app) { authAppInfo = null; app = null; var authToken = GetTokenFromAuthorizationHeader(requestContext.HttpContext.Request); if (string.IsNullOrWhiteSpace(authToken)) { return(false); } TokenAuthenticationInfo info = null; try { var infoJson = Encoding.UTF8.GetString(Convert.FromBase64String(authToken.Trim())); info = JsonConvert.DeserializeObject <TokenAuthenticationInfo>(infoJson); } catch { // ignore } if (string.IsNullOrWhiteSpace(info?.AppToken)) { throw new ChalkableSecurityException("Invalid auth token"); } var ts = ChalkableAuthorization.DateTimeToUnixTimestamp(DateTime.UtcNow.AddMinutes(-5)); if (ts > info.Timestamp) { throw new ChalkableSecurityException("Auth token has expired"); } try { var authInfo = EncryptionTools.AesDecrypt(info.AppToken, Chalkable.Common.Settings.AesSecretKey); authAppInfo = AuthorizationUserInfo.FromString(authInfo); } catch (Exception) { throw new ChalkableSecurityException("Invalid auth app token"); } app = appService.GetApplicationById(authAppInfo.ApplicationId); if (app == null) { throw new ChalkableSecurityException("Invalid auth app token"); } var hash = ChalkableAuthorization.ComputeSignature(requestContext.HttpContext.Request.HttpMethod, requestContext.HttpContext.Request.Url , requestContext.HttpContext.Request.ContentLength, info.Timestamp, info.AppToken, app.SecretKey); if (string.CompareOrdinal(hash, info.Signature) != 0) { throw new ChalkableSecurityException("Auth token has invalid signature"); } return(true); }