protected bool CheckAuthentication(HttpRequestMessage req, string[] authorizationHeaderValues)
{
if (authorizationHeaderValues != null)
{
var appId = authorizationHeaderValues[AppIdIndex];
var incomingBase64Signature = authorizationHeaderValues[IncomingHashedSignatureIndex];
var nonce = authorizationHeaderValues[NonceIndex];
var requestTimeStamp = authorizationHeaderValues[RequestTimeStampIndex];
var requestThumbprint = new SecureRequestThumbprint
{
AppId = appId,
RequestMessage = req,
IncomingBase64Signature = incomingBase64Signature,
Nonce = nonce,
RequestTimeStamp = requestTimeStamp
};
var isValid = IsValidRequest(requestThumbprint);
if (isValid.Result)
{
return(true);
}
LogUnauthorized(requestThumbprint);
return(false);
}
LogNoHeaders();
return(false);
}
protected async Task <bool> IsValidRequest(SecureRequestThumbprint request)
{
string requestContentBase64String = "";
string requestUri = WebUtility.UrlEncode(request.RequestMessage.RequestUri.AbsoluteUri.ToLower());
string requestHttpMethod = request.RequestMessage.Method.Method;
if (!AllowedApps.ContainsKey(request.AppId))
{
return(false);
}
var sharedKey = AllowedApps[request.AppId];
if (IsReplayRequest(request.Nonce, request.RequestTimeStamp))
{
return(false);
}
byte[] hash = await ComputeHash(request.RequestMessage.Content);
if (hash != null)
{
requestContentBase64String = Convert.ToBase64String(hash);
}
string data = String.Format("{0}{1}{2}{3}{4}{5}", request.AppId, requestHttpMethod, requestUri, request.RequestTimeStamp, request.Nonce, requestContentBase64String);
var secretKeyBytes = Convert.FromBase64String(sharedKey);
byte[] signature = Encoding.UTF8.GetBytes(data);
using (HMACSHA256 hmac = new HMACSHA256(secretKeyBytes))
{
byte[] signatureBytes = hmac.ComputeHash(signature);
return(request.IncomingBase64Signature.Equals(Convert.ToBase64String(signatureBytes), StringComparison.Ordinal));
}
}
