Example #1
0
        /// <summary>
        /// Perform validation using all QS or form params and load 
        /// APIKEY etc from the headers collection.
        /// Check this class next year..
        /// </summary>
        /// <param name="request"></param>
        /// <param name="allowedHttpMethods"></param>
        /// <returns></returns>
        public static RESTAuthenticator AuthenticateByHeaders(HttpRequest request, string[] allowedHttpMethods)
        {
            RESTAuthenticator auth = new RESTAuthenticator();

            string xApiKey = request.Headers["X-ApiKey"];
            string xTimestamp = request.Headers["X-Timestamp"];
            string xSignature = request.Headers["X-Signature"];

            if (String.IsNullOrEmpty(xSignature) || String.IsNullOrEmpty(xApiKey) || String.IsNullOrEmpty(xTimestamp))
            {
                auth._message = "Bad Request";
                auth._statusCode = HttpStatusCode.BadRequest;
                return auth;
            }

            if (!isAllowedHttpMethod(request.HttpMethod, allowedHttpMethods))
            {
                auth._message = "Method Not Allowed";
                auth._statusCode = HttpStatusCode.MethodNotAllowed;
                return auth;
            }

            #region Validate Timestamp
            // Get timestamp as DateTime and validate:
            DateTime remoteTimestamp = new DateTime(1970, 1, 1, 1, 1, 1, DateTimeKind.Utc);
            DateTime.TryParse(xTimestamp, out remoteTimestamp);
            if (!isValidTimestamp(remoteTimestamp.ToUniversalTime(), 60 * 15))
            {
                // Expired timestamp parameter.
                auth._message = "Timestamp invalid or expired";
                auth._statusCode = HttpStatusCode.BadRequest;
                return auth;
            }
            #endregion

            // Check if the API KEY and secret are OK
            String secret = GetSecretKey(xApiKey);
            if (String.IsNullOrEmpty(secret))
            {
                auth._message = "Invalid API key: " + xApiKey;
                auth._statusCode = HttpStatusCode.BadRequest;
                return auth;
            }

            if (! isValidResourceSignature(request, secret, xSignature))
            {
                auth._message = "Invalid signature";
                auth._statusCode = HttpStatusCode.BadRequest;
                return auth;
            }

            // Passed all tests
            auth._message = "OK";
            auth._statusCode = HttpStatusCode.OK;
            return auth;
        }
Example #2
0
        /// <summary>
        /// Authenticates a Request and returns the status object.
        /// </summary>
        /// <param name="request">The request from which to get parameters.</param>
        /// <param name="allowedHttpMethods">The valid methods for this operation. Array can contain DELETE, GET, HEAD, PUT, POST</param>
        /// <param name="reqParams">An array of parameter names that must exist in the request.</param>
        /// <param name="apiKeyParamName">The name of the parameter that contains the Account identifier.</param>
        /// <param name="signatureParamName">The name of the parameter that contains the signed request.</param>
        /// <param name="timestampParamName">The name of the parameter that contains the timestamp in UTC format</param>
        /// <returns></returns>
        public static RESTAuthenticator AuthenticateRequest(HttpRequest request, string[] allowedHttpMethods, string[] reqParams, string apiKeyParamName, string signatureParamName, string timestampParamName)
        {
            RESTAuthenticator auth = new RESTAuthenticator();

            #region Validate Timestamp
            // Validate Timestamp
            // TODO Refactor this check to validate against Pragmatic paradigm
            // Exit if request missing timestamp param
            if (String.IsNullOrEmpty(request[timestampParamName]))
            {
                // Missing timestamp parameter.
                auth._message = "Missing Timestamp parameter";
                auth._statusCode = HttpStatusCode.BadRequest;
                return auth;
            }
            // Validate Timestamp
            // Has timestamp parameter.
            // Get timestamp as DateTime and validate:
            DateTime remoteTimestamp = new DateTime(1970, 1, 1, 1, 1, 1, DateTimeKind.Utc);
            DateTime.TryParse(request[timestampParamName], out remoteTimestamp);
            if (!isValidTimestamp(remoteTimestamp.ToUniversalTime(), 60 * 15))
            {
                // Expired timestamp parameter.
                auth._message = "Timestamp invalid or expired";
                auth._statusCode = HttpStatusCode.BadRequest;
                return auth;
            }
            #endregion

            #region Validate HTTPMethod
            // Validate HTTPMethod
            if ( !isAllowedHttpMethod(request.HttpMethod, allowedHttpMethods) )
            {
                auth._message = "Method Not Allowed";
                auth._statusCode = HttpStatusCode.MethodNotAllowed;
                return auth;
            }
            #endregion

            #region Validate parameters
            if (missingRequiredParams(request, reqParams))
            {
                // Missing required parameter.
                auth._message = "Missing required parameters";
                auth._statusCode = HttpStatusCode.BadRequest;
                return auth;
            }
            #endregion

            #region Validate signature
            string secretKey = GetSecretKey(request[apiKeyParamName]);
            string signature = request[signatureParamName];
            if (!isValidSignature(request, secretKey, signature, reqParams))
            {
                auth._message = "Invalid signature";
                auth._statusCode = HttpStatusCode.BadRequest;
                return auth;
            }
            #endregion

            // If all tests passed set and return OK response
            auth._message = "OK";
            auth._statusCode = HttpStatusCode.OK;
            return auth;
        }