public bool TryAuthorize(RavenBaseApiController controller, out HttpResponseMessage msg)
		{
			var requestUrl = controller.GetRequestUrl();
			if (NeverSecret.IsNeverSecretUrl(requestUrl))
			{
				msg = controller.GetEmptyMessage();
				return true;
			}

			//CORS pre-flight (ignore creds if using cors).
			if (!String.IsNullOrEmpty(Settings.AccessControlAllowOrigin) && controller.InnerRequest.Method.Method == "OPTIONS")
			{
				msg = controller.GetEmptyMessage();
				return true;
			}

			var oneTimeToken = controller.GetHeader("Single-Use-Auth-Token");
			if (string.IsNullOrEmpty(oneTimeToken) == false)
			{
				return TryAuthorizeSingleUseAuthToken(controller, oneTimeToken, out msg);
			}

			var authHeader = controller.GetHeader("Authorization");
			var hasApiKey = "True".Equals(controller.GetHeader("Has-Api-Key"), StringComparison.CurrentCultureIgnoreCase);
			var hasOAuthTokenInCookie = controller.HasCookie("OAuth-Token");
			if (hasApiKey || hasOAuthTokenInCookie ||
				string.IsNullOrEmpty(authHeader) == false && authHeader.StartsWith("Bearer "))
			{
				return oAuthRequestAuthorizer.TryAuthorize(controller, hasApiKey, IgnoreDb.Urls.Contains(requestUrl), out msg);
			}
			return windowsRequestAuthorizer.TryAuthorize(controller, IgnoreDb.Urls.Contains(requestUrl), out msg);
		}
Exemple #2
0
        // Cross-Origin Resource Sharing (CORS) is documented here: http://www.w3.org/TR/cors/
        public void AddAccessControlHeaders(RavenBaseApiController controller, HttpResponseMessage msg)
        {
            var accessControlAllowOrigin = landlord.SystemConfiguration.AccessControlAllowOrigin;

            if (accessControlAllowOrigin.Count == 0)
            {
                return;
            }

            var originHeader = controller.GetHeader("Origin");

            if (originHeader == null || originHeader.Contains(controller.InnerRequest.Headers.Host))
            {
                return; // no need
            }
            bool originAllowed = accessControlAllowOrigin.Contains("*") ||
                                 accessControlAllowOrigin.Contains(originHeader);

            if (originAllowed)
            {
                controller.AddHeader("Access-Control-Allow-Origin", originHeader, msg);
            }
            if (controller.InnerRequest.Method.Method != "OPTIONS")
            {
                return;
            }

            controller.AddHeader("Access-Control-Allow-Credentials", "true", msg);
            controller.AddHeader("Access-Control-Max-Age", landlord.SystemConfiguration.AccessControlMaxAge, msg);
            controller.AddHeader("Access-Control-Allow-Methods", landlord.SystemConfiguration.AccessControlAllowMethods, msg);
            if (string.IsNullOrEmpty(landlord.SystemConfiguration.AccessControlRequestHeaders))
            {
                // allow whatever headers are being requested
                var hdr = controller.GetHeader("Access-Control-Request-Headers"); // typically: "x-requested-with"
                if (hdr != null)
                {
                    controller.AddHeader("Access-Control-Allow-Headers", hdr, msg);
                }
            }
            else
            {
                controller.AddHeader("Access-Control-Request-Headers", landlord.SystemConfiguration.AccessControlRequestHeaders, msg);
            }
        }
        public bool TryAuthorize(RavenBaseApiController controller, out HttpResponseMessage msg)
        {
            var requestUrl = controller.GetRequestUrl();

            if (NeverSecret.IsNeverSecretUrl(requestUrl))
            {
                msg = controller.GetEmptyMessage();
                return(true);
            }

            //CORS pre-flight (ignore creds if using cors).
            if (Settings.AccessControlAllowOrigin.Count > 0 && controller.InnerRequest.Method.Method == "OPTIONS")
            {
                msg = controller.GetEmptyMessage();
                return(true);
            }

            var oneTimeToken = controller.GetHeader("Single-Use-Auth-Token");

            if (string.IsNullOrEmpty(oneTimeToken))
            {
                oneTimeToken = controller.GetQueryStringValue("singleUseAuthToken");
            }

            if (string.IsNullOrEmpty(oneTimeToken) == false)
            {
                return(TryAuthorizeSingleUseAuthToken(controller, oneTimeToken, out msg));
            }

            var authHeader            = controller.GetHeader("Authorization");
            var hasApiKey             = "True".Equals(controller.GetHeader("Has-Api-Key"), StringComparison.CurrentCultureIgnoreCase);
            var hasOAuthTokenInCookie = controller.HasCookie("OAuth-Token");

            if (hasApiKey || hasOAuthTokenInCookie ||
                string.IsNullOrEmpty(authHeader) == false && authHeader.StartsWith("Bearer "))
            {
                return(oAuthRequestAuthorizer.TryAuthorize(controller, hasApiKey, IgnoreDb.Urls.Contains(requestUrl), out msg));
            }
            return(windowsRequestAuthorizer.TryAuthorize(controller, IgnoreDb.Urls.Contains(requestUrl), out msg));
        }
Exemple #4
0
        public IPrincipal GetUser(RavenBaseApiController controller)
        {
            if (controller.WasAlreadyAuthorizedUsingSingleAuthToken)
            {
                return(controller.User);
            }

            var hasApiKey             = "True".Equals(controller.GetQueryStringValue("Has-Api-Key"), StringComparison.CurrentCultureIgnoreCase);
            var authHeader            = controller.GetHeader("Authorization");
            var hasOAuthTokenInCookie = controller.HasCookie("OAuth-Token");

            if (hasApiKey || hasOAuthTokenInCookie ||
                string.IsNullOrEmpty(authHeader) == false && authHeader.StartsWith("Bearer "))
            {
                return(oAuthRequestAuthorizer.GetUser(controller, hasApiKey));
            }
            return(windowsRequestAuthorizer.GetUser(controller));
        }
Exemple #5
0
        static string GetToken(RavenBaseApiController controller)
        {
            const string bearerPrefix = "Bearer ";

            var auth = controller.GetHeader("Authorization");

            if (auth == null)
            {
                auth = controller.GetCookie("OAuth-Token");
                if (auth != null)
                {
                    auth = Uri.UnescapeDataString(auth);
                }
            }
            if (auth == null || auth.Length <= bearerPrefix.Length ||
                !auth.StartsWith(bearerPrefix, StringComparison.OrdinalIgnoreCase))
            {
                return(null);
            }

            var token = auth.Substring(bearerPrefix.Length, auth.Length - bearerPrefix.Length);

            return(token);
        }
		// Cross-Origin Resource Sharing (CORS) is documented here: http://www.w3.org/TR/cors/
		public void AddAccessControlHeaders(RavenBaseApiController controller, HttpResponseMessage msg)
		{

			var accessControlAllowOrigin = landlord.SystemConfiguration.AccessControlAllowOrigin;
			if (accessControlAllowOrigin.Count == 0)
				return;

			var originHeader = controller.GetHeader("Origin");
			if (originHeader == null || originHeader.Contains(controller.InnerRequest.Headers.Host))
				return; // no need

			bool originAllowed = accessControlAllowOrigin.Contains("*") ||
								 accessControlAllowOrigin.Contains(originHeader);
			if (originAllowed)
			{
				controller.AddHeader("Access-Control-Allow-Origin", originHeader, msg);
			}
			if (controller.InnerRequest.Method.Method != "OPTIONS")
				return;

			controller.AddHeader("Access-Control-Allow-Credentials", "true", msg);
			controller.AddHeader("Access-Control-Max-Age", landlord.SystemConfiguration.AccessControlMaxAge, msg);
			controller.AddHeader("Access-Control-Allow-Methods", landlord.SystemConfiguration.AccessControlAllowMethods, msg);
			if (string.IsNullOrEmpty(landlord.SystemConfiguration.AccessControlRequestHeaders))
			{

				// allow whatever headers are being requested
				var hdr = controller.GetHeader("Access-Control-Request-Headers"); // typically: "x-requested-with"
				if (hdr != null)
					controller.AddHeader("Access-Control-Allow-Headers", hdr, msg);
			}
			else
			{
				controller.AddHeader("Access-Control-Request-Headers", landlord.SystemConfiguration.AccessControlRequestHeaders, msg);
			}
		}
        static string GetToken(RavenBaseApiController controller)
		{
			const string bearerPrefix = "Bearer ";

			var auth = controller.GetHeader("Authorization");
			if (auth == null)
			{
				auth = controller.GetCookie("OAuth-Token");
				if (auth != null)
					auth = Uri.UnescapeDataString(auth);
			}
			if (auth == null || auth.Length <= bearerPrefix.Length ||
				!auth.StartsWith(bearerPrefix, StringComparison.OrdinalIgnoreCase))
				return null;

			var token = auth.Substring(bearerPrefix.Length, auth.Length - bearerPrefix.Length);

			return token;
		}
	    // Cross-Origin Resource Sharing (CORS) is documented here: http://www.w3.org/TR/cors/
        public void AddAccessControlHeaders(RavenBaseApiController controller, HttpResponseMessage msg)
		{
			if (string.IsNullOrEmpty(landlord.SystemConfiguration.AccessControlAllowOrigin))
				return;

			controller.AddHeader("Access-Control-Allow-Credentials", "true", msg);

			bool originAllowed = landlord.SystemConfiguration.AccessControlAllowOrigin == "*" ||
					landlord.SystemConfiguration.AccessControlAllowOrigin.Split(' ')
						.Any(o => o == controller.GetHeader("Origin"));
			if (originAllowed)
			{
				controller.AddHeader("Access-Control-Allow-Origin", controller.GetHeader("Origin"), msg);
			}

			controller.AddHeader("Access-Control-Max-Age", landlord.SystemConfiguration.AccessControlMaxAge, msg);
			controller.AddHeader("Access-Control-Allow-Methods", landlord.SystemConfiguration.AccessControlAllowMethods, msg);
			if (string.IsNullOrEmpty(landlord.SystemConfiguration.AccessControlRequestHeaders))
			{
				// allow whatever headers are being requested
				var hdr = controller.GetHeader("Access-Control-Request-Headers"); // typically: "x-requested-with"
				if (hdr != null) 
					controller.AddHeader("Access-Control-Allow-Headers", hdr, msg);
			}
			else
			{
				controller.AddHeader("Access-Control-Request-Headers", landlord.SystemConfiguration.AccessControlRequestHeaders, msg);
			}
		}