/// <summary>
/// Nancy module for the login route: stores the injected services, registers the
/// login handler and subscribes this instance to the Redis login channel so replies
/// addressed to its instance id reach <c>_handleRedisLoginDataResponse</c>.
/// </summary>
/// <param name="dbm">Database access used by the handler.</param>
/// <param name="cpm">Cryptography helper used by the handler.</param>
/// <param name="rs">Redis connection; also used to generate this instance's id.</param>
/// <param name="logger">Logger.</param>
/// <param name="sessionService">Session service used by the handler.</param>
public LoginHandler(
            IDatabaseManager dbm,
            CryptographyManager cpm,
            RedisServer rs,
            ILoggerUtil logger,
            SessionService sessionService)
            : base(RouteConfig.Login)
        {
            // Todo: Refactor this into POST request to mitigate CSRF.
            // http://www.jhovgaard.com/nancy-csrf/
            // SECURITY: a GET login can be triggered cross-site by a plain link or <img>
            // tag, and anything the client sends as query parameters (credentials
            // included, if that is how this route is called) ends up in access/proxy
            // logs, browser history and Referer headers. Switching to POST is the
            // prerequisite for the token-based CSRF check described in the link above.
            Get[RouteConfig.Login_Request, true] = _handleLogin;

            _databaseManager     = dbm;
            _cryptographyManager = cpm;
            _redisServer         = rs;
            _logger         = logger;
            _sessionService = sessionService;

            //This might add a bit of latency to login requests, but I doubt it will be a problem. Adding this comment in case we need to debug it in the future.
            // Sync-over-async (.Result) inside a constructor: blocks the calling thread and
            // can deadlock on hosts that have a synchronization context.
            // NOTE(review): Nancy instantiates modules per request unless they are registered
            // otherwise; if that is the case here, a fresh id and a fresh subscription (below)
            // are created on every login request — confirm there is a matching unsubscribe,
            // or that the module is registered as a singleton.
            _instanceId = rs.GenerateUniqueId().Result;

            // Replies published on the WebLogin channel for this instance id are delivered
            // to _handleRedisLoginDataResponse.
            _redisServer.Subscribe(ChannelTypes.WebLogin, _instanceId, _handleRedisLoginDataResponse);
        }
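        /// <summary>
        /// Nancy bootstrapper hook: registers the shared services, enables the CSRF token
        /// infrastructure, installs the CORS allowlist gate and the session-auth hook, and
        /// configures error propagation.
        /// </summary>
        /// <param name="container">TinyIoC container the registrations go into.</param>
        /// <param name="pipelines">Application-wide request pipelines to hook.</param>
        protected override void ApplicationStartup(TinyIoCContainer container, IPipelines pipelines)
        {
            container.Register <IDatabaseManager, DBStateResolver>().AsSingleton();

#if !DEBUG
            // The Nancy diagnostics dashboard exposes routes, configuration and request
            // traces, so it is switched off outside DEBUG builds.
            DiagnosticsHook.Disable(pipelines);
#else
            StaticConfiguration.EnableRequestTracing = true;
#endif

            redisServer = new RedisServer(LogError, LogDebug, (new RedisConfig()).Address);
            container.Register <RedisServer>(redisServer);

            // Sync-over-async (.Result) is tolerated here because this runs once at startup,
            // not on the request path.
            var serviceId = redisServer.GenerateUniqueId().Result;
            container.Register <IServerConfigService, WebServerConfigService>(new WebServerConfigService(redisServer, serviceId));

            sessionService = container.Resolve <SessionService>();

            // CSRF that uses Redis for shared token generation, so every instance sharing the
            // Redis key material accepts the same tokens. Tokens currently don't expire.
            // NOTE(review): as far as I can tell Csrf.Enable only wires up the key material;
            // state-changing routes still have to validate the token themselves — confirm
            // the modules do (the login module above is still a GET with a CSRF TODO).
            Csrf.Enable(pipelines, new CryptographyConfiguration(
                            new RijndaelEncryptionProvider(new RedisBasedKeyGenerator(redisServer)),
                            new DefaultHmacProvider(new RedisBasedKeyGenerator(redisServer)))
                        );

            // True when the Origin header matches one of the configured corsDomains.
            // Entries are used as regex patterns anchored at both ends, so a literal host
            // such as "https://example.com" needs its dots escaped or it will also match
            // "https://exampleXcom".
            Func<string, bool> originAllowed = origin =>
                corsDomains.Any(allowed => Regex.IsMatch(origin, "^" + allowed + "$", RegexOptions.IgnoreCase));

            pipelines.BeforeRequest.AddItemToEndOfPipeline(ctx =>
            {
                var origin = ctx.Request.Headers["Origin"].FirstOrDefault();

                // No Origin header: same-origin or non-browser client, nothing to gate on.
                if (origin == null)
                {
                    return null;
                }

                if (originAllowed(origin))
                {
                    return null;
                }

                // Unknown origin: abort before any route (and before session auth) runs.
                var responseJson = (Response)"CORS not allowed.";

                responseJson.ContentType = "application/json";
                responseJson.StatusCode  = HttpStatusCode.BadRequest;

                return responseJson;
            });

            pipelines.AfterRequest.AddItemToEndOfPipeline(ctx =>
            {
                var origin = ctx.Request.Headers["Origin"].FirstOrDefault();

                // Post-request hooks also run on responses produced by the BeforeRequest hook
                // above (the 400 "CORS not allowed." reply included), so the allowlist is
                // re-checked here rather than trusting the mere presence of an Origin header.
                // Without this the rejected origin was reflected into Access-Control-Allow-Origin
                // together with Allow-Credentials=true.
                if (origin == null || !originAllowed(origin))
                {
                    return;
                }

                ctx.Response.Headers.Add("Access-Control-Allow-Origin", origin);
                ctx.Response.Headers.Add("Access-Control-Allow-Methods", "POST,GET,DELETE,PUT,OPTIONS");
                ctx.Response.Headers.Add("Access-Control-Allow-Credentials", "true");
                ctx.Response.Headers.Add("Access-Control-Allow-Headers", "Accept,Origin,Content-type");
                ctx.Response.Headers.Add("Access-Control-Expose-Headers", "Accept,Origin,Content-type");

                // The Allow-Origin value differs per request, so shared caches must key on
                // Origin or one allowed origin's response could be served to another.
                if (!ctx.Response.Headers.ContainsKey("Vary"))
                {
                    ctx.Response.Headers["Vary"] = "Origin";
                }
            });

            // Runs after the CORS gate, so only allowlisted (or origin-less) requests reach it.
            pipelines.BeforeRequest.AddItemToEndOfPipeline(ProcessSessionAuth);

            // Hand the exception back to the host as before, but via ExceptionDispatchInfo so
            // the original stack trace survives ("throw ex;" resets it).
            pipelines.OnError += (ctx, ex) => {
                System.Runtime.ExceptionServices.ExceptionDispatchInfo.Capture(ex).Throw();
                return null;
            };
        }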