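/// <summary>
/// Resolve the user identified by a client-supplied auth token.
/// </summary>
/// <param name="authToken">Raw token string as received from the client; treated as untrusted.</param>
/// <param name="impersonationOnly">When true, only impersonation tokens are accepted; a regular
/// user token is rejected before its timestamp or signature is examined.</param>
/// <returns>
/// The matching <see cref="UserBE"/>, or null when the token cannot be parsed, fails impersonation
/// validation, is rejected by <paramref name="impersonationOnly"/>, is older than the configured
/// cookie lifetime, names a user that does not exist, or does not match the token recomputed
/// for that user and timestamp.
/// </returns>
private static UserBE ValidateAuthToken(string authToken, bool impersonationOnly) {
    var context = DekiContext.Current;
    var token = ParseToken(authToken);
    var instance = context.Instance;
    if (token == null) {
        return null;
    }
    UserBE user;
    if (token.IsImpersonationToken) {
        if (!ValidateImpersonationToken(context, token)) {
            return null;
        }
        user = string.IsNullOrEmpty(token.Username)
            ? UserBL.GetUserById(token.UserId)
            : UserBL.GetUserByName(token.Username);

        // a token that validates can still name a user the lookup cannot find;
        // the non-impersonation path below already guards this, so mirror it here
        // rather than dereferencing null in the log call
        if (user == null) {
            return null;
        }
        instance.Log.InfoFormat("APIKEY impersonation token provided. Impersonating user '{0}' ({1})", user.Name, user.ID);
        return user;
    }

    // caller accepts impersonation tokens only
    if (impersonationOnly) {
        return null;
    }

    // expiry is enforced only when the configured lifetime is positive; test the
    // configuration first so the cut-off is never computed when expiry is disabled
    var lifetime = instance.AuthCookieExpirationTime;
    if (lifetime.TotalSeconds > 0 && token.Timestamp < DateTime.UtcNow.Subtract(lifetime)) {
        return null;
    }

    // retrieve associated user object
    user = UserBL.GetUserById(token.UserId);
    if (user == null) {
        return null;
    }

    // the token is authenticated by recomputing it for the claimed user and timestamp;
    // compare without short-circuiting so a forged token cannot be refined by timing.
    // TODO Max: Consider logging a mismatch here as an intrusion attempt.
    var expected = CreateAuthTokenForUser(user, token.Timestamp);
    return TokenEqualsConstantTime(authToken, expected) ? user : null;
}

/// <summary>
/// Compare two token strings without stopping at the first differing character.
/// Null handling matches <c>==</c>: two nulls are equal, a single null is not.
/// Only the length comparison short-circuits, so at most the length is observable.
/// </summary>
private static bool TokenEqualsConstantTime(string a, string b) {
    if (a == null || b == null) {
        return a == b;
    }
    if (a.Length != b.Length) {
        return false;
    }
    var diff = 0;
    for (var i = 0; i < a.Length; i++) {
        diff |= a[i] ^ b[i];
    }
    return diff == 0;
}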