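/// <summary>
/// Requests a bearer token from the server's "token" endpoint (resource-owner
/// password grant) and stores the parsed response in <c>_token</c>.
/// </summary>
/// <param name="userName">Account name sent as the <c>username</c> form field.</param>
/// <param name="password">Secret sent as the <c>password</c> form field.</param>
/// <exception cref="HttpRequestException">
/// Thrown when the token endpoint does not answer with a success status code.
/// </exception>
private void GetToken(string userName, string password)
{
    // The token endpoint sits beside the API root, not under "api/".
    var tokenUrl = ServerUrl.Replace("api/", "") + "token";

    // The grant is sent as application/x-www-form-urlencoded. FormUrlEncodedContent
    // sets that Content-Type itself (StringContent defaulted to text/plain) and
    // percent-encodes the values, so a password containing '&', '=', '%' or
    // non-ASCII characters can no longer corrupt the body the way the old
    // string-concatenated body could.
    var form = new FormUrlEncodedContent(new[]
    {
        new KeyValuePair<string, string>("username", userName),
        new KeyValuePair<string, string>("password", password),
        new KeyValuePair<string, string>("grant_type", "password"),
    });

    // NOTE(review): a new HttpClient per call exhausts sockets under load. This is
    // only tolerable if GetToken runs once per session; prefer a shared instance.
    using (var client = new HttpClient())
    {
        // The response is read as JSON below, so that is what we Accept. The old
        // code put the *request* content type into Accept, which is not what the
        // Accept header means.
        client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
        client.Timeout = TimeSpan.FromSeconds(30);

        // GetAwaiter().GetResult() blocks like .Result but rethrows the original
        // exception instead of wrapping it in AggregateException, so a caller's
        // catch for HttpRequestException / TaskCanceledException actually matches.
        // (Presumably the reason the old TODO said the failure "cannot be caught".)
        var result = client.PostAsync(tokenUrl, form).GetAwaiter().GetResult();
        if (result.IsSuccessStatusCode)
        {
            _token = result.Content.ReadAsAsync<TokenResponce>().GetAwaiter().GetResult();
            return;
        }

        // Report the HTTP status only; the response body is not included because
        // an error page may echo the submitted credentials. ArgumentNullException
        // misdescribed this failure - it is an HTTP error, not a null argument.
        throw new HttpRequestException(string.Format(
            "Failed to get auth token: token endpoint returned {0} ({1}).",
            (int)result.StatusCode, result.ReasonPhrase));
    }
}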
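/// <summary>
/// Exchanges a username/password pair for a JWT. Responds 200 with a
/// <c>TokenResponce</c> carrying the token when the credentials match a row in
/// <c>Users</c>, and 401 otherwise (invalid model, null body, unknown user,
/// wrong password).
/// </summary>
/// <param name="credentials">Posted credentials; may be null if model binding produced nothing.</param>
/// <returns>200 OK with the token, or 401 Unauthorized.</returns>
public ActionResult Post(UserCredentials credentials)
{
    // A null body or null fields would previously reach the LINQ predicate and
    // dereference; treat them as a failed login instead.
    if (!ModelState.IsValid || credentials == null
        || credentials.Username == null || credentials.Password == null)
    {
        return Unauthorized();
    }

    using (euanmortoncoukContext db = new euanmortoncoukContext())
    {
        // Look the account up by username only. The password is deliberately NOT
        // part of the query: pushing it into SQL compares it under the column's
        // collation (commonly case- and trailing-space-insensitive), which accepts
        // passwords that differ from the stored value.
        var user = db.Users.FirstOrDefault(a => a.Username.Equals(credentials.Username));
        if (user == null || !PasswordMatches(user.Password, credentials.Password))
        {
            // One response for "no such user" and "wrong password" so this
            // endpoint does not confirm which usernames exist.
            return Unauthorized();
        }

        // Credentials accepted - issue the token.
        string token = GenerateJWT(credentials);
        TokenResponce responce = new TokenResponce();
        responce.token = token;
        responce.message = "Token aquired";
        return Ok(responce);
    }
}

/// <summary>
/// Compares the stored credential with the submitted one byte-for-byte, ordinal
/// and case-sensitive, in constant time (no early exit on the first mismatch).
/// </summary>
/// <param name="stored">Value held in <c>Users.Password</c>.</param>
/// <param name="supplied">Value the client posted.</param>
/// <returns>True only when both are non-null and identical.</returns>
/// <remarks>
/// NOTE(review): this still assumes <c>Users.Password</c> holds the raw password,
/// exactly as the original query did - a plaintext credential store. The real fix
/// is to store a salted PBKDF2/Argon2 hash and verify against it here. The old
/// TODO proposing unsalted SHA1 is not an improvement; do not do that.
/// </remarks>
private static bool PasswordMatches(string stored, string supplied)
{
    if (stored == null || supplied == null)
    {
        return false;
    }

    return CryptographicOperations.FixedTimeEquals(
        Encoding.UTF8.GetBytes(stored),
        Encoding.UTF8.GetBytes(supplied));
}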
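/// <summary>
/// Action filter that gates an action on the Flow-Token carried in the request's
/// Authorization header. Short-circuits with an error response when the header is
/// missing or the token does not validate; otherwise defers to the base filter.
/// </summary>
/// <param name="actionContext">The Web API action context for the current request.</param>
public override void OnActionExecuting(System.Web.Http.Controllers.HttpActionContext actionContext)
{
    // 1. A token must be present. Authorization is null when the header is absent
    //    or unparsable; Parameter is null for a bare scheme with no credential.
    //    (The original relied on catching the NullReferenceException instead.)
    var authorization = actionContext.Request.Headers.Authorization;
    if (authorization == null || string.IsNullOrWhiteSpace(authorization.Parameter))
    {
        // NOTE(review): 401 Unauthorized is the correct status for a missing
        // credential; 403 is kept only because existing clients may depend on it.
        actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
        {
            Content = new StringContent("Missing Flow-Token")
        };
        return;
    }
    string token = authorization.Parameter;

    // 2. The Referer authority is handed to the validator as the "caller address".
    //    Referer is client-supplied and routinely stripped, so it cannot serve as an
    //    origin check on its own - whatever ValidateUserToken does with it must not
    //    be the only binding (TODO confirm against Token.ValidateUserToken).
    //    Authority throws on a relative Uri, hence the IsAbsoluteUri guard.
    var referrer = actionContext.Request.Headers.Referrer;
    string callerUrl = (referrer != null && referrer.IsAbsoluteUri) ? referrer.Authority : string.Empty;

    // 3. Validate the token itself.
    try
    {
        // Every token is validated. The previous "Ng6App" prefix shortcut skipped
        // validation for any caller whose Authorization parameter merely started
        // with that string - an unauthenticated bypass of this filter, since the
        // prefix is public and trivially forged. The Angular client must present a
        // token that ValidateUserToken accepts, like every other caller.
        using (Token t = new Token())
        using (TokenResponce result = t.ValidateUserToken(token, callerUrl))
        {
            if (!result.IsTokenValid)
            {
                actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.BadRequest)
                {
                    Content = new StringContent(result.Reason)
                };
                return;
            }
        }
    }
    catch (Exception)
    {
        // Reject, but do not echo the exception message: it can expose key names,
        // signing details or stack context to an unauthenticated caller.
        // TODO(review): log the exception server-side here.
        actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
        {
            Content = new StringContent("Invalid Flow-Token")
        };
        return;
    }

    base.OnActionExecuting(actionContext);
}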