/// <summary>Validates the tokens.</summary>
///
/// <exception cref="HttpAntiForgeryException"> Thrown when a Create Cookie Missing error condition occurs.</exception>
/// <exception cref="HttpAntiForgeryException"> Thrown when a Create Form Field Missing error condition occurs.</exception>
/// <exception cref="HttpAntiForgeryException"> Thrown when a Create Tokens Swapped error condition occurs.</exception>
/// <exception cref="HttpAntiForgeryException"> Thrown when a Create Security Token Mismatch error condition occurs.</exception>
/// <exception cref="HttpAntiForgeryException"> Thrown when a Create Username Mismatch error condition occurs.</exception>
/// <exception cref="HttpAntiForgeryException"> Thrown when a Create Claim UID Mismatch error condition occurs.</exception>
/// <exception cref="HttpAntiForgeryException">Thrown when a Create Additional Data Check Failed error condition occurs.</exception>
///
/// <param name="httpContext"> Context for the HTTP.</param>
/// <param name="identity"> The identity.</param>
/// <param name="sessionToken">The session token.</param>
/// <param name="fieldToken"> The field token.</param>
public void ValidateTokens(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken)
{
// Were the tokens even present at all?
if (sessionToken == null)
{
throw HttpAntiForgeryException.CreateCookieMissingException(_config.CookieName);
}
if (fieldToken == null)
{
throw HttpAntiForgeryException.CreateFormFieldMissingException(_config.FormFieldName);
}
// Do the tokens have the correct format?
if (!sessionToken.IsSessionToken || fieldToken.IsSessionToken)
{
throw HttpAntiForgeryException.CreateTokensSwappedException(_config.CookieName, _config.FormFieldName);
}
// Are the security tokens embedded in each incoming token identical?
if (!Equals(sessionToken.SecurityToken, fieldToken.SecurityToken))
{
throw HttpAntiForgeryException.CreateSecurityTokenMismatchException();
}
// Is the incoming token meant for the current user?
string currentUsername = String.Empty;
BinaryBlob currentClaimUid = null;
if (identity != null && identity.IsAuthenticated)
{
currentClaimUid = _claimUidExtractor.ExtractClaimUid(identity);
if (currentClaimUid == null)
{
currentUsername = identity.Name ?? String.Empty;
}
}
// OpenID and other similar authentication schemes use URIs for the username.
// These should be treated as case-sensitive.
bool useCaseSensitiveUsernameComparison = currentUsername.StartsWith("http://", StringComparison.OrdinalIgnoreCase) ||
currentUsername.StartsWith("https://", StringComparison.OrdinalIgnoreCase);
if (!String.Equals(fieldToken.Username, currentUsername, (useCaseSensitiveUsernameComparison) ? StringComparison.Ordinal : StringComparison.OrdinalIgnoreCase))
{
throw HttpAntiForgeryException.CreateUsernameMismatchException(fieldToken.Username, currentUsername);
}
if (!Equals(fieldToken.ClaimUid, currentClaimUid))
{
throw HttpAntiForgeryException.CreateClaimUidMismatchException();
}
// Is the AdditionalData valid?
if (_config.AdditionalDataProvider != null && !_config.AdditionalDataProvider.ValidateAdditionalData(httpContext, fieldToken.AdditionalData))
{
throw HttpAntiForgeryException.CreateAdditionalDataCheckFailedException();
}
}
/// <summary>true this object to the given stream.</summary>
///
/// <exception>Thrown when a Create Deserialization Failed error condition occurs.</exception>
///
/// <param name="serializedToken">The serialized token.</param>
///
/// <returns>An AntiForgeryToken.</returns>
public AntiForgeryToken Deserialize(string serializedToken)
{
try {
using (MemoryStream stream = new MemoryStream(_cryptoSystem.Unprotect(serializedToken))) {
using (BinaryReader reader = new BinaryReader(stream)) {
AntiForgeryToken token = DeserializeImpl(reader);
if (token != null)
{
return(token);
}
}
}
} catch {
// swallow all exceptions - homogenize error if something went wrong
}
// if we reached this point, something went wrong deserializing
throw HttpAntiForgeryException.CreateDeserializationFailedException();
}
