Esempio n. 1
0
        protected bool CheckAuthentication(HttpRequestMessage req, string[] authorizationHeaderValues)
        {
            if (authorizationHeaderValues != null)
            {
                var appId = authorizationHeaderValues[AppIdIndex];
                var incomingBase64Signature = authorizationHeaderValues[IncomingHashedSignatureIndex];
                var nonce             = authorizationHeaderValues[NonceIndex];
                var requestTimeStamp  = authorizationHeaderValues[RequestTimeStampIndex];
                var requestThumbprint = new SecureRequestThumbprint
                {
                    AppId                   = appId,
                    RequestMessage          = req,
                    IncomingBase64Signature = incomingBase64Signature,
                    Nonce                   = nonce,
                    RequestTimeStamp        = requestTimeStamp
                };

                var isValid = IsValidRequest(requestThumbprint);

                if (isValid.Result)
                {
                    return(true);
                }

                LogUnauthorized(requestThumbprint);
                return(false);
            }

            LogNoHeaders();
            return(false);
        }
Esempio n. 2
0
        protected async Task <bool> IsValidRequest(SecureRequestThumbprint request)
        {
            string requestContentBase64String = "";
            string requestUri        = WebUtility.UrlEncode(request.RequestMessage.RequestUri.AbsoluteUri.ToLower());
            string requestHttpMethod = request.RequestMessage.Method.Method;

            if (!AllowedApps.ContainsKey(request.AppId))
            {
                return(false);
            }

            var sharedKey = AllowedApps[request.AppId];

            if (IsReplayRequest(request.Nonce, request.RequestTimeStamp))
            {
                return(false);
            }

            byte[] hash = await ComputeHash(request.RequestMessage.Content);

            if (hash != null)
            {
                requestContentBase64String = Convert.ToBase64String(hash);
            }

            string data = String.Format("{0}{1}{2}{3}{4}{5}", request.AppId, requestHttpMethod, requestUri, request.RequestTimeStamp, request.Nonce, requestContentBase64String);

            var secretKeyBytes = Convert.FromBase64String(sharedKey);

            byte[] signature = Encoding.UTF8.GetBytes(data);

            using (HMACSHA256 hmac = new HMACSHA256(secretKeyBytes))
            {
                byte[] signatureBytes = hmac.ComputeHash(signature);

                return(request.IncomingBase64Signature.Equals(Convert.ToBase64String(signatureBytes), StringComparison.Ordinal));
            }
        }