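/// <summary>
/// Issues a fresh API key / secret pair for <paramref name="part"/> and stores both on it.
/// The key is stored as-is; the secret is stored twice: reversibly encrypted (so it can be
/// shown back to authorized users) and PBKDF2-hashed (what sign-in validation compares).
/// </summary>
/// <param name="part">The credentials part to (re)initialise. Its ApiKey, ApiSecret,
/// HashAlgorithm and CreatedUtc are overwritten.</param>
public void GenerateNewCredentials(ApiCredentialsPart part) {
    // NOTE(review): the strength of both key and secret rests entirely on
    // BearerTokenHelpers.RandomString being backed by a cryptographic RNG — confirm.
    // Base64 only makes the value safe to transmit; it adds no entropy.
    string key;
    do {
        key = Convert.ToBase64String(
            Encoding.UTF8.GetBytes(BearerTokenHelpers.RandomString(24)),
            Base64FormattingOptions.None);
        // The key is used as a lookup identifier, so never issue one that already exists,
        // however unlikely a collision is with a good RNG.
    } while (GetPartByKey(key) != null);
    part.ApiKey = key;

    var secret = Convert.ToBase64String(
        Encoding.UTF8.GetBytes(BearerTokenHelpers.RandomString()),
        Base64FormattingOptions.None);

    // Reversible copy, so the secret can be displayed to authorized users later.
    // Consequently the key held by _encryptionService is as sensitive as the secrets it protects.
    part.ApiSecret = Convert.ToBase64String(
        _encryptionService.Encode(
            Encoding.UTF8.GetBytes(secret)));

    // One-way copy, used when validating a sign-in.
    part.HashAlgorithm = BearerTokenHelpers.PBKDF2;
    BearerTokenHelpers.SetSecretHashed(part, secret);

    part.CreatedUtc = _clock.UtcNow;
}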
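/// <summary>
/// Returns the currently authenticated Orchard user, or null.
/// The base (.ASPXAUTH cookie) authentication is tried first; when it yields nothing, a user is
/// resolved from the <see cref="BearerTokenIdentity"/> carried by the current request.
/// The outcome is cached on this instance (<c>_signedInUser</c>, <c>_isAuthenticated</c>,
/// <c>_isNonOrchardUser</c>) so repeated calls do not redo the lookup.
/// </summary>
/// <returns>The authenticated <see cref="IUser"/>, or null when the request is a background
/// context, is not authenticated, carries no bearer identity, carries user data that cannot be
/// deserialized or lacks a user name, names an unknown user, or fails any registered
/// <c>_bearerTokenDataProviders</c> check.</returns>
public new IUser GetAuthenticatedUser() {
    // A previous call already established that the token names no Orchard user.
    if (_isNonOrchardUser) {
        return(null);
    }
    if (_signedInUser != null || _isAuthenticated) {
        return(_signedInUser);
    }

    // may be authenticated "normally" with .ASPXAUTH cookie
    _signedInUser = base.GetAuthenticatedUser();
    if (_signedInUser == null) {
        // Fall back to the bearer token identity, if the request carries one.
        var httpContext = _httpContextAccessor.Current();
        if (httpContext.IsBackgroundContext()
            || !httpContext.Request.IsAuthenticated
            || !(httpContext.User.Identity is BearerTokenIdentity)) {
            return(null);
        }

        var bearerIdentity = (BearerTokenIdentity)httpContext.User.Identity;
        var userData = bearerIdentity.Ticket.UserData ?? "";

        // Fail closed: any problem deserializing the ticket's user data means "not authenticated".
        Dictionary<string, string> userDataDictionary;
        try {
            userDataDictionary = BearerTokenHelpers.DeserializeUserData(userData);
        } catch (Exception) {
            return(null);
        }

        // 1. The user name identifies the Orchard account. It should always be present in a
        //    ticket we issued, so its absence is treated as a tampered or foreign ticket.
        string userName;
        if (!userDataDictionary.TryGetValue("UserName", out userName)) {
            return(null);
        }
        _signedInUser = _membershipService.GetUser(userName);
        if (_signedInUser == null) {
            _isNonOrchardUser = true;
            return(null);
        }

        // 2. Every registered data provider must accept the remaining user data.
        //    NOTE(review): with no providers registered, All() is vacuously true and the
        //    user name alone is trusted — confirm at least one provider validates the ticket.
        var validLogin = _bearerTokenDataProviders.All(udp => udp.IsValid(_signedInUser, userDataDictionary));
        if (!validLogin) {
            _signedInUser = null;
            return(null);
        }
        _isAuthenticated = true;
    }
    return(_signedInUser);
}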
/// <summary>
/// Validates <paramref name="secret"/> for <paramref name="userApi"/> by delegating to
/// <c>BearerTokenHelpers.TestSecret</c>.
/// </summary>
/// <param name="userApi">The credentials part holding the stored secret material.</param>
/// <param name="secret">The secret presented at sign-in.</param>
/// <returns>Whatever <c>BearerTokenHelpers.TestSecret</c> reports: true on a match, false otherwise.</returns>
private bool TestSecret(ApiCredentialsPart userApi, string secret) {
    // TODO: migrate secrets hashed with "old" algorithms
    // This will have to happen here whenever we change the default hash algorithm
    // See how the similar thing is done in Orchard.Users
    // NOTE(review): the helper is expected to compare hashes in constant time — confirm.
    return(BearerTokenHelpers.TestSecret(userApi, secret));
}
/// <summary>
/// Builds the user-data dictionary for <paramref name="user"/> and serializes it into a single string.
/// </summary>
/// <param name="user">The user whose data is being serialized.</param>
/// <returns>The serialized user-data string produced by <c>BearerTokenHelpers.SerializeUserDataDictionary</c>.</returns>
private string ComputeUserData(IUser user) {
    var userDataDictionary = ComputeUserDataDictionary(user);
    return(BearerTokenHelpers.SerializeUserDataDictionary(userDataDictionary));
}