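/// <summary>
/// Validates a "Bearer &lt;jwt&gt;" Authorization header value and, on success, stores the
/// matching user in <c>context.Items["User"]</c>.
/// </summary>
/// <param name="context">Request context that receives the resolved user.</param>
/// <param name="token">Raw Authorization header value, scheme included.</param>
/// <returns>
/// <c>true</c> when the token verified and a user was attached; <c>false</c> for Basic
/// credentials, a malformed header, a token that fails validation, an unknown user,
/// or any unexpected error (logged, never propagated).
/// </returns>
private bool AttachBearer(HttpContext context, string token)
{
    try
    {
        var parts = token.Split(" ");

        // Basic credentials are not an error here; the caller deals with that scheme.
        if (parts[0] == "Basic")
        {
            return false;
        }

        if (parts[0] != "Bearer" || parts.Length != 2)
        {
            throw new FormatException("malformed bearer authorization header");
        }

        var jwt = parts[1];
        var tokenHandler = new JwtSecurityTokenHandler();
        var key = _config.JwtKey;

        // NOTE(review): issuer and audience are deliberately unchecked, so any token signed
        // with this key is accepted regardless of who issued it or for which service.
        // Lifetime checking is the handler default; it is spelled out so the intent is visible.
        var validation = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(key),
            ValidateIssuer = false,
            ValidateAudience = false,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30)
        };

        tokenHandler.ValidateToken(jwt, validation, out SecurityToken validatedToken);
        var jwtToken = (JwtSecurityToken)validatedToken;

        var idClaim = jwtToken.Claims.FirstOrDefault(c => c.Type == "id");
        if (idClaim == null)
        {
            throw new InvalidOperationException("token has no id claim");
        }

        // Invariant culture: the claim is machine-written, never formatted for a user locale.
        int userId = int.Parse(idClaim.Value, System.Globalization.CultureInfo.InvariantCulture);

        var user = _persistence.GetUserById(userId);
        if (user == null)
        {
            // A valid signature for a user that no longer exists is not an authenticated request.
            return false;
        }

        context.Items["User"] = user;
        return true;
    }
    catch (Exception e)
    {
        // Any failure (parse, signature, expiry, lookup) means "not authenticated", never a 500.
        _log.Log(e.ToString());
        return false;
    }
}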
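/// <summary>
/// Deletes the user identified by <paramref name="userId"/> on behalf of the authenticated
/// caller found in <c>HttpContext.Items["User"]</c>.
/// </summary>
/// <param name="userId">Id of the account to delete, taken from the route.</param>
/// <returns>
/// 200 on success; 401 when no authenticated user is attached; 403 when the caller lacks the
/// rank for the operation; 404 when the target does not exist; 500 otherwise.
/// </returns>
/// <remarks>
/// Rank rules: callers below level 3 may only delete themselves; level 3 may delete strictly
/// lower-ranked users inside its own organization (a null OrganizationId lifts that
/// restriction); level 4 may delete any strictly lower-ranked user; above 4 is unrestricted.
/// </remarks>
public IActionResult DeleteOrArchiveUser([FromRoute] int userId)
{
    try
    {
        var caller = HttpContext.Items["User"] as User;
        if (caller == null)
        {
            throw new UnauthorizedException("Authorization failed!");
        }

        const string forbidden = "You don't have high enough security clearance for this operation!";

        // Below level 3 the only permitted target is the caller's own account, so no lookup is needed.
        if (caller.PermissionLevel < 3)
        {
            if (caller.Id != userId)
            {
                throw new ForbiddenException(forbidden);
            }
            _persistence.DeleteUser(userId);
            return StatusCode(200);
        }

        // Above level 4 there is no restriction at all.
        if (caller.PermissionLevel > 4)
        {
            _persistence.DeleteUser(userId);
            return StatusCode(200);
        }

        // Levels 3 and 4 are judged against the target's own rank and organization.
        var target = _persistence.GetUserById(userId);
        if (target == null)
        {
            // Previously fell through to a NullReferenceException and a 500; a missing target is a 404.
            return StatusCode(404, "User not found");
        }
        if (!CanDelete(caller, target))
        {
            throw new ForbiddenException(forbidden);
        }
        _persistence.DeleteUser(userId);
        return StatusCode(200);
    }
    catch (UnauthorizedException e)
    {
        return StatusCode(401, e.Message);
    }
    catch (ForbiddenException e)
    {
        return StatusCode(403, e.Message);
    }
    catch (NotFoundException e)
    {
        return StatusCode(404, e.Message);
    }
    catch (Exception)
    {
        // Do not echo internal exception text to the client; it exposes implementation detail.
        // No logger is visible on this class from here, so the error is not recorded.
        return StatusCode(500, "Internal server error");
    }

    // Rank check for level-3 and level-4 callers: the target must be strictly lower-ranked,
    // and a level-3 caller with an organization may only act inside it.
    bool CanDelete(User actor, User subject)
    {
        if (actor.PermissionLevel <= subject.PermissionLevel)
        {
            return false;
        }
        if (actor.PermissionLevel != 3)
        {
            return true;
        }
        // A null OrganizationId is treated as unscoped, exactly as the original check did —
        // confirm that is the intended semantics.
        return actor.OrganizationId == null || actor.OrganizationId == subject.OrganizationId;
    }
}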