public AuthHeader(string header) { try { if (!string.IsNullOrEmpty(header)) { var requestString = System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(header.Split(':')[0])); var requestParts = requestString.Split('|'); Request = new RequestPayload { ClientId = requestParts[0], UserName = requestParts[1], Identifier = requestParts[2], RequestCount = requestParts[3] }; var storedResponse = _requestStore.GetResponse(Request.Identifier) .GetAwaiter() .GetResult(); if (storedResponse == null) { _isValid = false; } else if (int.Parse(storedResponse.Response.RequestCount) + 1 != int.Parse(Request.RequestCount)) { _isValid = false; } _isValid = true; return; } _isValid = false; } catch (Exception ex) { _isValid = false; } }
protected override async Task <HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) { if (_responseStore == null) { _responseStore = AuthAPIConfiguration.Instance.ResponseStore; } if (_authStore == null) { _authStore = AuthAPIConfiguration.Instance.AuthStore; } var authHeader = new AuthHeader(request.Headers.Authorization == null ? string.Empty : request.Headers.Authorization.Parameter); if (authHeader.IsValid) { var clientSecret = await _authStore.GetClientSecretById(authHeader.Request.ClientId); var userPassword = await _authStore.GetPasswordByUserName(authHeader.Request.UserName); var cachedResponseIdentifier = await _responseStore.GetResponse(authHeader.Request.Identifier); if (cachedResponseIdentifier != null) { var expectedRequestPayload = authHeader.Request.Copy <RequestPayload>(); expectedRequestPayload.RequestCount = string.Format("{0:D8}", int.Parse(cachedResponseIdentifier.Response.RequestCount) + 1); var content = await request.Content.ReadAsByteArrayAsync(); var contentString = System.Text.Encoding.UTF8.GetString(content); var expectedAuthHeader = new AuthHeader { Request = expectedRequestPayload, Data = new DataPayload { ClientId = authHeader.Request.ClientId, Method = request.Method.Method, Password = userPassword, RequestBodyBase64 = Convert.ToBase64String(content), RequestURI = request.RequestUri.PathAndQuery, UserName = authHeader.Request.UserName } }; if (expectedAuthHeader.ToHMAC(clientSecret).Equals(request.Headers.Authorization.Parameter.Split(':')[1])) { var newResponse = authHeader.Request.ToResponsePayload(); await _responseStore.UpdateResponse(newResponse.Identifier, newResponse); request.GetRequestContext().Principal = new GenericPrincipal(new GenericIdentity(authHeader.Request.UserName), new string[] { }); } } } return(await base.SendAsync(request, cancellationToken) .ContinueWith(task => { var response = task.Result; if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized) { var responsePayload = new ResponsePayload { Identifier = Guid.NewGuid().ToString(), RequestCount = string.Format("{0:D8}", 0) }; response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("AuthAPI", responsePayload.ToBase64())); _responseStore.StoreResponse(responsePayload, DateTime.Now.AddMilliseconds(AuthAPIConfiguration.Instance.TokenExpirationMiliseconds)); } return response; })); }