コード例 #1
0
        protected async override Task <AuthenticateResult> HandleAuthenticateAsync()
        {
            var header = SplitAuthenticationHeader();

            if (header == null)
            {
                return(AuthenticateResult.NoResult());
            }

            // Verify that request data is within acceptable time
            if (!DateTimeOffset.TryParseExact(Request.Headers[DateHeader], "r", System.Globalization.CultureInfo.InvariantCulture, System.Globalization.DateTimeStyles.AssumeUniversal, out DateTimeOffset requestDate))
            {
                return(AuthenticateResult.Fail("Unable to parse Date header"));
            }

            if (requestDate > Clock.UtcNow.Add(Options.AllowedDateDrift) || requestDate < Clock.UtcNow.Subtract(Options.AllowedDateDrift))
            {
                return(AuthenticateResult.Fail("Date is drifted more than allowed, adjust your time settings."));
            }

            // Lookup and verify secret
            Logger.LogDebug("Looking up secret for {Id}", header.Value.id);
            var secret = await lookup.LookupAsync(header.Value.id);

            if (secret == null)
            {
                Logger.LogInformation("No secret found for {Id}", header.Value.id);
                return(AuthenticateResult.Fail("Invalid id"));
            }
            else if (secret.Length != 32)
            {
                Logger.LogError("Secret must be 32 bytes in size");
                throw new InvalidOperationException("Incorrect secret size");
            }

            // Check signature
            string serverSignature = SignatureHelper.Calculate(secret, SignatureHelper.Generate(requestDate, Request.ContentLength ?? 0, Request.Method, Request.Path, Request.QueryString.Value));

            Logger.LogDebug("Calculated server side signature {signature}", serverSignature);

            if (serverSignature.Equals(header.Value.signature))
            {
                return(AuthenticateResult.Success(new AuthenticationTicket(
                                                      new GenericPrincipal(new GenericIdentity(header.Value.id), Options.GetRolesForId?.Invoke(header.Value.id) ?? null),
                                                      new AuthenticationProperties()
                {
                    IsPersistent = false, AllowRefresh = false
                },
                                                      Options.Schema)));
            }
            else
            {
                return(AuthenticateResult.Fail("Invalid signature"));
            }
        }
コード例 #2
0
        protected async override Task <AuthenticateResult> HandleAuthenticateAsync()
        {
            var header = SplitAuthenticationHeader();

            if (header == null)
            {
                return(AuthenticateResult.NoResult());
            }

            // Verify that request data is within acceptable time
            if (!DateTimeOffset.TryParseExact(Request.Headers[DateHeader], "r", System.Globalization.CultureInfo.InvariantCulture, System.Globalization.DateTimeStyles.AssumeUniversal, out DateTimeOffset requestDate))
            {
                return(AuthenticateResult.Fail("Unable to parse Date header"));
            }

            if (requestDate > Clock.UtcNow.Add(Options.AllowedDateDrift) || requestDate < Clock.UtcNow.Subtract(Options.AllowedDateDrift))
            {
                return(AuthenticateResult.Fail("Date drifted more than allowed, adjust your time settings."));
            }

            var nonce = Request.Headers[NonceHeader];

            if (!string.IsNullOrEmpty(nonce))
            {
                if (cache.TryGetValue(nonce, out string _))
                {
                    return(AuthenticateResult.Fail("This message has already been processed"));
                }

                //At two times the allowed drift the nonce cache will make sure we never have a repeat message within the allowed drift and outside the allowed drift the message will be invalid due to drift
                cache.Set <string>(nonce, nonce, TimeSpan.FromTicks(Options.AllowedDateDrift.Ticks * 2));
            }

            // Lookup and verify secret
            Logger.LogDebug("Looking up secret for {Id}", header.Value.id);
            var secret = await lookup.LookupAsync(header.Value.id);

            if (secret == null)
            {
                Logger.LogInformation("No secret found for {Id}", header.Value.id);
                return(AuthenticateResult.Fail("Invalid id"));
            }

            // Check signature
            string serverSignature = SignatureHelper.Calculate(secret, SignatureHelper.Generate(requestDate, await StreamToStringAsync(Request), Request.Method, Request.Path, Request.QueryString.Value, nonce.ToString()));;

            Logger.LogDebug("Calculated server side signature {signature}", serverSignature);

            if (serverSignature.Equals(header.Value.signature))
            {
                return(AuthenticateResult.Success(new AuthenticationTicket(
                                                      new GenericPrincipal(new GenericIdentity(header.Value.id), Options.GetRolesForId?.Invoke(header.Value.id) ?? null),
                                                      new AuthenticationProperties()
                {
                    IsPersistent = false, AllowRefresh = false
                },
                                                      Options.Schema)));
            }
            else
            {
                return(AuthenticateResult.Fail("Invalid signature"));
            }
        }