コード例 #1
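        /// <summary>
        /// Authenticates a signed request before it reaches the inner handler.
        /// The caller must send <c>X-Client</c>, <c>X-Nonce</c>, <c>Date</c> and
        /// <c>Authorization: Bearer &lt;base64 signature&gt;</c>. The canonical
        /// representation of the request is rebuilt, the client's secret looked up and
        /// the signature verified with <c>signingAlgorithm</c>; a request that fails any
        /// check is answered with 401 and a <c>WWW-Authenticate: Bearer</c> challenge.
        /// </summary>
        /// <param name="request">Incoming request.</param>
        /// <param name="cancellationToken">Forwarded to the inner handler.</param>
        /// <returns>The inner handler's response, or an Unauthorized response.</returns>
        protected override async Task<HttpResponseMessage> SendAsync(
            HttpRequestMessage request,
            CancellationToken cancellationToken)
        {
            if (IsSignedRequestValid(request))
            {
                return await base.SendAsync(request, cancellationToken);
            }

            // One response for every failure mode (missing header, unknown client,
            // stale Date, malformed or wrong signature) so the caller cannot tell
            // which check rejected the request.
            return new HttpResponseMessage(HttpStatusCode.Unauthorized)
            {
                Headers =
                {
                    { Headers.WWWAuthenticate, Schemas.Bearer }
                }
            };
        }

        /// <summary>
        /// Runs every authentication check on <paramref name="request"/>. Malformed
        /// client input is an authentication failure, never an exception: the previous
        /// version dereferenced <c>request.Content</c> unconditionally (null on a
        /// body-less GET) and let a non-base64 token escape as a FormatException, both
        /// of which surfaced as a 500 instead of a 401.
        /// </summary>
        /// <param name="request">Incoming request.</param>
        /// <returns><c>true</c> only when all checks pass.</returns>
        private bool IsSignedRequestValid(HttpRequestMessage request)
        {
            var headers = request.Headers;

            var client = headers.Contains(Headers.XClient)
                ? headers.GetValues(Headers.XClient).FirstOrDefault()
                : null;
            var nonce = headers.Contains(Headers.XNonce)
                ? headers.GetValues(Headers.XNonce).FirstOrDefault()
                : null;
            var scheme = headers.Authorization?.Scheme;
            var token  = headers.Authorization?.Parameter;

            if (client == null || nonce == null || token == null || scheme != Schemas.Bearer)
            {
                return false;
            }

            // A missing Date fails closed: without it the signature has no freshness bound.
            if (!headers.Date.HasValue)
            {
                return false;
            }
            var date = headers.Date.Value;

            // Bound the Date in both directions. The previous check was
            // `time.UtcNow - date <= clockSkew`, which only rejects dates too far in
            // the past; a Date far in the future gives a negative difference and passed.
            if ((time.UtcNow - date).Duration() > clockSkew)
            {
                return false;
            }

            // request.Content is null for requests without a body (typically GET/DELETE).
            var contentHeaders = request.Content?.Headers;

            var builder = new CannonicalRepresentationBuilder();
            var content = builder.BuildRepresentation(
                nonce,
                client,
                request.Method.Method,
                contentHeaders?.ContentType?.ToString(),
                headers.Accept.Select(x => x.ToString()).ToArray(),
                contentHeaders?.ContentMD5,
                date,
                request.RequestUri);

            byte[] signature;
            try
            {
                signature = Convert.FromBase64String(token);
            }
            catch (FormatException)
            {
                // Not valid base64: treat as a bad signature rather than a server error.
                return false;
            }

            // NOTE(review): the nonce is bound into the signature but its uniqueness is
            // never checked, so a captured request replays successfully for as long as
            // its Date stays within clockSkew. A per-client nonce cache covering the skew
            // window would close that; this handler has no store for it.
            SecureString secret = secretRepository.GetSecret(client);
            if (secret == null)
            {
                return false;
            }

            return signingAlgorithm.Verify(
                secret,
                Encoding.UTF8.GetBytes(content),
                signature);
        }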
コード例 #2
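        /// <summary>
        /// Validates the signature on an OWIN request. The request must carry a client
        /// id and a nonce (via <c>GetClient</c>/<c>GetNonce</c>), a parseable <c>Date</c>
        /// and an <c>Authorization: Bearer &lt;base64 signature&gt;</c> header. The
        /// canonical representation is rebuilt and verified against the client's secret
        /// with <paramref name="algorithm"/>.
        /// </summary>
        /// <param name="req">Incoming request.</param>
        /// <param name="algorithm">Signature verifier.</param>
        /// <param name="secretRepository">Lookup of the per-client secret.</param>
        /// <param name="time">Clock for the freshness check (injected so tests can fix "now").</param>
        /// <param name="clockSkew">Maximum distance allowed between the request's Date and now, in either direction.</param>
        /// <returns>
        /// <c>true</c> only when every check passes; <c>false</c> otherwise. Malformed
        /// client input (bad base64, missing Accept) is reported as <c>false</c> — the
        /// previous version let those escape as exceptions, i.e. a 500 instead of a 401.
        /// </returns>
        internal static bool Validate(IOwinRequest req, ISigningAlgorithm algorithm, ISecretRepository secretRepository, ITime time, TimeSpan clockSkew)
        {
            var h = req.Headers;

            var client = GetClient(req);
            var nonce  = GetNonce(req);
            if (client == null || nonce == null)
            {
                return false;
            }

            // Accept exactly "Bearer <token>"; a missing header, another scheme or
            // extra whitespace is rejected.
            var auth = h.Get(Headers.Authorization)?.Split(' ');
            if (auth == null || auth.Length != 2 || auth[0] != Schemas.Bearer)
            {
                return false;
            }
            var token = auth[1];

            // Parse Date with the invariant culture: the previous call used the host's
            // current culture, so the same request could pass or fail depending on the
            // server's locale. A missing or unparseable Date fails closed.
            DateTimeOffset date;
            if (!DateTimeOffset.TryParse(
                    h.Get(Headers.Date),
                    System.Globalization.CultureInfo.InvariantCulture,
                    System.Globalization.DateTimeStyles.None,
                    out date))
            {
                return false;
            }

            // Bound the Date in both directions. `time.UtcNow - date <= clockSkew` alone
            // only rejects dates too far in the past; a Date far in the future yields a
            // negative difference and always passed.
            if ((time.UtcNow - date).Duration() > clockSkew)
            {
                return false;
            }

            byte[] contentMd5;
            byte[] signature;
            try
            {
                var contentMd5Header = h.Get(Headers.ContentMD5);
                contentMd5 = contentMd5Header == null ? null : Convert.FromBase64String(contentMd5Header);
                signature  = Convert.FromBase64String(token);
            }
            catch (FormatException)
            {
                // Client-supplied base64 that does not decode is an auth failure,
                // not a server error.
                return false;
            }

            // req.Accept is the raw header value and can be null when the header is
            // absent; Split would throw. Use an empty list instead, which is what the
            // HttpRequestMessage-based variant of this check produces for no Accept.
            var accept = req.Accept == null ? new string[0] : req.Accept.Split(',');

            var builder = new CannonicalRepresentationBuilder();
            var content = builder.BuildRepresentation(
                nonce,
                client,
                req.Method,
                req.ContentType,
                accept,
                contentMd5,
                date,
                req.Uri);

            // NOTE(review): the nonce is signed but never checked for reuse, so a captured
            // request replays successfully until its Date falls outside clockSkew. A
            // per-client nonce cache covering the skew window would close that; nothing
            // here stores nonces.
            SecureString secret = secretRepository.GetSecret(client);
            if (secret == null)
            {
                return false;
            }

            return algorithm.Verify(
                secret,
                Encoding.UTF8.GetBytes(content),
                signature);
        }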