コード例 #1
        public Bootstrapper(IDbConnectionFactory connectionFactory)
        {
            _connectionFactory = connectionFactory;

            // Nancy diagnostics: error traces are left enabled and request tracing is on.
            // NOTE(review): error traces put stack traces into responses; that discloses
            // internals to clients, so confirm this is intended outside development.
            StaticConfiguration.DisableErrorTraces   = false;
            StaticConfiguration.EnableRequestTracing = true;

            // Cross-origin resource sharing: every response gets these headers appended.
            // NOTE(review): the "*" origin lets any site read responses; if responses carry
            // per-user data, restrict it to the known front-end origin(s) instead.
            var afterRequest = ApplicationPipelines.AfterRequest;
            afterRequest.AddItemToEndOfPipeline(ctx => ctx.Response.WithHeader("Access-Control-Allow-Origin", "*"));
            afterRequest.AddItemToEndOfPipeline(ctx => ctx.Response.WithHeader("Access-Control-Allow-Methods", "DELETE, GET, HEAD, POST, PUT, OPTIONS, PATCH"));
            afterRequest.AddItemToEndOfPipeline(ctx => ctx.Response.WithHeader("Access-Control-Allow-Headers", "Content-Type"));
            // NOTE(review): Accept is a request header, so emitting it on the response
            // looks like a no-op for clients — verify whether Content-Type was meant.
            afterRequest.AddItemToEndOfPipeline(ctx => ctx.Response.WithHeader("Accept", "application/json"));

            // Default format to JSON: a very low quality value (0.01) is appended so that
            // any Accept entry the client sent still takes precedence.
            var jsonFallback = new Tuple <string, decimal>("application/json", 0.01m);
            ApplicationPipelines.BeforeRequest.AddItemToStartOfPipeline(ctx => {
                ctx.Request.Headers.Accept = ctx.Request.Headers.Accept.Concat(jsonFallback);
                return(null);
            });

            // Require a secure connection: requests that IsSecure() rejects are answered by
            // the HTTPS hook configured to refuse (redirect: false) rather than redirect.
            var rejectInsecure = SecurityHooks.RequiresHttps(redirect: false);
            ApplicationPipelines.BeforeRequest.AddItemToEndOfPipeline(ctx => IsSecure(ctx) ? null : rejectInsecure(ctx));
        }
コード例 #2
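 /// <summary>
 /// Requires the caller to be authenticated AND to hold none of the given claims.
 /// Both checks are installed as before-request hooks on the module, so an
 /// unauthenticated caller is rejected before the claim check runs.
 /// </summary>
 /// <param name="module">Module to protect.</param>
 /// <param name="bannedClaims">Claim(s) whose presence denies access.</param>
 /// <exception cref="ArgumentNullException"><paramref name="module"/> is null.</exception>
 public static void DoesNotHaveClaim(this INancyModule module, params string[] bannedClaims)
 {
     if (module == null)
     {
         throw new ArgumentNullException("module");
     }

     module.AddBeforeHookOrExecute(SecurityHooks.RequiresAuthentication(), "Requires Authentication");
     module.AddBeforeHookOrExecute(DoesNotHaveClaims(bannedClaims), "Has Banned Claims");
 }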
コード例 #3
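        /// <summary>
        /// Registers the HTTPS requirement (release builds) and the stateless token
        /// authentication hook that resolves the current user on every request.
        /// </summary>
        /// <param name="container">IoC container handed over by Nancy.</param>
        /// <param name="pipelines">Application pipelines to hook into.</param>
        protected override void ApplicationStartup(Nancy.TinyIoc.TinyIoCContainer container, Nancy.Bootstrapper.IPipelines pipelines)
        {
            base.ApplicationStartup(container, pipelines);

#if !DEBUG
            // Release builds only: plain-HTTP requests are redirected to HTTPS so the
            // bearer token read below is not sent in clear text.
            pipelines.BeforeRequest.AddItemToEndOfPipeline(SecurityHooks.RequiresHttps(true));
#endif

            var statelessAuthenticationConfiguration = new StatelessAuthenticationConfiguration(context =>
            {
                // Token sources in precedence order: header, query string, cookie.
                string token = context.Request.Headers["X-AUTH-TOKEN"].FirstOrDefault();
                if (token == null && context.Request.Query.token.HasValue)
                {
                    // NOTE(review): a token in the query string tends to end up in server/proxy
                    // logs and Referer headers; the header or cookie is the safer channel.
                    token = context.Request.Query.token.Value;
                }
                if (token == null && context.Request.Cookies.ContainsKey("TOKEN"))
                {
                    token = context.Request.Cookies["TOKEN"];
                }

#if DEBUG
                // Debug builds only: an unauthenticated loopback caller is treated as a fixed
                // development user holding every listed claim. TryParse is used so a malformed
                // or missing UserHostAddress cannot throw out of the authentication hook.
                System.Net.IPAddress ip;
                if (token == null
                    && System.Net.IPAddress.TryParse(context.Request.UserHostAddress, out ip)
                    && System.Net.IPAddress.IsLoopback(ip))
                {
                    return(new User
                    {
                        UserName = "******",
                        Claims = new string[] { "Garage", "Tag", "HVAC", "GroupMe", "Torrent", "ChoreBotNag" }
                    });
                }
#endif

                // No usable token: anonymous request, Nancy's auth hooks reject it where required.
                if (String.IsNullOrWhiteSpace(token))
                {
                    return(null);
                }

                return(LookupUserByToken(token));
            });

            StatelessAuthentication.Enable(pipelines, statelessAuthenticationConfiguration);
        }

        /// <summary>
        /// Resolves the user that owns <paramref name="token"/> together with the names of
        /// every claim granted to that user.
        /// </summary>
        /// <param name="token">Opaque token value presented by the client.</param>
        /// <returns>The matching user, or <c>null</c> when no Token row has that value.</returns>
        private static User LookupUserByToken(string token)
        {
            using (var sql = new SqlConnection(CloudConfigurationManager.GetSetting("DatabaseConnection")))
            {
                sql.Open();
                // The command is disposed with the connection; the token is always bound as a
                // parameter and never concatenated into the statement.
                using (var check = sql.CreateCommand())
                {
                    check.CommandText = "SELECT [User].UserName, Claim.Name FROM Token JOIN [User] on [User].Id = Token.UserId LEFT JOIN Claim on Claim.UserId = [User].Id WHERE Token.Value = @token";
                    check.Parameters.AddWithValue("token", token);

                    var user = new User();
                    using (var reader = check.ExecuteReader())
                    {
                        // One row per (user, claim) pair; UserName is the same on every row.
                        while (reader.Read())
                        {
                            user.UserName = reader.GetString(0);

                            // The LEFT JOIN yields a NULL claim name for a user without claims.
                            if (!reader.IsDBNull(1))
                            {
                                // assumes User initialises Claims as a List<string> — TODO confirm
                                ((List <String>)user.Claims).Add(reader.GetString(1));
                            }
                        }
                    }

                    // No row means the token is unknown.
                    return(user.UserName != null ? user : null);
                }
            }
        }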