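        /// <summary>
        /// Requests a password-grant token from the server's <c>token</c> endpoint and stores it in <c>_token</c>.
        /// </summary>
        /// <param name="userName">Account name, sent as the <c>username</c> form field.</param>
        /// <param name="password">Account password, sent as the <c>password</c> form field.</param>
        /// <exception cref="InvalidOperationException">
        /// The endpoint answered with a non-success status code. Previously an
        /// <see cref="ArgumentNullException"/> was thrown with the message in the parameter-name slot.
        /// </exception>
        /// <remarks>
        /// The endpoint URL is derived from <c>ServerUrl</c> by removing the <c>api/</c> segment and appending
        /// <c>token</c>. The method blocks on the HTTP call because its signature is synchronous; callers that
        /// can await should prefer an async counterpart.
        /// </remarks>
        private void GetToken(string userName, string password)
        {
            using (var client = new HttpClient())
            {
                var tokenUrl = ServerUrl.Replace("api/", "") + "token";

                // Accept describes the response we can parse (ReadAsAsync negotiates on the response media type).
                // The request body's own media type is set by FormUrlEncodedContent below.
                client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
                client.Timeout = TimeSpan.FromSeconds(30);

                // FormUrlEncodedContent percent-encodes each value, so credentials containing '&', '=', '%'
                // or non-ASCII characters cannot break out of their field or corrupt the body.
                var form = new FormUrlEncodedContent(new System.Collections.Generic.Dictionary<string, string>
                {
                    { "username", userName },
                    { "password", password },
                    { "grant_type", "password" },
                });

                // GetAwaiter().GetResult() surfaces the original exception rather than wrapping it in an
                // AggregateException the way .Result does.
                using (var result = client.PostAsync(tokenUrl, form).GetAwaiter().GetResult())
                {
                    if (!result.IsSuccessStatusCode)
                    {
                        // Report only the status; the response body is not included so server error details
                        // do not end up in logs or user-facing error text.
                        throw new InvalidOperationException(
                            "Failed to get auth token: server returned HTTP " + (int)result.StatusCode + " " + result.ReasonPhrase);
                    }

                    _token = result.Content.ReadAsAsync<TokenResponce>().GetAwaiter().GetResult();
                }
            }
        }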
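        /// <summary>
        /// Issues a JWT for the supplied credentials when they match a stored user.
        /// </summary>
        /// <param name="credentials">Username and password posted by the client.</param>
        /// <returns>
        /// 200 with a <see cref="TokenResponce"/> carrying the token when the credentials match a user record;
        /// 401 for a null or invalid model and for non-matching credentials alike, so the response does not
        /// reveal whether the username exists.
        /// </returns>
        public ActionResult Post(UserCredentials credentials)
        {
            // TODO: the password is compared in clear text against the stored value. Store a salted, slow
            // hash (PBKDF2 / bcrypt / Argon2 — not bare SHA1, which is fast and unsalted) and verify it
            // in code with a constant-time comparison instead of a database equality predicate.
            if (credentials == null || !ModelState.IsValid)
            {
                return Unauthorized();
            }

            using (euanmortoncoukContext db = new euanmortoncoukContext())
            {
                // If db.Users is a database-backed query, equality is evaluated by the provider and case
                // sensitivity follows the column collation rather than string.Equals semantics — verify.
                var user = db.Users
                    .Where(a => a.Username.Equals(credentials.Username) && a.Password.Equals(credentials.Password))
                    .FirstOrDefault();
                if (user == null)
                {
                    return Unauthorized();
                }

                // Credentials accepted: mint the token.
                var responce = new TokenResponce
                {
                    token   = GenerateJWT(credentials),
                    message = "Token aquired",
                };
                return Ok(responce);
            }
        }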
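        /// <summary>
        /// Web API action-filter hook: short-circuits the request unless it carries a token in the
        /// <c>Authorization</c> header that <c>Token.ValidateUserToken</c> accepts.
        /// </summary>
        /// <param name="actionContext">
        /// Context of the action about to run; setting its <c>Response</c> stops the pipeline before the action.
        /// </param>
        /// <remarks>
        /// Outcomes: 403 "Missing Flow-Token" when the header is absent, has no parameter or cannot be parsed;
        /// 400 with the validator's reason when the token is rejected; 403 "Invalid Flow-Token" when validation
        /// throws; otherwise the call falls through to <c>base.OnActionExecuting</c>. The 403 codes are kept
        /// for compatibility with existing clients even though 401 is the conventional answer for a missing
        /// credential.
        /// </remarks>
        public override void OnActionExecuting(System.Web.Http.Controllers.HttpActionContext actionContext)
        {
            string token;
            try
            {
                // The typed Authorization accessor throws on a malformed header value, hence the try/catch.
                var authorization = actionContext.Request.Headers.Authorization;

                // Parameter is the part after the scheme; a header without one is treated as no token at all.
                if (authorization == null || authorization.Parameter == null)
                {
                    actionContext.Response = CreateRejection(System.Net.HttpStatusCode.Forbidden, "Missing Flow-Token");
                    return;
                }

                token = authorization.Parameter;
            }
            catch (Exception)
            {
                actionContext.Response = CreateRejection(System.Net.HttpStatusCode.Forbidden, "Missing Flow-Token");
                return;
            }

            // We have a token; now validate it.
            try
            {
                // The referrer's authority is handed to the validator so the token can be tied to the calling site.
                var referrer = actionContext.Request.Headers.Referrer;
                string callerUrl = referrer == null ? string.Empty : referrer.Authority;

                // NOTE(review): tokens prefixed "Ng6App" skip validation entirely. The prefix is supplied by the
                // client, so any caller can opt out of validation by sending it. Unless such tokens are verified
                // elsewhere in the pipeline, this branch is an authentication bypass and should be removed or
                // replaced with real validation of Ng6App tokens. Ordinal comparison keeps the check
                // culture-independent.
                if (!token.StartsWith("Ng6App", StringComparison.Ordinal))
                {
                    using (Token t = new Token())
                    using (TokenResponce result = t.ValidateUserToken(token, callerUrl))
                    {
                        if (!result.IsTokenValid)
                        {
                            actionContext.Response = CreateRejection(System.Net.HttpStatusCode.BadRequest, result.Reason);
                            return;
                        }
                    }
                }
            }
            catch (Exception exp)
            {
                // The exception text is kept server-side: echoing it to the client can reveal validator
                // internals (key names, parsing details) that help an attacker refine forged tokens.
                System.Diagnostics.Trace.TraceError("Token validation threw: {0}", exp);
                actionContext.Response = CreateRejection(System.Net.HttpStatusCode.Forbidden, "Invalid Flow-Token");
                return;
            }

            base.OnActionExecuting(actionContext);
        }

        /// <summary>
        /// Builds the plain-text response used to short-circuit a request that failed token checks.
        /// </summary>
        /// <param name="status">HTTP status to return.</param>
        /// <param name="reason">Body text shown to the client.</param>
        /// <returns>A response whose content is <paramref name="reason"/>.</returns>
        private static HttpResponseMessage CreateRejection(System.Net.HttpStatusCode status, string reason)
        {
            return new HttpResponseMessage(status)
            {
                Content = new StringContent(reason)
            };
        }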