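/// <summary>
/// Authenticates a request that carries a Basic authorization header plus a
/// customer GUID header, and resolves the matching <see cref="Customer"/>.
/// The token's user name must belong to the customer named by the GUID header,
/// so a valid token cannot be paired with an arbitrary customer GUID.
/// </summary>
/// <param name="actionContext">The Web API action context; only its request headers are read.</param>
/// <param name="dependencyScope">Scope passed through to <c>GetCustomerByGuId</c> and <c>HasPermission</c>.</param>
/// <param name="controllingData">Cached switches; only <c>ApiUnavailable</c> is consulted by this overload.</param>
/// <param name="utcNow">Not used by this overload; kept so the signature stays compatible with existing callers.</param>
/// <param name="customer">
/// Set to the customer resolved from the GUID header as soon as it is found. It stays set when the
/// permission or user-name check fails afterwards, so callers must key on the returned result and
/// never treat a non-null customer as proof of success.
/// </param>
/// <returns>An <see cref="HmacResult"/> naming the first failed check, or <c>HmacResult.Success</c>.</returns>
protected virtual HmacResult IsAuthenticated(
    HttpActionContext actionContext,
    IDependencyScope dependencyScope,
    WebApiControllingCacheData controllingData,
    DateTime utcNow,
    out Customer customer)
{
    // HTTP header names are case-insensitive, so the exact casing is cosmetic;
    // one constant keeps the presence check and the value read in step.
    const string customerGuidHeader = "CustomerGuid";

    customer = null;

    // HttpContext.Current is null outside the ASP.NET pipeline; guarding it
    // here turns a NullReferenceException into a reported failure.
    HttpContext httpContext = HttpContext.Current;
    HttpRequest request = httpContext == null ? null : httpContext.Request;
    if (request == null)
    {
        return HmacResult.FailedForUnknownReason;
    }

    if (controllingData.ApiUnavailable)
    {
        return HmacResult.ApiUnavailable;
    }

    var authorization = actionContext.Request.Headers.Authorization;

    // The scheme is a protocol token: compare it ordinally rather than with the
    // culture-sensitive string.CompareTo.
    if (authorization == null
        || authorization.Scheme.IsEmpty()
        || authorization.Parameter.IsEmpty()
        || !string.Equals(authorization.Scheme, "Basic", StringComparison.Ordinal)
        || !actionContext.Request.Headers.Contains(customerGuidHeader))
    {
        return HmacResult.InvalidAuthorizationHeader;
    }

    string tokenUsername = ValidateToken(authorization.Parameter);
    if (tokenUsername == null)
    {
        return HmacResult.UserUnknown;
    }

    string customerGuid = actionContext.Request.Headers.GetValues(customerGuidHeader).FirstOrDefault();
    if (customerGuid == null)
    {
        return HmacResult.UserUnknown;
    }

    customer = GetCustomerByGuId(dependencyScope, customerGuid);
    if (customer == null)
    {
        return HmacResult.UserUnknown;
    }

    if (!HasPermission(dependencyScope, customer))
    {
        return HmacResult.UserHasNoPermission;
    }

    // Bind the token to the customer: the user name carried by the token must be
    // the e-mail of the customer the GUID header points at. string.Equals copes
    // with a null Email, where Email.Equals(...) would throw.
    return string.Equals(customer.Email, tokenUsername, StringComparison.Ordinal)
        ? HmacResult.Success
        : HmacResult.UserUnknown;
}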
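/// <summary>
/// Authenticates an HMAC-signed request. In order: API availability, public key
/// header, authorization header, timestamp syntax and clock skew, signing user
/// (known, enabled, replay check), Content-MD5, message representation,
/// signature (with an optional empty-MD5 fallback), and finally the owning
/// customer's state and permissions.
/// </summary>
/// <param name="actionContext">The Web API action context whose request is being authenticated.</param>
/// <param name="now">Reference time the request's Date header is compared against.</param>
/// <param name="cacheControllingData">
/// Cached switches: <c>ApiUnavailable</c>, <c>ValidMinutePeriod</c> (accepted clock skew),
/// <c>NoRequestTimestampValidation</c> (disables the replay check) and <c>AllowEmptyMd5Hash</c>.
/// </param>
/// <param name="customer">
/// Set once the API user's customer has been loaded. It stays set when the inactive or
/// permission check fails afterwards, so callers must key on the returned result.
/// </param>
/// <returns>An <see cref="HmacResult"/> naming the first failed check, or <c>HmacResult.Success</c>.</returns>
protected virtual HmacResult IsAuthenticated(HttpActionContext actionContext, DateTime now, WebApiControllingCacheData cacheControllingData, out Customer customer)
{
    customer = null;

    // HttpContext.Current is null outside the ASP.NET pipeline; guarding it
    // here turns a NullReferenceException into a reported failure.
    HttpContext httpContext = HttpContext.Current;
    HttpRequest request = httpContext == null ? null : httpContext.Request;
    if (request == null)
    {
        return HmacResult.FailedForUnknownReason;
    }

    if (cacheControllingData.ApiUnavailable)
    {
        return HmacResult.ApiUnavailable;
    }

    // Both spellings of the MD5 header are accepted from clients.
    string headContentMd5 = request.Headers["Content-Md5"] ?? request.Headers["Content-MD5"];
    string headTimestamp = request.Headers[WebApiGlobal.Header.Date];
    string headPublicKey = request.Headers[WebApiGlobal.Header.PublicKey];

    if (string.IsNullOrWhiteSpace(headPublicKey))
    {
        return HmacResult.UserInvalid;
    }

    // A request without an Authorization header is a rejected request, not a
    // NullReferenceException from reading .Scheme on null.
    var authorization = actionContext.Request.Headers.Authorization;
    if (authorization == null || !_hmac.IsAuthorizationHeaderValid(authorization.Scheme, authorization.Parameter))
    {
        return HmacResult.InvalidAuthorizationHeader;
    }
    string signatureConsumer = authorization.Parameter;

    DateTime headDateTime;
    if (!_hmac.ParseTimestamp(headTimestamp, out headDateTime))
    {
        return HmacResult.InvalidTimestamp;
    }

    // Accepted clock skew, in minutes, with a global default when unconfigured.
    int maxMinutes = cacheControllingData.ValidMinutePeriod <= 0
        ? WebApiGlobal.DefaultTimePeriodMinutes
        : cacheControllingData.ValidMinutePeriod;
    if (Math.Abs((headDateTime - now).TotalMinutes) > maxMinutes)
    {
        return HmacResult.TimestampOutOfPeriod;
    }

    var cacheUserData = WebApiCachingUserData.Data();
    var apiUser = cacheUserData.FirstOrDefault(x => x.PublicKey == headPublicKey);
    if (apiUser == null)
    {
        return HmacResult.UserUnknown;
    }
    if (!apiUser.Enabled)
    {
        return HmacResult.UserDisabled;
    }

    // Replay protection: each request must carry a timestamp newer than the
    // last one accepted for this user, unless the switch turns the check off.
    if (!cacheControllingData.NoRequestTimestampValidation
        && apiUser.LastRequest.HasValue
        && headDateTime <= apiUser.LastRequest.Value)
    {
        return HmacResult.TimestampOlderThanLastRequest;
    }

    // The URL is part of the signed message, so its lowercasing must not depend
    // on the server culture (ToLower would differ under e.g. a Turkish culture).
    // NOTE(review): this lowercases the whole absolute URI, query values included;
    // presumably the client signs the same form — confirm against the client SDK.
    var context = new WebApiRequestContext
    {
        HttpMethod = request.HttpMethod,
        HttpAcceptType = request.Headers["Accept"],
        PublicKey = headPublicKey,
        SecretKey = apiUser.SecretKey,
        Url = HttpUtility.UrlDecode(request.Url.AbsoluteUri.ToLowerInvariant())
    };

    // If the client sent a Content-MD5 it must match the body actually received.
    string contentMd5 = CreateContentMd5Hash(actionContext.Request);
    if (headContentMd5.HasValue() && headContentMd5 != contentMd5)
    {
        return HmacResult.ContentMd5NotMatching;
    }

    string messageRepresentation = _hmac.CreateMessageRepresentation(context, contentMd5, headTimestamp);
    if (string.IsNullOrEmpty(messageRepresentation))
    {
        return HmacResult.MissingMessageRepresentationParameter;
    }

    string signatureProvider = _hmac.CreateSignature(apiUser.SecretKey, messageRepresentation);
    if (!SignaturesMatch(signatureProvider, signatureConsumer))
    {
        // Optional fallback for clients that sign with an empty MD5 field: the
        // signature is recomputed over the representation without the hash.
        if (!cacheControllingData.AllowEmptyMd5Hash)
        {
            return HmacResult.InvalidSignature;
        }

        messageRepresentation = _hmac.CreateMessageRepresentation(context, null, headTimestamp);
        signatureProvider = _hmac.CreateSignature(apiUser.SecretKey, messageRepresentation);
        if (!SignaturesMatch(signatureProvider, signatureConsumer))
        {
            return HmacResult.InvalidSignature;
        }
    }

    customer = GetCustomer(apiUser.CustomerId);
    if (customer == null)
    {
        return HmacResult.UserUnknown;
    }
    if (!customer.Active || customer.Deleted)
    {
        return HmacResult.UserIsInactive;
    }
    if (!HasPermission(actionContext, customer))
    {
        return HmacResult.UserHasNoPermission;
    }

    // Record the accepted request timestamp for the replay check above.
    apiUser.LastRequest = headDateTime;
    return HmacResult.Success;
}

/// <summary>
/// Compares the computed and the presented signature in constant time. A plain
/// string comparison returns at the first differing character, which leaks how
/// much of the signature was correct through response timing.
/// </summary>
/// <param name="expected">Signature computed by the server.</param>
/// <param name="presented">Signature taken from the request's Authorization header.</param>
/// <returns>true when both are null or character-for-character equal; false otherwise.</returns>
private static bool SignaturesMatch(string expected, string presented)
{
    if (expected == null || presented == null)
    {
        return expected == presented;
    }

    // Fold every position into one accumulator instead of breaking early; a
    // length mismatch is folded in the same way.
    int difference = expected.Length ^ presented.Length;
    int length = Math.Min(expected.Length, presented.Length);
    for (int i = 0; i < length; i++)
    {
        difference |= expected[i] ^ presented[i];
    }
    return difference == 0;
}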
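/// <summary>
/// Authenticates an HMAC-signed request. In order: API availability, public key
/// header, authorization header, timestamp syntax and clock skew, signing user
/// (known, enabled, replay check), Content-MD5, message representation,
/// signature, and finally the owning customer's state and permissions.
/// </summary>
/// <param name="actionContext">The Web API action context whose request is being authenticated.</param>
/// <param name="now">Reference time the request's Date header is compared against; also recorded as the user's last request time on success.</param>
/// <param name="cacheControllingData">Cached switches: <c>ApiUnavailable</c> and <c>ValidMinutePeriod</c> (accepted clock skew).</param>
/// <param name="customer">
/// Set once the API user's customer has been loaded. It stays set when the inactive or
/// permission check fails afterwards, so callers must key on the returned result.
/// </param>
/// <returns>An <see cref="HmacResult"/> naming the first failed check, or <c>HmacResult.Success</c>.</returns>
protected virtual HmacResult IsAuthenticated(HttpActionContext actionContext, DateTime now, WebApiControllingCacheData cacheControllingData, out Customer customer)
{
    customer = null;

    // HttpContext.Current is null outside the ASP.NET pipeline; guarding it
    // here turns a NullReferenceException into a reported failure.
    HttpContext httpContext = HttpContext.Current;
    HttpRequest request = httpContext == null ? null : httpContext.Request;
    if (request == null)
    {
        return HmacResult.FailedForUnknownReason;
    }

    if (cacheControllingData.ApiUnavailable)
    {
        return HmacResult.ApiUnavailable;
    }

    // Both spellings of the MD5 header are accepted from clients.
    string headContentMd5 = request.Headers["Content-Md5"] ?? request.Headers["Content-MD5"];
    string headTimestamp = request.Headers[WebApiGlobal.Header.Date];
    string headPublicKey = request.Headers[WebApiGlobal.Header.PublicKey];

    if (string.IsNullOrWhiteSpace(headPublicKey))
    {
        return HmacResult.UserInvalid;
    }

    // A request without an Authorization header is a rejected request, not a
    // NullReferenceException from reading .Scheme on null.
    var authorization = actionContext.Request.Headers.Authorization;
    if (authorization == null || !_hmac.IsAuthorizationHeaderValid(authorization.Scheme, authorization.Parameter))
    {
        return HmacResult.InvalidAuthorizationHeader;
    }
    string signatureConsumer = authorization.Parameter;

    DateTime headDateTime;
    if (!_hmac.ParseTimestamp(headTimestamp, out headDateTime))
    {
        return HmacResult.InvalidTimestamp;
    }

    // Accepted clock skew, in minutes, with a global default when unconfigured.
    int maxMinutes = cacheControllingData.ValidMinutePeriod <= 0
        ? WebApiGlobal.DefaultTimePeriodMinutes
        : cacheControllingData.ValidMinutePeriod;
    if (Math.Abs((headDateTime - now).TotalMinutes) > maxMinutes)
    {
        return HmacResult.TimestampOutOfPeriod;
    }

    var cacheUserData = WebApiCaching.UserData();
    var apiUser = cacheUserData.FirstOrDefault(x => x.PublicKey == headPublicKey);
    if (apiUser == null)
    {
        return HmacResult.UserUnknown;
    }
    if (!apiUser.Enabled)
    {
        return HmacResult.UserDisabled;
    }

    // Replay protection: each request must carry a timestamp newer than the
    // last one accepted for this user.
    if (apiUser.LastRequest.HasValue && headDateTime <= apiUser.LastRequest.Value)
    {
        return HmacResult.TimestampOlderThanLastRequest;
    }

    // The URL is part of the signed message, so its lowercasing must not depend
    // on the server culture (ToLower would differ under e.g. a Turkish culture).
    // NOTE(review): this lowercases the whole absolute URI, query values included;
    // presumably the client signs the same form — confirm against the client SDK.
    var context = new WebApiRequestContext()
    {
        HttpMethod = request.HttpMethod,
        HttpAcceptType = request.Headers["Accept"],
        PublicKey = headPublicKey,
        SecretKey = apiUser.SecretKey,
        Url = HttpUtility.UrlDecode(request.Url.AbsoluteUri.ToLowerInvariant())
    };

    // If the client sent a Content-MD5 it must match the body actually received.
    string contentMd5 = CreateContentMd5Hash(actionContext.Request);
    if (headContentMd5.HasValue() && headContentMd5 != contentMd5)
    {
        return HmacResult.ContentMd5NotMatching;
    }

    string messageRepresentation = _hmac.CreateMessageRepresentation(context, contentMd5, headTimestamp);
    if (string.IsNullOrEmpty(messageRepresentation))
    {
        return HmacResult.MissingMessageRepresentationParameter;
    }

    string signatureProvider = _hmac.CreateSignature(apiUser.SecretKey, messageRepresentation);
    if (!SignaturesMatch(signatureProvider, signatureConsumer))
    {
        return HmacResult.InvalidSignature;
    }

    customer = GetCustomer(apiUser.CustomerId);
    if (customer == null)
    {
        return HmacResult.UserUnknown;
    }
    // A deleted or deactivated customer must not keep authenticating through a
    // still-enabled API user.
    if (!customer.Active || customer.Deleted)
    {
        return HmacResult.UserIsInactive;
    }
    if (!HasPermission(actionContext, customer))
    {
        return HmacResult.UserHasNoPermission;
    }

    // NOTE(review): the replay check above compares the request's own timestamp
    // against LastRequest, but server time is stored here; a client whose clock
    // runs slightly behind the server can thus fail its next request — confirm
    // whether headDateTime is the intended value.
    apiUser.LastRequest = now;
    return HmacResult.Success;
}

/// <summary>
/// Compares the computed and the presented signature in constant time. A plain
/// string comparison returns at the first differing character, which leaks how
/// much of the signature was correct through response timing.
/// </summary>
/// <param name="expected">Signature computed by the server.</param>
/// <param name="presented">Signature taken from the request's Authorization header.</param>
/// <returns>true when both are null or character-for-character equal; false otherwise.</returns>
private static bool SignaturesMatch(string expected, string presented)
{
    if (expected == null || presented == null)
    {
        return expected == presented;
    }

    // Fold every position into one accumulator instead of breaking early; a
    // length mismatch is folded in the same way.
    int difference = expected.Length ^ presented.Length;
    int length = Math.Min(expected.Length, presented.Length);
    for (int i = 0; i < length; i++)
    {
        difference |= expected[i] ^ presented[i];
    }
    return difference == 0;
}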