        /// <summary>
        /// After the action has produced its result, re-issues the controller's security token
        /// as a response cookie so the client receives a freshly regenerated token on every
        /// authorised round trip. Does nothing for controllers that are not a
        /// <c>RestrictedControllerBase</c> or that carry no <c>SecurityToken</c>.
        /// </summary>
        /// <param name="filterContext">Result-executing context of the current request.</param>
        public override void OnResultExecuting(ResultExecutingContext filterContext)
        {
            base.OnResultExecuting(filterContext);

            var restricted = filterContext.Controller as RestrictedControllerBase;
            if (restricted == null || restricted.SecurityToken == null)
            {
                // Nothing to re-issue: either not a restricted controller or no token was attached.
                return;
            }

            var httpContext = filterContext.HttpContext;
            var regenerated = RegenerateToken(restricted.SecurityToken);
            var authCookie = TokenSerializer.GetCookieFromToken(regenerated);

            if (httpContext.Request.IsLocal)
            {
                // Local development only: the cookie is scoped to localhost and allowed over plain
                // http, otherwise the browser would never send it back to a non-TLS dev server.
                restricted.Logger.Info("Local development - not using a secure cookie");
                authCookie.Domain = "localhost";
                authCookie.Secure = false;
            }

            httpContext.Response.Cookies.Add(authCookie);
        }
        //TODO: log failures
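        /// <summary>
        /// Authenticates the request from its "auth" cookie and enforces the comma-separated
        /// role list in <c>Roles</c>. Actions or controllers marked with
        /// <see cref="AllowAnonymousAttribute"/> are skipped. Every failure (missing or unreadable
        /// cookie, expired or invalid token, role not in the allowed list) fails closed by
        /// redirecting to login through <c>RedirectToLogin</c> with a reason string; on success the
        /// token is attached to the controller as <c>SecurityToken</c>.
        /// </summary>
        /// <param name="filterContext">Authorization context of the current request.</param>
        public void OnAuthorization(AuthorizationContext filterContext)
        {
            var descriptor = filterContext.ActionDescriptor;
            bool skipAuthorization = descriptor.IsDefined(typeof(AllowAnonymousAttribute), true) ||
                                     descriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true);
            if (skipAuthorization)
            {
                return;
            }

            var request = filterContext.HttpContext.Request;
            var authCookie = request.Cookies["auth"];
            if (authCookie == null)
            {
                RedirectToLogin(filterContext, "No auth cookie in request");
                return;
            }

            var token = TokenSerializer.GetTokenFromCookie(authCookie);
            if (token == null)
            {
                // Fail closed: a cookie that does not deserialise into a token is unauthenticated,
                // not a server error.
                RedirectToLogin(filterContext, "Auth cookie could not be read");
                return;
            }

            // The client address is attached before any check, as in the original ordering;
            // TokenHasher presumably folds it into validation (token bound to the issuing IP) - confirm.
            token.IpAddress = request.UserHostAddress;

            if (TokenHasher.IsExpired(token))
            {
                RedirectToLogin(filterContext, "Token is expired");
                return;
            }

            if (!TokenHasher.IsValid(token))
            {
                RedirectToLogin(filterContext, string.Format("Token is invalid for {0}|{1}|{2} from {3}", token.UserId, token.RoleName, token.LocationId, token.IpAddress));
                return;
            }

            // Tolerate whitespace and empty entries in the configured list ("Admin, User,"), and a
            // null Roles value: with no allowed roles every request is rejected rather than throwing.
            var allowedRoles = (Roles ?? string.Empty)
                .Split(',')
                .Select(r => r.Trim())
                .Where(r => r.Length > 0);
            if (!allowedRoles.Contains(token.RoleName))
            {
                RedirectToLogin(filterContext, string.Format("{0} is an invalid role", token.RoleName));
                return;
            }

            var controller = filterContext.Controller as RestrictedControllerBase;
            if (controller != null)
            {
                controller.SecurityToken = token;
                controller.Logger.DebugFormat("Authentication passed for {0} from {1}", token.UserId, token.IpAddress);
            }
        }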