/// <summary>
/// Called when action starts executing.
/// </summary>
/// <param name="context">The action context.</param>
public override void OnActionExecuting(HttpActionContext context)
{
string actionName = context.GetFullActionName();
// Log the action entry
var message = new StringBuilder();
message.Append($"Entering action '{actionName}'.");
if (context.ActionArguments.Count > 0)
{
message.AppendLine().Append("Action parameters:");
foreach (KeyValuePair <string, object> parameter in context.ActionArguments)
{
object valueToLog = parameter.Value;
var login = parameter.Value as LoginRequest;
if (login != null)
{
valueToLog = new LoginRequest
{
Username = login.Username,
Password = CommonHelper.PasswordMask
};
}
string argumentDesctiption = CommonHelper.GetObjectDescription(valueToLog);
message.AppendLine().Append($"\t {parameter.Key}: {argumentDesctiption}");
}
}
Logger.Debug(message.ToString());
}
/// <summary>
/// Validates user token and authorization.
/// </summary>
///
/// <remarks>
/// All exceptions from back-end services will be propagated.
/// </remarks>
///
/// <param name="context">The action context.</param>
public override void OnActionExecuting(HttpActionContext context)
{
string methodName = $"{nameof(AuthorizationFilter)}.{nameof(OnActionExecuting)}";
Logger.DebugFormat("Entering '{0}' to validate the token.", methodName);
// skip controllers or actions which allow anonymous access
var actionDescriptor = context.ActionDescriptor;
if (actionDescriptor.GetCustomAttributes <AllowAnonymousAttribute>(true).Any() ||
actionDescriptor.ControllerDescriptor.GetCustomAttributes <AllowAnonymousAttribute>(true).Any())
{
Logger.DebugFormat("Token is not required for this action.");
return;
}
string errorMessage = null;
HttpStatusCode code = HttpStatusCode.OK;
if (context.Request.Headers.Authorization != null &&
context.Request.Headers.Authorization.Scheme == "Bearer")
{
// perform authentication
User user = SecurityService.Authenticate(context.Request.Headers.Authorization.Parameter);
if (user == null)
{
code = HttpStatusCode.Unauthorized;
errorMessage = "Token was not found or has been expired.";
}
else
{
// check authorization
string actionName = context.GetFullActionName(false);
if (!SecurityService.IsAuthorized(actionName))
{
code = HttpStatusCode.Forbidden;
errorMessage = "You are not authorized to perform this action.";
}
else
{
context.Request.Properties.Add(Helper.CurrentUserPropertyName, user);
Logger.Debug("Token is valid.");
}
}
}
else
{
code = HttpStatusCode.Unauthorized;
errorMessage = "Bearer Token is missing.";
}
if (code != HttpStatusCode.OK)
{
context.Response = new HttpResponseMessage(code);
context.Response.Content = new StringContent(errorMessage);
Logger.DebugFormat(errorMessage);
}
Logger.DebugFormat("Exiting '{0}'.", methodName);
}
/// <summary>
/// Validates user token and authorization.
/// </summary>
///
/// <remarks>
/// All exceptions from back-end services will be propagated.
/// </remarks>
///
/// <param name="context">The action context.</param>
///
/// <exception cref="AuthenticationException">
/// If Bearer token is not provided or token is invalid or expired.
/// </exception>
/// <exception cref="AuthorizationException">
/// If user is not authorized to perform current action.
/// </exception>
public override void OnActionExecuting(HttpActionContext context)
{
string methodName = $"{nameof(AuthorizationFilter)}.{nameof(OnActionExecuting)}";
Logger.DebugFormat("Entering '{0}' to validate the token.", methodName);
// skip controllers or actions which allow anonymous access
var actionDescriptor = context.ActionDescriptor;
if (actionDescriptor.GetCustomAttributes <AllowAnonymousAttribute>(true).Any() ||
actionDescriptor.ControllerDescriptor.GetCustomAttributes <AllowAnonymousAttribute>(true).Any())
{
Logger.Debug("Token is not required for the current action.");
return;
}
// check whether Bearer token is provided
if (context.Request.Headers.Authorization == null ||
context.Request.Headers.Authorization.Scheme != "Bearer")
{
throw new AuthenticationException("Bearer Token is missing.");
}
// perform authentication
User user = SecurityService.Authenticate(context.Request.Headers.Authorization.Parameter);
if (user == null)
{
throw new AuthenticationException("Token was not found or has been expired.");
}
Logger.Debug("Token is valid.");
// check authorization
string actionName = context.GetFullActionName(false);
bool authorized = user.Role != null && SecurityService.IsAuthorized(user.Role.Value, actionName);
if (!authorized)
{
authorized = user.KPIRole != null && SecurityService.IsAuthorized(user.KPIRole.Value, actionName);
}
if (!authorized)
{
throw new AuthorizationException("You are not authorized to perform this action.");
}
context.Request.Properties.Add(CommonHelper.CurrentUserPropertyName, user);
Logger.DebugFormat("Exiting '{0}'.", methodName);
}