예제 #1
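        /// <summary>
        /// Validates the JWT carried in a <c>Bearer</c> Authorization header value and, on success,
        /// stores the user referenced by the token's <c>id</c> claim in <c>context.Items["User"]</c>.
        /// </summary>
        /// <param name="context">Request context that receives the resolved user under <c>Items["User"]</c>.</param>
        /// <param name="token">The raw Authorization header value: scheme, a single space, then the credential.</param>
        /// <returns>
        /// <c>true</c> when the token validated and the user was attached; <c>false</c> when the header is
        /// empty or uses the <c>Basic</c> scheme, and — after logging — for a malformed header or any
        /// parsing/validation failure. Parsing and validation exceptions do not escape this method.
        /// </returns>
        private bool AttachBearer(HttpContext context, string token)
        {
            try {
                // An absent header is not an error; treat it as "no bearer credential" without logging.
                if (string.IsNullOrWhiteSpace(token))
                {
                    return(false);
                }

                var parts = token.Split(" ");
                // Authentication scheme names are case-insensitive (RFC 7235 §2.1).
                if (string.Equals(parts[0], "Basic", StringComparison.OrdinalIgnoreCase))
                {
                    return(false);
                }
                if (parts.Length != 2
                    || !string.Equals(parts[0], "Bearer", StringComparison.OrdinalIgnoreCase)
                    || string.IsNullOrEmpty(parts[1]))
                {
                    throw new FormatException("malformed bearer authorization header");
                }
                var credential = parts[1];

                var tokenHandler = new JwtSecurityTokenHandler();
                var key          = _config.JwtKey;
                tokenHandler.ValidateToken(credential, new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey         = new SymmetricSecurityKey(key),
                    // NOTE(review): issuer and audience are not checked, so any token signed with this key
                    // is accepted regardless of who issued it or for whom. Confirm this is intended before
                    // the signing key is ever shared with another service.
                    ValidateIssuer           = false,
                    ValidateAudience         = false,
                    // Lifetime checking is the library default; stated explicitly so it is not lost on edit.
                    ValidateLifetime         = true,
                    // Tolerance for clock drift between the issuer and this host.
                    ClockSkew                = TimeSpan.FromSeconds(30)
                }, out SecurityToken validatedToken);

                var jwtToken = (JwtSecurityToken)validatedToken;
                // First() throws if the "id" claim is absent; that lands in the catch below and yields false.
                int userId   = int.Parse(jwtToken.Claims.First(x => x.Type == "id").Value);

                context.Items["User"] = _persistence.GetUserById(userId);
                return(true);
            } catch (Exception e) {
                // Any failure — bad format, bad signature, expired token, failing user lookup — means
                // "not authenticated"; the reason is logged for diagnostics rather than surfaced to the caller.
                _log.Log(e.ToString());
                return(false);
            }
        }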
예제 #2
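 /// <summary>
 /// Deletes the user identified by <paramref name="userId"/>, subject to the caller's permission level:
 /// below 3 may only delete themselves; level 3 may delete lower-level users within their own
 /// organization (any organization if the caller has none); level 4 may delete any lower-level user;
 /// above 4 is unrestricted. The caller is read from <c>HttpContext.Items["User"]</c>.
 /// </summary>
 /// <param name="userId">Id of the user to delete, taken from the route.</param>
 /// <returns>
 /// 200 on success; 401 if no authenticated user is attached; 403 if the caller may not delete the
 /// target; 404 if the target does not exist; 500 for any other failure.
 /// </returns>
 public IActionResult DeleteOrArchiveUser([FromRoute] int userId)
 {
     const string clearanceDenied = "You don't have high enough security clearance for this operation!";
     try
     {
         // The authentication layer stores the resolved user here; anything else means unauthenticated.
         if (!(HttpContext.Items["User"] is User caller))
         {
             throw new UnauthorizedException("Authorization failed!");
         }

         if (caller.PermissionLevel < 3)
         {
             // Low-privilege accounts may only delete their own record.
             if (caller.Id != userId)
             {
                 throw new ForbiddenException(clearanceDenied);
             }
         }
         else if (caller.PermissionLevel == 3 || caller.PermissionLevel == 4)
         {
             var target = _persistence.GetUserById(userId);
             if (target is null)
             {
                 // NOTE(review): if the persistence layer signals "no such user" by returning null
                 // instead of throwing NotFoundException, the previous code dereferenced null (-> 500).
                 return(StatusCode(404));
             }
             // Neither level may delete a peer or a superior.
             bool denied = caller.PermissionLevel <= target.PermissionLevel;
             // Level 3 is additionally confined to its own organization, when it belongs to one.
             if (caller.PermissionLevel == 3
                 && caller.OrganizationId != null
                 && caller.OrganizationId != target.OrganizationId)
             {
                 denied = true;
             }
             if (denied)
             {
                 throw new ForbiddenException(clearanceDenied);
             }
         }
         else if (caller.PermissionLevel > 4)
         {
             // Top-level accounts are unrestricted.
         }
         else
         {
             // Not reachable for an integral PermissionLevel; kept as the original's defensive fallback.
             return(StatusCode(500));
         }

         _persistence.DeleteUser(userId);
         return(StatusCode(200));
     }
     catch (UnauthorizedException e)
     {
         return(StatusCode(401, e.Message));
     }
     catch (ForbiddenException e)
     {
         return(StatusCode(403, e.Message));
     }
     catch (NotFoundException e)
     {
         return(StatusCode(404, e.Message));
     }
     catch (Exception e)
     {
         // NOTE(review): e.Message of an unexpected failure can expose internal details (storage errors,
         // connection strings) to the client; prefer a generic body here and log the exception server-side.
         return(StatusCode(500, e.Message));
     }
 }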