public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next) { // uncomment to disable auth //await next(); //return; if (!(context.ActionDescriptor is ControllerActionDescriptor controllerActionDescriptor)) { throw new UnauthorizedException(); } var method = controllerActionDescriptor.MethodInfo; if (context.Controller is TokensController && method.Name == nameof(TokensController.CreateTokenAsync)) { await next(); return; } var allowedUserTypes = method .GetCustomAttributes() .Where(x => x is AuthorizeAttribute) .Select(x => ((AuthorizeAttribute)x).AllowedUsers) .FirstOrDefault(); if (EnumerableExtensions.IsNullOrEmpty(allowedUserTypes)) { await next(); return; } var headers = context.HttpContext.Request.Headers; var query = context.HttpContext.Request.Query; var headerContainsToken = headers.ContainsKey("token"); if (!headerContainsToken && !query.ContainsKey("token")) { throw new UnauthorizedException(); } string strToken = headerContainsToken ? headers["token"] : query["token"]; if (!_tokensService.ValidateToken(strToken)) { throw new UnauthorizedException(); } var userId = await _tokensService.GetIdFromToken(strToken); if (userId == ObjectId.Empty) { throw new UnauthorizedException(allowedUserTypes); } var userType = await _usersService.GetPropertyAsync(userId, x => x.UserType); // ReSharper disable once AssignNullToNotNullAttribute if (userType != EUserType.SysAdmin && !allowedUserTypes.Contains(userType)) { throw new UnauthorizedException(allowedUserTypes); } if (context.Controller is IController controller) { controller.CurrentUserId = userId; } await next(); }