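/// <summary>
/// Try to authenticate the caller of an API request from its HTTP headers.
/// Looks for a bearer token (a JWT issued by <c>UmbracoAuthTokenFactory</c>), verifies its
/// signature, loads the referenced backoffice user and checks that the token is still the one
/// recorded for that user.
/// </summary>
/// <param name="request">The incoming API request whose Authorization header is inspected.</param>
/// <returns>
/// The associated Umbraco backoffice user when the token is valid and the user is usable;
/// otherwise <c>null</c>, which the calling base method turns into an HTTP 401.
/// </returns>
/// <exception cref="SignatureVerificationException">
/// Re-thrown unchanged when the token's signature does not verify against our secret.
/// </exception>
private static IUser Authenticate(HttpRequestMessage request)
{
    var authHeader = request.Headers.Authorization;

    // No Authorization header, or a scheme other than "Bearer": nothing we can authenticate.
    // Ordinal case-insensitive comparison so the check does not depend on the current culture
    // (ToLower() is culture-sensitive, e.g. Turkish "I").
    if (authHeader == null
        || !string.Equals(authHeader.Scheme, "bearer", StringComparison.OrdinalIgnoreCase))
    {
        return null;
    }

    // The header parameter is the JWT itself (NOT a Base64 "username:password" pair).
    var jwtToken = authHeader.Parameter;
    if (string.IsNullOrWhiteSpace(jwtToken))
    {
        // "Authorization: Bearer" with nothing after it: treat as unauthenticated rather than
        // handing a null/empty token to the decoder.
        return null;
    }

    try
    {
        // Decode the token and verify it was signed with our secret.
        var decodedJwt = UmbracoAuthTokenFactory.DecodeUserAuthToken(jwtToken);
        if (decodedJwt == null)
        {
            // Token could not be deserialised into an auth token object.
            return null;
        }

        // A verified signature only proves the token was issued by us; it says nothing about
        // whether the user still exists or is still allowed in, so check both.
        var user = ApplicationContext.Current.Services.UserService.GetUserById(decodedJwt.IdentityId);
        if (user == null)
        {
            // The user referenced by an otherwise valid token is not found (e.g. deleted).
            // Without this guard the property access below would throw NullReferenceException
            // and the caller would see a 500 instead of a 401.
            return null;
        }

        // User is not approved, or is locked out: reject even with a valid token.
        if (!user.IsApproved || user.IsLockedOut)
        {
            return null;
        }

        // Finally make sure this token is the one currently stored for the user, so that
        // revoked/rotated tokens are rejected even though their signature still verifies.
        if (!UserAuthTokenDbHelper.IsTokenValid(decodedJwt))
        {
            return null;
        }

        // Authenticated backoffice user, handed down to the [Auth'd] API controller.
        return user;
    }
    catch (SignatureVerificationException)
    {
        // Bubble up, preserving the original stack trace ("throw ex;" would reset it).
        // NOTE(review): whether the caller maps this to a 401 or lets it surface as a 500 is
        // not visible here - confirm a forged token does not leak a stack trace to the client.
        throw;
    }
}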
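/// <summary>
/// Try to authenticate the caller of an API request from its HTTP headers.
/// Extracts the bearer token (a JWT issued by <c>UmbracoAuthTokenFactory</c>) via
/// <c>GetTokenFromRequest</c>, verifies its signature, loads the referenced member and checks
/// that the token is still the one recorded for that member.
/// </summary>
/// <param name="request">The incoming API request to extract the token from.</param>
/// <returns>
/// The associated Umbraco member when the token is valid and the member is usable;
/// otherwise <c>null</c>, which the calling base method turns into an HTTP 401.
/// </returns>
/// <exception cref="SignatureVerificationException">
/// Re-thrown unchanged when the token's signature does not verify against our secret.
/// </exception>
private static IMember Authenticate(HttpRequestMessage request)
{
    // No token in the request: nothing we can authenticate.
    string jwtToken = GetTokenFromRequest(request);
    if (string.IsNullOrEmpty(jwtToken))
    {
        return null;
    }

    try
    {
        // Decode the token and verify it was signed with our secret.
        var decodedJwt = UmbracoAuthTokenFactory.DecodeUserAuthToken(jwtToken);
        if (decodedJwt == null)
        {
            // Token could not be deserialised into an auth token object.
            return null;
        }

        // A verified signature only proves the token was issued by us; it says nothing about
        // whether the member still exists or is still allowed in, so check both.
        var member = ApplicationContext.Current.Services.MemberService.GetById(decodedJwt.IdentityId);
        if (member == null)
        {
            // The member referenced by an otherwise valid token is not found (e.g. deleted).
            // Without this guard the property access below would throw NullReferenceException
            // and the caller would see a 500 instead of a 401.
            return null;
        }

        // Member is not approved, or is locked out: reject even with a valid token.
        if (!member.IsApproved || member.IsLockedOut)
        {
            return null;
        }

        // Finally make sure this token is the one currently stored for the member, so that
        // revoked/rotated tokens are rejected even though their signature still verifies.
        if (!UserAuthTokenDbHelper.IsTokenValid(decodedJwt))
        {
            return null;
        }

        return member;
    }
    catch (SignatureVerificationException)
    {
        // Bubble up, preserving the original stack trace ("throw ex;" would reset it).
        // NOTE(review): whether the caller maps this to a 401 or lets it surface as a 500 is
        // not visible here - confirm a forged token does not leak a stack trace to the client.
        throw;
    }
}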