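/// <summary>
/// Validates an incoming request against the HMAC scheme implemented by <see cref="IsValidRequest"/>.
/// </summary>
/// <param name="req">The request whose method, URI and body are covered by the signature.</param>
/// <param name="authorizationHeaderValues">
/// The already-split parts of the Authorization header (app id, signature, nonce, timestamp at the
/// class-defined indexes), or <c>null</c> when the header was absent. Attacker-controlled.
/// </param>
/// <returns><c>true</c> when the request carries a valid, non-replayed signature; otherwise <c>false</c>.</returns>
protected bool CheckAuthentication(HttpRequestMessage req, string[] authorizationHeaderValues)
{
    if (authorizationHeaderValues == null)
    {
        LogNoHeaders();
        return false;
    }

    // The header is untrusted: a truncated or malformed value must be rejected as unauthorized,
    // not blow up with IndexOutOfRangeException (which would surface to the client as a 500).
    int requiredParts = Math.Max(
        Math.Max(AppIdIndex, IncomingHashedSignatureIndex),
        Math.Max(NonceIndex, RequestTimeStampIndex)) + 1;
    if (authorizationHeaderValues.Length < requiredParts)
    {
        // Closest existing hook; a dedicated "malformed header" log would be clearer.
        LogNoHeaders();
        return false;
    }

    var thumbprint = new SecureRequestThumbprint
    {
        AppId = authorizationHeaderValues[AppIdIndex],
        RequestMessage = req,
        IncomingBase64Signature = authorizationHeaderValues[IncomingHashedSignatureIndex],
        Nonce = authorizationHeaderValues[NonceIndex],
        RequestTimeStamp = authorizationHeaderValues[RequestTimeStampIndex]
    };

    // This entry point is synchronous while IsValidRequest is async. GetAwaiter().GetResult()
    // surfaces the original exception instead of wrapping it in an AggregateException as .Result
    // does; it still blocks the calling thread, so an async caller should await IsValidRequest directly.
    bool isValid = IsValidRequest(thumbprint).GetAwaiter().GetResult();
    if (isValid)
    {
        return true;
    }

    LogUnauthorized(thumbprint);
    return false;
}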
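/// <summary>
/// Recomputes the request signature from the shared key registered for <c>request.AppId</c> and
/// compares it with the signature the client sent.
/// </summary>
/// <param name="request">App id, nonce, timestamp, client signature and the underlying request message.</param>
/// <returns>
/// <c>true</c> only when the app id is known, the nonce/timestamp pair is not a replay, and the
/// HMAC-SHA256 over <c>appId + method + urlencoded(lowercased absolute URI) + timestamp + nonce + base64(bodyHash)</c>
/// matches the incoming Base64 signature.
/// </returns>
protected async Task<bool> IsValidRequest(SecureRequestThumbprint request)
{
    if (request == null || request.RequestMessage == null || request.AppId == null)
    {
        return false;
    }

    string sharedKey;
    if (!AllowedApps.TryGetValue(request.AppId, out sharedKey))
    {
        return false;
    }

    // NOTE(review): if IsReplayRequest records the nonce on first sight, an unauthenticated caller
    // can consume nonces before the signature is checked — confirm its semantics before relying on it.
    if (IsReplayRequest(request.Nonce, request.RequestTimeStamp))
    {
        return false;
    }

    // Invariant casing so the canonical URI does not depend on the server's current culture
    // (e.g. the Turkish "I" problem); clients must canonicalise the same way.
    string requestUri = WebUtility.UrlEncode(request.RequestMessage.RequestUri.AbsoluteUri.ToLowerInvariant());
    string requestHttpMethod = request.RequestMessage.Method.Method;

    // A request without a body contributes an empty string to the signed data.
    string requestContentBase64String = "";
    byte[] bodyHash = await ComputeHash(request.RequestMessage.Content);
    if (bodyHash != null)
    {
        requestContentBase64String = Convert.ToBase64String(bodyHash);
    }

    // Field order is part of the wire contract and must match the client exactly.
    string data = string.Concat(
        request.AppId,
        requestHttpMethod,
        requestUri,
        request.RequestTimeStamp,
        request.Nonce,
        requestContentBase64String);

    byte[] secretKeyBytes = Convert.FromBase64String(sharedKey);
    byte[] dataBytes = Encoding.UTF8.GetBytes(data);
    using (HMACSHA256 hmac = new HMACSHA256(secretKeyBytes))
    {
        string expectedBase64Signature = Convert.ToBase64String(hmac.ComputeHash(dataBytes));

        // A missing signature can never match; avoid an NRE on the attacker-controlled field.
        if (request.IncomingBase64Signature == null)
        {
            return false;
        }

        // Compare in fixed time: an early-exit string comparison leaks, byte by byte, how much of
        // the forged signature is correct. The comparison is done on the Base64 text, so it is
        // equivalent to the ordinal string equality it replaces.
        return SignaturesMatchFixedTime(
            Encoding.UTF8.GetBytes(request.IncomingBase64Signature),
            Encoding.UTF8.GetBytes(expectedBase64Signature));
    }
}

/// <summary>
/// Constant-time equality for MAC material: inspects every byte regardless of where the first
/// mismatch is. On .NET Core 2.1+/netstandard2.1 <c>CryptographicOperations.FixedTimeEquals</c>
/// is the library equivalent and should be preferred where available.
/// </summary>
private static bool SignaturesMatchFixedTime(byte[] left, byte[] right)
{
    if (left == null || right == null || left.Length != right.Length)
    {
        // Length is not secret for a fixed-size MAC, so an early return here leaks nothing useful.
        return false;
    }

    int difference = 0;
    for (int i = 0; i < left.Length; i++)
    {
        difference |= left[i] ^ right[i];
    }
    return difference == 0;
}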