Exemplo n.º 1
0
        /// <summary>
        /// Attempt to refresh the access token, return a boolean indicating success (true)/failure (false), and
        /// include the response code and body from the Authorization Server in the event of failure
        /// </summary>
        /// <param name="errMsg"></param>
        /// <param name="statusCode"></param>
        /// <returns></returns>
        bool RefreshAccessToken(out string errMsg, out int statusCode)
        {
            using (var client = new HttpsClient())
            {
                CrestronConsole.PrintLine("Attempting to refresh Access Token...");
                HttpsClientRequest req = new HttpsClientRequest();
                req.RequestType = Crestron.SimplSharp.Net.Https.RequestType.Post;
                req.Url         = new UrlParser(TokenEndpoint);
                HttpsHeaders headers = new HttpsHeaders();
                // Auth0's token endpoint expects all the necessary information to be
                // placed in the entity-body of the request
                headers.SetHeaderValue("Content-Type", "application/x-www-form-urlencoded");
                req.ContentString = BuildQueryString(
                    new NameValueCollection
                {
                    { "grant_type", "refresh_token" },
                    { "client_id", ClientID },
                    { "client_secret", ClientSecret },
                    { "refresh_token", RefreshToken }
                });

                // Always set the Content-Length of your POST request to indicate the length of the body,
                // or else the Content-Length will be set to 0 by default!
                headers.SetHeaderValue("Content-Length", req.ContentString.Length.ToString());
                req.Header = headers;

                // Send the POST request to the token endpoint and wait for a response...
                HttpsClientResponse tokenResponse = client.Dispatch(req);
                if (tokenResponse.Code >= 200 && tokenResponse.Code < 300)
                {
                    // Parse JSON response and securely store the token
                    JObject resBody = JsonConvert.DeserializeObject <JObject>(tokenResponse.ContentString);
                    accessToken = (string)resBody["access_token"];
                    CrestronConsole.PrintLine("Received a new \"{0}\" Access Token. It expires in {1} hours",
                                              (string)resBody["token_type"],
                                              (int)resBody["expires_in"] / 60.0 / 60.0);
                    // Client is now authorized to access the protected resource again
                    hasAccessToken = true;
                    errMsg         = "";
                    statusCode     = tokenResponse.Code;
                    return(true);
                }
                else
                {
                    CrestronConsole.PrintLine("Refresh Failed");
                    errMsg     = tokenResponse.ContentString;
                    statusCode = tokenResponse.Code;
                    return(false);
                }
            }
        }
Exemplo n.º 2
0
        public void ProcessRequest(HttpCwsContext context)
        {
            try
            {
                Uri    requestUri = context.Request.Url;
                string method     = context.Request.HttpMethod;
                string path       = context.Request.Path.ToLower();
                switch (path)
                {
                case "/cws/":
                    if (method == "GET" || method == "HEAD")
                    {
                        context.Response.StatusCode        = 200;
                        context.Response.StatusDescription = "OK";
                        context.Response.ContentType       = "text/html";
                        // include the body for the GET request, but not HEAD
                        if (method == "GET")
                        {
                            context.Response.Write(CreateHtmlBody(startHtml,
                                                                  // Use the current state to decide whether to enable the buttons or not
                                                                  new NameValueCollection()
                            {
                                { "enable",
                                  Registered ? "" : "disabled" },
                                { "enable-forget-access",
                                  (Registered && hasAccessToken) ? "" : "disabled" },
                                { "enable-forget-refresh",
                                  (Registered && HasRefreshToken) ? "" : "disabled" }
                            }),
                                                   false);
                        }
                        context.Response.End();
                    }
                    else
                    {
                        SendError(context, 405, context.Request.HttpMethod + " not allowed", "GET", "HEAD");
                    }
                    break;

                case "/cws/register":
                    if (method == "GET" || method == "HEAD")
                    {
                        context.Response.StatusCode        = 200;
                        context.Response.StatusDescription = "OK";
                        context.Response.ContentType       = "text/html";
                        // include the body for the GET request, but not HEAD
                        if (method == "GET")
                        {
                            string body = Registered ? File.ReadToEnd(registeredHtml, Encoding.UTF8) :
                                          File.ReadToEnd(unregisteredHtml, Encoding.UTF8);

                            body = CreateHtmlBody(registerHtml,
                                                  new NameValueCollection()
                            {
                                { "register", body }
                            });
                            if (!Registered)
                            {
                                // Make two additional variable evaluations on the "unregistered" HTML page
                                string scheme = context.Request.Url.Scheme;
                                body = body.Replace("{@callbackUrl}", CallbackUrl);
                                body = body.Replace("{@httpsAlert}", (scheme == "https") ? "" :
                                                    "<p>WARNING: It looks like you got here via http, not https."
                                                    + " Check that SSL is enabled"
                                                    + " on the control system. Don't submit anything until it is!</p>");
                            }
                            context.Response.Write(body, false);
                        }
                        context.Response.End();
                    }
                    else if (method == "POST")
                    {
                        // Get the entity-body, which should contain the domain, client_id, and client_secret
                        // parameters
                        if (context.Request.ContentType != "application/x-www-form-urlencoded")
                        {
                            SendError(context, 415, "Content-Type must be application/x-www-form-urlencoded");
                            return;
                        }
                        // POST requests from HTML forms put their parameters in the request body
                        // using the application/x-www-form-urlencoded content type. An example can be found
                        // at https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/POST
                        string requestBody;
                        // Parse the entity-body of the request and check for correctness
                        using (StreamReader sr = new StreamReader(context.Request.InputStream))
                        {
                            requestBody = sr.ReadToEnd();
                        }
                        NameValueCollection keyValuePairs = ParseQueryParams(requestBody);

                        string[] keys = keyValuePairs.AllKeys;

                        // Handler for the "Unregister and Return to Home Page" button
                        if (keys.Contains("unregister"))
                        {
                            Registered = false;
                            context.Response.Redirect("/cws/", true);
                            return;
                        }

                        // Check that all necessary registration fields (client_id, client_secret, and domain)
                        // have been provided
                        if (String.IsNullOrEmpty(keyValuePairs["domain"]) ||
                            String.IsNullOrEmpty(keyValuePairs["client_id"]) ||
                            String.IsNullOrEmpty(keyValuePairs["client_secret"]))
                        {
                            // Error, bad request
                            SendError(context, 400, "Registration submission is missing a necessary field");
                            return;
                        }
                        // Save the values provided to the datastore
                        Domain       = keyValuePairs["domain"];
                        ClientID     = keyValuePairs["client_id"];
                        ClientSecret = keyValuePairs["client_secret"];

                        // Send OK response
                        context.Response.StatusCode        = 200;
                        context.Response.StatusDescription = statusDescriptions[200];
                        context.Response.Write(CreateHtmlBody(regsuccessHtml,
                                                              new NameValueCollection()
                        {
                            { "domain", Domain },
                            { "client_id", ClientID }
                        }), true);

                        // Now the client is registered with the Authorization Server
                        Registered = true;
                    }
                    else
                    {
                        SendError(context, 405, context.Request.HttpMethod + " not allowed", "GET", "HEAD", "POST");
                    }
                    break;

                case "/cws/authorize":
                    if (!Registered)
                    {
                        SendError(context, 404, "The client must be registered with the Auth0 Authorization server" +
                                  " before it can get authorized");
                        return;
                    }
                    if (method == "GET" || method == "HEAD")
                    {
                        // First, discard the old set of tokens
                        accessToken     = Empty;
                        hasAccessToken  = false;
                        RefreshToken    = Empty;
                        HasRefreshToken = false;

                        // Generate a random state parameter, which the callback URL will check for
                        // consistency
                        stateString = Guid.NewGuid().ToString("N");
                        NameValueCollection queries =
                            new NameValueCollection()
                        {
                            // necessary scopes to get full user info and to get a Refresh Token
                            { "scope", "offline_access%20openid%20email%20profile" },
                            // Authorization code flow
                            { "response_type", "code" },
                            { "client_id", ClientID },
                            { "redirect_uri", CallbackUrl },
                            { "state", stateString },
                            // Always show the login and consent pages upon redirecting
                            { "prompt", "login%20consent" }
                        };

                        context.Response.StatusCode        = 302;
                        context.Response.StatusDescription = statusDescriptions[302];
                        // Contruct the redirect URL and send the user to Auth0's authorization endpoint
                        context.Response.AppendHeader("Location", BuildAuthorizationUrl(queries));
                        context.Response.End();
                    }
                    else
                    {
                        SendError(context, 405, context.Request.HttpMethod + " not allowed", "GET", "HEAD");
                    }
                    break;

                case "/cws/callback":
                    if (method == "HEAD" || method == "GET")
                    {
                        context.Response.StatusCode        = 200;
                        context.Response.StatusDescription = statusDescriptions[200];
                        if (method == "GET")
                        {
                            // Check if there's a query string
                            if (context.Request.Url.Query == null ||
                                context.Request.Url.Query == "")
                            {
                                SendError(context, 400, "No Query parameters provided");
                                return;
                            }
                            NameValueCollection queryParams = null;
                            // Parse query string and check state
                            try
                            {
                                queryParams = ParseQueryParams(context.Request.Url.Query);
                            }
                            catch (Exception e)
                            {
                                SendError(context, 400, "Query string parsing error: " + e.Message);
                                return;
                            }
                            if (queryParams["state"] != stateString)
                            {
                                CrestronConsole.PrintLine("State parameter mismatch: expected " +
                                                          stateString + " but got " + queryParams["state"]);
                                SendError(context, 400, "State parameter did not match.");
                                return;
                            }
                            authorizationCode = queryParams["code"];

                            if (String.IsNullOrEmpty(authorizationCode))
                            {
                                // Authorization was denied by the user
                                SendError(context, 400,
                                          "Authorization was denied. The OAuth Client has no Access or Refresh token now");
                                return;
                            }

                            // Using an HttpsClient, exchange the received authorization code for an Access Token
                            using (HttpsClient client = new HttpsClient())
                            {
                                HttpsClientRequest req = new HttpsClientRequest();
                                req.RequestType = Crestron.SimplSharp.Net.Https.RequestType.Post;
                                req.Url         = new UrlParser(TokenEndpoint);
                                CrestronConsole.PrintLine("GETting {0}", req.Url);
                                HttpsHeaders headers = new HttpsHeaders();
                                // Auth0's token endpoint expects all the necessary information to be
                                // placed in the entity-body of the request
                                headers.SetHeaderValue("Content-Type", "application/x-www-form-urlencoded");

                                req.ContentString = BuildQueryString(
                                    new NameValueCollection
                                {
                                    { "grant_type", "authorization_code" },
                                    { "client_id", ClientID },
                                    { "client_secret", ClientSecret },
                                    { "code", authorizationCode },
                                    { "redirect_uri", CallbackUrl }
                                });

                                // Always set the Content-Length of your POST request to indicate the length of the body,
                                // or else the Content-Length will be set to 0 by default!
                                headers.SetHeaderValue("Content-Length", req.ContentString.Length.ToString());
                                req.Header = headers;

                                // Send the POST request to the token endpoint and wait for a response...
                                HttpsClientResponse tokenResponse = client.Dispatch(req);
                                if (tokenResponse.Code >= 200 && tokenResponse.Code < 300)
                                {
                                    // Parse JSON response and securely store the tokens
                                    JObject resBody = JsonConvert.DeserializeObject <JObject>(tokenResponse.ContentString);
                                    accessToken     = (string)resBody["access_token"];
                                    hasAccessToken  = true;
                                    RefreshToken    = (string)resBody["refresh_token"];
                                    HasRefreshToken = true;
                                    CrestronConsole.PrintLine("Received \"{0}\" Access/Refresh Tokens. They expire in {1} hours",
                                                              (string)resBody["token_type"],
                                                              (int)resBody["expires_in"] / 60.0 / 60.0);
                                    // Respond
                                    context.Response.Write(CreateHtmlBody(authsuccessHtml, null), false);
                                }
                                else
                                {
                                    SendError(context, tokenResponse.Code,
                                              "Could not get access/refresh tokens. Token endpoint returned code " +
                                              "<strong>" + tokenResponse.Code + "</strong>" +
                                              "<br /><br />Error Message:<br /><br /><strong>"
                                              + tokenResponse.ContentString + "</strong>");
                                    return;
                                }
                            }
                        }
                        context.Response.End();
                    }
                    else
                    {
                        SendError(context, 405, context.Request.HttpMethod + " not allowed", "GET", "HEAD");
                    }
                    break;

                case "/cws/test":
                    if (method == "GET" || method == "HEAD")
                    {
                        if (method == "GET")
                        {
                            if (!Registered)
                            {
                                SendError(context, 404, "The client must be registered before it can try to access" +
                                          " a protected resource");
                                return;
                            }

                            // Send a GET request to the protected resource
                            using (HttpsClient client = new HttpsClient())
                            {
                                HttpsClientRequest req = new HttpsClientRequest();
                                req.RequestType = Crestron.SimplSharp.Net.Https.RequestType.Get;
                                req.Url         = new UrlParser(ResourceEndpoint);
                                CrestronConsole.PrintLine("GETting {0}", req.Url);
                                // Put the Access Token in the Authorization header, if it's present
                                if (hasAccessToken)
                                {
                                    req.Header.SetHeaderValue("Authorization", "Bearer " + accessToken);
                                }
                                var res = client.Dispatch(req);
                                if (res.Code >= 200 && res.Code < 300)
                                {
                                    JObject resBody =
                                        JsonConvert.DeserializeObject <JObject>(res.ContentString);
                                    string name, email, picUrl;
                                    bool   verified;
                                    // Try to get the username from any of these three JSON properties,
                                    // if they are defined. If none of them are defined, put "undefined" as a
                                    // placeholder name
                                    name = (string)resBody["given_name"] ??
                                           (string)resBody["nickname"] ??
                                           (string)resBody["email"] ??
                                           "undefined";
                                    email    = (string)resBody["email"] ?? "undefined";
                                    picUrl   = (string)resBody["picture"] ?? "undefined";
                                    verified = (bool?)resBody["email_verified"] ?? false;

                                    context.Response.Write(CreateHtmlBody(testHtml,
                                                                          new NameValueCollection()
                                    {
                                        { "name", name },
                                        { "email", email },
                                        { "verified", "<strong>" + (verified ? "verified" : "not verified")
                                          + "</strong>" },
                                        { "pic_url", picUrl },
                                    }), false);
                                }
                                else
                                {
                                    // If RefreshAccessToken succeeds, accessToken will contain the new token
                                    // If not, display the body of the error response returned from the
                                    // authorization server
                                    string errMsg;
                                    int    errCode;
                                    if (RefreshAccessToken(out errMsg, out errCode))
                                    {
                                        CrestronConsole.PrintLine("Successfully refreshed the Access Token." +
                                                                  " Redirecting user to /cws/Test...");
                                        context.Response.Redirect("/cws/Test", true);
                                        return;
                                    }
                                    else
                                    {
                                        SendError(context, errCode,
                                                  "Failed to refresh Access Token." +
                                                  " Resource endpoint returned code <strong>" + errCode + "</strong>" +
                                                  "<br /><br />Error Message:<br /><br /><strong>" + errMsg + "</strong>");
                                        return;
                                    }
                                }
                                context.Response.End();
                            }
                        }
                    }
                    else
                    {
                        SendError(context, 405, context.Request.HttpMethod + " not allowed", "GET", "HEAD");
                    }
                    break;

                case "/cws/forgetaccess":
                    if (method == "GET" || method == "HEAD")
                    {
                        context.Response.StatusCode        = 200;
                        context.Response.StatusDescription = statusDescriptions[200];
                        if (method == "GET")
                        {
                            if (hasAccessToken)
                            {
                                accessToken    = Empty;
                                hasAccessToken = false;
                                context.Response.Write(CreateHtmlBody(tokenDisposedHtml,
                                                                      new NameValueCollection
                                {
                                    { "token_kind", "Access" }
                                }), false);
                            }
                            else
                            {
                                SendError(context, 404, "There is currently no Access Token to be disposed of");
                            }
                        }
                        context.Response.End();
                    }
                    else
                    {
                        SendError(context, 405, context.Request.HttpMethod + " not allowed", "GET", "HEAD");
                    }
                    break;

                case "/cws/forgetrefresh":
                    if (method == "GET" || method == "HEAD")
                    {
                        context.Response.StatusCode        = 200;
                        context.Response.StatusDescription = statusDescriptions[200];
                        if (method == "GET")
                        {
                            if (HasRefreshToken)
                            {
                                RefreshToken    = Empty;
                                HasRefreshToken = false;
                                context.Response.Write(CreateHtmlBody(tokenDisposedHtml,
                                                                      new NameValueCollection
                                {
                                    { "token_kind", "Refresh" }
                                }), false);
                            }
                            else
                            {
                                SendError(context, 404, "There is currently no Refresh Token to be disposed of");
                            }
                        }
                        context.Response.End();
                    }
                    else
                    {
                        SendError(context, 405, context.Request.HttpMethod + " not allowed", "GET", "HEAD");
                    }
                    break;

                default:
                    SendError(context, 404, path + " not found");
                    break;
                }
            }
            catch (Exception e)
            {
                CrestronConsole.PrintLine("Error in ProcessRequest(): {0}", e);
                try
                {
                    SendError(context, 500, "An error occurred in the CWS server: " + e.Message);
                    CrestronConsole.PrintLine("Sent " + context.Response.StatusCode +
                                              " response to " + context.Request.UserHostName);
                }
                catch (Exception ex)
                {
                    CrestronConsole.PrintLine("Could not send Error response: {0}", ex);
                }
            }
            finally
            {
                CrestronConsole.PrintLine("Sent " + context.Response.StatusCode +
                                          " response to " + context.Request.UserHostName);
            }
        }