        /// <summary>
        /// Resolves the hosting environment name from the OWIN host's app-mode key
        /// (<see cref="HostingConstants.HostAppModeKey"/>).
        /// Falls back to "Production" when there is no OWIN context or the key is unset or blank.
        /// </summary>
        /// <param name="context">The current request context.</param>
        /// <returns>The configured environment name, or "Production".</returns>
        public string GetEnvironmentName(IDotvvmRequestContext context)
        {
            const string fallback = "Production";

            var owin = context.GetOwinContext();
            if (owin == null)
            {
                return fallback;
            }

            var configured = owin.Get<string>(HostingConstants.HostAppModeKey);
            return string.IsNullOrWhiteSpace(configured) ? fallback : configured;
        }
        /// <summary>
        /// Authorizes the current request. Authorization is skipped entirely when
        /// <see cref="CanBeAuthorized"/> reports that <paramref name="appliedOn"/> opts out
        /// (e.g. it carries [NotAuthorizedAttribute]). Otherwise the request is rejected via
        /// <see cref="HandleUnauthorizedRequest"/> when the user is not authenticated, or is
        /// authenticated but not in any of the required <see cref="Roles"/>.
        /// </summary>
        /// <param name="context">The request context.</param>
        /// <param name="appliedOn">The object the filter is applied on; may suppress authorization.</param>
        protected virtual void Authorize(IDotvvmRequestContext context, object appliedOn)
        {
            if (CanBeAuthorized(appliedOn))
            {
                var owin = context.GetOwinContext();

                // Short-circuits: the role check only runs for an authenticated user.
                var allowed = IsUserAuthenticated(owin) && IsUserAuthorized(owin);
                if (!allowed)
                {
                    HandleUnauthorizedRequest(owin);
                }
            }
        }
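        /// <summary>
        /// Reads the per-session identifier (SID) from its data-protected cookie, or generates a fresh one.
        /// </summary>
        /// <param name="context">The current request; used to read the request cookie and append the response cookie.</param>
        /// <param name="canGenerate">
        /// When <c>true</c>, a missing, malformed or tampered cookie is silently replaced by a newly generated SID.
        /// When <c>false</c>, such a cookie is a verification failure and an exception is thrown instead.
        /// </param>
        /// <returns>The raw (unprotected) SID bytes.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="context"/> is <c>null</c>.</exception>
        /// <exception cref="FormatException">The configured SessionIdCookieName is missing or empty.</exception>
        /// <exception cref="CorruptedCsrfTokenException">The cookie cannot be decoded or unprotected and <paramref name="canGenerate"/> is <c>false</c>.</exception>
        /// <exception cref="SecurityException">No cookie is present and <paramref name="canGenerate"/> is <c>false</c>.</exception>
        private byte[] GetOrCreateSessionId(IDotvvmRequestContext context, bool canGenerate = true)
        {
            if (context == null)
            {
                throw new ArgumentNullException(nameof(context));
            }
            var sessionIdCookieName = GetSessionIdCookieName(context);

            if (string.IsNullOrWhiteSpace(sessionIdCookieName))
            {
                throw new FormatException("Configured SessionIdCookieName is missing or empty.");
            }

            // Purpose-bound protector: a blob protected for any other purpose must not unprotect as a SID.
            var protector = this.protectionProvider.Create(PURPOSE_SID);

            // Get cookie value
            var sidCookieValue = cookieManager.GetRequestCookie(context.GetOwinContext(), sessionIdCookieName);

            if (!string.IsNullOrWhiteSpace(sidCookieValue))
            {
                // Try to read from cookie. The value is client-controlled, so both the Base64 decode
                // and the Unprotect call are expected to fail on garbage or tampered input.
                try
                {
                    var protectedSid = Convert.FromBase64String(sidCookieValue);
                    var sid          = protector.Unprotect(protectedSid);
                    return(sid);
                }
                catch (Exception ex)
                {
                    // Kept broad on purpose: FormatException comes from the Base64 decode, but the exception
                    // type the configured protector throws on a bad blob is not visible here.
                    // NOTE(review): narrow to the concrete types once the protector's failure mode is confirmed.
                    // Generate new one or throw error if can't
                    if (!canGenerate)
                    {
                        throw new CorruptedCsrfTokenException("Value of the SessionID cookie is corrupted or has been tampered with.", ex);
                    }
                    // else suppress error and generate new SID; any CSRF token presumably bound to the
                    // old SID will then no longer verify against the replacement.
                }
            }

            // No SID - generate and protect new one

            if (canGenerate)
            {
                var sid = new byte[SID_LENGTH];

                // Fix: the RNG is IDisposable and was previously never released; dispose it once the bytes are drawn.
                using (var rng = new System.Security.Cryptography.RNGCryptoServiceProvider())
                {
                    rng.GetBytes(sid);
                }
                var protectedSid = protector.Protect(sid);

                // Save to cookie
                sidCookieValue = Convert.ToBase64String(protectedSid);
                cookieManager.AppendResponseCookie(
                    context.GetOwinContext(),
                    sessionIdCookieName,                                // Configured cookie name
                    sidCookieValue,                                     // Base64-encoded SID value
                    new Microsoft.Owin.CookieOptions
                {
                    HttpOnly = true,                                   // Don't allow client script access
                    Secure   = context.HttpContext.Request.IsHttps     // Mark Secure only when this request itself arrived over HTTPS.
                                                                       // NOTE(review): if TLS terminates at a proxy, IsHttps may be false and
                                                                       // the cookie is then emitted without Secure — confirm forwarded-proto handling.
                });

                // Return newly generated SID
                return(sid);
            }
            else
            {
                throw new SecurityException("SessionID cookie is missing, so can't verify CSRF token.");
            }
        }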
 /// <summary>
 /// Gets the Authentication functionality available on the current request.
 /// </summary>
 /// <param name="context">The request context.</param>
 /// <returns>The <see cref="IAuthenticationManager"/> exposed by the request's OWIN context.</returns>
 public static IAuthenticationManager GetAuthentication(this IDotvvmRequestContext context)
 {
     var owinContext = context.GetOwinContext();
     return owinContext.Authentication;
 }
 /// <summary>
 /// Returns the request's cancellation token, i.e. the OWIN <c>CallCancelled</c> token of the underlying request.
 /// </summary>
 /// <param name="context">The request context.</param>
 public CancellationToken GetCancellationToken(IDotvvmRequestContext context)
     => context.GetOwinContext().Request.CallCancelled;