Exemplo n.º 1
0
 public void Update(ExpiredAccessToken expiredAccessToken)
 {
     _expiredAccessTokenRepository.Update(expiredAccessToken);
 }
Exemplo n.º 2
0
        protected override Task <HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            var tsc = new TaskCompletionSource <HttpResponseMessage>();

            // 1. Look for credentials in the request.
            var authHeader = request.Headers.Authorization;
            // Might have to check the request route to see if it is SSO, if so return base.SendAsync(request, cancellationToken
            Uri isSSO = request.RequestUri;

            if (isSSO.Segments[2] == "Sso/")
            {
                return(base.SendAsync(request, cancellationToken));
            }

            // 2. The reques has have a "Bearer" request to process
            if (authHeader == null || authHeader.Scheme != "Bearer")
            {
                return(base.SendAsync(request, cancellationToken));
            }

            var token = authHeader.Parameter;

            if (token == null)
            {
                return(base.SendAsync(request, cancellationToken));
            }

            // Check the Bad Tokens to ensure this hasn't been seen before.
            if (_badAccessTokenRepository.Exists(badToken => badToken.BadTokenValue == token))
            {
                return(SendError(tsc, "Malformed Token"));
            }

            // 4. Check the database for a reuse of expired tokens.
            var expiredAccessToken = _expiredAccessTokenRepository.GetSingle(expiredToken => expiredToken.ExpiredTokenValue == token);

            if (expiredAccessToken != null)
            {
                if (expiredAccessToken.CanReuse)
                {
                    expiredAccessToken.CanReuse = false;
                    _expiredAccessTokenRepository.Update(expiredAccessToken);
                }
                else
                {
                    return(SendError(tsc, "Expired Token"));
                }
            }

            try
            {
                // 6. Finally check if the token is validated and returns a principal.
                IPrincipal principal = JwtManager.Instance.GetPrincipal(token);
                if (!HasAcceptedClaims(principal))
                {
                    throw new Exception("Required Claims not Present");
                }

                // 7. Authentication was successful, set the principal to notify other filters that
                // the request is authenticated.
                Thread.CurrentPrincipal  = principal;
                HttpContext.Current.User = principal;
            }
            catch (Exception e)
            {
                _badAccessTokenRepository.Insert(new BadAccessToken(token));
                return(SendError(tsc, e.Message));
            }
            return(base.SendAsync(request, cancellationToken));
        }