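/// <summary>
/// Checks that a request originates from where its API key allows: browser keys are matched
/// against the Referrer/Origin request headers, every other key type against the caller's IP.
/// </summary>
/// <param name="key">API key record; its type, status and pattern select and drive the checks.</param>
/// <param name="request">Incoming request whose headers (or address) are inspected.</param>
/// <param name="cancellationToken">Forwarded to <c>base.SendAsync</c> on the local-development path.</param>
/// <returns>
/// A response to hand back to the caller (a 400 result, <c>_invalidResponse</c>, or the inner
/// handler's response on the local-development path), or <c>null</c> when no check rejected
/// the request.
/// </returns>
/// <remarks>
/// Referrer and Origin are values chosen by the client. They limit where a key works inside a
/// browser but do not authenticate a non-browser caller, so this check should not be the only
/// control in front of sensitive operations.
/// </remarks>
private async Task<HttpResponseMessage> ValidateRequest(ApiKey key, HttpRequestMessage request, CancellationToken cancellationToken)
{
    if (key.Type != ApiKey.ApplicationType.Browser)
    {
        var ip = key.Pattern;

        // NOTE(review): confirm IpProvider.GetIp only trusts forwarding headers set by our own
        // proxy; if it reads a client-supplied header, this comparison can be satisfied by the caller.
        var userHostAddress = IpProvider.GetIp(request);

        if (ip != userHostAddress)
        {
            return request.CreateResponse(HttpStatusCode.BadRequest, new ResultContainer
            {
                Status = (int)HttpStatusCode.BadRequest,
                Message = string.Format("Invalid API key. The IP you provided does not match what the API " +
                                        "is receiving. Double check your API key or create a new one using `{0}` " +
                                        "as the pattern.", userHostAddress)
            }, new MediaTypeHeaderValue("application/json"));
        }

        return null;
    }

    // NOTE(review): built per request from the key's stored pattern with no match timeout; if key
    // owners can author the pattern, consider the Regex overload that takes a matchTimeout and
    // handle RegexMatchTimeoutException where the match is executed.
    var pattern = new Regex(key.RegexPattern, RegexOptions.IgnoreCase);
    var referrer = request.Headers.Referrer;

    // HTTP header names are case-insensitive, so "origin" must be found as well as "Origin".
    var hasOrigin = request.Headers
        .Where(x => string.Equals(x.Key, Origin, System.StringComparison.OrdinalIgnoreCase))
        .ToList();

    if (referrer == null && !hasOrigin.Any())
    {
        return request.CreateResponse(HttpStatusCode.BadRequest, new ResultContainer
        {
            Status = (int)HttpStatusCode.BadRequest,
            Message = "Referrer http header is missing. " +
                      "Turn off any security solutions that hide this header to use this service."
        }, new MediaTypeHeaderValue("application/json"));
    }

    // A request may carry Origin without Referrer; the previous unconditional dereference threw
    // NullReferenceException for that case instead of validating the Origin value.
    if (referrer != null && !referrer.IsAbsoluteUri)
    {
        return request.CreateResponse(HttpStatusCode.BadRequest, new ResultContainer
        {
            Status = (int)HttpStatusCode.BadRequest,
            Message = "Referrer http header is invalid. The value must be a vaid URI. e.g. http://my.url.com"
        }, new MediaTypeHeaderValue("application/json"));
    }

    // FirstOrDefault on an empty list yields a default KeyValuePair whose Key is null.
    var corsOriginHeader = hasOrigin.FirstOrDefault();
    var corsOriginValue = "";

    if (corsOriginHeader.Key != null)
    {
        // NOTE(review): SingleOrDefault throws InvalidOperationException when the header carries
        // more than one value; the request is still refused, but as an unhandled error.
        corsOriginValue = corsOriginHeader.Value.SingleOrDefault();
    }

    // NOTE(review): referrer can be null from here on when only Origin was sent; confirm that
    // IsLocalDevelopment and ApiKeyPatternMatches tolerate a null referrer.
    //
    // Development keys skip the pattern check when the headers look local. Those headers are
    // client-supplied, so development keys should be treated as low-trust (quota, short lifetime).
    if (key.AppStatus == ApiKey.ApplicationStatus.Development && IsLocalDevelopment(referrer, corsOriginValue))
    {
        return await base.SendAsync(request, cancellationToken);
    }

    if (!ApiKeyPatternMatches(pattern, corsOriginValue, referrer))
    {
        return _invalidResponse;
    }

    return null;
}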