private async Task <HttpResponseMessage> ValidateRequest(ApiKey key, HttpRequestMessage request,
CancellationToken cancellationToken)
{
if (key.Type == ApiKey.ApplicationType.Browser)
{
var pattern = new Regex(key.RegexPattern, RegexOptions.IgnoreCase);
var referrer = request.Headers.Referrer;
var hasOrigin = request.Headers.Where(x => x.Key == Origin).ToList();
if (referrer == null && !hasOrigin.Any())
{
return(request.CreateResponse(HttpStatusCode.BadRequest,
new ResultContainer
{
Status = (int)HttpStatusCode.BadRequest,
Message = "Referrer http header is missing. " +
"Turn off any security solutions that hide this header to use this service."
},
new MediaTypeHeaderValue("application/json")));
}
if (!referrer.IsAbsoluteUri)
{
return(request.CreateResponse(HttpStatusCode.BadRequest,
new ResultContainer
{
Status = (int)HttpStatusCode.BadRequest,
Message = "Referrer http header is invalid. The value must be a vaid URI. e.g. http://my.url.com"
},
new MediaTypeHeaderValue("application/json")));
}
var corsOriginHeader = hasOrigin.FirstOrDefault();
var corsOriginValue = "";
if (corsOriginHeader.Key != null)
{
corsOriginValue = corsOriginHeader.Value.SingleOrDefault();
}
if (key.AppStatus == ApiKey.ApplicationStatus.Development &&
IsLocalDevelopment(referrer, corsOriginValue))
{
return(await base.SendAsync(request, cancellationToken));
}
if (!ApiKeyPatternMatches(pattern, corsOriginValue, referrer))
{
return(_invalidResponse);
}
}
else
{
var ip = key.Pattern;
var userHostAddress = IpProvider.GetIp(request);
if (ip != userHostAddress)
{
return(request.CreateResponse(HttpStatusCode.BadRequest,
new ResultContainer
{
Status = (int)HttpStatusCode.BadRequest,
Message = string.Format("Invalid API key. The IP you provided does not match what the API " +
"is receiving. Double check your API key or create a new one using `{0}` " +
"as the pattern.", userHostAddress)
},
new MediaTypeHeaderValue("application/json")));
}
}
return(null);
}
