// Process API calls based on the class's HTTP URL
private void ApiProcess()
{
// The API request wrapper
UriWrapper uri = new UriWrapper(this.HttpUrl, this.HttpMethod);
// The user who is accessing the API
User apiUser = null;
// The handler being accessed
IApiHandler api = null;
// No API request found? Serve web UI
if (!uri.IsApiCall)
{
api = Injection.Kernel.Get <IApiHandlerFactory>().CreateApiHandler("web");
api.Process(uri, this, apiUser);
return;
}
// Get client IP address
string ip = ((IPEndPoint)this.Socket.Client.RemoteEndPoint).Address.ToString();
// Check for valid API action ("web" and "error" are technically valid, but can't be used in this way)
if (uri.ApiAction == null || uri.ApiAction == "web" || uri.ApiAction == "error")
{
ErrorApiHandler errorApi = (ErrorApiHandler)Injection.Kernel.Get <IApiHandlerFactory>().CreateApiHandler("error");
errorApi.Process(uri, this, apiUser, "Invalid API call");
logger.IfInfo(String.Format("[{0}] API: {1}", ip, this.HttpUrl));
return;
}
// Check for session cookie authentication, unless this is a login request
string sessionId = null;
if (uri.ApiAction != "login")
{
sessionId = this.GetSessionCookie();
apiUser = Injection.Kernel.Get <IApiAuthenticate>().AuthenticateSession(sessionId);
}
// If no cookie, try parameter authentication
if (apiUser == null)
{
apiUser = Injection.Kernel.Get <IApiAuthenticate>().AuthenticateUri(uri);
// If user still null, failed authentication, so serve error
if (apiUser == null)
{
ErrorApiHandler errorApi = (ErrorApiHandler)Injection.Kernel.Get <IApiHandlerFactory>().CreateApiHandler("error");
errorApi.Process(uri, this, apiUser, "Authentication failed");
logger.IfInfo(String.Format("[{0}] API: {1}", ip, this.HttpUrl));
return;
}
}
// apiUser.SessionId will be generated on new login, so that takes precedence for new session cookie
apiUser.SessionId = apiUser.SessionId ?? sessionId;
this.SetSessionCookie(apiUser.SessionId);
// Store user's current session object
apiUser.CurrentSession = Injection.Kernel.Get <ISessionRepository>().SessionForSessionId(apiUser.SessionId);
// Retrieve the requested API handler by its action
IApiHandler apiHandler = Injection.Kernel.Get <IApiHandlerFactory>().CreateApiHandler(uri.ApiAction);
// Check for valid API action
if (apiHandler == null)
{
ErrorApiHandler errorApi = (ErrorApiHandler)Injection.Kernel.Get <IApiHandlerFactory>().CreateApiHandler("error");
errorApi.Process(uri, this, apiUser, "Invalid API call");
logger.IfInfo(String.Format("[{0}] API: {1}", ip, this.HttpUrl));
return;
}
// Log API call
logger.IfInfo(String.Format("[{0}/{1}@{2}] API: {3} {4}", apiUser.UserName, apiUser.CurrentSession.ClientName, ip, this.HttpMethod, this.HttpUrl));
// Check if user has appropriate permissions for this action on this API handler
if (!apiHandler.CheckPermission(apiUser, uri.Action))
{
ErrorApiHandler errorApi = (ErrorApiHandler)Injection.Kernel.Get <IApiHandlerFactory>().CreateApiHandler("error");
errorApi.Process(uri, this, apiUser, "Permission denied");
return;
}
// Finally, process and return results
apiHandler.Process(uri, this, apiUser);
}