public async Task<ValidateResult> Validate(HttpRequestBase request, HttpResponseBase response)
		{
			// Runs the anti-CSRF nonce check for browser form submissions and, on every request
			// that is not short-circuited, (re)issues the anti-CSRF cookie on the response.
			//
			// Returns ValidateResult.ResponseGenerated(...) when the response generator decided
			// to answer the request itself, otherwise ValidateResult.RequestValidated().
			// Throws (via ThrowIfNull) when request or response is null.
			request.ThrowIfNull("request");
			response.ThrowIfNull("response");

			string rawContentType = request.ContentType;

			if (!String.IsNullOrEmpty(rawContentType))
			{
				// The try/catch deliberately spans the validator calls as well, so a FormatException
				// raised anywhere inside is swallowed exactly as in the original implementation.
				try
				{
					string mediaType = new ContentType(rawContentType).MediaType;
					bool isBrowserFormPost =
						String.Equals(mediaType, "application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase) ||
						String.Equals(mediaType, "multipart/form-data", StringComparison.OrdinalIgnoreCase);

					if (isBrowserFormPost)
					{
						ValidationResult validationResult = await _antiCsrfNonceValidator.ValidateAsync(request);
						ResponseResult responseResult = await _antiCsrfResponseGenerator.GetResponseAsync(validationResult);

						if (responseResult.ResultType == ResponseResultType.ResponseGenerated)
						{
							return ValidateResult.ResponseGenerated(responseResult.Response);
						}
					}
				}
				catch (FormatException)
				{
					// A Content-Type that System.Net.Mime.ContentType cannot parse is treated as
					// "not a form post" and skips nonce validation (fail-open). A plain HTML form
					// cannot set an arbitrary Content-Type, so this mainly matters for non-browser
					// clients; keep it in mind if other request kinds ever get CSRF protection here.
				}
			}

			// Security note: only the two browser form encodings are validated. A form posted with
			// enctype="text/plain" is not, so the application must never parse text/plain bodies as
			// form fields; requests with no Content-Type (e.g. GET) are never validated either.
			await _antiCsrfCookieManager.ConfigureCookieAsync(request, response);

			return ValidateResult.RequestValidated();
		}
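        public ResponseHandlerResult HandleResponse(HttpRequestBase httpRequest, HttpResponseBase httpResponse, IResponse suggestedResponse, ICache cache, string cacheKey)
        {
            // Writes a minimal text/plain body for the status codes this handler is configured for,
            // unless the client's Accept header rules out text/plain. cache/cacheKey are part of the
            // handler contract but unused here.
            // Returns ResponseNotHandled when another handler should answer, ResponseWritten otherwise.
            // Throws (via ThrowIfNull) on null request/response/suggestedResponse.
            httpRequest.ThrowIfNull("httpRequest");
            httpResponse.ThrowIfNull("httpResponse");
            suggestedResponse.ThrowIfNull("suggestedResponse");

            StatusAndSubStatusCode statusCode = suggestedResponse.StatusCode;

            // Only the configured status codes are rendered by this handler.
            if (!_statusCodes.Contains(statusCode))
            {
                return ResponseHandlerResult.ResponseNotHandled();
            }

            AcceptHeader[] acceptHeaders = AcceptHeader.ParseMany(httpRequest.Headers["Accept"]).ToArray();

            // An explicit Accept header that excludes text/plain means another handler should answer.
            if (acceptHeaders.Any() && !acceptHeaders.Any(arg => arg.MediaTypeMatches("text/plain")))
            {
                return ResponseHandlerResult.ResponseNotHandled();
            }

            // Fix: the body used to be String.Format("{0} {1}", description, "(description)"), which
            // printed the reason phrase twice (e.g. "Not Found (Not Found)") and never the numeric
            // code. Emit "<code>[.<sub>] (<description>)" instead, mirroring the HTML error handler's
            // "HTTP {code}{.sub}" line. A null description is tolerated rather than dereferenced.
            string numericCode = statusCode.SubStatusCode == 0
                ? String.Format("{0}", statusCode.StatusCode)
                : String.Format("{0}.{1}", statusCode.StatusCode, statusCode.SubStatusCode);
            string description = statusCode.StatusDescription ?? "";
            string body = description.Length > 0
                ? String.Format("{0} ({1})", numericCode, description)
                : numericCode;

            Response response = new Response(statusCode)
                .TextPlain()
                .Content(body);

            // Error responses must not be cached by the client.
            response.CachePolicy.NoClientCaching();

            new CacheResponse(response).WriteResponse(httpResponse);

            // Stop IIS from replacing this body with its own custom error page.
            httpResponse.TrySkipIisCustomErrors = true;

            return ResponseHandlerResult.ResponseWritten();
        }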
        public ResponseHandlerResult HandleResponse(HttpRequestBase httpRequest, HttpResponseBase httpResponse, IResponse suggestedResponse, ICache cache, string cacheKey)
        {
            // Catch-all handler: writes the suggested response to the ASP.NET response unchanged and
            // reports it as written. cache and cacheKey are part of the handler contract but are
            // neither read nor written here. Throws (via ThrowIfNull) on null request/response/
            // suggestedResponse.
            httpRequest.ThrowIfNull("httpRequest");
            httpResponse.ThrowIfNull("httpResponse");
            suggestedResponse.ThrowIfNull("suggestedResponse");

            new CacheResponse(suggestedResponse).WriteResponse(httpResponse);

            return ResponseHandlerResult.ResponseWritten();
        }
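		public Task<Guid?> GetSessionIdAsync(HttpResponseBase response)
		{
			// Reads the anti-CSRF session id back from the cookie collection of the *response*
			// (i.e. the cookie this pipeline has already queued for the client), not from the request.
			// Returns a completed task whose result is null when the cookie is absent or its value is
			// not a parseable Guid. Throws (via ThrowIfNull) when response is null.
			response.ThrowIfNull("response");

			Guid? sessionId = null;

			if (response.Cookies.AllKeys.Contains(_configuration.CookieName))
			{
				Guid parsed;

				if (Guid.TryParse(response.Cookies[_configuration.CookieName].Value, out parsed))
				{
					sessionId = parsed;
				}
			}

			// Fix: the "cookie missing" path used to `return null;` — a null Task, which makes any
			// `await GetSessionIdAsync(...)` throw NullReferenceException. Both paths now return a
			// completed task carrying a null result, matching what the parse-failure path already did.
			return sessionId.AsCompletedTask();
		}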
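        public Task ConfigureCookieAsync(HttpRequestBase request, HttpResponseBase response)
        {
            // Ensures the anti-CSRF session cookie is queued on the response: keeps the client's
            // existing id when the request carried a well-formed one, otherwise mints a fresh one.
            // Returns a completed Task. Throws (via ThrowIfNull) when request or response is null.
            request.ThrowIfNull("request");
            response.ThrowIfNull("response");

            string cookieName = _configuration.CookieName;
            string sessionId = null;

            if (request.Cookies.AllKeys.Contains(cookieName))
            {
                // Fix: the incoming cookie value is client-controlled and was previously echoed
                // straight back into Set-Cookie. Only a value that parses as the Guid we would have
                // issued is kept (re-serialized in "N" form so the emitted value is always a bare hex
                // string); anything else is replaced with a fresh id.
                Guid existing;

                if (Guid.TryParse(request.Cookies[cookieName].Value, out existing))
                {
                    sessionId = existing.ToString("N");
                }
            }

            if (sessionId == null)
            {
                sessionId = _guidFactory.Random().ToString("N");
            }

            // Replace any cookie of the same name already queued on the response.
            response.Cookies.Remove(cookieName);

            // HttpOnly keeps the id away from script. NOTE(review): no Secure flag is set and only
            // CookieName is read from _configuration here — confirm whether a require-SSL setting
            // exists for this cookie and apply it if so.
            var cookie = new HttpCookie(cookieName, sessionId) { HttpOnly = true };

            response.Cookies.Add(cookie);

            return Task.Factory.Empty();
        }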
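		public Task ConfigureCookieAsync(HttpRequestBase request, HttpResponseBase response)
		{
			// Ensures the anti-CSRF session cookie is queued on the response, re-using the client's
			// id when the request carried a well-formed one and minting a fresh one otherwise.
			// Returns a completed Task. Throws (via ThrowIfNull) when request or response is null.
			request.ThrowIfNull("request");
			response.ThrowIfNull("response");

			string cookieName = _configuration.CookieName;
			string sessionId = null;

			if (request.Cookies.AllKeys.Contains(cookieName))
			{
				// Fix: previously the HttpCookie object taken from the request was copied onto the
				// response verbatim. A cookie parsed from a request carries no attributes (browsers
				// never send them), so the re-issued cookie silently lost HttpOnly — and its
				// client-controlled value was echoed back unchecked. Now only a parseable Guid is
				// kept (re-serialized in "N" form), and the cookie is always rebuilt with the same
				// attributes as a freshly issued one.
				Guid existing;

				if (Guid.TryParse(request.Cookies[cookieName].Value, out existing))
				{
					sessionId = existing.ToString("N");
				}
			}

			if (sessionId == null)
			{
				sessionId = _guidFactory.Random().ToString("N");
			}

			// NOTE(review): no Secure flag is set and only CookieName is read from _configuration
			// here — confirm whether a require-SSL setting exists for this cookie and apply it if so.
			var cookie = new HttpCookie(cookieName, sessionId) { HttpOnly = true };

			// Set replaces a same-named cookie already queued on the response, or adds it.
			response.Cookies.Set(cookie);

			return Task.Factory.Empty();
		}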
        public Task<AuthenticationResult> AuthenticateAsync(HttpRequestBase request, HttpResponseBase response, Routing.Route route)
        {
            // Authenticates the request from its ticket. A valid ticket is renewed via _helper and
            // the renewed cookie replaces any same-named cookie already queued on the response.
            // Returns a completed task: AuthenticationFailed when the ticket is missing/invalid,
            // AuthenticationSucceeded otherwise. route is validated but not otherwise used here.
            // Throws (via ThrowIfNull) on null arguments.
            request.ThrowIfNull("request");
            response.ThrowIfNull("response");
            route.ThrowIfNull("route");

            // Ticket validity is delegated entirely to _helper; this block never inspects the ticket.
            bool ticketIsValid = _helper.IsTicketValid(request);

            if (ticketIsValid)
            {
                Cookie renewed = _helper.RenewTicket(request);

                // Remove first so the renewed cookie does not end up next to a stale duplicate.
                response.Cookies.Remove(renewed.Name);
                response.Cookies.Add(renewed.GetHttpCookie());

                return AuthenticationResult.AuthenticationSucceeded.AsCompletedTask();
            }

            return AuthenticationResult.AuthenticationFailed.AsCompletedTask();
        }
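        public ResponseHandlerResult HandleResponse(HttpRequestBase httpRequest, HttpResponseBase httpResponse, IResponse suggestedResponse, ICache cache, string cacheKey)
        {
            // Writes a minimal text/html error page for the status codes this handler is configured
            // for, unless the client's Accept header rules out text/html. cache/cacheKey are part of
            // the handler contract but unused here.
            // Returns ResponseNotHandled when another handler should answer, ResponseWritten otherwise.
            // Throws (via ThrowIfNull) on null request/response/suggestedResponse.
            httpRequest.ThrowIfNull("httpRequest");
            httpResponse.ThrowIfNull("httpResponse");
            suggestedResponse.ThrowIfNull("suggestedResponse");

            StatusAndSubStatusCode statusCode = suggestedResponse.StatusCode;

            // Only the configured status codes are rendered by this handler.
            if (!_statusCodes.Contains(statusCode))
            {
                return ResponseHandlerResult.ResponseNotHandled();
            }

            AcceptHeader[] acceptHeaders = AcceptHeader.ParseMany(httpRequest.Headers["Accept"]).ToArray();

            // An explicit Accept header that excludes text/html means another handler should answer.
            if (acceptHeaders.Any() && !acceptHeaders.Any(arg => arg.MediaTypeMatches("text/html")))
            {
                return ResponseHandlerResult.ResponseNotHandled();
            }

            // {{ }} are literal braces for the CSS rule; {0}-{2} are String.Format placeholders.
            const string format = @"<!DOCTYPE html>
            <html>
            <head>
            <title>{0}</title>
            <style>h1 {{ margin: 0; padding: 0; }}</style>
            </head>
            <body>
            <h1>{0}</h1>
            <hr/>
            HTTP {1}{2}
            </body>
            </html>";

            // The description is interpolated into markup, so HTML-encode it. This is defense in
            // depth: where StatusDescription originates is not visible in this block, and standard
            // reason phrases contain no markup characters, so their output is unchanged.
            string encodedDescription = HttpUtility.HtmlEncode(statusCode.StatusDescription ?? "");
            // A non-zero sub-status is rendered IIS-style as "code.sub", e.g. "404.3".
            string subStatus = statusCode.SubStatusCode == 0 ? "" : "." + statusCode.SubStatusCode;

            Response response = new Response(statusCode)
                .TextHtml()
                .Content(String.Format(format, encodedDescription, statusCode.StatusCode, subStatus));

            // Error responses must not be cached by the client.
            response.CachePolicy.NoClientCaching();

            new CacheResponse(response).WriteResponse(httpResponse);

            // Stop IIS from replacing this body with its own custom error page.
            httpResponse.TrySkipIisCustomErrors = true;

            return ResponseHandlerResult.ResponseWritten();
        }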
		public async Task WriteResponseAsync(HttpResponseBase response)
		{
			// Stages this response's status, content headers, custom headers, cookies, cache policy
			// and IIS custom-error flag onto the ASP.NET response, then writes the body bytes.
			// The body is awaited last so that a failure producing it occurs after the headers have
			// been staged, exactly as before. Throws (via ThrowIfNull) when response is null.
			response.ThrowIfNull("response");

			response.StatusCode = _statusCode.StatusCode;
			response.SubStatusCode = _statusCode.SubStatusCode;

			response.ContentType = ContentType;
			response.Charset = Charset;
			response.ContentEncoding = ContentEncoding;

			// Custom headers are added one by one with Field/Value written as given. NOTE(review):
			// nothing here strips CR/LF from header values, so header-injection protection rests on
			// ASP.NET's own response header checking — confirm it is enabled in this deployment.
			foreach (var extraHeader in Headers)
			{
				response.Headers.Add(extraHeader.Field, extraHeader.Value);
			}

			response.HeaderEncoding = HeaderEncoding;

			foreach (var responseCookie in Cookies)
			{
				response.Cookies.Add(responseCookie.GetHttpCookie());
			}

			_cachePolicy.Apply(response.Cache);
			response.TrySkipIisCustomErrors = _skipIisCustomErrors;

			byte[] body = await _content.Value;

			response.BinaryWrite(body);
		}
        public ResponseHandlerResult HandleResponse(HttpRequestBase httpRequest, HttpResponseBase httpResponse, IResponse suggestedResponse, ICache cache, string cacheKey)
        {
            // Server-side cache handler. Evaluates the request's conditional headers (If-Match,
            // If-None-Match, If-Modified-Since, If-Unmodified-Since) against the suggested response's
            // ETag and the cached copy stored under cacheKey, then either answers 304/412/504,
            // serves the cached copy, or writes (and optionally caches) the suggested response.
            // Returns ResponseNotHandled only when the response has no cache policy or no cache/key
            // was supplied; every other path writes something. Throws (via ThrowIfNull) on null
            // request/response/suggestedResponse. (The first check names the argument "request"
            // although the parameter is httpRequest.)
            httpRequest.ThrowIfNull("request");
            httpResponse.ThrowIfNull("httpResponse");
            suggestedResponse.ThrowIfNull("suggestedResponse");

            if (!suggestedResponse.CachePolicy.HasPolicy || cache == null || cacheKey == null)
            {
                return ResponseHandlerResult.ResponseNotHandled();
            }

            // cacheItem is null when nothing is cached under this key; responseETag may be null.
            CacheItem cacheItem = cache.Get(cacheKey);
            string responseETag = suggestedResponse.CachePolicy.ETag;

            #region If-Match precondition header

            IfMatchHeader[] ifMatchHeaders = IfMatchHeader.ParseMany(httpRequest.Headers["If-Match"]).ToArray();

            // Only consider If-Match headers if response status code is 2xx or 412
            if (ifMatchHeaders.Any() && ((suggestedResponse.StatusCode.StatusCode >= 200 && suggestedResponse.StatusCode.StatusCode <= 299) || suggestedResponse.StatusCode.StatusCode == 412))
            {
                // Return 412 if no If-Match header matches the response ETag
                // Return 412 if an "If-Match: *" header is present and the response has no ETag
                // NOTE(review): "*" is only special-cased in the second clause. If the parser keeps
                // "*" as a literal entity-tag value (the == "*" test below suggests it does), a lone
                // "If-Match: *" against a response that HAS an ETag fails the first clause
                // ("*" != etag) and yields 412, whereas RFC 7232 says "*" matches any current
                // representation — confirm against IfMatchHeader before relying on it.
                if (ifMatchHeaders.All(arg => arg.EntityTag.Value != responseETag) ||
                    (responseETag == null && ifMatchHeaders.Any(arg => arg.EntityTag.Value == "*")))
                {
                    return WriteResponse(httpResponse, Response.PreconditionFailed());
                }
            }

            #endregion

            #region If-None-Match precondition header

            IfNoneMatchHeader[] ifNoneMatchHeaders = IfNoneMatchHeader.ParseMany(httpRequest.Headers["If-None-Match"]).ToArray();

            if (ifNoneMatchHeaders.Any())
            {
                // Return 304 if an If-None-Match header matches the response ETag and the request method was GET or HEAD
                // Return 304 if an "If-None-Match: *" header is present, the response has an ETag and the request method was GET or HEAD
                // Return 412 if an "If-None-Match: *" header is present, the response has an ETag and the request method was not GET or HEAD
                if (ifNoneMatchHeaders.Any(arg => arg.EntityTag.Value == responseETag) ||
                    (ifNoneMatchHeaders.Any(arg => arg.EntityTag.Value == "*") && responseETag != null))
                {
                    if (String.Equals(httpRequest.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase) || String.Equals(httpRequest.HttpMethod, "HEAD", StringComparison.OrdinalIgnoreCase))
                    {
                        // The 304 carries the cache headers of whichever copy the client is being
                        // told to keep: the cached one if present, else the suggested response's.
                        if (cacheItem != null)
                        {
                            cacheItem.Response.CachePolicy.Apply(httpResponse.Cache);
                        }
                        else
                        {
                            suggestedResponse.CachePolicy.Apply(httpResponse.Cache);
                        }

                        return WriteResponse(httpResponse, Response.NotModified());
                    }

                    return WriteResponse(httpResponse, Response.PreconditionFailed());
                }
            }

            #endregion

            #region If-Modified-Since precondition header

            IfModifiedSinceHeader ifModifiedSinceHeader = IfModifiedSinceHeader.Parse(httpRequest.Headers["If-Modified-Since"]);
            // A date in the future is treated as invalid and the header is ignored.
            bool validIfModifiedSinceHttpDate = ifModifiedSinceHeader != null && ifModifiedSinceHeader.HttpDate <= _systemClock.UtcDateTime;

            // Only consider an If-Modified-Since header if response status code is 200 and the HTTP-date is valid
            if (suggestedResponse.StatusCode.ParsedStatusCode == HttpStatusCode.OK && validIfModifiedSinceHttpDate)
            {
                // Return 304 if the response was cached before the HTTP-date
                // (the cache timestamp stands in for a Last-Modified date; nothing else is compared).
                if (cacheItem != null && cacheItem.CachedUtcTimestamp < ifModifiedSinceHeader.HttpDate)
                {
                    return WriteResponse(httpResponse, Response.NotModified());
                }
            }

            #endregion

            #region If-Unmodified-Since precondition header

            IfUnmodifiedSinceHeader ifUnmodifiedSinceHeader = IfUnmodifiedSinceHeader.Parse(httpRequest.Headers["If-Unmodified-Since"]);
            bool validIfUnmodifiedSinceHttpDate = ifUnmodifiedSinceHeader != null && ifUnmodifiedSinceHeader.HttpDate <= _systemClock.UtcDateTime;

            // Only consider an If-Unmodified-Since header if response status code is 2xx or 412 and the HTTP-date is valid
            if (((suggestedResponse.StatusCode.StatusCode >= 200 && suggestedResponse.StatusCode.StatusCode <= 299) || suggestedResponse.StatusCode.StatusCode == 412) && validIfUnmodifiedSinceHttpDate)
            {
                // Return 412 if the previous response was removed from the cache or was cached again at a later time
                if (cacheItem == null || cacheItem.CachedUtcTimestamp >= ifUnmodifiedSinceHeader.HttpDate)
                {
                    return WriteResponse(httpResponse, Response.PreconditionFailed());
                }
            }

            #endregion

            #region No server caching

            // Do not cache the response when the response sends a non-cacheable status code, or when an Authorization header is present
            // NOTE(review): only the Authorization header suppresses caching. Responses personalised
            // via cookie/session authentication are still stored under cacheKey and replayed to any
            // later requester with the same key — confirm the key incorporates the principal, or
            // that AllowsServerCaching is never enabled on per-user responses.
            if (!_cacheableStatusCodes.Contains(suggestedResponse.StatusCode) || httpRequest.Headers["Authorization"] != null)
            {
                return WriteResponse(httpResponse, suggestedResponse);
            }

            CacheControlHeader cacheControlHeader = CacheControlHeader.Parse(httpRequest.Headers["Cache-Control"]);

            // Do not cache the response if a "Cache-Control: no-cache" or "Cache-Control: no-store" header is present
            if (cacheControlHeader != null && (cacheControlHeader.NoCache || cacheControlHeader.NoStore))
            {
                return WriteResponse(httpResponse, suggestedResponse);
            }

            IEnumerable<PragmaHeader> pragmaHeader = PragmaHeader.ParseMany(httpRequest.Headers["Pragma"]);

            // Do not cache the response if a "Pragma: no-cache" header is present
            if (pragmaHeader.Any(arg => String.Equals(arg.Name, "no-cache", StringComparison.OrdinalIgnoreCase)))
            {
                return WriteResponse(httpResponse, suggestedResponse);
            }

            #endregion

            // Return 504 if the response has not been cached but the client is requesting to receive only a cached response
            if (cacheItem == null && cacheControlHeader != null && cacheControlHeader.OnlyIfCached)
            {
                return WriteResponse(httpResponse, Response.GatewayTimeout());
            }

            if (cacheItem != null)
            {
                // Write the cached response if no Cache-Control header is present
                // Write the cached response if a "Cache-Control: max-age" header is validated
                // Write the cached response if a "Cache-Control: max-stale" header is validated
                // Write the cached response if a "Cache-Control: min-fresh" header is validated
                // (also whenever only-if-cached is set, or the cached item has no expiry at all).
                // NOTE(review): min-fresh asks for a response that stays fresh for at least that
                // long, i.e. (expires - now) >= MinFresh; the last comparison below serves the cached
                // copy when the remaining freshness is LESS than MinFresh, which looks inverted —
                // verify against CacheControlHeader (if MinFresh is a nullable, an unset value makes
                // the comparison false and hides this).
                if (cacheControlHeader == null ||
                    _systemClock.UtcDateTime - cacheItem.CachedUtcTimestamp <= cacheControlHeader.MaxAge ||
                    cacheControlHeader.OnlyIfCached ||
                    cacheItem.ExpiresUtcTimestamp == null ||
                    _systemClock.UtcDateTime - cacheItem.ExpiresUtcTimestamp.Value <= cacheControlHeader.MaxStale ||
                    cacheItem.ExpiresUtcTimestamp.Value - _systemClock.UtcDateTime < cacheControlHeader.MinFresh)
                {
                    return WriteResponseInCache(httpResponse, cacheItem);
                }
            }

            bool cacheOnServer = suggestedResponse.CachePolicy.AllowsServerCaching;
            var cacheResponse = new CacheResponse(suggestedResponse);

            if (cacheOnServer)
            {
                // An absolute expiration wins; otherwise expiry is now + ServerCacheMaxAge.
                // NOTE(review): if neither is set, .Value throws InvalidOperationException —
                // presumably CachePolicy guarantees one of them whenever AllowsServerCaching is true;
                // confirm.
                DateTime expirationUtcTimestamp = suggestedResponse.CachePolicy.ServerCacheExpirationUtcTimestamp != null
                                                      ? suggestedResponse.CachePolicy.ServerCacheExpirationUtcTimestamp.Value
                                                      : _systemClock.UtcDateTime + suggestedResponse.CachePolicy.ServerCacheMaxAge.Value;

                cache.Add(cacheKey, cacheResponse, expirationUtcTimestamp);
            }

            return WriteResponse(httpResponse, cacheResponse);
        }
        public void WriteResponse(HttpResponseBase response)
        {
            // Stages this response's status, content headers, custom headers, cookies and cache
            // policy onto the ASP.NET response, then writes the body bytes held in _content.
            // Throws (via ThrowIfNull) when response is null.
            response.ThrowIfNull("response");

            response.StatusCode = _statusCode.StatusCode;
            response.SubStatusCode = _statusCode.SubStatusCode;

            response.ContentType = ContentType;
            response.Charset = Charset;
            response.ContentEncoding = ContentEncoding;

            // Custom headers are added one by one with Field/Value written as given. NOTE(review):
            // nothing here strips CR/LF from header values, so header-injection protection rests on
            // ASP.NET's own response header checking — confirm it is enabled in this deployment.
            foreach (var extraHeader in Headers)
            {
                response.Headers.Add(extraHeader.Field, extraHeader.Value);
            }

            response.HeaderEncoding = HeaderEncoding;

            foreach (var responseCookie in Cookies)
            {
                response.Cookies.Add(responseCookie.GetHttpCookie());
            }

            _cachePolicy.Apply(response.Cache);

            response.BinaryWrite(_content);
        }
		public void RemoveTicket(HttpResponseBase response)
		{
			// Clears the ticket cookie on the client by queuing an empty, already-expired cookie
			// under the ticket's name with the same Path/Domain/Secure attributes as the real ticket,
			// so the browser matches and discards the right cookie.
			// Throws (via ThrowIfNull) when response is null.
			response.ThrowIfNull("response");

			string cookieName = _configuration.CookieName;
			var expiredTicket = new HttpCookie(cookieName, "");

			// A date well in the past makes the browser delete the cookie immediately.
			expiredTicket.Expires = new DateTime(2000, 01, 01);
			expiredTicket.HttpOnly = true;
			expiredTicket.Path = _configuration.CookiePath;
			// Secure mirrors the configured require-SSL setting so the attributes match the real ticket.
			expiredTicket.Secure = _configuration.RequireSsl;
			expiredTicket.Shareable = false;

			// Domain is set only when one is configured.
			if (_configuration.CookieDomain != null)
			{
				expiredTicket.Domain = _configuration.CookieDomain;
			}

			// Drop any same-named cookie already queued on the response before adding the expiry.
			response.Cookies.Remove(cookieName);
			response.Cookies.Add(expiredTicket);
		}