public async Task Invoke(HttpContext context, IClientApiKeyService clientApiKeyService)
{
var path = context.Request.Path.Value.ToLower();
if (context.Request.Path.HasValue)
{
if (path.StartsWith("/sys/appenv/") || path.EndsWith("/sys/appenv") ||
path.StartsWith("/api/isvalid/") || path.EndsWith("/api/isvalid") ||
path.StartsWith("/swagger/") || path.EndsWith("/swagger"))
{
// These two special paths don't need api-key validation
await _next.Invoke(context);
return;
}
}
if (!context.Request.Headers.Keys.Contains(ApiHttpHeaders.ApiKey) || !context.Request.Headers.Keys.Contains(ApiHttpHeaders.ApiSecret))
{
context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
await context.Response.WriteAsync($"{ApiHttpHeaders.ApiKey} and/or {ApiHttpHeaders.ApiSecret} missing");
}
else
{
string apiKey = context.Request.Headers[ApiHttpHeaders.ApiKey];
string apiSecret = context.Request.Headers[ApiHttpHeaders.ApiSecret];
string action = context.Request.Method;
var serviceName = context.Request.GetServiceName();
var apiName = context.Request.GetApiName();
var result = await clientApiKeyService.IsClientApiKeyValidAsync(apiKey, apiSecret, serviceName, apiName, action);
if (result.IsValid)
{
_logger.LogInformation(LogEvents.ApiKeyValidationPassed, path, apiKey, serviceName, apiName);
// Add IDs into context to forward to actual API for client identification
context.Items.Add(ApiHttpHeaders.ApiKey, apiKey);
context.Items.Add(ApiHttpHeaders.KeyId, result.KeyId);
context.Items.Add(ApiHttpHeaders.ApiId, result.ApiId);
context.Items.Add(ApiHttpHeaders.ServiceId, result.ServiceId);
await _next.Invoke(context);
}
else
{
// Validation failed
_logger.LogInformation(LogEvents.ApiKeyValidationFailed, path, apiKey, serviceName, apiName);
context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
await context.Response.WriteAsync(result.ToJson());
}
}
}
public async Task Invoke(HttpContext context)
{
var path = context.Request.Path.Value.ToLower();
if (_allowAnnon != null && _allowAnnon.IsMatch(path))
{
// Skip ApiKey validation. This path is allowed for anonymous access
await _next.Invoke(context);
}
else
{
if (!context.Request.Headers.Keys.Contains(ApiHttpHeaders.ApiKey) ||
!context.Request.Headers.Keys.Contains(ApiHttpHeaders.ApiSecret))
{
context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
await context.Response.WriteAsync(
$"{ApiHttpHeaders.ApiKey} and/or {ApiHttpHeaders.ApiSecret} missing");
}
else
{
string apiKey = context.Request.Headers[ApiHttpHeaders.ApiKey];
string apiSecret = context.Request.Headers[ApiHttpHeaders.ApiSecret];
string action = context.Request.Method;
string apiName = context.Request.GetApiName();
var result = await _clientApiKeyService.IsClientApiKeyValidAsync(apiKey, apiSecret,
_settings.ServiceName, apiName, action);
if (result.IsValid)
{
context.Items.Add(ApiHttpHeaders.ApiKey, apiKey);
await _next.Invoke(context);
}
else
{
// Validation failed
context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
await context.Response.WriteAsync(result.ToJson());
}
}
}
}
