/// <summary>
/// Builds a fresh, request-scoped <see cref="WaveSession"/> on every call; the instance is kept in memory
/// only for the duration of the request and is never persisted.
/// The session's <c>DataContextName</c> is taken from the request header named by <c>DataContextHeader</c>
/// (trimmed and capped at 1024 characters). When an <c>Authorization</c> header carrying a Basic or Bearer
/// scheme is present, the user is resolved through <c>App.SecurityManager</c> and the work context is marked
/// authenticated (or not) accordingly.
/// </summary>
/// <param name="work">The request context whose headers are inspected.</param>
/// <returns>
/// A new session. Its <c>User</c> is left untouched when no <c>Authorization</c> header was supplied.
/// </returns>
/// <exception cref="HTTPStatusException">
/// 400 when an <c>Authorization</c> header is present but is neither Basic nor Bearer, or its payload
/// can not be turned into credentials.
/// </exception>
protected override WaveSession MakeNewSessionInstance(WorkContext work)
{
  const string BASIC_PREFIX = WebConsts.AUTH_SCHEME_BASIC + " ";
  const string BEARER_PREFIX = WebConsts.AUTH_SCHEME_BEARER + " ";

  //Every request gets its own ephemeral session
  var result = base.MakeNewSessionInstance(work);

  //Optional data-context routing, taken from a configurable request header
  var contextHeaderName = DataContextHeader;
  if (contextHeaderName.IsNotNullOrWhiteSpace())
  {
    var contextValue = work.Request.Headers[contextHeaderName];
    if (contextValue.IsNotNullOrWhiteSpace())
    {
      //Trim and cap the value so an oversized header can not be stored on the session
      result.DataContextName = contextValue.Trim().TakeFirstChars(1024);
    }
  }

  var authorization = work.Request.Headers[WebConsts.HTTP_HDR_AUTHORIZATION]?.TrimStart(' ');
  if (authorization.IsNullOrWhiteSpace())
  {
    return result; //no credentials supplied: session stays unauthenticated
  }

  Credentials parsed = null;
  try
  {
    if (authorization.StartsWith(BASIC_PREFIX, StringComparison.OrdinalIgnoreCase))
    {
      var basicPayload = authorization.Substring(BASIC_PREFIX.Length).Trim();
      parsed = IDPasswordCredentials.FromBasicAuth(basicPayload);
    }
    else if (authorization.StartsWith(BEARER_PREFIX, StringComparison.OrdinalIgnoreCase))
    {
      var bearerPayload = authorization.Substring(BEARER_PREFIX.Length).Trim();
      parsed = new BearerCredentials(bearerPayload);
    }
  }
  catch
  {
    //A payload the parser rejects is reported below as a plain 400 instead of surfacing the parser's exception
  }

  if (parsed == null)
  {
    throw HTTPStatusException.BadRequest_400("Bad [Authorization] header");
  }

  result.User = App.SecurityManager.Authenticate(parsed);
  work.SetAuthenticated(result.User.IsAuthenticated);
  return result;
}
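/// <summary>
/// Builds a fresh, request-scoped <see cref="WaveSession"/> on every call; the instance is kept in memory
/// only for the duration of the request and is never persisted.
/// The session's <c>DataContextName</c> is taken from the request header named by <c>DataContextHeader</c>
/// (trimmed and capped at 1024 characters). The authorization value is resolved in this order: the header
/// named by <c>AltAuthorizationHeader</c>, then the standard <c>Authorization</c> header, then the configured
/// <c>DefaultImpersonationAuthorizationHeaderValue</c>. That value is authenticated either as a system token
/// (only when <c>EnableSystemTokens</c> is on and the value starts with <c>SYSTOKEN</c>) or as Basic/Bearer
/// credentials; a Bearer payload that starts with <c>BearerBasicPrefix</c> is re-read as Basic auth.
/// When authentication does not yield an authenticated user and <c>NetGate</c> is enabled, the
/// <c>GateBadAuthVar</c> counter is incremented for the caller's address.
/// </summary>
/// <param name="work">The request context whose headers and caller address are inspected.</param>
/// <returns>
/// A new session. Its <c>User</c> is left untouched when no authorization value could be resolved.
/// </returns>
/// <exception cref="HTTPStatusException">
/// 400 when a system token is empty or does not parse, or when a non-systoken value is neither Basic nor
/// Bearer, or its payload can not be turned into credentials.
/// </exception>
protected override WaveSession MakeNewSessionInstance(WorkContext work)
{
  //Always create new session
  var session = base.MakeNewSessionInstance(work);

  //try to inject session.DataContextName
  var dch = DataContextHeader;
  if (dch.IsNotNullOrWhiteSpace())
  {
    var dcn = work.Request.Headers[dch];
    if (dcn.IsNotNullOrWhiteSpace())
    {
      dcn = dcn.Trim().TakeFirstChars(1024);//hard limit safeguard
      session.DataContextName = dcn;
    }
  }

  //1. alternative header (configurable name) takes precedence
  string hdr = null;
  var altHdrName = AltAuthorizationHeader;
  if (altHdrName.IsNotNullOrWhiteSpace())
  {
    hdr = work.Request.Headers[altHdrName]?.TrimStart(' ');
  }

  if (hdr.IsNullOrWhiteSpace())
  {
    //2. real AUTHORIZATION header
    hdr = work.Request.Headers[WebConsts.HTTP_HDR_AUTHORIZATION]?.TrimStart(' ');
    if (hdr.IsNullOrWhiteSpace())
    {
      //3. configured fallback used as if the client had sent it
      //NOTE(review): this substitutes a configured value for a missing header, presumably for
      //dev/test impersonation - confirm it is left unset in production configurations
      var mockHdrName = DefaultImpersonationAuthorizationHeaderValue;
      if (mockHdrName.IsNotNullOrEmpty())
      {
        hdr = mockHdrName;
      }
      else
      {
        return session;//unauthorized
      }
    }
  }

  User user;
  if (EnableSystemTokens && hdr.StartsWith(SYSTOKEN, StringComparison.OrdinalIgnoreCase))
  {
    var sysTokenContent = hdr.Substring(SYSTOKEN.Length).Trim();
    if (sysTokenContent.IsNullOrWhiteSpace() || // empty or null tokens treated as empty
        !SysAuthToken.TryParse(sysTokenContent, out var sysToken))
    {
      throw HTTPStatusException.BadRequest_400("Bad [Authorization] header systoken");
    }
    user = App.SecurityManager.Authenticate(sysToken);//authenticate the user using Systoken
  }
  else//credentials
  {
    Credentials credentials = null;
    try
    {
      if (hdr.StartsWith(BASIC, StringComparison.OrdinalIgnoreCase))
      {
        var basic = hdr.Substring(BASIC.Length).Trim();
        credentials = IDPasswordCredentials.FromBasicAuth(basic);
      }
      else if (hdr.StartsWith(BEARER, StringComparison.OrdinalIgnoreCase))
      {
        var pfxBasic = BearerBasicPrefix;
        var bearer = hdr.Substring(BEARER.Length).Trim();
        //Ordinal: the prefix is a protocol marker, not text; a culture-sensitive StartsWith could
        //match (or miss) on characters the current culture ignores, e.g. zero-width or control characters
        if (pfxBasic.IsNotNullOrWhiteSpace() &&
            bearer.IsNotNullOrWhiteSpace() &&
            bearer.StartsWith(pfxBasic, StringComparison.Ordinal))
        {
          var basicContent = bearer.Substring(pfxBasic.Length).Trim();
          credentials = IDPasswordCredentials.FromBasicAuth(basicContent);
        }
        else
        {
          credentials = new BearerCredentials(bearer);
        }
      }
    }
    catch
    {
      //A payload the parser rejects is reported below as a plain 400 instead of surfacing the parser's exception
    }

    if (credentials == null)
    {
      throw HTTPStatusException.BadRequest_400("Bad [Authorization] header");
    }

    user = App.SecurityManager.Authenticate(credentials);//authenticate the user
  }

  session.User = user;//<===========================================================I
  work.SetAuthenticated(user.IsAuthenticated);

  //gate bad traffic: count failed authentications per caller address so the gate can act on them
  var gate = NetGate;
  if (!user.IsAuthenticated && gate != null && gate.Enabled)
  {
    var vname = GateBadAuthVar;
    if (vname.IsNotNullOrWhiteSpace())
    {
      gate.IncreaseVariable(IO.Net.Gate.TrafficDirection.Incoming,
                            work.EffectiveCallerIPEndPoint.Address.ToString(),
                            vname,
                            1);
    }
  }

  return session;
}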