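public SessionIdModel CreateSession(InitializeModel model)
{
    // Creates a new user session and returns the Session ID and One Time Code
    // used to logon. Only a caller presenting a valid access token gets a session.
    //
    // Parameters: model - carries the caller's access token and the hashed nonce.
    // Returns: the new session id together with its one time code.
    // Throws: InvalidOperationException when the request is empty, has no access token,
    //         or the access token fails validation.
    if (model == null || string.IsNullOrEmpty(model.AccessToken))
    {
        throw new InvalidOperationException();
    }

    // Makes sure the access token is valid and meant for us
    if (!TokenValidator.ValidateAccessToken(model.AccessToken, out _))
    {
        throw new InvalidOperationException("Access token was not validated");
    }

    // Generates a unique session id and a unique one time code.
    // NOTE(review): both values are bearer secrets and must come from a CSPRNG
    // (RandomNumberGenerator, not System.Random) — confirm in GenerateRandomValue.
    var sessionId = GenerateRandomValue();
    var oneTimeCode = GenerateRandomValue();

    // Stores the access token, the hashed nonce and the one time code used for the session.
    // The one time code maps back to its session id so it can be redeemed later.
    // NOTE(review): model.NonceHash is stored without being checked for presence; if the
    // logon step compares against it, a null hash should be rejected here — confirm with the caller.
    // NOTE(review): none of these entries carry an expiration, so a session and an unredeemed
    // one time code stay usable until the cache evicts them. The
    // Set(key, value, TimeSpan absoluteExpirationRelativeToNow) overload with a short TTL for the
    // one time code and a session lifetime for the rest would bound that — confirm the policy.
    _memoryCache.Set(sessionId + "_at", model.AccessToken);
    _memoryCache.Set(sessionId + "_hash", model.NonceHash);
    _memoryCache.Set(oneTimeCode, sessionId);

    return new SessionIdModel
    {
        OneTimeCode = oneTimeCode,
        SessionId = sessionId
    };
}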
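public string Post()
{
    // This is just a very simple api that returns a string
    // We handle the token manually so we don't have to setup a much more complex web application
    // that handles many types of authentication
    //
    // Returns: "API called OK" when the bearer token validates, otherwise "API failed" with the
    //          response status set to 401 so a rejected call is not reported as a success.
    var header = Request.Headers["Authorization"].ToString();

    // Only strip a leading "Bearer " scheme (case-insensitive, as HTTP auth schemes are).
    // The earlier Replace("Bearer ", "") removed that text wherever it occurred in the header,
    // which is not the RFC 6750 credential format. A header that carries no scheme is still
    // passed through unchanged so existing callers keep working.
    const string scheme = "Bearer ";
    var token = header.StartsWith(scheme, StringComparison.OrdinalIgnoreCase)
        ? header.Substring(scheme.Length).Trim()
        : header;

    if (TokenValidator.ValidateAccessToken(token, out _))
    {
        return "API called OK";
    }

    // A failed validation used to be answered with HTTP 200; signal the rejection explicitly.
    Response.StatusCode = 401;
    return "API failed";
}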
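public IActionResult RefreshSession(UpdateModel model)
{
    // Updates an existing session with a new access token
    // The access token is validated and the session id is validated
    // Finally we ensure that the access token belongs to this session
    //
    // Parameters: model - the session id to update and the replacement access token.
    // Returns: 200 OK once the stored access token has been replaced.
    // Throws: InvalidOperationException when the request is incomplete, either token fails
    //         validation, the session id is unknown, or the client_id claims do not match.
    if (model == null || string.IsNullOrEmpty(model.AccessToken) || string.IsNullOrEmpty(model.SessionId))
    {
        throw new InvalidOperationException();
    }

    // Validates the new access token, keeps the claims for later validation
    if (!TokenValidator.ValidateAccessToken(model.AccessToken, out ClaimsPrincipal newPrincipal) || newPrincipal == null)
    {
        throw new InvalidOperationException("Access token was not validated");
    }

    // Ensures that we have an existing session by fetching the access token for that session id
    // In a real application you will probably have different mechanisms for session validation... :-)
    // The lookup result was previously not checked, so an unknown (caller-chosen) session id
    // fell through to the Set() below and was created on the fly.
    var originalAccessToken = _memoryCache.Get<string>(model.SessionId + "_at");
    if (string.IsNullOrEmpty(originalAccessToken))
    {
        throw new InvalidOperationException("Unknown session");
    }

    // Extracts the claims from the original access token. The validator's result was previously
    // ignored, which left originalPrincipal null (and the comparison below crashing) whenever the
    // stored token could not be validated.
    // NOTE(review): if TokenValidator enforces token lifetime, a refresh attempted after the
    // stored token has expired is rejected here; if the refresh window is meant to outlive the
    // old token, read its claims without lifetime validation instead — confirm against TokenValidator.
    if (!TokenValidator.ValidateAccessToken(originalAccessToken, out ClaimsPrincipal originalPrincipal) || originalPrincipal == null)
    {
        throw new InvalidOperationException("Stored access token was not validated");
    }

    // Validates that the new access token is a valid replacement of the current access token
    // Since we are using a simplified model here, we only have the client id to use for validation.
    // In a real application you would also check the user PID, possibly the SFM_ID claim when it is ready
    // and possibly other claims as well
    // A missing client_id on either side must not count as a match (null == null did before).
    var newClientId = newPrincipal.FindFirstValue("client_id");
    var originalClientId = originalPrincipal.FindFirstValue("client_id");
    if (string.IsNullOrEmpty(newClientId)
        || !string.Equals(newClientId, originalClientId, StringComparison.Ordinal))
    {
        throw new InvalidOperationException("Client ID of original and new access token does not match!");
    }

    // Replaces the current access token with the new one for the given session
    _memoryCache.Set(model.SessionId + "_at", model.AccessToken);

    return Ok();
}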