public string Unprotect(string protectedData, IDotvvmRequestContext context) { if (protectedData == null) { throw new ArgumentNullException(nameof(protectedData)); } if (string.IsNullOrWhiteSpace(protectedData)) { throw new ArgumentException("Value cannot be empty or whitespace only string.", nameof(protectedData)); } if (context == null) { throw new ArgumentNullException(nameof(context)); } // Construct protector with purposes var userIdentity = ProtectionHelpers.GetUserIdentity(context); var requestIdentity = ProtectionHelpers.GetRequestIdentity(context); var protector = this.protectionProvider.Create(PRIMARY_PURPOSE, userIdentity, requestIdentity); // Return unprotected view model data var dataToUnprotect = Convert.FromBase64String(protectedData); var unprotectedData = protector.Unprotect(dataToUnprotect); return(Encoding.UTF8.GetString(unprotectedData)); }
private const string KDF_LABEL_TOKEN = "DotVVM.Framework.Security.DefaultCsrfProtector.Token"; // Key derivation label for protecting token public string GenerateToken(IDotvvmRequestContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } // Get SID var sid = this.GetOrCreateSessionId(context); // Get application key helper var keyHelper = new ApplicationKeyHelper(context.Configuration.Security); // Get token var userIdentity = ProtectionHelpers.GetUserIdentity(context); var requestIdentity = ProtectionHelpers.GetRequestIdentity(context); var tokenData = keyHelper.ProtectData(sid, KDF_LABEL_TOKEN, userIdentity, requestIdentity); // Return encoded token return(Convert.ToBase64String(tokenData)); }
public string GenerateToken(IDotvvmRequestContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } // Get SID var sid = this.GetOrCreateSessionId(context); // Construct protector with purposes var userIdentity = ProtectionHelpers.GetUserIdentity(context); var requestIdentity = ProtectionHelpers.GetRequestIdentity(context); var protector = this.protectionProvider.Create(PURPOSE_TOKEN, userIdentity, requestIdentity); // Get token var tokenData = protector.Protect(sid); // Return encoded token return(Convert.ToBase64String(tokenData)); }
public void VerifyToken(IDotvvmRequestContext context, string token) { if (context == null) { throw new ArgumentNullException(nameof(context)); } if (string.IsNullOrWhiteSpace(token)) { throw new SecurityException("CSRF protection token is missing."); } // Get application key helper var keyHelper = new ApplicationKeyHelper(context.Configuration.Security); // Get token var userIdentity = ProtectionHelpers.GetUserIdentity(context); var requestIdentity = ProtectionHelpers.GetRequestIdentity(context); byte[] tokenSid; try { var tokenData = Convert.FromBase64String(token); tokenSid = keyHelper.UnprotectData(tokenData, KDF_LABEL_TOKEN, userIdentity, requestIdentity); } catch (Exception ex) { // Incorrect Base64 formatting of crypto protection error throw new SecurityException("CSRF protection token is invalid.", ex); } // Get SID from cookie and compare with token one var cookieSid = this.GetOrCreateSessionId(context); if (!cookieSid.SequenceEqual(tokenSid)) { throw new SecurityException("CSRF protection token is invalid."); } }
public void VerifyToken(IDotvvmRequestContext context, string token) { if (context == null) { throw new ArgumentNullException(nameof(context)); } if (string.IsNullOrWhiteSpace(token)) { throw new SecurityException("CSRF protection token is missing."); } // Construct protector with purposes var userIdentity = ProtectionHelpers.GetUserIdentity(context); var requestIdentity = ProtectionHelpers.GetRequestIdentity(context); var protector = this.protectionProvider.Create(PURPOSE_TOKEN, userIdentity, requestIdentity); // Get token byte[] tokenSid; try { var tokenData = Convert.FromBase64String(token); tokenSid = protector.Unprotect(tokenData); } catch (Exception ex) { // Incorrect Base64 formatting of crypto protection error throw new SecurityException("CSRF protection token is invalid.", ex); } // Get SID from cookie and compare with token one var cookieSid = this.GetOrCreateSessionId(context, canGenerate: false); // should not generate new token if (!cookieSid.SequenceEqual(tokenSid)) { throw new SecurityException("CSRF protection token is invalid."); } }
public string Unprotect(string protectedData, IDotvvmRequestContext context) { if (protectedData == null) { throw new ArgumentNullException(nameof(protectedData)); } if (string.IsNullOrWhiteSpace(protectedData)) { throw new ArgumentException("Value cannot be empty or whitespace only string.", nameof(protectedData)); } if (context == null) { throw new ArgumentNullException(nameof(context)); } // Get application key helper var keyHelper = new ApplicationKeyHelper(context.Configuration.Security); // Unprotect serialized data var userIdentity = ProtectionHelpers.GetUserIdentity(context); var requestIdentity = ProtectionHelpers.GetRequestIdentity(context); return(keyHelper.UnprotectString(protectedData, KDF_LABEL, userIdentity, requestIdentity)); }
private byte[] GetOrCreateSessionId(IDotvvmRequestContext context, bool canGenerate = true) { if (context == null) { throw new ArgumentNullException(nameof(context)); } var sessionIdCookieName = GetSessionIdCookieName(context); if (string.IsNullOrWhiteSpace(sessionIdCookieName)) { throw new FormatException("Configured SessionIdCookieName is missing or empty."); } // Get cookie manager var mgr = new ChunkingCookieManager(); // TODO: Make this configurable // Construct protector with purposes var userIdentity = ProtectionHelpers.GetUserIdentity(context); var requestIdentity = ProtectionHelpers.GetRequestIdentity(context); var protector = this.protectionProvider.Create(PURPOSE_SID); // Get cookie value var sidCookieValue = mgr.GetRequestCookie(context.GetOwinContext(), sessionIdCookieName); if (!string.IsNullOrWhiteSpace(sidCookieValue)) { // Try to read from cookie try { var protectedSid = Convert.FromBase64String(sidCookieValue); var sid = protector.Unprotect(protectedSid); return(sid); } catch (Exception ex) { // Incorrect Base64 formatting of crypto protection error // Generate new one or thow error if can't if (!canGenerate) { throw new SecurityException("Value of the SessionID cookie is corrupted or has been tampered with.", ex); } // else suppress error and generate new SID } } // No SID - generate and protect new one if (canGenerate) { var rng = new System.Security.Cryptography.RNGCryptoServiceProvider(); var sid = new byte[SID_LENGTH]; rng.GetBytes(sid); var protectedSid = protector.Protect(sid); // Save to cookie sidCookieValue = Convert.ToBase64String(protectedSid); mgr.AppendResponseCookie( context.GetOwinContext(), sessionIdCookieName, // Configured cookie name sidCookieValue, // Base64-encoded SID value new Microsoft.Owin.CookieOptions { HttpOnly = true, // Don't allow client script access Secure = context.HttpContext.Request.IsHttps // If request goes trough HTTPS, mark as secure only }); // Return newly generated SID return(sid); } else { throw new SecurityException("SessionID cookie is missing, so can't verify CSRF token."); } }