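/// <summary>
/// Web API authorization hook. Reads the caller's token from the
/// <c>access_token</c> request header, validates it through
/// <see cref="TokenProvider"/>, and either rejects the request with
/// 401 Unauthorized or installs the validated identity as the current
/// principal before deferring to the base authorization logic (so any
/// Roles/Users configured on the attribute are still enforced).
/// </summary>
/// <param name="context">Action context of the request being authorized.</param>
public override void OnAuthorization(HttpActionContext context)
{
    try
    {
        TokenProvider tokenProvider = new TokenProvider();
        TokenIdentity tokenIdentity = new TokenIdentity();

        tokenIdentity.UserAgent = context.Request.Headers.UserAgent.ToString();

        // NOTE(review): "IP" is filled from the Referer authority, which is
        // client-supplied and is not the remote address; treat it as untrusted.
        if (context.Request.Headers.Referrer != null)
        {
            tokenIdentity.IP = context.Request.Headers.Referrer.Authority;
        }

        if (context.Request.Headers.Contains("access_token"))
        {
            tokenIdentity.Token = context.Request.Headers.GetValues("access_token").FirstOrDefault();
        }

        // Fail closed: a request with no token cannot be validated, so answer 401
        // instead of letting the provider throw on a null token.
        if (string.IsNullOrWhiteSpace(tokenIdentity.Token) || !tokenProvider.ValidateToken(ref tokenIdentity))
        {
            context.Response = new System.Net.Http.HttpResponseMessage(System.Net.HttpStatusCode.Unauthorized);
        }
        else
        {
            System.Security.Claims.ClaimsPrincipal principal = new System.Security.Claims.ClaimsPrincipal(tokenIdentity);

            // Publish the principal on the thread as well as on the ASP.NET context;
            // HttpContext.Current is null when the API is not hosted under System.Web,
            // and the original code turned that into a spurious 401.
            System.Threading.Thread.CurrentPrincipal = principal;
            if (HttpContext.Current != null)
            {
                HttpContext.Current.User = principal;
            }
        }

        base.OnAuthorization(context);
    }
    catch (System.NullReferenceException)
    {
        // Fail closed: unexpected missing request data is treated as unauthorized.
        context.Response = new System.Net.Http.HttpResponseMessage(System.Net.HttpStatusCode.Unauthorized);
    }
}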
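/// <summary>
/// Validates a token previously produced by <c>GenerateToken</c>.
/// The token is the Base64 text of <c>hash:guid:userId:username:ticks</c>;
/// the method re-derives the HMAC from the embedded fields, checks the
/// embedded timestamp against the expiry window, and finally requires a
/// matching, unexpired <c>AccessTokens</c> row for the same user name.
/// On success <paramref name="tokenIdentity"/> is marked authenticated and
/// its <c>UserName</c> and <c>EffectiveTime</c> are populated.
/// </summary>
/// <param name="tokenIdentity">Identity carrying the supplied <c>Token</c>, <c>UserAgent</c> and <c>IP</c>; updated in place.</param>
/// <returns>
/// <see langword="true"/> only when every check passes. A missing, malformed
/// or unknown token yields <see langword="false"/> rather than an exception,
/// so a bad token can never surface as a server error.
/// </returns>
public bool ValidateToken(ref TokenIdentity tokenIdentity)
{
    if (tokenIdentity == null || string.IsNullOrEmpty(tokenIdentity.Token))
    {
        return false;
    }

    try
    {
        tokenIdentity.SetAuthenticationType("Custom");

        // Base64 decode the string, obtaining hash:guid:userId:username:ticks.
        string key = Encoding.UTF8.GetString(Convert.FromBase64String(tokenIdentity.Token));
        string[] parts = key.Split(':');
        if (parts.Length != 5)
        {
            return false;
        }

        string guid = parts[1];
        string username = parts[3];
        int userId;
        long ticks;

        // Parse with the invariant culture, mirroring GenerateToken; a
        // non-numeric field is a malformed token, not a server error.
        if (!Int32.TryParse(parts[2], NumberStyles.Integer, CultureInfo.InvariantCulture, out userId)
            || !Int64.TryParse(parts[4], NumberStyles.Integer, CultureInfo.InvariantCulture, out ticks))
        {
            return false;
        }

        tokenIdentity.EffectiveTime = ticks;

        // Out-of-range ticks raise ArgumentOutOfRangeException, handled below as "invalid token".
        DateTime timeStamp = new DateTime(ticks);

        // Ensure the timestamp is within the expiry window (either side of "now").
        // NOTE(review): the +7h offset compensates for the issuer's clock/zone; the
        // check only holds if the issuer stamps tokens with the same base — confirm.
        bool expired = Math.Abs((DateTime.Now.AddHours(7) - timeStamp).TotalSeconds) > _expirationSeconds;
        if (expired)
        {
            return false;
        }

        // Re-derive the token from the embedded fields and the server secret.
        string computedToken = GenerateToken(userId, username, tokenIdentity.UserAgent, tokenIdentity.IP, guid, ticks).Token;

        // Byte-wise comparison without an early exit; ordinal semantics, so no
        // culture rules can make two different token strings compare equal.
        if (!TokensMatchFixedTime(tokenIdentity.Token, computedToken))
        {
            return false;
        }

        // The token must also still be on record for this user and not expired server-side.
        using (ApplicationDbContext db = new ApplicationDbContext())
        {
            AccessTokens accessToken = db.AccessTokens.SingleOrDefault(x => x.Token == computedToken);
            bool onRecord = accessToken != null
                && Math.Abs((DateTime.Now - accessToken.EffectiveTime).TotalSeconds) < _expirationSeconds
                && string.Equals(accessToken.UserName, username, StringComparison.Ordinal);
            if (!onRecord)
            {
                return false;
            }
        }

        tokenIdentity.SetIsAuthenticated(true);
        tokenIdentity.UserName = username;
        return true;
    }
    catch (FormatException)
    {
        // Not valid Base64.
        return false;
    }
    catch (ArgumentException)
    {
        // Ticks outside DateTime's range.
        return false;
    }
    catch (NullReferenceException)
    {
        // Fail closed on any unexpected missing data.
        return false;
    }
}

/// <summary>
/// Compares two token strings without an early exit on the first differing
/// byte, so the comparison time does not reveal how much of a guessed token
/// was correct. Uses ordinal (UTF-8 byte) semantics; null never matches.
/// </summary>
/// <param name="supplied">Token presented by the caller.</param>
/// <param name="expected">Token recomputed by the server.</param>
/// <returns><see langword="true"/> when both are non-null and byte-identical.</returns>
private static bool TokensMatchFixedTime(string supplied, string expected)
{
    if (supplied == null || expected == null)
    {
        return false;
    }

    byte[] a = Encoding.UTF8.GetBytes(supplied);
    byte[] b = Encoding.UTF8.GetBytes(expected);

    // Fold every byte difference into one accumulator; only the length leaks.
    int diff = a.Length ^ b.Length;
    int shared = Math.Min(a.Length, b.Length);
    for (int i = 0; i < shared; i++)
    {
        diff |= a[i] ^ b[i];
    }

    return diff == 0;
}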
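/// <summary>
/// Builds a new <see cref="TokenIdentity"/> whose <c>Token</c> is the Base64
/// encoding of <c>hash:guid:userId:username:effectiveTime</c>, where
/// <c>hash</c> is the Base64 HMAC-SHA256 (keyed with the server secret) over
/// <c>userId:username:userAgent:guid:effectiveTime</c>. <c>ValidateToken</c>
/// re-runs this derivation and parses the numeric fields with the invariant
/// culture, so every number here is rendered with the invariant culture too.
/// </summary>
/// <param name="userId">Numeric user identifier, embedded in clear and bound into the HMAC.</param>
/// <param name="username">User name, embedded in clear and bound into the HMAC. A ':' in it would break the five-part split on validation and the token would be rejected.</param>
/// <param name="userAgent">Caller's User-Agent string; bound into the HMAC only.</param>
/// <param name="ip">Accepted for interface compatibility but deliberately NOT bound into the HMAC; the caller fills it from the Referer header, which the client controls.</param>
/// <param name="guid">Per-token nonce, embedded in clear and bound into the HMAC.</param>
/// <param name="effectiveTime">Issue time in <see cref="DateTime"/> ticks.</param>
/// <returns>The populated identity; its <c>Token</c> is the value clients present.</returns>
public TokenIdentity GenerateToken(int userId, string username, string userAgent, string ip, string guid, long effectiveTime)
{
    TokenIdentity tokenIdentity = new TokenIdentity(null, userId, username, userAgent, ip, effectiveTime, _expirationSeconds);

    // Culture-invariant renderings so ValidateToken's InvariantCulture parse round-trips.
    string strUserId = userId.ToString(CultureInfo.InvariantCulture);
    string strEffectiveTime = tokenIdentity.EffectiveTime.ToString(CultureInfo.InvariantCulture);

    // Message protected by the HMAC. "ip" is intentionally left out (see <param name="ip">).
    string message = string.Join(":", new string[] { strUserId, username, userAgent, guid, strEffectiveTime });

    string hashLeft;
    using (HMAC hmac = new HMACSHA256(Encoding.UTF8.GetBytes(_secretKey)))
    {
        hashLeft = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(message)));
    }

    // Clear-text envelope hash:guid:userId:username:effectiveTime, Base64-wrapped for transport.
    // Reusing the invariant strings (instead of letting string.Join's object overload call
    // ToString() on the numbers) keeps the envelope independent of the server's current culture.
    string envelope = string.Join(":", new string[] { hashLeft, guid, strUserId, username, strEffectiveTime });
    tokenIdentity.Token = Convert.ToBase64String(Encoding.UTF8.GetBytes(envelope));

    return tokenIdentity;
}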