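/// <summary>
/// Deserializes a JSON-encoded access token without throwing: malformed or empty input yields false.
/// </summary>
/// <param name="token">The JSON text of the token.</param>
/// <param name="accessToken">The parsed token, or null when parsing fails.</param>
/// <returns>True only when <paramref name="accessToken"/> holds a non-null token.</returns>
private static bool TryParse(string token, out AccessToken accessToken)
{
    accessToken = null;
    if (string.IsNullOrWhiteSpace(token))
    {
        return false;
    }

    try
    {
        accessToken = JsonConvert.DeserializeObject<AccessToken>(token);
    }
    catch
    {
        // Best-effort Try pattern: any deserialization failure (including exceptions
        // raised by converters) is reported as "not a token" rather than propagated.
        accessToken = null;
    }

    // The deserializer can return null (e.g. for the literal "null") without throwing;
    // a null token must not be reported as a successful parse.
    return accessToken != null;
}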
/// <summary>
/// Authorizes a Web API request from its OAuth access token and produces the response to use
/// when the request is rejected.
/// </summary>
/// <param name="controller">Controller handling the request; its <c>User</c> is set when a valid token authorizes it.</param>
/// <param name="hasApiKey">Whether the caller presented an API key; a missing token then answers 412 instead of 401.</param>
/// <param name="ignoreDbAccess">When true, a valid token that lacks access to the tenant is still let through
/// (no principal is set in that case).</param>
/// <param name="msg">An empty message when the request may proceed, otherwise the authorization challenge.</param>
/// <returns>True when the request may proceed; false when <paramref name="msg"/> carries a challenge.</returns>
public bool TryAuthorize(RavenBaseApiController controller, bool hasApiKey, bool ignoreDbAccess, out HttpResponseMessage msg)
{
    var request = controller.InnerRequest;
    var isGetRequest = IsGetRequest(request.Method.Method, request.RequestUri.AbsolutePath);
    var writeAccess = !isGetRequest;

    // Anonymous requests are acceptable under these access modes. A token that is present is
    // still examined, so bundles that want the authenticated user get a principal.
    var accessMode = Settings.AnonymousUserAccessMode;
    var anonymousAllowed = accessMode == AnonymousUserAccessMode.All
                           || accessMode == AnonymousUserAccessMode.Admin
                           || (accessMode == AnonymousUserAccessMode.Get && isGetRequest);

    // Walk the checks in order; the first failure decides the challenge and whether
    // the anonymous access mode (or the caller) may waive it.
    var denied = false;
    var waiverAllowed = anonymousAllowed;
    var statusCode = 0;
    string error = null;
    string description = null;

    AccessTokenBody tokenBody = null;
    var token = GetToken(controller);
    if (token == null)
    {
        denied = true;
        statusCode = hasApiKey ? 412 : 401;
        error = "invalid_request";
        description = "The access token is required";
    }
    else if (!AccessToken.TryParseBody(Settings.OAuthTokenKey, token, out tokenBody))
    {
        denied = true;
        statusCode = 401;
        error = "invalid_token";
        description = "The access token is invalid";
    }
    else if (tokenBody.IsExpired())
    {
        denied = true;
        statusCode = 401;
        error = "invalid_token";
        description = "The access token is expired";
    }
    else if (!tokenBody.IsAuthorized(controller.TenantName, writeAccess))
    {
        denied = true;
        // Only the tenant-scope failure may additionally be waived by the caller.
        waiverAllowed = anonymousAllowed || ignoreDbAccess;
        statusCode = 403;
        error = "insufficient_scope";
        description = writeAccess
            ? "Not authorized for read/write access for tenant " + controller.TenantName
            : "Not authorized for tenant " + controller.TenantName;
    }

    if (denied)
    {
        if (waiverAllowed)
        {
            // The request proceeds without a principal.
            msg = controller.GetEmptyMessage();
            return true;
        }
        msg = WriteAuthorizationChallenge(controller, statusCode, error, description);
        return false;
    }

    // Fully authorized: attach the principal to the controller and the operation context.
    controller.User = new OAuthPrincipal(tokenBody, controller.TenantName);
    CurrentOperationContext.Headers.Value[Constants.RavenAuthenticatedUser] = tokenBody.UserId;
    CurrentOperationContext.User.Value = controller.User;
    msg = controller.GetEmptyMessage();
    return true;
}
/// <summary>
/// Authorizes an HTTP request from its OAuth access token, issuing a challenge when it is rejected.
/// </summary>
/// <param name="ctx">The HTTP context of the request; <c>ctx.User</c> is set when a valid token authorizes it.</param>
/// <param name="hasApiKey">Whether the caller presented an API key; a missing token then answers 412 instead of 401.</param>
/// <returns>True when the request may proceed; false after a challenge has been issued via <c>WriteAuthorizationChallenge</c>.</returns>
public bool Authorize(IHttpContext ctx, bool hasApiKey)
{
    var httpRequest = ctx.Request;
    var isGetRequest = IsGetRequest(httpRequest.HttpMethod, httpRequest.Url.AbsolutePath);
    var writeAccess = !isGetRequest;

    // Anonymous requests are acceptable under these access modes. A token that is present is
    // still examined, so bundles that want the authenticated user get a principal.
    var accessMode = Settings.AnonymousUserAccessMode;
    var anonymousAllowed = accessMode == AnonymousUserAccessMode.All
                           || (accessMode == AnonymousUserAccessMode.Get && isGetRequest);

    // Walk the checks in order; the first failure decides the challenge.
    var denied = false;
    var statusCode = 0;
    string error = null;
    string description = null;

    AccessTokenBody tokenBody = null;
    var token = GetToken(ctx);
    if (token == null)
    {
        denied = true;
        statusCode = hasApiKey ? 412 : 401;
        error = "invalid_request";
        description = "The access token is required";
    }
    else if (!AccessToken.TryParseBody(Settings.OAuthTokenCertificate, token, out tokenBody))
    {
        denied = true;
        statusCode = 401;
        error = "invalid_token";
        description = "The access token is invalid";
    }
    else if (tokenBody.IsExpired())
    {
        denied = true;
        statusCode = 401;
        error = "invalid_token";
        description = "The access token is expired";
    }
    else if (!tokenBody.IsAuthorized(TenantId, writeAccess))
    {
        denied = true;
        statusCode = 403;
        error = "insufficient_scope";
        description = writeAccess
            ? "Not authorized for read/write access for tenant " + TenantId
            : "Not authorized for tenant " + TenantId;
    }

    if (denied)
    {
        if (anonymousAllowed)
        {
            // The request proceeds without a principal.
            return true;
        }
        WriteAuthorizationChallenge(ctx, statusCode, error, description);
        return false;
    }

    // Fully authorized: attach the principal to the context and the operation context.
    ctx.User = new OAuthPrincipal(tokenBody, TenantId);
    CurrentOperationContext.Headers.Value[Constants.RavenAuthenticatedUser] = tokenBody.UserId;
    CurrentOperationContext.User.Value = ctx.User;
    return true;
}
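/// <summary>
/// Authorizes an HTTP request from its OAuth access token. Requests for URLs listed in
/// <c>NeverSecret.Urls</c> are always allowed.
/// </summary>
/// <param name="ctx">The HTTP context of the request; <c>ctx.User</c> is set when a valid token authorizes it.</param>
/// <returns>True when the request may proceed; false after a challenge has been issued via <c>WriteAuthorizationChallenge</c>.</returns>
public override bool Authorize(IHttpContext ctx)
{
    var httpRequest = ctx.Request;
    var requestUrl = ctx.GetRequestUrl();
    if (NeverSecret.Urls.Contains(requestUrl, StringComparer.InvariantCultureIgnoreCase))
    {
        return true;
    }

    var isGetRequest = IsGetRequest(httpRequest.HttpMethod, httpRequest.Url.AbsolutePath);

    // We still authenticate even when anonymous access would suffice, for bundles that want the user.
    var allowUnauthenticatedUsers =
        Settings.AnonymousUserAccessMode == AnonymousUserAccessMode.All ||
        (Settings.AnonymousUserAccessMode == AnonymousUserAccessMode.Get && isGetRequest);

    var token = GetToken(ctx);
    if (token == null)
    {
        if (allowUnauthenticatedUsers)
        {
            return true;
        }
        WriteAuthorizationChallenge(ctx, 401, "invalid_request", "The access token is required");
        return false;
    }

    AccessTokenBody tokenBody;
    if (!AccessToken.TryParseBody(Settings.OAuthTokenCertificate, token, out tokenBody))
    {
        if (allowUnauthenticatedUsers)
        {
            return true;
        }
        WriteAuthorizationChallenge(ctx, 401, "invalid_token", "The access token is invalid");
        return false;
    }

    if (tokenBody.IsExpired())
    {
        if (allowUnauthenticatedUsers)
        {
            return true;
        }
        WriteAuthorizationChallenge(ctx, 401, "invalid_token", "The access token is expired");
        return false;
    }

    if (!tokenBody.IsAuthorized(TenantId))
    {
        if (allowUnauthenticatedUsers)
        {
            return true;
        }
        WriteAuthorizationChallenge(ctx, 403, "insufficient_scope", "Not authorized for tenant " + TenantId);
        return false;
    }

    // A read-only token may only perform read (GET-like) requests; writes are refused.
    // The previous condition tested `isGetRequest` and so rejected reads while letting writes
    // through, contradicting the "Not authorized for writing" challenge it issued.
    // Unlike the checks above, this one is not waived by the anonymous access mode (kept as before).
    if (tokenBody.ReadOnly && !isGetRequest)
    {
        WriteAuthorizationChallenge(ctx, 403, "insufficient_scope", "Not authorized for writing to tenant " + TenantId);
        return false;
    }

    ctx.User = new OAuthPrincipal(tokenBody);
    CurrentOperationContext.Headers.Value[Constants.RavenAuthenticatedUser] = tokenBody.UserId;
    return true;
}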