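/// <summary>
/// Resolves the principal carried by the request's access token. Only the token itself is
/// checked (present, parseable with the system OAuth key, not expired); no database-level
/// authorization is performed, so the principal is created without a tenant.
/// </summary>
/// <param name="controller">The controller handling the current request.</param>
/// <param name="hasApiKey">
/// True when the caller presented an API key; a missing token is then answered with
/// 412 instead of 401, as in <c>TryAuthorize</c>.
/// </param>
/// <returns>
/// The principal for the token, or <c>null</c> after an authorization challenge has been
/// written to the response.
/// </returns>
public IPrincipal GetUser(RavenBaseApiController controller, bool hasApiKey)
{
    var token = GetToken(controller);
    if (token == null)
    {
        WriteAuthorizationChallenge(controller, hasApiKey ? 412 : 401, "invalid_request", "The access token is required");
        return null;
    }

    AccessTokenBody tokenBody;
    if (!AccessToken.TryParseBody(controller.DatabasesLandlord.SystemConfiguration.OAuthTokenKey, token, out tokenBody))
    {
        WriteAuthorizationChallenge(controller, 401, "invalid_token", "The access token is invalid");
        return null;
    }

    // A parseable but expired token must not yield a principal; this mirrors the expiry
    // check TryAuthorize applies and uses the same challenge.
    if (tokenBody.IsExpired())
    {
        WriteAuthorizationChallenge(controller, 401, "invalid_token", "The access token is expired");
        return null;
    }

    return new OAuthPrincipal(tokenBody, null);
}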
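/// <summary>
/// Resolves the principal carried by the request's access token. Only the token itself is
/// checked (present, parseable with <c>Settings.OAuthTokenKey</c>, not expired); no
/// database-level authorization is performed, so the principal is created without a tenant.
/// </summary>
/// <param name="ctx">The HTTP context of the current request.</param>
/// <param name="hasApiKey">
/// True when the caller presented an API key; a missing token is then answered with
/// 412 instead of 401.
/// </param>
/// <returns>
/// The principal for the token, or <c>null</c> after an authorization challenge has been
/// written to the response.
/// </returns>
public IPrincipal GetUser(IHttpContext ctx, bool hasApiKey)
{
    var token = GetToken(ctx);
    if (token == null)
    {
        WriteAuthorizationChallenge(ctx, hasApiKey ? 412 : 401, "invalid_request", "The access token is required");
        return null;
    }

    AccessTokenBody tokenBody;
    if (!AccessToken.TryParseBody(Settings.OAuthTokenKey, token, out tokenBody))
    {
        WriteAuthorizationChallenge(ctx, 401, "invalid_token", "The access token is invalid");
        return null;
    }

    // A parseable but expired token must not yield a principal; this mirrors the expiry
    // check the Authorize/TryAuthorize paths apply and uses the same challenge.
    if (tokenBody.IsExpired())
    {
        WriteAuthorizationChallenge(ctx, 401, "invalid_token", "The access token is expired");
        return null;
    }

    return new OAuthPrincipal(tokenBody, null);
}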
/// <summary>
/// Authenticates and authorizes the request against its OAuth access token.
/// The token is always evaluated, even when anonymous access would let the request
/// through, because bundles may want the resolved user; anonymous mode only decides
/// whether a failed check ends in an empty message (request continues) or in a challenge.
/// </summary>
/// <param name="controller">The controller handling the current request.</param>
/// <param name="hasApiKey">True when the caller presented an API key; a missing token is then answered with 412 instead of 401.</param>
/// <param name="ignoreDbAccess">
/// When true, a valid token that is not scoped to <c>controller.ResourceName</c> still lets
/// the request through. Note that <c>controller.User</c> is not assigned on that path.
/// </param>
/// <param name="msg">An empty message when the request may proceed, otherwise the challenge response.</param>
/// <returns>True when the request may proceed, false when a challenge was written.</returns>
public bool TryAuthorize(RavenBaseApiController controller, bool hasApiKey, bool ignoreDbAccess, out HttpResponseMessage msg)
{
    var isGetRequest = IsGetRequest(controller);
    var writeAccess = !isGetRequest;

    // && binds tighter than ||: Get mode only covers GET requests.
    var anonymousAllowed =
        Settings.AnonymousUserAccessMode == AnonymousUserAccessMode.All ||
        Settings.AnonymousUserAccessMode == AnonymousUserAccessMode.Admin ||
        (Settings.AnonymousUserAccessMode == AnonymousUserAccessMode.Get && isGetRequest);

    // Outcome of the token checks below; a non-zero status means the request was rejected.
    var challengeStatus = 0;
    string challengeError = null;
    string challengeDescription = null;
    var fallThroughAllowed = anonymousAllowed;

    AccessTokenBody tokenBody = null;
    var token = GetToken(controller);
    if (token == null)
    {
        challengeStatus = hasApiKey ? 412 : 401;
        challengeError = "invalid_request";
        challengeDescription = "The access token is required";
    }
    else if (!AccessToken.TryParseBody(Settings.OAuthTokenKey, token, out tokenBody))
    {
        challengeStatus = 401;
        challengeError = "invalid_token";
        challengeDescription = "The access token is invalid";
    }
    else if (tokenBody.IsExpired())
    {
        challengeStatus = 401;
        challengeError = "invalid_token";
        challengeDescription = "The access token is expired";
    }
    else if (!tokenBody.IsAuthorized(controller.ResourceName, writeAccess))
    {
        challengeStatus = 403;
        challengeError = "insufficient_scope";
        challengeDescription = writeAccess
            ? "Not authorized for read/write access for tenant " + controller.ResourceName
            : "Not authorized for tenant " + controller.ResourceName;
        // Only the per-database scope check can be bypassed with ignoreDbAccess.
        fallThroughAllowed = anonymousAllowed || ignoreDbAccess;
    }

    if (challengeStatus != 0)
    {
        if (fallThroughAllowed)
        {
            // Request continues without an authenticated user.
            msg = controller.GetEmptyMessage();
            return true;
        }

        msg = WriteAuthorizationChallenge(controller, challengeStatus, challengeError, challengeDescription);
        return false;
    }

    // Every check passed: attach the principal to the controller and the current operation.
    controller.User = new OAuthPrincipal(tokenBody, controller.ResourceName);
    CurrentOperationContext.User.Value = controller.User;
    msg = controller.GetEmptyMessage();
    return true;
}
/// <summary>
/// Authenticates and authorizes the request against its OAuth access token.
/// The token is always evaluated, even when anonymous access would let the request
/// through, because bundles may want the resolved user; anonymous mode only decides
/// whether a failed check returns true silently or writes a challenge.
/// On success the principal is stored on <c>ctx.User</c>, the
/// <c>Constants.RavenAuthenticatedUser</c> header and <c>CurrentOperationContext.User</c>.
/// </summary>
/// <param name="ctx">The HTTP context of the current request.</param>
/// <returns>True when the request may proceed, false when a challenge was written.</returns>
public override bool Authorize(IHttpContext ctx)
{
    var request = ctx.Request;
    var isGetRequest = IsGetRequest(request.HttpMethod, request.Url.AbsolutePath);
    var writeAccess = !isGetRequest;

    // && binds tighter than ||: Get mode only covers GET requests.
    var anonymousAllowed =
        Settings.AnonymousUserAccessMode == AnonymousUserAccessMode.All ||
        (Settings.AnonymousUserAccessMode == AnonymousUserAccessMode.Get && isGetRequest);

    // Outcome of the token checks below; a non-zero status means the request was rejected.
    var challengeStatus = 0;
    string challengeError = null;
    string challengeDescription = null;

    AccessTokenBody tokenBody = null;
    var token = GetToken(ctx);
    if (token == null)
    {
        challengeStatus = 401;
        challengeError = "invalid_request";
        challengeDescription = "The access token is required";
    }
    else if (!AccessToken.TryParseBody(Settings.OAuthTokenCertificate, token, out tokenBody))
    {
        challengeStatus = 401;
        challengeError = "invalid_token";
        challengeDescription = "The access token is invalid";
    }
    else if (tokenBody.IsExpired())
    {
        challengeStatus = 401;
        challengeError = "invalid_token";
        challengeDescription = "The access token is expired";
    }
    else if (!tokenBody.IsAuthorized(TenantId, writeAccess))
    {
        challengeStatus = 403;
        challengeError = "insufficient_scope";
        challengeDescription = writeAccess
            ? "Not authorized for read/write access for tenant " + TenantId
            : "Not authorized for tenant " + TenantId;
    }

    if (challengeStatus != 0)
    {
        if (anonymousAllowed)
        {
            // Request continues without an authenticated user.
            return true;
        }

        WriteAuthorizationChallenge(ctx, challengeStatus, challengeError, challengeDescription);
        return false;
    }

    // Every check passed: attach the principal to the context and the current operation.
    ctx.User = new OAuthPrincipal(tokenBody, TenantId);
    CurrentOperationContext.Headers.Value[Constants.RavenAuthenticatedUser] = tokenBody.UserId;
    CurrentOperationContext.User.Value = ctx.User;
    return true;
}
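/// <summary>
/// Authenticates and authorizes the request against its OAuth access token.
/// Requests for one of the <c>neverSecretUrls</c> pass without any token processing.
/// Otherwise the token is always evaluated, even when anonymous access would let the
/// request through, because bundles may want the resolved user; anonymous mode only
/// decides whether a failed check returns true silently or writes a challenge.
/// On success the principal is stored on <c>ctx.User</c>.
/// </summary>
/// <param name="ctx">The HTTP context of the current request.</param>
/// <returns>True when the request may proceed, false when a challenge was written.</returns>
public override bool Authorize(IHttpContext ctx)
{
    var httpRequest = ctx.Request;
    var requestUrl = ctx.GetRequestUrl();

    // The allow-list holds literal paths, so compare ordinally: a culture-aware comparison
    // can treat byte-wise different strings (e.g. ones containing ignorable characters) as
    // equal, which is not what an authentication bypass list should do.
    if (neverSecretUrls.Contains(requestUrl, StringComparer.OrdinalIgnoreCase))
    {
        return true;
    }

    // && binds tighter than ||: Get mode only covers GET requests.
    var allowUnauthenticatedUsers =
        Settings.AnonymousUserAccessMode == AnonymousUserAccessMode.All ||
        (Settings.AnonymousUserAccessMode == AnonymousUserAccessMode.Get &&
         IsGetRequest(httpRequest.HttpMethod, httpRequest.Url.AbsolutePath));

    var token = GetToken(ctx);
    if (token == null)
    {
        if (allowUnauthenticatedUsers)
        {
            return true;
        }
        WriteAuthorizationChallenge(ctx, 401, "invalid_request", "The access token is required");
        return false;
    }

    AccessTokenBody tokenBody;
    if (!AccessToken.TryParseBody(Settings.OAuthTokenCertificate, token, out tokenBody))
    {
        if (allowUnauthenticatedUsers)
        {
            return true;
        }
        WriteAuthorizationChallenge(ctx, 401, "invalid_token", "The access token is invalid");
        return false;
    }

    if (tokenBody.IsExpired())
    {
        if (allowUnauthenticatedUsers)
        {
            return true;
        }
        WriteAuthorizationChallenge(ctx, 401, "invalid_token", "The access token is expired");
        return false;
    }

    if (!tokenBody.IsAuthorized(TenantId))
    {
        if (allowUnauthenticatedUsers)
        {
            return true;
        }
        WriteAuthorizationChallenge(ctx, 403, "insufficient_scope", "Not authorized for tenant " + TenantId);
        return false;
    }

    // Every check passed: attach the principal to the context.
    ctx.User = new OAuthPrincipal(tokenBody);
    return true;
}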