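public static APIKey loadThisAPIKey(SqlConnection connection, string key)
        {
            /* Look up an active API key by its value.
             *
             * connection : a closed SqlConnection; this method opens it and closes it again before returning.
             * key        : the raw key as supplied by the caller (untrusted input).
             * Returns the matching APIKey, or null when the key is malformed, unknown or not active.
             * Throws (SqlException, FormatException, ...) only after the key has passed the format
             * check, i.e. when the database round-trip or a column conversion fails. */

            /* Reject malformed keys before they reach SQL. The query below is parameterised, so
             * this is defence in depth plus a cheap way to skip the round-trip for junk input.
             * A null key is malformed too (the original dereferenced it). */
            if (key == null || key.Length != 40)
            {
                return null;
            }

            /* Exactly 40 ASCII alphanumerics. \z rather than $ so a trailing newline cannot slip past.
             * The static IsMatch overload caches the compiled pattern across calls. */
            if (!Regex.IsMatch(key, @"^[a-zA-Z0-9]{40}\z"))
            {
                return null;
            }

            APIKey returnMe = null;

            /* Attempt to load the API key from the database */
            using (SqlCommand sqlCommand = new SqlCommand())
            {
                sqlCommand.Connection  = connection;
                sqlCommand.CommandType = CommandType.Text;
                sqlCommand.CommandText = "SELECT * FROM api_keys WHERE api_key=@APIKEY AND active=1;";
                sqlCommand.Parameters.AddWithValue("@APIKEY", key);

                connection.Open();
                try
                {
                    using (SqlDataReader dataReader = sqlCommand.ExecuteReader())
                    {
                        /* api_key is expected to be unique; if several rows match, the last one wins. */
                        while (dataReader.Read())
                        {
                            returnMe = new APIKey(
                                dataReader["api_key"].ToString().Trim(),
                                dataReader["username"].ToString().Trim(),
                                dataReader["description"].ToString().Trim(),
                                readDateTime(dataReader["date_issued"]),
                                readDateTime(dataReader["date_expires"]),
                                bool.Parse(dataReader["is_internal_only"].ToString().Trim())
                                );
                        }
                    }
                }
                finally
                {
                    /* Close even when ExecuteReader or a column conversion throws. */
                    connection.Close();
                }
            }

            /* NOTE(review): date_expires is loaded but not enforced here; the query only checks
             * active=1. Confirm that the caller (or APIKey itself) rejects expired keys. */
            return returnMe;
        }

        /* Converts a date column to DateTime: a value the provider already typed as DateTime is
         * returned as-is, anything else goes through DateTime.Parse on its trimmed string form
         * (the same round-trip the original code used for every value). */
        private static DateTime readDateTime(object columnValue)
        {
            if (columnValue is DateTime)
            {
                return (DateTime)columnValue;
            }
            return DateTime.Parse(columnValue.ToString().Trim());
        }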
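 public static bool logAPIKeyUse(SqlConnection connection, APIKey key, string url, string useragent, string ip)
 {
     /* Best-effort audit record of one request made with an API key.
      *
      * connection : a closed SqlConnection; opened here and closed again before returning.
      * key        : the key that was presented; its value and owner are written to the log row.
      * url, useragent, ip : request details as reported by the web server (any may be null).
      * Returns true when the row was written, false on any failure. Never throws: losing an
      * audit row must not break the request that is being served. */
     if (connection == null || key == null)
     {
         return false;
     }

     try
     {
         using (SqlCommand sqlCommand = new SqlCommand())
         {
             sqlCommand.Connection  = connection;
             sqlCommand.CommandType = CommandType.Text;
             sqlCommand.CommandText = "INSERT INTO key_access_log(dDate, api_key, url_accessed, user_agent, remote_ip, key_user) VALUES(@DATE, @KEY, @URL, @USERAGENT, @IP, @USER)";
             /* Server-local time, as the existing rows in key_access_log use; change the column
              * and this value to UTC together if the log is ever correlated across hosts. */
             sqlCommand.Parameters.AddWithValue("@DATE", DateTime.Now);
             sqlCommand.Parameters.AddWithValue("@KEY", key.key);
             /* A null .NET value makes SqlClient treat the parameter as not supplied and fail the
              * whole insert, so a request without e.g. a User-Agent header would leave no audit
              * row at all. Store SQL NULL instead so the access is still recorded. */
             sqlCommand.Parameters.AddWithValue("@URL", (object)url ?? DBNull.Value);
             sqlCommand.Parameters.AddWithValue("@USERAGENT", (object)useragent ?? DBNull.Value);
             sqlCommand.Parameters.AddWithValue("@IP", (object)ip ?? DBNull.Value);
             sqlCommand.Parameters.AddWithValue("@USER", key.username);

             connection.Open();
             try
             {
                 sqlCommand.ExecuteNonQuery();
             }
             finally
             {
                 /* Close even when the insert fails so the connection is not left open. */
                 connection.Close();
             }
         }
         return true;
     }
     catch (Exception)
     {
         /* Deliberate: a logging failure is reported to the caller as false, not propagated.
          * NOTE(review): nothing records why the insert failed; consider tracing the exception
          * here if gaps in the access log ever need to be investigated. */
         return false;
     }
 }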
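        protected void Page_Init(object sender, EventArgs e)
        {
            /* Runs before every page: enforces the network restriction, resolves the caller's
             * identity (API key and/or login session) and blocks admin-only pages for non-admins.
             * Relies on page-level members defined elsewhere in the class: localNetworkChunk,
             * outsideErrorMessage, loginURL, loggedInUser, MainMenu, getSessionIDFromCookies()
             * and redirectToLogin(). */
            string remoteAddr   = Request.ServerVariables["REMOTE_ADDR"];
            bool   fromLoopback = isLoopbackAddress(remoteAddr);

            // Check the IP to make sure traffic originates from within our network.
            // Ordinal comparison: an address prefix is not linguistic text.
            if (!fromLoopback && !(remoteAddr ?? string.Empty).StartsWith(localNetworkChunk, StringComparison.Ordinal))
            {
                Response.Redirect(outsideErrorMessage);
                Response.End();
            }

            String dbConnectionString = ConfigurationManager.ConnectionStrings["DataExplorerDatabase"].ConnectionString;
            APIKey apiKey             = null;

            /* Check for an API key. It arrives in the query string, so it also ends up in
             * web-server and proxy logs - treat those logs as sensitive. */
            string presentedKey = Request.QueryString["apikey"];
            if (!string.IsNullOrEmpty(presentedKey))
            {
                using (SqlConnection connection = new SqlConnection(dbConnectionString))
                {
                    apiKey = APIKey.loadThisAPIKey(connection, presentedKey);
                }

                /* Internal-only keys are honoured from the local machine only, not from the
                 * wider internal network that passed the check above. */
                if (apiKey != null && apiKey.internalOnly && !fromLoopback)
                {
                    apiKey = null;
                }

                /* If the key is used, log it */
                if (apiKey != null)
                {
                    using (SqlConnection connection = new SqlConnection(dbConnectionString))
                    {
                        APIKey.logAPIKeyUse(connection, apiKey, Request.ServerVariables["UNENCODED_URL"], Request.ServerVariables["HTTP_USER_AGENT"], remoteAddr);
                    }
                }
            }

            /* Check for a username */
            string sessionID = getSessionIDFromCookies();
            if (!string.IsNullOrEmpty(sessionID))
            {
                using (SqlConnection connection = new SqlConnection(dbConnectionString))
                {
                    loggedInUser = session.loadThisSession(connection, sessionID, remoteAddr, Request.ServerVariables["HTTP_USER_AGENT"]);
                }
            }

            if ((loggedInUser == null) && (apiKey == null))
            {
                /* Paths are compared ordinally and case-insensitively; a missing SCRIPT_NAME
                 * simply does not match the login page and falls through to the redirect. */
                if (!string.Equals(Request.ServerVariables["SCRIPT_NAME"], loginURL, StringComparison.OrdinalIgnoreCase))
                {
                    redirectToLogin();
                }
            }

            /* Check to see if the page is restricted to admins only */
            if (MainMenu == null)
            {
                MainMenu = Nav.getMainMenu();
            }

            if (isRestrictedPage(Request.RawUrl))
            {
                /* Fail closed: a request with no logged-in user (e.g. authenticated by API key
                 * only) is not an admin. The original dereferenced a null loggedInUser here. */
                if (loggedInUser == null || !loggedInUser.is_admin)
                {
                    Response.Write("Your user account does not have access to this page.");
                    Response.End();
                }
            }
        }

        /* True when the address the web server reports for the caller parses as a loopback
         * address (IPv4 loopback or ::1). Parsing avoids the substring trap where any IPv6
         * address that merely contains "::1" would have counted as local. */
        private static bool isLoopbackAddress(string remoteAddr)
        {
            System.Net.IPAddress parsed;
            return !string.IsNullOrEmpty(remoteAddr)
                && System.Net.IPAddress.TryParse(remoteAddr, out parsed)
                && System.Net.IPAddress.IsLoopback(parsed);
        }

        /* True when rawUrl contains the url of any admin-only MainMenu entry (case-insensitive,
         * ordinal). MainMenu must already be loaded. */
        private bool isRestrictedPage(string rawUrl)
        {
            foreach (NavMenuItem item in MainMenu)
            {
                if (item.admin_only && rawUrl.IndexOf(item.url, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    return true;
                }
            }
            return false;
        }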