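//Run before action is run - we inspect the request's Authorization header to authenticate the user.
//Every failure path (no header, non-Basic scheme, malformed credential, wrong password) answers with
//UnauthorizedResponseMessage() - i.e. 401 plus WWW-Authenticate: Basic - instead of letting a
//decode exception escape as a 500.
public override void OnActionExecuting(System.Web.Http.Controllers.HttpActionContext actionContext)
{
    var authorization = actionContext.Request.Headers.Authorization;

    //No Authorization header at all - challenge the client.
    if (authorization == null)
    {
        actionContext.Response = UnauthorizedResponseMessage();
        return;
    }

    //Only the Basic scheme is handled here. A Bearer/Digest/Negotiate header must not be
    //base64-decoded as if it were "user:password". Scheme names are case-insensitive.
    if (!string.Equals(authorization.Scheme, "Basic", StringComparison.OrdinalIgnoreCase))
    {
        actionContext.Response = UnauthorizedResponseMessage();
        return;
    }

    string username;
    string password;
    if (!TryParseBasicCredentials(authorization.Parameter, out username, out password))
    {
        //Empty parameter, invalid base64, no "user:password" separator, or blank user name.
        //That is a client error, so 401 (original code threw FormatException/ArgumentOutOfRangeException here).
        actionContext.Response = UnauthorizedResponseMessage();
        return;
    }

    //Super advanced password check - use membership provider, etc irl :)
    //SECURITY(review): placeholder only. A real implementation must verify against a stored
    //password hash (PBKDF2/Argon2) and compare in constant time; never accept username == password.
    if (username != password)
    {
        actionContext.Response = UnauthorizedResponseMessage();
        return;
    }

    var user = new User { Username = username };
    //NOTE(review): Web API's [Authorize]/ApiController.User read the request principal
    //(Thread.CurrentPrincipal / RequestContext.Principal), and HttpContext.Current is null when
    //self-hosted - confirm this assignment is sufficient for the hosting model in use.
    HttpContext.Current.User = new GenericPrincipal(new ApiIdentity(user), new string[] { });

    //Authorized - continue
    base.OnActionExecuting(actionContext);
}

//Decodes the Basic credential parameter ("base64(user:password)") without throwing.
//Returns false for a null/blank parameter, invalid base64, a payload without ':', or an
//empty user name; username/password are null in that case. The split is on the FIRST colon
//so that passwords containing ':' are preserved (RFC 7617 section 2).
private static bool TryParseBasicCredentials(string parameter, out string username, out string password)
{
    username = null;
    password = null;

    if (string.IsNullOrWhiteSpace(parameter))
    {
        return false;
    }

    byte[] raw;
    try
    {
        raw = Convert.FromBase64String(parameter);
    }
    catch (FormatException)
    {
        //Garbage or truncated base64 from the client - not an authentication success.
        return false;
    }

    var decoded = Encoding.UTF8.GetString(raw);
    var separator = decoded.IndexOf(':');
    if (separator < 1)
    {
        //No separator (-1) or an empty user name (0): reject rather than authenticate "".
        return false;
    }

    username = decoded.Substring(0, separator);
    password = decoded.Substring(separator + 1);
    return true;
}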
//Wraps the authenticated User in an identity for the GenericPrincipal set by the auth filter.
//A null user is a programming error, so it is rejected up front rather than surfacing later
//as a NullReferenceException on a principal lookup.
public ApiIdentity(User user)
{
    if (user == null)
    {
        throw new ArgumentNullException("user");
    }

    User = user;
}