public class TokenAuthorize : AuthorizeAttribute
{
    // Name of the request parameter that carries the API token.
    private const string SecurityToken = "token";

    // Lets the action run when the request carries a valid token or the user
    // passes the base AuthorizeAttribute checks; otherwise hands the request to
    // HandleUnauthorizedRequest.
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!Authorize(filterContext))
        {
            HandleUnauthorizedRequest(filterContext);
        }
    }

    // Returns true when the request is authorized by token or by the default
    // AuthorizeCore rules. Any exception while reading the request or checking
    // the token is treated as "not authorized" (fail closed).
    private bool Authorize(AuthorizationContext actionContext)
    {
        try
        {
            HttpContextBase context = actionContext.RequestContext.HttpContext;
            // Request.Params merges query string, form, cookies and server variables,
            // so the token is also accepted from the URL, where it can land in logs
            // and Referer headers; a header-only source would be safer.
            string token = context.Request.Params[SecurityToken];
            // Token check first; fall back to the default rules only if it fails.
            return SecurityManager.IsTokenValid(token) || AuthorizeCore(context);
        }
        catch (Exception)
        {
            return false;
        }
    }
}
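public class SecurityManager
{
    // Algorithm name handed to HMAC.Create for both the password step and the token step.
    private const string Alg = "HmacSHA256";

    // NOTE(review): despite its name this constant is the HMAC *key* in GetHashedPassword,
    // i.e. a shared secret compiled into the assembly. Anyone who can read the source or
    // the binary can derive the per-password key for any password they know. Prefer
    // loading it from protected configuration rather than keeping it in source.
    private const string Salt = "rz8LuOtFBXphj9WQfvFh";

    // Generates a token to be used in API calls.
    // The token is generated by hashing a message with a key, using HMAC SHA256.
    // The message is: username
    // The key is: GetHashedPassword(password), i.e. HMAC(key = Salt, password:Salt)
    // The returned string is Base64( Base64(mac) + ":" + username ).
    // Nothing in the token encodes a time or nonce, so a token stays valid until the
    // password (or Salt) changes; treat it like a long-lived credential.
    // Throws ArgumentNullException when username or password is null.
    public static string GenerateToken(string username, string password)
    {
        if (username == null) throw new ArgumentNullException(nameof(username));
        if (password == null) throw new ArgumentNullException(nameof(password));

        string mac;
        using (HMAC hmac = HMAC.Create(Alg))
        {
            hmac.Key = Encoding.UTF8.GetBytes(GetHashedPassword(password));
            byte[] digest = hmac.ComputeHash(Encoding.UTF8.GetBytes(username));
            mac = Convert.ToBase64String(digest);
        }

        // Base64 output never contains ':', so the first ':' of the decoded token always
        // separates the MAC from the user name, even if the user name itself contains ':'.
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(mac + ":" + username));
    }

    // Derives the HMAC key used by GenerateToken from the password.
    // NOTE(review): this is one HMAC keyed with the constant Salt, not a password-stretching
    // KDF (PBKDF2/Argon2). It is kept as-is because changing it would invalidate every
    // token already issued.
    private static string GetHashedPassword(string password)
    {
        string message = password + ":" + Salt;
        using (HMAC hmac = HMAC.Create(Alg))
        {
            hmac.Key = Encoding.UTF8.GetBytes(Salt);
            byte[] digest = hmac.ComputeHash(Encoding.UTF8.GetBytes(message));
            return Convert.ToBase64String(digest);
        }
    }

    // Compares two strings without stopping at the first differing byte, so the time
    // taken does not reveal how much of a supplied token matched the expected one.
    private static bool FixedTimeEquals(string expected, string actual)
    {
        if (expected == null || actual == null) return false;
        byte[] a = Encoding.UTF8.GetBytes(expected);
        byte[] b = Encoding.UTF8.GetBytes(actual);
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    // Checks if a token is valid and, when it is, installs a GenericPrincipal for the
    // token's user (with that user's roles) on HttpContext.Current.
    // Returns false for null, malformed or non-matching tokens and for any exception
    // raised while decoding or loading the user (fail closed).
    public static bool IsTokenValid(string token)
    {
        if (string.IsNullOrEmpty(token)) return false;
        try
        {
            // Base64 decode the string, obtaining mac:username.
            string key = Encoding.UTF8.GetString(Convert.FromBase64String(token));
            // Split on the first ':' only: the MAC part is Base64 and cannot contain ':',
            // so everything after it is the user name.
            string[] parts = key.Split(new[] { ':' }, 2);
            if (parts.Length != 2) return false;
            string username = parts[1];

            // TODO: recompute the expected token for `username` here. GenerateToken needs the
            // password, which this method does not have; how the server obtains the
            // credential is not shown in this file.
            // var computedToken = ...
            // Compare before touching the database so unverified tokens cost no query.
            if (!FixedTimeEquals(computedToken, token)) return false;

            // Resolve roles for the user (ASP.NET Identity 2.0).
            // NOTE: define public DbSet<IdentityUserRole> UserRoles { get; set; } ...
            // ... in your DbContext in IdentityModels.cs
            using (var context = new ApplicationDbContext())
            {
                var user = context.Users.Single(u => u.UserName == username);
                var rolesPerUser = context.UserRoles.Where(x => x.UserId == user.Id).ToList();
                // Materialize before the context is disposed; each Single is one query per role.
                string[] roles = rolesPerUser
                    .Select(role => context.Roles.Single(r => r.Id == role.RoleId).Name)
                    .ToArray();
                HttpContext.Current.User = new GenericPrincipal(new TokenIdentity(username), roles);
            }
            return true;
        }
        catch
        {
            // Fail closed: any decoding or database error rejects the token. Consider
            // logging the exception so real failures are distinguishable from bad tokens.
            return false;
        }
    }
}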
public class TokenIdentity : IIdentity
{
    // User name the token was issued for; also surfaced as IIdentity.Name.
    public string User { get; }

    public TokenIdentity(string user)
    {
        User = user;
    }

    public string Name
    {
        get { return User; }
    }

    // Fixed label so callers can tell token logins apart from other identity types.
    public string AuthenticationType
    {
        get { return "ApplicationToken"; }
    }

    // An instance only exists for a token that already passed validation.
    public bool IsAuthenticated
    {
        get { return true; }
    }
}