From 15b5ba8ca03b9ec8096cb8fc4d73fba26a0d5903 Mon Sep 17 00:00:00 2001 From: Lucio Maranta Date: Wed, 17 Apr 2019 14:05:13 +0200 Subject: [PATCH] FIX WebApi bearer token authorization --- .../Controllers/SessionsController.cs | 1 + Step.Model/Constants.cs | 1 + Step/App_Start/Startup.cs | 2 +- Step/Attributes/WebApiAuthorizeAttribute.cs | 61 ++++++++++++------- 4 files changed, 41 insertions(+), 24 deletions(-) diff --git a/Step.Database/Controllers/SessionsController.cs b/Step.Database/Controllers/SessionsController.cs index 1cee1f81..08e99ffc 100644 --- a/Step.Database/Controllers/SessionsController.cs +++ b/Step.Database/Controllers/SessionsController.cs @@ -25,6 +25,7 @@ namespace Step.Database.Controllers { return dbCtx .Sessions + .Include("MachineUser") .Where(x => x.Token == token) // Find session by token .FirstOrDefault(); } diff --git a/Step.Model/Constants.cs b/Step.Model/Constants.cs index 2fde3d93..9c6fb291 100644 --- a/Step.Model/Constants.cs +++ b/Step.Model/Constants.cs @@ -109,6 +109,7 @@ namespace Step.Model public const string REGISTER_MACHINE_ID_KEY_NAME = "MachineUniqueId"; // Token fields Keys + public const string AUTHENTICATION_TYPE = "Bearer"; public const string MACHINE_ID_KEY = "machineId"; public const string ROLE_LEVEL_KEY = "roleLevel"; diff --git a/Step/App_Start/Startup.cs b/Step/App_Start/Startup.cs index f4dddb55..159ce205 100644 --- a/Step/App_Start/Startup.cs +++ b/Step/App_Start/Startup.cs @@ -87,7 +87,7 @@ namespace Step.App_Start // Set authorization options app.UseOAuthAuthorizationServer(OAuthOptions); // Set bearer oAuth as authentication method - app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()); + app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions() { AuthenticationType = AUTHENTICATION_TYPE }); } public void SignalRConfig(IAppBuilder app) diff --git a/Step/Attributes/WebApiAuthorizeAttribute.cs b/Step/Attributes/WebApiAuthorizeAttribute.cs index cb2e88de..fc41d4b9 100644 --- a/Step/Attributes/WebApiAuthorizeAttribute.cs +++ b/Step/Attributes/WebApiAuthorizeAttribute.cs @@ -1,6 +1,5 @@ using System; using System.Linq; -using System.Security.Claims; using System.Web.Http; using System.Web.Http.Controllers; using Step.Database.Controllers; @@ -10,6 +9,10 @@ using static Step.Config.ServerConfig; using static Step.Model.Constants; using static Step.Listeners.SignalRStaticObjects; +using Microsoft.Owin.Security.OAuth; +using System.Security.Claims; +using Microsoft.Owin.Security; + namespace Step { class WebApiAuthorizeAttribute : AuthorizeAttribute @@ -18,38 +21,43 @@ namespace Step public ACTIONS Action; protected override bool IsAuthorized(HttpActionContext actionContext) { - if (!base.IsAuthorized(actionContext)) - return false; - - // Get claims from token - ClaimsPrincipal principal = actionContext.RequestContext.Principal as ClaimsPrincipal; - // Get user id stored in the bearer token - var userId = principal.Claims.Where(c => c.Type == USER_ID_KEY).FirstOrDefault(); - - // Get machine unique id stored in the bearer token - var machineId = principal.Claims.Where(c => c.Type == MACHINE_ID_KEY).FirstOrDefault(); - - //User data not found -> not authorized - if (userId == null || machineId == null) - return false; - // Get token from headers string token = actionContext.Request.Headers.Authorization.ToString(); + + token = token.Split(' ')[1]; + if (!base.IsAuthorized(actionContext)) + if (string.IsNullOrEmpty(token)) + return false; // check authorization - if (!CheckAuthorization(Convert.ToInt32(machineId.Value), Convert.ToInt32(userId.Value), FunctionAccess, token)) + if (!CheckAuthorization(FunctionAccess, token, out int machineId, out int userId)) return false; + var claims = new ClaimsIdentity(AUTHENTICATION_TYPE); + claims.AddClaim(new Claim(USER_ID_KEY, userId.ToString())); + claims.AddClaim(new Claim(MACHINE_ID_KEY, machineId.ToString())); + + + actionContext.RequestContext.Principal = new ClaimsPrincipal(claims); + // Get claims from token + //ClaimsPrincipal principal = actionContext.RequestContext.Principal as ClaimsPrincipal; + //// Get user id stored in the bearer token + //var userId = principal.Claims.Where(c => c.Type == USER_ID_KEY).FirstOrDefault(); + + //// Get machine unique id stored in the bearer token + //var machineId = principal.Claims.Where(c => c.Type == MACHINE_ID_KEY).FirstOrDefault(); + + ////User data not found -> not authorized + //if (userId == null || machineId == null) + // return false; + return true; } - private bool CheckAuthorization(int machineId, int userId, string functionName, string token) - { - // Check if the machine is the same where the user logged in - if (machineId != MachineConfig.MachineId) - return false; - + private bool CheckAuthorization(string functionName, string token, out int machineId, out int userId) + { + machineId = userId = 0; using (SessionsController sessionsController = new SessionsController()) { // Find user session on this machine @@ -57,6 +65,13 @@ namespace Step if (session == null) return false; + // Check if the machine is the same where the user logged in + if (session.MachineUserId != MachineConfig.MachineId) + return false; + + machineId = session.MachineUserId; + userId = session.MachineUser.UserId; + MachineUserModel machineUser = new MachineUserModel(); using (MachinesUsersController machineUsersController = new MachinesUsersController()) {