CODEWITHSUNDEEP
asp.net-mvc-4asp.net-web-api
Androme
Androme

Reputation: 2449

ASP.NET MVC API with WebForms

I am trying to create an ASP.NET MVC API Authorization filter, the reason for this is that I would like for my API to work with both the session login and an API key.

So if the HttpContext.Current.User.Identity.IsAuthenticated it true, do nothing. If no find the parameter API key and validate it and the user for this request only. I have tried the following below, but when I get into the action it is called is the HttpContext.Current.User.Identity.Name just empty and IsAuthenticated is false.

public class MyAccessFilter : ActionFilterAttribute, IAuthorizationFilter { private DatabaseEntities database;

public MyAccessFilter()
{
    database = new DatabaseEntities();   
}

public Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(HttpActionContext actionContext, CancellationToken cancellationToken,
    Func<Task<HttpResponseMessage>> continuation)
{
    // If the users is already authed is this a local call, user id should be set
    if (HttpContext.Current.User.Identity.IsAuthenticated)
        return continuation();

    // Find the api key and log in with it

    IEnumerable<string> apiKeyHeader;
    if (!actionContext.Request.Headers.TryGetValues("apikey", out apiKeyHeader))
        return failed();
    if(apiKeyHeader.Count() != 1)
        return failed();
    string key = apiKeyHeader.First();


    //var key = actionContext.ControllerContext.RouteData.Values["apikey"] as string;
    if (String.IsNullOrWhiteSpace(key))
        return failed();

    var userid = (from f in database.Users where f.ApiKey == key select f.Id).FirstOrDefault();
    if (userid == 0)
    {
        return failed();
    }

    var usernameClaim = new Claim(ClaimTypes.Name, userid.ToString());
    var identity = new ClaimsIdentity(new[] { usernameClaim }, "ApiKey");
    var principal = new ClaimsPrincipal(identity);
    Thread.CurrentPrincipal = principal;

    return continuation();
}

private Task<HttpResponseMessage> failed()
{
    TaskCompletionSource<HttpResponseMessage> tcs = new TaskCompletionSource<HttpResponseMessage>();
    tcs.SetResult(new HttpResponseMessage(HttpStatusCode.Unauthorized));
    return tcs.Task;
}

}

Upvotes: 0

Views: 166

Answers (1)

kkocabiyik
kkocabiyik

Reputation: 4426

Derive it from AuthorizeAttribute and implement OnAuthorization method. See for more details

Upvotes: 1

Related Questions