Reputation: 2449
I am trying to create an ASP.NET MVC API Authorization filter, the reason for this is that I would like for my API to work with both the session login and an API key.
So if the HttpContext.Current.User.Identity.IsAuthenticated
it true, do nothing. If no find the parameter API key and validate it and the user for this request only.
I have tried the following below, but when I get into the action it is called is the HttpContext.Current.User.Identity.Name
just empty and IsAuthenticated
is false.
public class MyAccessFilter : ActionFilterAttribute, IAuthorizationFilter { private DatabaseEntities database;
public MyAccessFilter()
{
database = new DatabaseEntities();
}
public Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(HttpActionContext actionContext, CancellationToken cancellationToken,
Func<Task<HttpResponseMessage>> continuation)
{
// If the users is already authed is this a local call, user id should be set
if (HttpContext.Current.User.Identity.IsAuthenticated)
return continuation();
// Find the api key and log in with it
IEnumerable<string> apiKeyHeader;
if (!actionContext.Request.Headers.TryGetValues("apikey", out apiKeyHeader))
return failed();
if(apiKeyHeader.Count() != 1)
return failed();
string key = apiKeyHeader.First();
//var key = actionContext.ControllerContext.RouteData.Values["apikey"] as string;
if (String.IsNullOrWhiteSpace(key))
return failed();
var userid = (from f in database.Users where f.ApiKey == key select f.Id).FirstOrDefault();
if (userid == 0)
{
return failed();
}
var usernameClaim = new Claim(ClaimTypes.Name, userid.ToString());
var identity = new ClaimsIdentity(new[] { usernameClaim }, "ApiKey");
var principal = new ClaimsPrincipal(identity);
Thread.CurrentPrincipal = principal;
return continuation();
}
private Task<HttpResponseMessage> failed()
{
TaskCompletionSource<HttpResponseMessage> tcs = new TaskCompletionSource<HttpResponseMessage>();
tcs.SetResult(new HttpResponseMessage(HttpStatusCode.Unauthorized));
return tcs.Task;
}
}
Upvotes: 0
Views: 166
Reputation: 4426
Derive it from AuthorizeAttribute
and implement OnAuthorization method. See for more details
Upvotes: 1