Stackbever

Reputation: 443

Possible to bypass servicestack's authentication mechanisms for non standard authentication

My authentication mechanism is different in a way that it cannot fit into one of ServiceStack's current authentication methods (even overriding the method 'TryAuthenticate' does not provide a solution). So would it be possible to authenticate from some arbitrary ServiceStack service?

To give an example:

  1. I open a plain old HTML login page (I am using Angular for the record).
  2. I log in and call my custom ServiceStack service in order to send the non-standard credentials to the server (of course using Angular's http directive).
  3. I validate the credentials myself. If correct I like to hook up into servicestack authentication mechanism and probably have to send back a ServiceStack authentication cookie to the browser. Am I correct?

If someone can make 3 work I can call ServiceStack services which have the Authenticate attribute.

Upvotes: 1

Views: 354

Answers (1)

mythz

Reputation: 143399

To be allowed through the [Authenticate] attribute, it needs any one of the registered AuthProviders' IsAuthorized() to return true, i.e:

public class CustomAuthProvider : AuthProvider
{
    public CustomAuthProvider()
    {
        this.Provider = "custom";
    }

    public override bool IsAuthorized(
        IAuthSession session, IAuthTokens tokens, Authenticate request = null)
    {
        return true; //replace with custom logic that verifies this session is authenticated
    }

    public override object Authenticate(
        IServiceBase authService, IAuthSession session, Authenticate request)
    {
        throw new NotImplementedException();
    }
}

Plugins.Add(new AuthFeature(() => new CustomUserSession(),
    new IAuthProvider[] {
        new CustomAuthProvider()
    }));

In your Custom Authentication Service you should also save the User's Session with IsAuthenticated=true, e.g:

public object Any(CustomAuth request)
{
    //Authenticate User, then mark the session as authenticated and persist it
    var session = base.SessionAs<CustomUserSession>();
    session.IsAuthenticated = true;
    this.SaveSession(session);
    return null; //or a response DTO; the session cookie is already on the response
}

Upvotes: 2
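A fuller version of the two pieces in the answer, added here as an illustration and not code from the question or the answer: the provider admits only sessions the custom service has flagged, rather than returning true for everyone, and the service validates the credential before setting IsAuthenticated. The `/customauth` route, the `UserName`/`Token` fields, the app-settings lookup and the `CredentialsValid` helper are assumptions; registration stays as in the answer (`new AuthFeature(() => new AuthUserSession(), new IAuthProvider[] { new CustomAuthProvider() })`).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using ServiceStack;
using ServiceStack.Auth;

// Login DTOs; the route and field names are assumptions for this example.
[Route("/customauth", "POST")]
public class CustomAuth : IReturn<CustomAuthResponse>
{
    public string UserName { get; set; }
    public string Token { get; set; }   // the non-standard credential
}
public class CustomAuthResponse { public string SessionId { get; set; } }

public class CustomAuthProvider : AuthProvider
{
    public CustomAuthProvider() { Provider = "custom"; }
    // Only a session flagged by CustomAuthService passes [Authenticate]; an unconditional
    // 'return true' here would admit every caller, logged in or not.
    public override bool IsAuthorized(IAuthSession session, IAuthTokens tokens, Authenticate request = null)
        => session != null && session.IsAuthenticated;
    // Login never goes through /auth, so the provider does not implement it.
    public override object Authenticate(IServiceBase authService, IAuthSession session, Authenticate request)
        => throw new NotImplementedException();
}

public class CustomAuthService : Service
{
    public object Post(CustomAuth request)
    {
        if (!CredentialsValid(request.UserName, request.Token))
            throw HttpError.Unauthorized("Invalid credentials");
        var session = SessionAs<AuthUserSession>();   // or the session type registered with AuthFeature
        session.IsAuthenticated = true;
        session.UserAuthName = request.UserName;
        this.SaveSession(session);   // persist it; ServiceStack's ss-id session cookie is already set
        return new CustomAuthResponse { SessionId = session.Id };
    }

    // Stand-in for the real credential check (assumed): a per-user token read from app settings,
    // compared in constant time so the comparison does not leak how much of it matched.
    static bool CredentialsValid(string user, string token)
    {
        var expected = HostContext.AppSettings.GetString("token:" + user);
        if (expected == null || token == null) return false;
        return CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(token));
    }
}
```

`CryptographicOperations.FixedTimeEquals` needs .NET Core 2.1 or later; on older frameworks substitute an equivalent fixed-time comparison.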
