1

I have a MVC 5 application that has controllers dressed with the [Authorize] attribute. However, requirements state that clients may not be able to login to the web application (as this web app will be deployed on signage players -- not web browsers -- that accepts URLs as input to access specific actions in the web app).

In response, I was thinking about using a URL that a client could use that would authorize their actions, in place of logging in...in the format of:

http://{website}/Action?token={/* randomly generated key for this user */}

How would I go about implementing this without changing my current code dressed with the [Authorize] attribute?

1 Answers1

0

I did change my code slightly. Instead of dressing my controllers with [Authorize], I created a custom authorize attribute called [TokenAuthorize].

I created a SecurityManager class to generate and validate a token. This was adapted from Primary Objects, although I chose not to use any of their client-side code or hash using ip or userAgent. Also, I created a TokenIdentity class to create an Identity for authorizing an action. This was adapted from Steve's Coding Blog. Jelle's link also helped in authorizing a user by token using GenericPrincipal: HttpContext.Current.User = new GenericPrincipal(new TokenIdentity(username), roles.ToArray());

After implementing this, I was able to authorize an action using a url parameter called token: http://{website}/Action?token={/* randomly generated key for this user */}

TokenAuthorize.cs

public class TokenAuthorize : AuthorizeAttribute
{
    private const string SecurityToken = "token";

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (Authorize(filterContext))
        {
            return;
        }

        HandleUnauthorizedRequest(filterContext);
    }

    private bool Authorize(AuthorizationContext actionContext)
    {
        try
        {
            HttpContextBase context = actionContext.RequestContext.HttpContext;
            string token = context.Request.Params[SecurityToken];

            // check if the token is valid. if so, authorize action.
            bool isTokenAuthorized = SecurityManager.IsTokenValid(token);
            if (isTokenAuthorized) return true; 

            // if the token is not valid, check if the user is authorized by default.
            bool isDefaultAuthorized = AuthorizeCore(context);
            return isDefaultAuthorized; 
        }
        catch (Exception)
        {
            return false;
        }
    }
}

SecurityManager.cs (adapted from Primary Objects)

public class SecurityManager
{
    private const string Alg = "HmacSHA256";
    private const string Salt = "rz8LuOtFBXphj9WQfvFh";

    // Generates a token to be used in API calls.
    // The token is generated by hashing a message with a key, using HMAC SHA256.
    // The message is: username
    // The key is: password:salt
    public static string GenerateToken(string username, string password)
    {
        string hash = string.Join(":", new string[] { username });
        string hashLeft;
        string hashRight;

        using (HMAC hmac = HMAC.Create(Alg))
        {
            hmac.Key = Encoding.UTF8.GetBytes(GetHashedPassword(password));
            hmac.ComputeHash(Encoding.UTF8.GetBytes(hash));

            hashLeft = Convert.ToBase64String(hmac.Hash);
            hashRight = string.Join(":", username);
        }

        return Convert.ToBase64String(Encoding.UTF8.GetBytes(string.Join(":", hashLeft, hashRight)));
    }

    // used in generating a token
    private static string GetHashedPassword(string password)
    {
        string key = string.Join(":", new string[] { password, Salt });

        using (HMAC hmac = HMAC.Create(Alg))
        {
            // Hash the key.
            hmac.Key = Encoding.UTF8.GetBytes(Salt);
            hmac.ComputeHash(Encoding.UTF8.GetBytes(key));

            return Convert.ToBase64String(hmac.Hash);
        }
    }

    // Checks if a token is valid.
    public static bool IsTokenValid(string token)
    {
        var context = new ApplicationDbContext();

        try
        {
            // Base64 decode the string, obtaining the token:username.
            string key = Encoding.UTF8.GetString(Convert.FromBase64String(token));

            // Split the parts.
            string[] parts = key.Split(':');
            if (parts.Length != 2) return false;

            // Get the username.
            string username = parts[1];

            // Get the token for said user
            // var computedToken = ...

            // Compare the computed token with the one supplied and ensure they match.
            var result = (token == computedToken);

            if (!result) return false;

            // get roles for user (ASP.NET Identity 2.0)
            var user = context.Users.Single(u => u.UserName == username);
            var rolesPerUser = context.UserRoles.Where(x => x.UserId == user.Id).ToList();
            var roles = rolesPerUser.Select(role => context.Roles.Single(r => r.Id == role.RoleId).Name);
            // NOTE: define public DbSet<IdentityUserRole> UserRoles { get; set; } ...
            // ... in your DbContext in IdentityModels.cs

            HttpContext.Current.User = new GenericPrincipal(new TokenIdentity(username), roles.ToArray());

            return true;
        }
        catch
        {
            return false;
        }
    }
}

TokenIdentity.cs (adapted from Steve's Coding Blog)

public class TokenIdentity : IIdentity
{
    public string User { get; private set; }

    public TokenIdentity(string user)
    {
        this.User = user;
    }

    public string Name => User;

    public string AuthenticationType => "ApplicationToken";

    public bool IsAuthenticated => true;
}
Community
  • 1
  • 1