1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Microsoft.Net.Http.Headers;
using System;
using System.Linq;
using System.Security.Claims;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Timeline.Services;
namespace Timeline.Authenticate
{
static class AuthConstants
{
public const string Scheme = "Bearer";
public const string DisplayName = "My Jwt Auth Scheme";
}
class AuthOptions : AuthenticationSchemeOptions
{
/// <summary>
/// The query param key to search for token. If null then query params are not searched for token. Default to <c>"token"</c>.
/// </summary>
public string TokenQueryParamKey { get; set; } = "token";
}
class AuthHandler : AuthenticationHandler<AuthOptions>
{
private readonly ILogger<AuthHandler> _logger;
private readonly IUserService _userService;
public AuthHandler(IOptionsMonitor<AuthOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock, IUserService userService)
: base(options, logger, encoder, clock)
{
_logger = logger.CreateLogger<AuthHandler>();
_userService = userService;
}
// return null if no token is found
private string ExtractToken()
{
// check the authorization header
string header = Request.Headers[HeaderNames.Authorization];
if (!string.IsNullOrEmpty(header) && header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
{
var token = header.Substring("Bearer ".Length).Trim();
_logger.LogInformation("Token is found in authorization header. Token is {} .", token);
return token;
}
// check the query params
var paramQueryKey = Options.TokenQueryParamKey;
if (!string.IsNullOrEmpty(paramQueryKey))
{
string token = Request.Query[paramQueryKey];
if (!string.IsNullOrEmpty(token))
{
_logger.LogInformation("Token is found in query param with key \"{}\". Token is {} .", paramQueryKey, token);
return token;
}
}
// not found anywhere then return null
return null;
}
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
{
var token = ExtractToken();
if (string.IsNullOrEmpty(token))
{
_logger.LogInformation("No jwt token is found.");
return AuthenticateResult.NoResult();
}
try
{
var userInfo = await _userService.VerifyToken(token);
var identity = new ClaimsIdentity(AuthConstants.Scheme);
identity.AddClaim(new Claim(identity.NameClaimType, userInfo.Username, ClaimValueTypes.String));
identity.AddClaims(Entities.UserUtility.IsAdminToRoleArray(userInfo.Administrator).Select(role => new Claim(identity.RoleClaimType, role, ClaimValueTypes.String)));
var principal = new ClaimsPrincipal();
principal.AddIdentity(identity);
return AuthenticateResult.Success(new AuthenticationTicket(principal, AuthConstants.Scheme));
}
catch (ArgumentException)
{
throw; // this exception usually means server error.
}
catch (Exception e)
{
_logger.LogInformation(e, "A jwt token validation failed.");
return AuthenticateResult.Fail(e);
}
}
}
}
|
