Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
310 views
in Technique by (71.8m points)

Asp.Net Core 2.1 - Authorize based on content in request

I am exposing an endpoint for integration with a 3rd party and their requirement is for me to authorize their requests to my endpoint based on a key passed in the body being posted. My code will then need to validate that the passed key matches some predetermined value on my side. The incoming model will look something like this:

public class RequestBase
{
    public string ApiKey { get; set; }
    ...
}

Exploring the options for Authorization in ASP.NET Core I don't really see a match for what I am attempting to do. I am thinking a custom AuthorizeAttribute from this question would work but I'm not having any luck and get a 401 regardless of what I do. This is what I have so far:

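using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http.Internal; // EnableRewind()
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

[AttributeUsage(AttributeTargets.Class)]
public class MyAuthorizeAttribute : AuthorizeAttribute, IAuthorizationFilter
{
    private static IEnumerable<string> _apiKeys = new List<string>
        {
            "some key... eventually will be dynamic"
        };

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var req = context.HttpContext.Request;
        // Buffer the body so it can be read here and again by model binding.
        req.EnableRewind();

        using (var reader = new StreamReader(req.Body, Encoding.UTF8, true, 1024, true))
        {
            var bodyStr = reader.ReadToEnd();
            // Substring search over the raw body for any known key.
            var isAuthorized = _apiKeys.Any(apiKey => bodyStr.Contains(apiKey));
            if (!isAuthorized)
            {
                context.Result = new StatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);
                return;
            }
        }

        // Rewind so the body can be read again further down the pipeline.
        req.Body.Position = 0;
    }
}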

When the key is not found in the body the 403 is returned as expected. However, when the key is found the result I get back is still a 401. Almost seems as if the base.OnAuthorization is being called. I have other endpoints that use a standard AuthorizeAttribute. They work as expected only if I pass in a JWT.

Questions:

  1. Am I on the right path with a custom AuthorizeAttribute or is there a better way?
  2. If a custom AuthorizeAttribute is the right path... what am I missing?

Appreciate any help!


1 Reply

0 votes
by (71.8m points)

To use your own authorization logic with IAuthorizationFilter, you should not combine it with AuthorizeAttribute, which will check authentication with the default authentication scheme.

Try to change AuthorizeAttribute to Attribute.

[AttributeUsage(AttributeTargets.Class)]
public class KeyAuthorizeAttribute : Attribute, IAuthorizationFilter
{
    // OnAuthorization(AuthorizationFilterContext context) stays as in the question
}
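
A complete version of the filter the answer describes, as an added example (not code from the question or the answer): it derives from Attribute instead of AuthorizeAttribute, reads the ApiKey property from the parsed JSON body rather than searching the raw body for a substring, and compares it in constant time. Assumptions: a JSON request body, Newtonsoft.Json (the ASP.NET Core 2.1 default), a .NET Core 2.1+ target for CryptographicOperations, and a placeholder key value.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Http.Internal;   // EnableRewind() in ASP.NET Core 2.1
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Added example: plain Attribute + IAuthorizationFilter, so no authentication
// scheme is challenged and only the body key decides the outcome.
[AttributeUsage(AttributeTargets.Class)]
public class KeyAuthorizeAttribute : Attribute, IAuthorizationFilter
{
    // Placeholder value (assumption); load real keys from configuration or a secret store.
    private static readonly byte[][] ApiKeys =
    {
        Encoding.UTF8.GetBytes("REPLACE-WITH-CONFIGURED-KEY")
    };

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var req = context.HttpContext.Request;
        req.EnableRewind();                       // buffer so model binding can re-read

        string supplied = null;
        try
        {
            using (var reader = new StreamReader(req.Body, Encoding.UTF8, true, 1024, leaveOpen: true))
            {
                // Read only the top-level ApiKey property, not any substring of the body.
                var token = JObject.Parse(reader.ReadToEnd())
                    .GetValue("ApiKey", StringComparison.OrdinalIgnoreCase);
                if (token != null && token.Type == JTokenType.String) supplied = (string)token;
            }
        }
        catch (JsonReaderException) { /* malformed JSON: treated as unauthorized */ }
        finally { req.Body.Position = 0; }        // rewind on every path

        var candidate = Encoding.UTF8.GetBytes(supplied ?? string.Empty);
        // Constant-time compare against every key; no early exit on first match.
        var ok = ApiKeys.Aggregate(false, (hit, k) => hit | CryptographicOperations.FixedTimeEquals(k, candidate));
        if (!ok) context.Result = new StatusCodeResult(403);
    }
}
```

Apply it with [KeyAuthorize] on the controller that receives the third party's posts, and keep [Authorize] off that controller so the JWT scheme is not challenged there.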
