Merge pull request #417 from immense/feature/base64-encode-basic-auth

Base64 encode API Token
2025-10-26 11:27:15 +00:00 · 2021-12-15 06:07:42 -06:00 · 2021-12-15 06:07:42 -06:00 · bb90a33042
commit bb90a33042
parent c3e80e6635 66d15a6d4e
1 changed files with 34 additions and 5 deletions
--- a/Server/Auth/ApiAuthorizationFilter.cs
+++ b/Server/Auth/ApiAuthorizationFilter.cs
@ -1,6 +1,9 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Remotely.Server.Services;
+using System;
+using System.Net;
+using System.Text;

 namespace Remotely.Server.Auth
 {
@ -25,15 +28,41 @@ namespace Remotely.Server.Auth

            if (context.HttpContext.Request.Headers.TryGetValue("Authorization", out var result))
            {
-                var keyId = result.ToString().Split(":")[0]?.Trim();
-                var apiSecret = result.ToString().Split(":")[1]?.Trim();

-                if (DataService.ValidateApiKey(keyId, apiSecret, context.HttpContext.Request.Path, context.HttpContext.Connection.RemoteIpAddress.ToString()))
+                var headerComponents = result.ToString().Split(" ");
+                if (headerComponents.Length < 2)
                {
-                    var orgID = DataService.GetApiKey(keyId)?.OrganizationID;
-                    context.HttpContext.Request.Headers["OrganizationID"] = orgID;
+                    context.HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                    return;
+                };
+
+                var tokenType = headerComponents[0].Trim();
+                var encodedToken = headerComponents[1].Trim();
+
+                switch (tokenType)
+                {
+                    case "Basic":
+                        byte[] data = Convert.FromBase64String(encodedToken);
+                        string decodedString = Encoding.UTF8.GetString(data);
+
+                        var authComponents = decodedString.ToString().Split(":");
+                        if (authComponents.Length < 2)
+                        {
+                            context.HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                            return;
+                        };
+
+                        var keyId = authComponents[0]?.Trim();
+                        var apiSecret = authComponents[1]?.Trim();
+                        if (DataService.ValidateApiKey(keyId, apiSecret, context.HttpContext.Request.Path, context.HttpContext.Connection.RemoteIpAddress.ToString()))
+                        {
+                            var orgID = DataService.GetApiKey(keyId)?.OrganizationID;
+                            context.HttpContext.Request.Headers["OrganizationID"] = orgID;
+                            return;
+                        }
+                        break;
                }
+
            }

            context.Result = new UnauthorizedResult();