diff --git a/Server/Auth/ApiAuthorizationFilter.cs b/Server/Auth/ApiAuthorizationFilter.cs index c459a1a8..a303dfd6 100644 --- a/Server/Auth/ApiAuthorizationFilter.cs +++ b/Server/Auth/ApiAuthorizationFilter.cs @@ -1,6 +1,9 @@ using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc.Filters; using Remotely.Server.Services; +using System; +using System.Net; +using System.Text; namespace Remotely.Server.Auth { @@ -25,15 +28,41 @@ namespace Remotely.Server.Auth if (context.HttpContext.Request.Headers.TryGetValue("Authorization", out var result)) { - var keyId = result.ToString().Split(":")[0]?.Trim(); - var apiSecret = result.ToString().Split(":")[1]?.Trim(); - if (DataService.ValidateApiKey(keyId, apiSecret, context.HttpContext.Request.Path, context.HttpContext.Connection.RemoteIpAddress.ToString())) + var headerComponents = result.ToString().Split(" "); + if (headerComponents.Length < 2) { - var orgID = DataService.GetApiKey(keyId)?.OrganizationID; - context.HttpContext.Request.Headers["OrganizationID"] = orgID; + context.HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; return; + }; + + var tokenType = headerComponents[0].Trim(); + var encodedToken = headerComponents[1].Trim(); + + switch (tokenType) + { + case "Basic": + byte[] data = Convert.FromBase64String(encodedToken); + string decodedString = Encoding.UTF8.GetString(data); + + var authComponents = decodedString.ToString().Split(":"); + if (authComponents.Length < 2) + { + context.HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; + return; + }; + + var keyId = authComponents[0]?.Trim(); + var apiSecret = authComponents[1]?.Trim(); + if (DataService.ValidateApiKey(keyId, apiSecret, context.HttpContext.Request.Path, context.HttpContext.Connection.RemoteIpAddress.ToString())) + { + var orgID = DataService.GetApiKey(keyId)?.OrganizationID; + context.HttpContext.Request.Headers["OrganizationID"] = orgID; + return; + } + break; } + } context.Result = new UnauthorizedResult();
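Review bot: The two new early-exit paths (`if (headerComponents.Length < 2)` and `if (authComponents.Length < 2)`) set `context.HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden` and then `return;` without assigning `context.Result`; if this is an MVC `IAuthorizationFilter`, as the existing `context.Result = new UnauthorizedResult();` line suggests, only `context.Result` short-circuits the pipeline, so a request with a malformed `Authorization` header would still reach the action with a 403 status pre-set instead of being rejected by this filter. In both places use `context.Result = new StatusCodeResult((int)HttpStatusCode.Forbidden); return;` (or `new UnauthorizedResult()` to keep the 401 the rest of the filter returns). `Convert.FromBase64String(encodedToken)` throws `FormatException` on a non-Base64 token, which surfaces as an unhandled exception rather than a 401, so wrap it in a `try`/`catch (FormatException)` that sets `context.Result` before returning. `decodedString.ToString().Split(":")` truncates any secret that itself contains a colon and the `.ToString()` on a string is redundant; `decodedString.Split(':', 2)` keeps the full secret (the pre-change code had the same truncation). The enclosing method begins before the hunk, and the hunk appears to continue past the shown `context.Result = new UnauthorizedResult();` line.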