From 4913535bc40b907e23a5825700a431268769972e Mon Sep 17 00:00:00 2001
From: dkattan <1424395+dkattan@users.noreply.github.com>
Date: Fri, 3 Dec 2021 14:46:19 -0600
Subject: [PATCH 1/3] Made the authorization header require a Basic base64 encoded token instead of the literal key:secret as PowerShell 7 complains when you don't use a base64 encoded value.

---
 Server/Auth/ApiAuthorizationFilter.cs | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/Server/Auth/ApiAuthorizationFilter.cs b/Server/Auth/ApiAuthorizationFilter.cs
index c459a1a8..468cc5f0 100644
--- a/Server/Auth/ApiAuthorizationFilter.cs
+++ b/Server/Auth/ApiAuthorizationFilter.cs
@@ -1,6 +1,8 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Remotely.Server.Services;
+using System;
+using System.Text;
 
 namespace Remotely.Server.Auth
 {
@@ -25,15 +27,26 @@ namespace Remotely.Server.Auth
 
             if (context.HttpContext.Request.Headers.TryGetValue("Authorization", out var result))
             {
-                var keyId = result.ToString().Split(":")[0]?.Trim();
-                var apiSecret = result.ToString().Split(":")[1]?.Trim();
+                var tokenType = result.ToString().Split(" ")[0].Trim();
 
-                if (DataService.ValidateApiKey(keyId, apiSecret, context.HttpContext.Request.Path, context.HttpContext.Connection.RemoteIpAddress.ToString()))
+                switch (tokenType)
                 {
-                    var orgID = DataService.GetApiKey(keyId)?.OrganizationID;
-                    context.HttpContext.Request.Headers["OrganizationID"] = orgID;
-                    return;
+                    case "Basic":
+                        var encodedToken = result.ToString().Split(" ")[1].Trim();
+
+                        byte[] data = Convert.FromBase64String(encodedToken);
+                        string decodedString = Encoding.UTF8.GetString(data);
+                        var keyId = decodedString.ToString().Split(":")[0]?.Trim();
+                        var apiSecret = decodedString.ToString().Split(":")[1]?.Trim();
+                        if (DataService.ValidateApiKey(keyId, apiSecret, context.HttpContext.Request.Path, context.HttpContext.Connection.RemoteIpAddress.ToString()))
+                        {
+                            var orgID = DataService.GetApiKey(keyId)?.OrganizationID;
+                            context.HttpContext.Request.Headers["OrganizationID"] = orgID;
+                            return;
+                        }
+                        break;
                 }
+
             }
 
             context.Result = new UnauthorizedResult();

From 539cf62b7cfb20787656369f387a9269b74e24f4 Mon Sep 17 00:00:00 2001
From: Steve Sobol
Date: Tue, 14 Dec 2021 17:10:09 -0800
Subject: [PATCH 2/3] Check for a valid Authorization: header

---
 Server/Auth/ApiAuthorizationFilter.cs | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/Server/Auth/ApiAuthorizationFilter.cs b/Server/Auth/ApiAuthorizationFilter.cs
index 468cc5f0..f1ef1847 100644
--- a/Server/Auth/ApiAuthorizationFilter.cs
+++ b/Server/Auth/ApiAuthorizationFilter.cs
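Review bot: `Convert.FromBase64String(encodedToken)` throws `FormatException` on any value that is not well-formed base64, and nothing in this hunk catches it, so a request whose `Basic` value is garbage ends in an unhandled exception (a 500 and an error-log entry) instead of the `UnauthorizedResult` every other bad credential gets; the line survives as context in PATCH 2 and PATCH 3, so neither of them addresses it either. Treat an undecodable token like any other failed credential: `byte[] data; try { data = Convert.FromBase64String(encodedToken); } catch (FormatException) { context.Result = new UnauthorizedResult(); return; }`. The `case "Basic":` match is also an exact ordinal comparison, while the scheme token in an Authorization header is case-insensitive, so a client sending `basic` is refused; comparing with `StringComparison.OrdinalIgnoreCase` before dispatching would accept both. The enclosing method begins before this hunk and its signature is not visible here.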
@@ -27,13 +27,20 @@ namespace Remotely.Server.Auth
 
             if (context.HttpContext.Request.Headers.TryGetValue("Authorization", out var result))
             {
-                var tokenType = result.ToString().Split(" ")[0].Trim();
+
+                var headerComponents = result.ToString().Split(" ");
+                if (headerComponents.Length < 2)
+                {
+                    context.HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                    return;
+                };
+
+                var tokenType = headerComponents[0].Trim();
+                var encodedToken = headerComponents[1].Trim();
 
                 switch (tokenType)
                 {
                     case "Basic":
-                        var encodedToken = result.ToString().Split(" ")[1].Trim();
-
                         byte[] data = Convert.FromBase64String(encodedToken);
                         string decodedString = Encoding.UTF8.GetString(data);
                         var keyId = decodedString.ToString().Split(":")[0]?.Trim();

From 66d15a6d4e7d465ac35ae5590275adc7a90c60fa Mon Sep 17 00:00:00 2001
From: Steve Sobol
Date: Tue, 14 Dec 2021 17:14:28 -0800
Subject: [PATCH 3/3] Ensure that auth payload includes both a key ID and a secret

---
 Server/Auth/ApiAuthorizationFilter.cs | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/Server/Auth/ApiAuthorizationFilter.cs b/Server/Auth/ApiAuthorizationFilter.cs
index f1ef1847..a303dfd6 100644
--- a/Server/Auth/ApiAuthorizationFilter.cs
+++ b/Server/Auth/ApiAuthorizationFilter.cs
@@ -2,6 +2,7 @@
 using Microsoft.AspNetCore.Mvc.Filters;
 using Remotely.Server.Services;
 using System;
+using System.Net;
 using System.Text;
 
 namespace Remotely.Server.Auth
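Review bot: The new `headerComponents.Length < 2` guard sets `context.HttpContext.Response.StatusCode` and returns without assigning `context.Result`; if this is an `IAuthorizationFilter.OnAuthorization` (the signature is outside the hunk, but the `context.Result = new UnauthorizedResult()` fall-through below uses that contract), only a non-null `context.Result` short-circuits the MVC pipeline, so a request whose Authorization header contains no space continues into the action with the 403 most likely overwritten by the action's own result — a malformed header bypasses the filter instead of being rejected. Short-circuit the way the fall-through already does: `context.Result = new UnauthorizedResult(); return;` (401 is also the right status for an unusable credential; 403 is for an authenticated identity that lacks permission). PATCH 3 adds the same pattern in its `authComponents.Length < 2` guard and needs the same change. `HttpStatusCode` is referenced here without `using System.Net;`, which only arrives in PATCH 3, so this commit does not build on its own, and the `};` after the guard's closing brace is a stray empty statement.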
@@ -43,8 +44,16 @@ namespace Remotely.Server.Auth
                     case "Basic":
                         byte[] data = Convert.FromBase64String(encodedToken);
                         string decodedString = Encoding.UTF8.GetString(data);
-                        var keyId = decodedString.ToString().Split(":")[0]?.Trim();
-                        var apiSecret = decodedString.ToString().Split(":")[1]?.Trim();
+
+                        var authComponents = decodedString.ToString().Split(":");
+                        if (authComponents.Length < 2)
+                        {
+                            context.HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                            return;
+                        };
+
+                        var keyId = authComponents[0]?.Trim();
+                        var apiSecret = authComponents[1]?.Trim();
                         if (DataService.ValidateApiKey(keyId, apiSecret, context.HttpContext.Request.Path, context.HttpContext.Connection.RemoteIpAddress.ToString()))
                         {
                             var orgID = DataService.GetApiKey(keyId)?.OrganizationID;
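Review bot: `decodedString.ToString().Split(":")` splits on every colon, so a secret that itself contains ':' is cut at its first segment and `ValidateApiKey` is handed a truncated value; the Basic credential format is key-id ':' secret with colons permitted in the secret part, so split once, `var authComponents = decodedString.Split(':', 2);`, which still yields exactly two elements for the `Length < 2` check that follows. If the secrets are server-generated without colons this is latent today, but the fix costs nothing and removes a dependency on how `DataService` formats them. The `?.Trim()` on `authComponents[0]` and `[1]` is dead code — `Split` never yields a null element — and `.ToString()` on a `string` is a no-op, so `var keyId = authComponents[0].Trim();` reads cleaner. The enclosing method begins before this hunk and continues after it.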