From f8ec65fd2907fafe9e9331a10c3f25bb8946fe96 Mon Sep 17 00:00:00 2001 From: Kun Deng Date: Sat, 27 Aug 2022 21:35:49 -0400 Subject: [PATCH] Tokens are validated in respective endpoints --- Controllers/v1/AlbumController.cs | 17 ++++--- Controllers/v1/ArtistController.cs | 17 ++++--- Controllers/v1/BaseController.cs | 49 +++++++++++++++++++ Controllers/v1/CoverArtController.cs | 16 ++++-- Controllers/v1/GenreController.cs | 15 ++++-- .../v1/SongCompressedDataControllers.cs | 9 ++-- Controllers/v1/SongController.cs | 39 +++++---------- Controllers/v1/SongDataController.cs | 49 +++++-------------- Controllers/v1/SongStreamController.cs | 30 +----------- 9 files changed, 126 insertions(+), 115 deletions(-) create mode 100644 Controllers/v1/BaseController.cs diff --git a/Controllers/v1/AlbumController.cs b/Controllers/v1/AlbumController.cs index cdb6502..903494a 100644 --- a/Controllers/v1/AlbumController.cs +++ b/Controllers/v1/AlbumController.cs @@ -1,6 +1,5 @@ using System; using System.Collections.Generic; -using System.Configuration; using System.Linq; using Microsoft.AspNetCore.Authorization; @@ -10,18 +9,16 @@ using Microsoft.Extensions.Logging; using Icarus.Models; using Icarus.Database.Contexts; -// using Icarus.Database.Repositories; namespace Icarus.Controllers.V1 { [Route("api/v1/album")] [ApiController] - public class AlbumController : ControllerBase + public class AlbumController : BaseController { #region Fields private readonly ILogger _logger; private string _connectionString; - private IConfiguration _config; #endregion @@ -41,9 +38,13 @@ namespace Icarus.Controllers.V1 #region HTTP Routes [HttpGet] - [Authorize("read:albums")] public IActionResult Get() { + if (!IsTokenValid("read:albums")) + { + return StatusCode(401, "Not allowed"); + } + List albums = new List(); var albumContext = new AlbumContext(_connectionString); @@ -57,9 +58,13 @@ namespace Icarus.Controllers.V1 } [HttpGet("{id}")] - [Authorize("read:albums")] public IActionResult Get(int id) { + if (!IsTokenValid("read:albums")) + { + return StatusCode(401, "Not allowed"); + } + Album album = new Album { AlbumID = id diff --git a/Controllers/v1/ArtistController.cs b/Controllers/v1/ArtistController.cs index 0531149..51e21b2 100644 --- a/Controllers/v1/ArtistController.cs +++ b/Controllers/v1/ArtistController.cs @@ -1,6 +1,4 @@ using System; -using System.Collections.Generic; -using System.Configuration; using System.Linq; using Microsoft.AspNetCore.Authorization; @@ -15,12 +13,11 @@ namespace Icarus.Controllers.V1 { [Route("api/v1/artist")] [ApiController] - public class ArtistController : ControllerBase + public class ArtistController : BaseController { #region Fields private readonly ILogger _logger; private string _connectionString; - private IConfiguration _config; #endregion @@ -40,9 +37,13 @@ namespace Icarus.Controllers.V1 #region HTTP Routes [HttpGet] - [Authorize("read:artists")] public IActionResult Get() { + if (!IsTokenValid("read:artists")) + { + return StatusCode(401, "Not allowed"); + } + var artistContext = new ArtistContext(_connectionString); var artists = artistContext.Artists.ToList(); @@ -54,9 +55,13 @@ namespace Icarus.Controllers.V1 } [HttpGet("{id}")] - [Authorize("read:artists")] public IActionResult Get(int id) { + if (!IsTokenValid("read:artists")) + { + return StatusCode(401, "Not allowed"); + } + Artist artist = new Artist { ArtistID = id diff --git a/Controllers/v1/BaseController.cs b/Controllers/v1/BaseController.cs new file mode 100644 index 0000000..911d273 --- /dev/null +++ b/Controllers/v1/BaseController.cs @@ -0,0 +1,49 @@ +using System; +using System.Linq; + +using Microsoft.AspNetCore.Mvc; +using Microsoft.Extensions.Configuration; + +using Icarus.Controllers.Managers; + + +namespace Icarus.Controllers.V1 +{ + public class BaseController : ControllerBase + { + #region Fiends + protected IConfiguration _config; + #endregion + + + #region Methods + protected string ParseBearerTokenFromHeader() + { + var token = string.Empty; + const string tokenType = "Bearer"; + const string otherTokenType = "Jwt"; + + var req = Request; + var auth = req.Headers.Authorization; + var val = auth.ToString(); + + if ((val.Contains(tokenType) || val.Contains(otherTokenType)) && val.Split(" ").Count() > 1) + { + var split = val.Split(" "); + token = split[1]; + } + + + return token; + } + + protected bool IsTokenValid(string scope) + { + var token = ParseBearerTokenFromHeader(); + var tokMgr = new TokenManager(_config); + + return tokMgr.IsTokenValid(scope, token); + } + #endregion + } +} \ No newline at end of file diff --git a/Controllers/v1/CoverArtController.cs b/Controllers/v1/CoverArtController.cs index 103d1c3..482b6a4 100644 --- a/Controllers/v1/CoverArtController.cs +++ b/Controllers/v1/CoverArtController.cs @@ -1,6 +1,4 @@ using System; -using System.Collections.Generic; -using System.IO; using System.Linq; using System.Threading.Tasks; @@ -17,12 +15,11 @@ namespace Icarus.Controllers.V1 { [Route("api/v1/coverart")] [ApiController] - public class CoverArtController : ControllerBase + public class CoverArtController : BaseController { #region Fields private readonly ILogger _logger; private string _connectionString; - private IConfiguration _config; #endregion @@ -39,6 +36,11 @@ namespace Icarus.Controllers.V1 #region HTTP Routes public IActionResult Get() { + if (!IsTokenValid("read:songs")) + { + return StatusCode(401, "Not allowed"); + } + var coverArtContext = new CoverArtContext(_connectionString); var coverArtRecords = coverArtContext.CoverArtImages.ToList(); @@ -56,9 +58,13 @@ namespace Icarus.Controllers.V1 } [HttpGet("{id}")] - [Authorize("download:cover_art")] public async Task Get(int id) { + if (!IsTokenValid("download:cover_art")) + { + return StatusCode(401, "Not allowed"); + } + var coverArt = new CoverArt { CoverArtID = id }; var coverArtContext = new CoverArtContext(_connectionString); diff --git a/Controllers/v1/GenreController.cs b/Controllers/v1/GenreController.cs index a53bc4e..8e29502 100644 --- a/Controllers/v1/GenreController.cs +++ b/Controllers/v1/GenreController.cs @@ -14,12 +14,11 @@ namespace Icarus.Controllers.V1 { [Route("api/v1/genre")] [ApiController] - public class GenreController : ControllerBase + public class GenreController : BaseController { #region Fields private readonly ILogger _logger; private string _connectionString; - private IConfiguration _config; #endregion @@ -39,9 +38,13 @@ namespace Icarus.Controllers.V1 #region HTTP Routes [HttpGet] - [Authorize("read:genre")] public IActionResult Get() { + if (!IsTokenValid("read:genre")) + { + return StatusCode(401, "Not allowed"); + } + var genres = new List(); var genreStore = new GenreContext(_connectionString); @@ -55,9 +58,13 @@ namespace Icarus.Controllers.V1 } [HttpGet("{id}")] - [Authorize("read:genre")] public IActionResult Get(int id) { + if (!IsTokenValid("read:genre")) + { + return StatusCode(401, "Not allowed"); + } + var genre = new Genre { GenreID = id diff --git a/Controllers/v1/SongCompressedDataControllers.cs b/Controllers/v1/SongCompressedDataControllers.cs index 97f36c8..cc96800 100644 --- a/Controllers/v1/SongCompressedDataControllers.cs +++ b/Controllers/v1/SongCompressedDataControllers.cs @@ -19,11 +19,10 @@ namespace Icarus.Controllers.V1 { [Route("api/v1/song/compressed/data")] [ApiController] - public class SongCompressedDataController : ControllerBase + public class SongCompressedDataController : BaseController { #region Fields private string _connectionString; - private IConfiguration _config; private string _songTempDir; private string _archiveDir; #endregion @@ -46,9 +45,13 @@ namespace Icarus.Controllers.V1 #region API Routes [HttpGet("{id}")] - [Authorize("download:songs")] public async Task Get(int id) { + if (!IsTokenValid("download:songs")) + { + return StatusCode(401, "Not allowed"); + } + var context = new SongContext(_connectionString); SongCompression cmp = new SongCompression(_archiveDir); diff --git a/Controllers/v1/SongController.cs b/Controllers/v1/SongController.cs index 77d755b..d94f78f 100644 --- a/Controllers/v1/SongController.cs +++ b/Controllers/v1/SongController.cs @@ -18,12 +18,11 @@ namespace Icarus.Controllers.V1 { [Route("api/v1/song")] [ApiController] - public class SongController : ControllerBase + public class SongController : BaseController { #region Fields private readonly ILogger _logger; private string _connectionString; - private IConfiguration _config; private SongManager _songMgr; #endregion @@ -44,35 +43,13 @@ namespace Icarus.Controllers.V1 #region Methods - private string ParseBearerTokenFromHeader() - { - var token = string.Empty; - const string tokenType = "Bearer"; - - var req = Request; - var auth = req.Headers.Authorization; - var val = auth.ToString(); - - if (val.Contains(tokenType) && val.Split(" ").Count() > 1) - { - var split = val.Split(" "); - token = split[1]; - } - - - return token; - } #region HTTP Endpoints [HttpGet] - // [Authorize("read:song_details")] public IActionResult Get() { - var token = ParseBearerTokenFromHeader(); - var tokMgr = new TokenManager(_config); - - if (!tokMgr.IsTokenValid("read:song_details", token)) + if (!IsTokenValid("read:song_details")) { return StatusCode(401, "Not allowed"); } @@ -92,9 +69,13 @@ namespace Icarus.Controllers.V1 } [HttpGet("{id}")] - [Authorize("read:song_details")] public IActionResult Get(int id) { + if (!IsTokenValid("read:song_details")) + { + return StatusCode(401, "Not allowed"); + } + var context = new SongContext(_connectionString); Song song = new Song { SongID = id }; @@ -108,10 +89,14 @@ namespace Icarus.Controllers.V1 return NotFound(); } - [Authorize("update:songs")] [HttpPut("{id}")] public IActionResult Put(int id, [FromBody] Song song) { + if (!IsTokenValid("update:songs")) + { + return StatusCode(401, "Not allowed"); + } + var context = new SongContext(_connectionString); song.SongID = id; diff --git a/Controllers/v1/SongDataController.cs b/Controllers/v1/SongDataController.cs index e44bebe..4760939 100644 --- a/Controllers/v1/SongDataController.cs +++ b/Controllers/v1/SongDataController.cs @@ -20,11 +20,10 @@ namespace Icarus.Controllers.V1 { [Route("api/v1/song/data")] [ApiController] - public class SongDataController : ControllerBase + public class SongDataController : BaseController { #region Fields private string _connectionString; - private IConfiguration _config; private ILogger _logger; private SongManager _songMgr; private string _songTempDir; @@ -47,33 +46,15 @@ namespace Icarus.Controllers.V1 #endregion - private string ParseBearerTokenFromHeader() - { - var token = string.Empty; - const string tokenType = "Bearer"; - const string otherTokenType = "Jwt"; - - var req = Request; - var auth = req.Headers.Authorization; - var val = auth.ToString(); - - if (val.Contains(tokenType) && val.Split(" ").Count() > 1 || - val.Contains(otherTokenType) && val.Split(" ").Count() > 1) - { - var split = val.Split(" "); - token = split[1]; - } - - - return token; - } - - [HttpGet("download/{id}")] [Route("private-scoped")] - [Authorize("download:songs")] public async Task Get(int id) { + if (!IsTokenValid("download:songs")) + { + return StatusCode(401, "Not allowed"); + } + var songContext = new SongContext(_connectionString); var songMetaData = songContext.RetrieveRecord(new Song { SongID = id}); @@ -96,13 +77,9 @@ namespace Icarus.Controllers.V1 // [HttpPost("upload"), DisableRequestSizeLimit] [Route("private-scoped")] - // [Authorize("upload:songs")] public IActionResult Post([FromForm(Name = "file")] List songData) { - var token = ParseBearerTokenFromHeader(); - var tokMgr = new TokenManager(_config); - - if (!tokMgr.IsTokenValid("upload:songs", token)) + if (!IsTokenValid("upload:songs")) { return StatusCode(401, "Not allowed"); } @@ -142,13 +119,9 @@ namespace Icarus.Controllers.V1 // [HttpPost("upload/with/data")] [Route("private-scoped")] - // [Authorize("upload:songs")] public IActionResult Post ([FromForm] UploadSongWithDataForm up) { - var token = ParseBearerTokenFromHeader(); - var tokMgr = new TokenManager(_config); - - if (!tokMgr.IsTokenValid("upload:songs", token)) + if (!IsTokenValid("upload:songs")) { return StatusCode(401, "Not allowed"); } @@ -172,9 +145,13 @@ namespace Icarus.Controllers.V1 } [HttpDelete("delete/{id}")] - [Authorize("delete:songs")] public IActionResult Delete(int id) { + if (!IsTokenValid("delete:songs")) + { + return StatusCode(401, "Not allowed"); + } + var songContext = new SongContext(_connectionString); var songMetaData = new Song{ SongID = id }; diff --git a/Controllers/v1/SongStreamController.cs b/Controllers/v1/SongStreamController.cs index 01a8c44..b273a08 100644 --- a/Controllers/v1/SongStreamController.cs +++ b/Controllers/v1/SongStreamController.cs @@ -20,12 +20,11 @@ namespace Icarus.Controllers.V1 { [Route("api/v1/song/stream")] [ApiController] - public class SongStreamController : ControllerBase + public class SongStreamController : BaseController { #region Fields private ILogger _logger; private string _connectionString; - private IConfiguration _config; #endregion @@ -43,39 +42,14 @@ namespace Icarus.Controllers.V1 #endregion - private string ParseBearerTokenFromHeader() - { - var token = string.Empty; - const string tokenType = "Bearer"; - - var req = Request; - var auth = req.Headers.Authorization; - var val = auth.ToString(); - - if (val.Contains(tokenType) && val.Split(" ").Count() > 1) - { - var split = val.Split(" "); - token = split[1]; - } - - - return token; - } - #region HTTP endpoints [HttpGet("{id}")] - // [Authorize("stream:songs")] public async Task Get(int id) { - var token = ParseBearerTokenFromHeader(); - var tokMgr = new TokenManager(_config); - - /** - if (!tokMgr.IsTokenValid("stream:songs", token)) + if (!IsTokenValid("stream:songs")) { return StatusCode(401, "Not allowed"); } - */ var context = new SongContext(_config.GetConnectionString("DefaultConnection"));