Merge pull request #69 from AppliedIS/require-https

require all authenticated activity to be over https
ais-open · Oct 21, 2016 · 9436f9d · 9436f9d
2 parents 9259a07 + cd91b42
commit 9436f9d
Show file tree

Hide file tree

Showing 6 changed files with 45 additions and 29 deletions.
diff --git a/DOL.WHD.Section14c.Api/App_Start/Startup.Auth.cs b/DOL.WHD.Section14c.Api/App_Start/Startup.Auth.cs
@@ -38,7 +38,7 @@ public void ConfigureAuth(IAppBuilder app)
                 Provider = new ApplicationOAuthProvider(PublicClientId),
                 AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(Convert.ToDouble(ConfigurationManager.AppSettings["AccessTokenExpireTimeSpanMinutes"])),
                 // In production mode set AllowInsecureHttp = false
-                AllowInsecureHttp = true
+                AllowInsecureHttp = false
             };
 
             app.Use(async (context, next) =>

diff --git a/DOL.WHD.Section14c.Api/Controllers/AccountController.cs b/DOL.WHD.Section14c.Api/Controllers/AccountController.cs
@@ -4,7 +4,7 @@
 using System.Net.Http;
 using System.Threading.Tasks;
 using System.Web.Http;
-using System.Web.Http.Cors;
+using DOL.WHD.Section14c.Api.Filters;
 using DOL.WHD.Section14c.Business;
 using DOL.WHD.Section14c.Business.Services;
 using DOL.WHD.Section14c.DataAccess.Identity;
@@ -17,7 +17,7 @@
 
 namespace DOL.WHD.Section14c.Api.Controllers
 {
-    [Authorize]
+    [AuthorizeHttps]
     [RoutePrefix("api/Account")]
     public class AccountController : ApiController
     {
@@ -33,7 +33,6 @@ public ApplicationUserManager UserManager
         }
 
         // GET api/Account/UserInfo
-        [HostAuthentication(DefaultAuthenticationTypes.ExternalBearer)]
         [Route("UserInfo")]
         public async Task<UserInfoViewModel> GetUserInfo()
         {
@@ -97,25 +96,6 @@ public async Task<IHttpActionResult> ChangePassword(ChangePasswordBindingModel m
             return Ok();
         }
 
-        // POST api/Account/SetPassword
-        [Route("SetPassword")]
-        public async Task<IHttpActionResult> SetPassword(SetPasswordBindingModel model)
-        {
-            if (!ModelState.IsValid)
-            {
-                return BadRequest(ModelState);
-            }
-
-            IdentityResult result = await UserManager.AddPasswordAsync(User.Identity.GetUserId(), model.NewPassword);
-
-            if (!result.Succeeded)
-            {
-                return GetErrorResult(result);
-            }
-
-            return Ok();
-        }
-
         // POST api/Account/RemoveLogin
         [Route("RemoveLogin")]
         public async Task<IHttpActionResult> RemoveLogin(RemoveLoginBindingModel model)

diff --git a/DOL.WHD.Section14c.Api/Controllers/AttachmentController.cs b/DOL.WHD.Section14c.Api/Controllers/AttachmentController.cs
@@ -7,14 +7,13 @@
 using System.Net.Http.Headers;
 using System.Threading.Tasks;
 using System.Web.Http;
-using System.Web.Http.Results;
+using DOL.WHD.Section14c.Api.Filters;
 using DOL.WHD.Section14c.Api.Providers;
 using DOL.WHD.Section14c.Business;
-using DOL.WHD.Section14c.Domain.Models.Submission;
 
 namespace DOL.WHD.Section14c.Api.Controllers
 {
-    [Authorize]
+    [AuthorizeHttps]
     [RoutePrefix("api/attachment")]
     public class AttachmentController : ApiController
     {

diff --git a/DOL.WHD.Section14c.Api/Controllers/SaveController.cs b/DOL.WHD.Section14c.Api/Controllers/SaveController.cs
@@ -1,16 +1,15 @@
 using System;
 using System.Net;
 using System.Net.Http;
-using System.Threading.Tasks;
 using System.Web.Http;
+using DOL.WHD.Section14c.Api.Filters;
 using DOL.WHD.Section14c.Business;
-using DOL.WHD.Section14c.Domain.ViewModels;
 using Microsoft.AspNet.Identity;
 using Newtonsoft.Json.Linq;
 
 namespace DOL.WHD.Section14c.Api.Controllers
 {
-    [Authorize]
+    [AuthorizeHttps]
     [RoutePrefix("api/save")]
     public class SaveController : ApiController
     {

diff --git a/DOL.WHD.Section14c.Api/DOL.WHD.Section14c.Api.csproj b/DOL.WHD.Section14c.Api/DOL.WHD.Section14c.Api.csproj
@@ -238,6 +238,7 @@
     <Compile Include="Controllers\AttachmentController.cs" />
     <Compile Include="Controllers\ResponseController.cs" />
     <Compile Include="Controllers\SaveController.cs" />
+    <Compile Include="Filters\AuthorizeHttps.cs" />
     <Compile Include="Global.asax.cs">
       <DependentUpon>Global.asax</DependentUpon>
     </Compile>

diff --git a/DOL.WHD.Section14c.Api/Filters/AuthorizeHttps.cs b/DOL.WHD.Section14c.Api/Filters/AuthorizeHttps.cs
@@ -0,0 +1,37 @@
+using System;
+using System.Linq;
+using System.Net.Http;
+using System.Web.Http;
+using System.Web.Http.Controllers;
+
+namespace DOL.WHD.Section14c.Api.Filters
+{
+    public class AuthorizeHttps : AuthorizeAttribute
+    {
+        public override void OnAuthorization(HttpActionContext actionContext)
+        {
+            if (SkipAuthorization(actionContext))
+                return;
+
+            if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
+            {
+                actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
+                {
+                    ReasonPhrase = "HTTPS Required"
+                };
+            }
+            else
+            {
+                base.OnAuthorization(actionContext);
+            }
+        }
+
+        // from AuthorizeAttribute
+        private static bool SkipAuthorization(HttpActionContext actionContext)
+        {
+            if (!actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any<AllowAnonymousAttribute>())
+                return actionContext.ControllerContext.ControllerDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any<AllowAnonymousAttribute>();
+            return true;
+        }
+    }
+}