I have an URL to generate jwt token for API calls. I want to create a web api action method with token autherizion. How can I validate the token inside the action method?
[Authorize]
[HttpPost]
[Route("api/customer")]
public String customer(APICustomer APICustomer1)
{
try
{
insert_Customer(APICustomer1.custid,APICustomer1.custname,APICustmer1.status);
}
catch (Exception ex)
{}
return APICustomer1.custid+": is Inserted";
}
Related
I am working on a web application in which we are using web-api and oAuth2.
I had stored my UserId in front-end but now for security reason I am storing my UserId in backend against the token generated from oAuth2.
So I have around 800 api's in my application all of them are POST api's and the data is passing in those api's like below
Type 1
[HttpPost]
[Authorize]
[ActionName("GetList")]
[Filters.AuthorizeLoginApi()]
public List<BusinessEntities.Admin.Users> GetList(Dictionary<string, string> Parameters)
{
try
{
if (Parameters != null)
{
BusinessLayer.IAdmin.IUsers a = (BusinessLayer.IAdmin.IUsers)DALFinder.GetInstance(typeof(BusinessLayer.IAdmin.IUsers));
return a.GetList(Convert.ToString(Parameters["LoginText"]), Convert.ToString(Parameters["Name"])
, Convert.ToString(Parameters["Email"]), Convert.ToInt32(Parameters["UserTypeId"]), Convert.ToString(Parameters["IsActive"])
, Convert.ToInt32(Parameters["UserId"])); /*(LoginText, Name, Email, UserTypeId, IsActive, UserId);*/
}
else
{
return new List<BusinessEntities.Admin.Users>();
}
}
catch (Exception ex)
{
Utils.Logger.Instance.LogException(ex);
return new List<BusinessEntities.Admin.Users>();
}
}
In the above code I have a Dictionary parameter in which I am storing my userId
Type 2
[HttpPost]
[Authorize]
[ActionName("Delete")]
[Filters.AuthorizeLoginApi()]
public SPResponse Delete(BusinessEntities.Admin.Users item)
{
SPResponse response = new SPResponse();
try
{
//item.ModifiedByUserId is my UserId
BusinessLayer.IAdmin.IUsers a = (BusinessLayer.IAdmin.IUsers)DALFinder.GetInstance(typeof(BusinessLayer.IAdmin.IUsers));
response = a.Delete(item);
}
catch (Exception ex)
{
response.ReturnMessage = ex.Message;
}
return response;
}
I am doing custom validation in each and every api calls like below
public class AuthorizeLoginApi : ActionFilterAttribute
{
public override void OnActionExecuting(HttpActionContext actionContext)
{
//Code to Get userId from database
//int UserId = data coming from db
//pass the above UserId Parameter into every apis as UserId/ModifiedByUserId
}
}
Now I want to Pass UserId/ModifiedByUserId from OnActionExecuting filter method into my respective API's
How can I achieve this
I would like to create a rest api that handle user messenger app credential (token,appsecret,verifToken) as parameters instead of define them as env variable.
So that more than one user (facebook app) can subscribe to my rest api throw messenger webhook .
Is that possible?
First, i tried with credential in app.prop and injected the Messenger4j client in Restcontroller constructor and it works like charm (webhook call, conversation...).
Now is it possible to do that for more than one facebook app to communicate with my rest api :
the logic will be:
first connect(accesToken,appSecret) to our backend and save app credential and get response with myBackendApiUrl and generate verifToken.
#RequestMapping(value = "/connect", method = RequestMethod.POST)
public ResponseEntity<String> connect(#RequestParam final String pageAccessToken,
#RequestParam final String appSecret,
) {
logger.debug(" connect ");
try {
logger.debug("********");
//Messenger messenger = Messenger.create(pageAccessToken, appSecret, verifyToken).;
String verifyToken= UUID.randomUUID().toString();
MessengerCredentials msgerCred = new MessengerCredentials(pageAccessToken,appSecret,verifyToken);
messengerCredentialRepo.save(msgerCred);
return ResponseEntity.ok("webhookurl: myurl"+ "verifToken:"+verifyToken);
} catch (Exception e) {
logger.warn("failed to connect", e.getMessage());
return ResponseEntity.status(HttpStatus.FORBIDDEN).body(e.getMessage());
}
}
After that the user should configure messenger app webhook with url and verif token recived in the response body method connect() to avonke the webhook handler and this is how it may be like
#RequestMapping(method = RequestMethod.GET)
public ResponseEntity<String> verifyWebhook(#RequestParam(MODE_REQUEST_PARAM_NAME) final String mode,
#RequestParam(CHALLENGE_REQUEST_PARAM_NAME) final String challenge,
#RequestParam(VERIFY_TOKEN_REQUEST_PARAM_NAME) final String verifyToken
) {
logger.debug("Received Webhook verification request - mode: {} | verifyToken: {} | challenge: {}", mode, verifyToken, challenge);
try {
logger.debug("********");
this.messenger.verifyWebhook(mode, verifyToken);
return ResponseEntity.ok(challenge);
} catch (MessengerVerificationException e) {
logger.warn("Webhook verification failed: {}", e.getMessage());
return ResponseEntity.status(HttpStatus.FORBIDDEN).body(e.getMessage());
}
}
Is that possible?!
and how can i deal with post handler to handel users events it my Messenger4j bean not instanciate yet.
I am new to Spring boot application development.
I need to add the basic auth headers to all the api requests in spring boot.
Can any one share the valid documentation of how I proceed
It depends on what kind of auth u require
for something like self auth token it would look something like
public String controllerFunction(#RequestHeader("Auth-header") String authToken){
if (authToken == null) {
log.error("Self token authentication failed");
throw new Exception(TOKEN_NOT_FOUND);
}
if (!"auth_password".equals(authToken)) {
log.error("Self token authentication failed");
throw new Exception(AUTH_FAILED);
}
log.info("Self token authentication successful");
}
If it's unique to individual users u will have to fetch the "auth_password" from your database for that particular user and validate it
To use it in globally you can build annotations like this
#Before("#annotation(tokenValidation)")
public void beforeAdvice(TokenValidation tokenValidation) {
String authToken = request.getHeader("Auth-header");
if (authToken == null) {
log.error("Self token authentication failed");
throw new Exception(TOKEN_NOT_FOUND);
}
if (!"auth_password".equals(authToken)) {
log.error("Self token authentication failed");
throw new Exception(AUTH_FAILED);
}
log.info("Self token authentication successful");
}
U might have to look up how to implement the annotations in spring boot but this is a basic concept.
and in the controllers, u just have to do
#tokenValidation
public String controllerFunction(String authToken){
//your code;
}
I was going to implement protective measures against CSRF attack (using Spring Security) on my already built application. However, I am facing the following issues while designing the approach:
Suppose I have two APIs with following endpoints:
/abc
/xyz
Scenario 1: Front End calls /abc along with csrf token. Server checks the csrf token and passes it if found correct. This is working fine.
Scenario 2: Front End calls /xyz along with csrf token. Server checks the csrf token and passes it if found correct. This again is working fine.
Scenario 3: The API /abc calls the API /xyz internally. However, API /xyz is expecting the CSRF token which only comes from front end and hence /xyz is failing due to no csrf token.
Scenario 4: We also have few third party apps (like payment gateway) that consumes our APIs. How will they pass CSRF token to our APIs?
Basically, I want to protect all our APIs from CSRF attack but I am finding it hard to pass the csrf token from BE to BE and from Payment Gateway to BE. Please help me in finalizing the approach that I should follow so that I can easily cover all these 4 scenarios and protect the application from any CSRF attack.
UPDATING QUESTION WITH CODE SAMPLES
#Configuration
#EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.requireCsrfProtectionMatcher(new RequestMatcher() {
#Override
public boolean matches(HttpServletRequest request) {
final HashSet<String> allowedMethods = new HashSet<String>(
Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));
boolean methodCheck = allowedMethods.contains(request.getMethod());
if(methodCheck) {
return false;
}
return true;
}
});
}
}
APIs
API 1:
#RestController
public class GetVersion {
#RequestMapping(path="/", method=RequestMethod.GET)
public String getVersion() {
return "This is a Get Call";
}
}
API 2:
#RestController
public class PostCall2 {
#RequestMapping(value="/{path}/postcall2",method=RequestMethod.POST)
public String postCall2(#PathVariable("path") String path) {
return "This is path: "+path;
}
}
API 3:
#RestController
public class PostCall1 {
#RequestMapping(path="/{path}/postcall1",method=RequestMethod.POST)
#ResponseBody
public String postCall1(#PathVariable("path") String path) {
System.out.println("Tring to call /postcall2 from /postcall1");
final String url = "http://localhost:8080/thisisxyz/postcall2";
RestTemplate restTemplate = new RestTemplate();
try {
String result = restTemplate.postForObject(url, "", String.class);
System.out.println("Result is: "+result);
System.out.println("Successfully called /postcall2 from /postcall1");
return "This is path: "+path;
}
catch(HTTPException e) {
e.printStackTrace();
return "Failed";
}
catch(Exception e) {
e.printStackTrace();
return "Failed";
}
}
}
API 1 and API 2 are working fine as they are being called directly. However, API 3 is trying to internally call API 2 and it is failing because it cannot provide CSRF Token to API 2. Please help.
I'm trying to implement IUserTokenProvider interface to register in Identity system and use further for authentication.
Why token authentication because i write Web Api server in Asp Net Core using Identity 3.
The obstacle is i don't know how to generate token. IUserTokenProvider has 2 method i need: 1. generates token 2. validates token.
what do i write inside them? what's algorithm?
public class UserTokenProvider : IUserTokenProvider<AppUser>
{
public Task<bool> CanGenerateTwoFactorTokenAsync(UserManager<AppUser> manager, AppUser user)
{
throw new NotImplementedException();
}
public Task<string> GenerateAsync(string purpose, UserManager<AppUser> manager, AppUser user)
{
/* here logic to generate token */
string result = "generated token";
return Task.FromResult(result);
}
public Task<bool> ValidateAsync(string purpose, string token, UserManager<AppUser> manager, AppUser user)
{
/* validating token */
if (token == "generated token")
return Task.FromResult(true);
else return Task.FromResult(false);
}
}
and in ConfigureServices method of StartUp class i register my provider:
services.AddIdentity<AppUser, IdentityRole>(options => {
options.User.RequireUniqueEmail = true;
})
.AddEntityFrameworkStores<UserDbContext>()
.AddTokenProvider<UserTokenProvider>("AuthToken")
.AddDefaultTokenProviders();
As explained in this other SO post, IUserTokenProvider has absolutely nothing to do with token authentication.
I'd recommend reading these other questions for more information about how you can issue your own access tokens in ASP.NET Core:
Simple JWT authentication in ASP.NET Core 1.0 Web API.
Web API Authentication in ASP.NET 5.
Configure the authorization server endpoint.