@@ -60,55 +60,54 @@ namespace AyaNova.Api.Controllers
|
||||
|
||||
|
||||
|
||||
//Moved this functionality to authentication and expiry follows jwt token expiry
|
||||
// //LOOKAT: Centralize this code somewhere else, it's going to be needed for backup as well
|
||||
// //consider the 1 hour thing, is this legit depending on client?
|
||||
|
||||
// /// <summary>
|
||||
// /// Get download token
|
||||
// /// A download token is good for 1 hour from issue
|
||||
// /// </summary>
|
||||
// /// <returns>Current download token for user</returns>
|
||||
// [HttpGet("DownloadToken")]
|
||||
// public async Task<IActionResult> GetDownloadTokenAsync()
|
||||
// {
|
||||
// if (!serverState.IsOpen)
|
||||
// return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
|
||||
|
||||
//LOOKAT: Centralize this code somewhere else, it's going to be needed for backup as well
|
||||
//consider the 1 hour thing, is this legit depending on client?
|
||||
// long lUserId = UserIdFromContext.Id(HttpContext.Items);
|
||||
// var u = await ct.User.FirstOrDefaultAsync(a => a.Id == lUserId);
|
||||
// if (u == null)
|
||||
// return NotFound();
|
||||
// else
|
||||
// {
|
||||
|
||||
/// <summary>
|
||||
/// Get download token
|
||||
/// A download token is good for 1 hour from issue
|
||||
/// </summary>
|
||||
/// <returns>Current download token for user</returns>
|
||||
[HttpGet("DownloadToken")]
|
||||
public async Task<IActionResult> GetDownloadTokenAsync()
|
||||
{
|
||||
if (!serverState.IsOpen)
|
||||
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
|
||||
// //Generate a download token and store it with the user account
|
||||
// //users who are authenticated can get their token via download route
|
||||
// Guid g = Guid.NewGuid();
|
||||
// string dlkey = Convert.ToBase64String(g.ToByteArray());
|
||||
// dlkey = dlkey.Replace("=", "");
|
||||
// dlkey = dlkey.Replace("+", "");
|
||||
|
||||
long lUserId = UserIdFromContext.Id(HttpContext.Items);
|
||||
var u = await ct.User.FirstOrDefaultAsync(a => a.Id == lUserId);
|
||||
if (u == null)
|
||||
return NotFound();
|
||||
else
|
||||
{
|
||||
// //get expiry date for download token
|
||||
// var exp = new DateTimeOffset(DateTime.Now.AddHours(1).ToUniversalTime(), TimeSpan.Zero);
|
||||
|
||||
//Generate a download token and store it with the user account
|
||||
//users who are authenticated can get their token via download route
|
||||
Guid g = Guid.NewGuid();
|
||||
string dlkey = Convert.ToBase64String(g.ToByteArray());
|
||||
dlkey = dlkey.Replace("=", "");
|
||||
dlkey = dlkey.Replace("+", "");
|
||||
// u.DlKey = dlkey;
|
||||
// u.DlKeyExpire = exp.DateTime;
|
||||
// ct.User.Update(u);
|
||||
// try
|
||||
// {
|
||||
// await ct.SaveChangesAsync();//triggering concurrency exception here
|
||||
// }
|
||||
// catch (Microsoft.EntityFrameworkCore.DbUpdateConcurrencyException)
|
||||
// {
|
||||
// log.LogInformation("Auth retry dlkey");
|
||||
// };
|
||||
|
||||
//get expiry date for download token
|
||||
var exp = new DateTimeOffset(DateTime.Now.AddHours(1).ToUniversalTime(), TimeSpan.Zero);
|
||||
// return Ok(ApiOkResponse.Response(new { dlkey = u.DlKey, expires = u.DlKeyExpire }, true));
|
||||
// }
|
||||
|
||||
u.DlKey = dlkey;
|
||||
u.DlKeyExpire = exp.DateTime;
|
||||
ct.User.Update(u);
|
||||
try
|
||||
{
|
||||
await ct.SaveChangesAsync();//triggering concurrency exception here
|
||||
}
|
||||
catch (Microsoft.EntityFrameworkCore.DbUpdateConcurrencyException)
|
||||
{
|
||||
log.LogInformation("Auth retry dlkey");
|
||||
};
|
||||
|
||||
return Ok(ApiOkResponse.Response(new { dlkey = u.DlKey, expires = u.DlKeyExpire }, true));
|
||||
}
|
||||
|
||||
}
|
||||
// }
|
||||
|
||||
|
||||
|
||||
@@ -336,21 +335,25 @@ namespace AyaNova.Api.Controllers
|
||||
var dlkeyUser = await ct.User.SingleOrDefaultAsync(m => m.DlKey == dlkey);
|
||||
if (dlkeyUser == null)
|
||||
{
|
||||
return BadRequest(new ApiErrorResponse(ApiErrorCode.NOT_AUTHORIZED, "dlkey", "Download token not valid"));
|
||||
//don't want to leak information so just say not found
|
||||
//return BadRequest(new ApiErrorResponse(ApiErrorCode.NOT_AUTHORIZED, "dlkey", "Download token not valid"));
|
||||
return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
|
||||
}
|
||||
|
||||
//Make sure the token provided is for the current user
|
||||
long UserId = UserIdFromContext.Id(HttpContext.Items);
|
||||
if (UserId != dlkeyUser.Id)
|
||||
{
|
||||
return BadRequest(new ApiErrorResponse(ApiErrorCode.NOT_AUTHORIZED, "dlkey", "Download token not valid"));
|
||||
// return BadRequest(new ApiErrorResponse(ApiErrorCode.NOT_AUTHORIZED, "dlkey", "Download token not valid"));
|
||||
return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
|
||||
}
|
||||
|
||||
|
||||
var utcNow = new DateTimeOffset(DateTime.Now.ToUniversalTime(), TimeSpan.Zero);
|
||||
if (dlkeyUser.DlKeyExpire < utcNow.DateTime)
|
||||
{
|
||||
return BadRequest(new ApiErrorResponse(ApiErrorCode.NOT_AUTHORIZED, "dlkey", "Download token has expired"));
|
||||
// return BadRequest(new ApiErrorResponse(ApiErrorCode.NOT_AUTHORIZED, "dlkey", "Download token has expired"));
|
||||
return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
|
||||
}
|
||||
|
||||
//Ok, user has a valid download key and it's not expired yet so get the attachment record
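Review bot: The comment `//don't want to leak information so just say not found` no longer matches the code beneath it, which answers with `StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED))` rather than a 404; since the same 401 is now returned for an unknown token, a token owned by another user, and an expired token, rewrite it as `//don't want to leak why the token was rejected, so every failure is the same 401` and drop the three commented-out `return BadRequest(...)` lines rather than keeping them as history. The expiry check still takes its clock from `DateTime.Now.ToUniversalTime()`; `var utcNow = DateTime.UtcNow;` yields the same instant without the local-zone round trip and states the intent directly. One thing the hunk cannot show is the collation of the `DlKey` column: the lookup `m.DlKey == dlkey` is evaluated by the database, and if that column compares case-insensitively the Base64 token loses a large share of its entropy, so that is worth confirming against the schema. The enclosing action method starts and ends outside the hunk. In the earlier hunk, whichever side of `GetDownloadTokenAsync` is the one being kept, its `catch (Microsoft.EntityFrameworkCore.DbUpdateConcurrencyException)` only logs `Auth retry dlkey` and then falls through to `return Ok(...)` with a key that may never have been persisted, so that branch should either retry the save or return an error instead of a token the download route will not recognise.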
|
||||
|
||||