
I am planning to use the code below for my web API security, but I am not sure that it is a safe and logical enough way. I don't want to use OWIN and AspNet.Identity because it's very complicated for me, I don't understand it completely, and I don't know how to customize DB tables, user roles etc. But my way is simple and very customizable for me.

This is the CustomAuthorizeAttribute:

using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web;
using System.Web.Http;
using System.Web.Http.Controllers;

public class CustomAuthorize : AuthorizeAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // Only requests whose Host header names the local development site are served.
        if (actionContext.Request.Headers.GetValues("Host").FirstOrDefault().Contains("localhost:15742"))
        {
            IEnumerable<string> access_token;
            if (actionContext.Request.Headers.TryGetValues("Authorization", out access_token))
            {
                // GetUserByToken is the author's own lookup and is not shown in the question.
                var user = GetUserByToken(access_token);
                if (user != null && !user.TokenIsExpired)
                {
                    // Valid token: let the request through; the token is echoed back in WWW-Authenticate.
                    HttpContext.Current.Response.AddHeader("WWW-Authenticate", "Custom " + access_token.FirstOrDefault());
                    return;
                }
                else
                {
                    // Unknown or expired token.
                    actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
                    HttpContext.Current.Response.AddHeader("WWW-Authenticate", "Custom");
                    return;
                }
            }
            else
            {
                // No Authorization header at all.
                actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            }
        }
        else
        {
            // Request did not arrive through the expected host.
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
        }
    }
}

And this is the front-end usage:

<script type="text/javascript">
    // Requires jQuery plus the jquery.cookie plugin for $.cookie().
    $(function () {
        var access_token = $.cookie('access_token');
        if (access_token == undefined) {
            // First visit: store a placeholder token and use it for this request as well.
            access_token = 'test-token';
            $.cookie('access_token', access_token);
        }

        $.ajax({
            url: '/api/account',
            // The server-side filter reads the token from the Authorization header,
            // so that is the header to send (the original sent a header named "access_token").
            headers: { Authorization: access_token },
            success: function (data) {
                document.write(data.name + " " + data.lastname);
            }
        });
    });
</script>

By the way, I am sorry for my English. I hope you understand my problem and I am waiting for your suggestions.

Hari Lubovac
  • Check my answer: http://stackoverflow.com/questions/40281050/jwt-authentication-for-asp-net-web-api/40284152#40284152 – cuongle Dec 05 '16 at 17:45
  • It scares me when people build something themselves due to lack of knowledge / incorrect assumptions and not wanting to invest time into learning a framework they depend on. Everything seems complicated at first sight. Dive in a bit and learn. Also, you do not *have* to use a db for token authentication. Please read this and try it out at least: https://offering.solutions/articles/asp-net/token-authentication-with-claims-and-asp-net-webapi/ – Peter Bons Dec 05 '16 at 19:00
  • The link is broken or the site is down. – Hari Lubovac Dec 05 '16 at 20:33
  • Hmm works here. You get a 404? – Peter Bons Dec 05 '16 at 21:02
  • This is what I want! OWIN and AspNet.Identity are so complex! I just want to add access_token into the header and check it in the backend, that is it, why so complex? – 12343954 Nov 27 '17 at 09:03

1 Answer

I would suggest you invest time into learning a proper way of doing these things. There is a reason libraries are used and that's to make sure you don't create something which is easy to hack. Security is paramount for such things.

I happen to have an extensive article on this subject and I hope it can help you understand a bit more about this subject. By all means, do your own research as well, find other resources, look into using Claims for example, but don't try to shortcut these things as you'll end up with something not secure at all.

Hopefully this helps: https://eidand.com/2015/03/28/authorization-system-with-owin-web-api-json-web-tokens/

Andrei Dragotoniu
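As an added example (not code from the question, the answer, or the linked article), here is the same "token in the Authorization header, looked up server-side" idea built on Web API 2's own IAuthenticationFilter hook, which needs neither OWIN nor ASP.NET Identity, and which, unlike the attribute in the question, keys on the standard Authorization scheme, sets a principal so the built-in [Authorize] and role checks work, and never copies the presented token into a response header. ITokenStore and TokenAuthenticationFilter are names assumed here, and the store is assumed to build its ClaimsIdentity with an authentication type so that IsAuthenticated is true.

```csharp
using System;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http.Filters;
using System.Web.Http.Results;

// Hypothetical lookup standing in for the question's GetUserByToken(): returns an
// identity (built as new ClaimsIdentity(claims, "Bearer")) for a valid, unexpired
// token, otherwise null. Assumed interface, not part of Web API.
public interface ITokenStore { ClaimsIdentity ResolveToken(string token); }

// Registered once: config.Filters.Add(new TokenAuthenticationFilter(store));
// endpoints then opt in with the framework's own [Authorize] attribute.
public sealed class TokenAuthenticationFilter : IAuthenticationFilter
{
    private readonly ITokenStore _store;
    public TokenAuthenticationFilter(ITokenStore store) { _store = store; }
    public bool AllowMultiple { get { return false; } }

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken ct)
    {
        // Expect "Authorization: Bearer <token>". No header means anonymous; whether
        // that is acceptable is decided by [Authorize], not by this filter.
        AuthenticationHeaderValue auth = context.Request.Headers.Authorization;
        if (auth == null) return Task.FromResult(0);
        ClaimsIdentity identity = null;
        if (string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase)
            && !string.IsNullOrWhiteSpace(auth.Parameter))
            identity = _store.ResolveToken(auth.Parameter);
        if (identity == null)
        {
            // Wrong scheme, unknown or expired token: 401 plus a challenge header.
            // The presented token is never echoed back in the response.
            context.ErrorResult = new UnauthorizedResult(
                new[] { new AuthenticationHeaderValue("Bearer") }, context.Request);
            return Task.FromResult(0);
        }
        // Setting the principal makes User.Identity and [Authorize(Roles = "...")]
        // work downstream without OWIN or ASP.NET Identity.
        context.Principal = new ClaimsPrincipal(identity);
        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken ct)
    {
        // No-op here; a fuller filter would wrap context.Result so that a 401 raised
        // later by [Authorize] also carries "WWW-Authenticate: Bearer".
        return Task.FromResult(0);
    }
}
```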