Why isn't my overridden OnAuthorization returning the filterContext.Result that I set?

Here is the code for my base controller; the idea is that if the Authorization string is not in the HTTP headers we kick them out. I swear it was working properly and now suddenly it does not work. Strangely, when I debug it is actually stepping INTO the if statement, so it is indeed true that the HTTP header I am requesting is a NULL OR EMPTY string; HOWEVER, it is not exiting early and returning 403 Access Denied anymore... it was working fine and suddenly it is just ignoring the entire thing and eventually crashing later on in the app when I try to parse the Authorization string that WAS NOT ACTUALLY FOUND.

using System.Web.Mvc;

public class AuthController : Controller
{
    protected int AccountID;

    protected override void OnAuthorization(AuthorizationContext filterContext)
    {
        //if no authorization string is provided, access denied
        if (string.IsNullOrEmpty(filterContext.HttpContext.Request.Headers["Authorization"]))
        {
            filterContext.Result = Content("Access Denied", "text/plain");
            filterContext.HttpContext.Response.StatusCode = 403; //forbidden

            base.OnAuthorization(filterContext);
            //no return here: execution falls through to the code below
        }

        //otherwise grab the authorization string and validate it
        string authString = filterContext.HttpContext.Request.Headers["Authorization"];
        string urlPath = string.IsNullOrEmpty(filterContext.HttpContext.Request.Path) ? "" : filterContext.HttpContext.Request.Path;
        int getAccountID = 0;

        //if authorization fails...
        if (!AuthCore.Authorize(authString, urlPath, ref getAccountID))
        {
            filterContext.Result = Content("Access Denied", "text/plain");
            filterContext.HttpContext.Response.StatusCode = 403; //forbidden

            base.OnAuthorization(filterContext);
            //no return here either
        }

        //AccountID will never be zero at this point
        AccountID = getAccountID;

        //carry on with Controller Action, request is valid and AccountID is known
        base.OnAuthorization(filterContext);
    }
}

UPDATE: Just tried filterContext.Result = new HttpUnauthorizedResult(); instead, same results. The controller action continues and throws an error when trying to parse the header string that was not found.

UPDATE 2: Added "return;" after each of the base.OnAuthorization() calls besides the last one; now when it fails I get a 302 Moved from MVC followed by a 404, which it turns out is the app trying to redirect to a default login page URL that does not actually exist... Could this be good enough? Maybe, but I'd rather block it straight out rather than letting some wonky redirect happen as the way of blocking them; it doesn't feel secure to me.

MetaGuru asked Nov 21 '25 09:11
1 Answer

AH HA!

I was calling base.OnAuthorization() too many times; apparently it's not actually a permanent goodbye from the thread... not sure why I thought it was, now that I think about it. Here is the working code:

protected override void OnAuthorization(AuthorizationContext filterContext)
{
    int getAccountID = 0;

    //if no authorization string is provided, access denied
    if (string.IsNullOrEmpty(filterContext.HttpContext.Request.Headers["Authorization"]))
    {
        filterContext.Result = Content("Access Denied", "text/plain");
        filterContext.HttpContext.Response.StatusCode = 403; //forbidden
    }
    else
    {
        //otherwise grab the authorization string and validate it
        string authString = filterContext.HttpContext.Request.Headers["Authorization"];
        string urlPath = string.IsNullOrEmpty(filterContext.HttpContext.Request.Path) ? "" : filterContext.HttpContext.Request.Path;

        //if authorization fails...
        if (!AuthCore.Authorize(authString, urlPath, ref getAccountID))
        {
            filterContext.Result = Content("Access Denied", "text/plain");
            filterContext.HttpContext.Response.StatusCode = 403; //forbidden
        }
    }

    //AccountID stays 0 on the denied paths; those requests never reach the action
    AccountID = getAccountID;

    //single base call: if filterContext.Result was set above, MVC executes that result and skips the action;
    //otherwise the request is valid and AccountID is known
    base.OnAuthorization(filterContext);
}
MetaGuru answered Nov 23 '25 14:11
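The same check written as a reusable authorization filter, as an added example that is not the poster's code: each denied branch returns as soon as filterContext.Result is set, and the denial is a 403 via HttpStatusCodeResult rather than a 401, because a 401 is what Forms Authentication rewrites into the 302-to-login-page seen in update 2. AuthCore.Authorize is assumed to be the poster's own validator with the signature used in the question, and the HttpContext.Items key "AccountID" is an assumption of this example.

```csharp
using System.Web.Mvc;

// Added example, not the poster's code. Apply as [HeaderAuthorize] on a
// controller or action instead of overriding Controller.OnAuthorization.
public class HeaderAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        string authString = request.Headers["Authorization"];

        // No header at all: deny and stop. Nothing below may touch the missing value.
        if (string.IsNullOrEmpty(authString))
        {
            Deny(filterContext);
            return;
        }

        int accountId = 0;
        string urlPath = request.Path ?? string.Empty;

        // Header present but invalid (AuthCore.Authorize is the poster's validator; assumed).
        if (!AuthCore.Authorize(authString, urlPath, ref accountId))
        {
            Deny(filterContext);
            return;
        }

        // Hand the validated identity to the action via the per-request Items bag
        // instead of a mutable controller field (key name is an assumption).
        filterContext.HttpContext.Items["AccountID"] = accountId;
    }

    private static void Deny(AuthorizationContext filterContext)
    {
        // Setting Result makes the MVC invoker execute this result and skip the action.
        // A plain 403 is used on purpose: HttpUnauthorizedResult (401) is intercepted by
        // Forms Authentication and turned into a redirect to the login URL.
        filterContext.Result = new HttpStatusCodeResult(403, "Access Denied");
    }
}
```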


