How to access HttpContext and Request in RequireAssersion?

0
votes

I'm trying to create a custom authorization policy. Let's say I want the URL to contain a token. For example:

https://example.com/customer/list?token=2nHxltsDOjThQJWufcGU1v36RdqYoBE9

I want to show the list of customer to the user, only if:

  1. URL has a token query string
  2. token is valid

I tried this:

services.AddAuthorization(options =>
{
    options.AddPolicy("IsPaydar", policy => policy.RequireAssertion(x => // stuck here))
});

But I don't see how can I access HttpContext or the Request object from inside the policy.RequireAssertion.

How can I implement this?

1
c#asp.net-coresecurity

1 Answers

1
votes

You can create a custom Authorization Handler, and in this handler get the token parameter from the Query string, and valid the joken. Refer the following steps:

  1. Create a JwtTokenRequirement class: here we can set the query string parameter key value. then in the handler method, we could according to it to find the token.

     //required using Microsoft.AspNetCore.Authorization;
 public class JwtTokenRequirement : IAuthorizationRequirement
 {
     public JwtTokenRequirement(string  tokenname)
     {
         TokenName = tokenname;
     }

     public string TokenName { get; set; }
 }

  2. Create the JWTTokenHandler:

     //required using Microsoft.AspNetCore.Authorization;
 //required using Microsoft.AspNetCore.Http;
 public class JWTTokenHandler : AuthorizationHandler<JwtTokenRequirement>
 {
     IHttpContextAccessor _httpContextAccessor = null;

     public JWTTokenHandler(IHttpContextAccessor httpContextAccessor)
     {
         _httpContextAccessor = httpContextAccessor;
     }
     protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, JwtTokenRequirement requirement)
     {

         HttpContext httpContext = _httpContextAccessor.HttpContext; // Access context here

         var token =  httpContext.Request.Query[requirement.TokenName].ToString();  //get the jwtkoken

         if (!string.IsNullOrEmpty(token))
         {
             if (IsValidToken(token))
             {
                 context.Succeed(requirement);

             }

         }
         else
         {
             context.Fail();
         } 
         return Task.FromResult(0);
     }

     public bool IsValidToken(string authToken)
     {
         //validate Token here  
         return true;
     }
 }

  3. Add the following code to the ConfigureServices method:

         services.AddHttpContextAccessor();
     services.AddAuthorization(options =>
     {
         options.AddPolicy("jwtpolicy",
                           policy => policy.Requirements.Add(new JwtTokenRequirement("jwttoken"))); //configure the policy and set the parameter key value. in this sample the key is "jwttoken"
     });
     services.AddSingleton<IAuthorizationHandler, JWTTokenHandler>();

  4. Apply the Authorize attribute on the API action method:

     [Authorize(Policy = "jwtpolicy")]
 [HttpGet("{id}")] 
 public string Get(int id)
 {
     return "value";
 }

Then the result is like this:

enter image description here