init

2024-03-13 00:33:46 +01:00 · 2024-03-13 00:33:46 +01:00 · e124a47765
commit e124a47765
19374 changed files with 9806149 additions and 0 deletions
--- a/KretaWeb/Security/ApiValidateAjaxAntiForgeryToken.cs
+++ b/KretaWeb/Security/ApiValidateAjaxAntiForgeryToken.cs
@ -0,0 +1,48 @@
+using System;
+using System.Linq;
+using System.Net.Http;
+using System.Web.Helpers;
+using System.Web.Http;
+using System.Web.Http.Controllers;
+
+namespace Kreta.Web.Security
+{
+    /// <summary>
+    /// Validálja az Ajax hívások esetén a tokent csak az Ajaxhelper.js által küldött ajax hívás tartalmazza a tokent
+    /// </summary>
+    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
+    public sealed class ApiValidateAjaxAntiForgeryToken : AuthorizeAttribute
+    {
+        protected override bool IsAuthorized(HttpActionContext actionContext)
+        {
+            var headerToken = actionContext
+                 .Request
+                 .Headers
+                 .GetValues("X-Request-Verification-Token")
+                 .FirstOrDefault();
+
+            var cookieToken = actionContext
+                .Request
+                .Headers
+                .GetCookies()
+                .Select(c => c[AntiForgeryConfig.CookieName])
+                .FirstOrDefault();
+
+            if (cookieToken == null || headerToken == null)
+            {
+                return false;
+            }
+
+            try
+            {
+                AntiForgery.Validate(cookieToken.Value, headerToken);
+            }
+            catch
+            {
+                return false;
+            }
+
+            return base.IsAuthorized(actionContext);
+        }
+    }
+}