
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Web.Helpers;
using System.Web.Http;
using System.Web.Http.Controllers;
namespace Kreta.Web.Security
{
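/// <summary>
/// Authorization filter for Web API actions invoked via Ajax. The anti-forgery token is
/// expected in the <c>X-Request-Verification-Token</c> request header (the Ajax helper
/// script that issues these calls is the one that attaches it) and is validated against
/// the anti-forgery cookie named by <see cref="AntiForgeryConfig.CookieName"/>.
/// A request that lacks either half of the pair, or whose pair fails
/// <see cref="AntiForgery.Validate(string, string)"/>, is rejected before the ordinary
/// <see cref="AuthorizeAttribute"/> user/role checks run.
/// </summary>
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public sealed class ApiValidateAjaxAntiForgeryToken : AuthorizeAttribute
{
    /// <summary>Name of the request header that carries the anti-forgery token.</summary>
    private const string TokenHeaderName = "X-Request-Verification-Token";

    /// <summary>
    /// Validates the header/cookie anti-forgery pair, then defers to the base
    /// authorization check.
    /// </summary>
    /// <param name="actionContext">Context of the action being invoked.</param>
    /// <returns>
    /// <c>true</c> only if the token pair validates and the base
    /// <see cref="AuthorizeAttribute.IsAuthorized"/> accepts the caller; <c>false</c>
    /// otherwise (the base class turns that into an unauthorized response).
    /// </returns>
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        var headers = actionContext.Request.Headers;

        // HttpHeaders.GetValues throws InvalidOperationException when the header is
        // absent, so the original null check was unreachable and a request without the
        // header produced a server error instead of a clean rejection. TryGetValues
        // turns "no header" into an ordinary fail-closed result.
        string headerToken = null;
        IEnumerable<string> headerValues;
        if (headers.TryGetValues(TokenHeaderName, out headerValues))
        {
            headerToken = headerValues.FirstOrDefault();
        }

        // A request may carry more than one Cookie header; look for the anti-forgery
        // cookie in any of them rather than only in the first one.
        var cookieToken = headers
            .GetCookies()
            .Select(cookieHeader => cookieHeader[AntiForgeryConfig.CookieName])
            .FirstOrDefault(state => state != null);

        if (string.IsNullOrEmpty(headerToken) || cookieToken == null)
        {
            return false;
        }

        try
        {
            // Verifies that the cookie token and the header token form a matching pair
            // issued for the current identity. NOTE(review): this overload reads
            // HttpContext.Current, so it assumes System.Web (IIS) hosting.
            AntiForgery.Validate(cookieToken.Value, headerToken);
        }
        catch (HttpAntiForgeryException)
        {
            // Only genuine token-validation failures (missing, tampered, expired or
            // mismatched tokens) are treated as "not authorized". Any other exception
            // signals a hosting/configuration bug and is left to propagate rather than
            // being silently masked as a 401.
            return false;
        }

        return base.IsAuthorized(actionContext);
    }
}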
}