【问题标题】:Custom Authorization Attribute on Asp.Net WebApi(Asp.Net WebApi 上的自定义授权属性)
【发布时间】:2012-05-09 21:01:58
【问题描述】:

在 ASP.Net Web Api 中,当用户通过授权后,如何把值返回给调用方?我尝试在 Authorize 属性中重写 OnAuthorize,但该方法的返回类型是 void,因此无法返回任何值;还是说应该把我想要的值作为响应标头附加到响应中?

这是我想要实现的目标:

  1. 用户传递 api 密钥和共享密钥
  2. 当用户被授权时,自定义属性会返回用户的Id和Name
  3. 该 ID 将作为参数传递给 Rest 方法

【问题讨论】:

    标签: c# asp.net-web-api restful-authentication


    【解决方案1】:

    此代码示例可能会对您有所帮助。

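    /// <summary>
    /// Authenticates the request from the <c>email</c> and <c>authenticationToken</c>
    /// request headers and, on success, hands the identity and the loaded user record
    /// to the action (which is how the action gets the user's data without a return
    /// value from this void override).
    /// </summary>
    /// <remarks>
    /// Assigning <c>actionContext.Response</c> short-circuits the pipeline, so it is
    /// only assigned on failure. The original sample assigned an empty 200 OK on
    /// success as well, which meant the controller action never ran.
    /// </remarks>
    /// <param name="actionContext">Context of the action being authorized.</param>
    /// <exception cref="ArgumentNullException"><paramref name="actionContext"/> is null.</exception>
    public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        if (actionContext == null)
        {
            throw new ArgumentNullException("actionContext");
        }

        // HttpRequestHeaders.GetValues throws when the header is absent, so a null
        // check on its result never runs; TryGetValues is the non-throwing form.
        string email;
        if (!TryGetHeader(actionContext, "email", out email))
        {
            Reject(actionContext, HttpStatusCode.PreconditionFailed, null, "Please provide email address");
            return;
        }

        string authenticationToken;
        if (!TryGetHeader(actionContext, "authenticationToken", out authenticationToken))
        {
            Reject(actionContext, HttpStatusCode.PreconditionFailed, null, "Please provide authentication token");
            return;
        }

        IManageUsers manageUser = new ManageUsers();
        User user = manageUser.GetByEmail(email);

        // An unknown e-mail and a wrong token get the same response, so a caller
        // cannot tell registered addresses apart from the status code or message.
        string expectedToken = user == null
            ? null
            : manageUser.EncryptAuthenticationTokenAes(user.AuthorizationToken, user.Key, user.IV);
        if (user == null || !FixedTimeEquals(authenticationToken, expectedToken))
        {
            Reject(actionContext, HttpStatusCode.Forbidden, "NotAuthorized", "Invalid credentials");
            return;
        }

        // Account state is only disclosed after the token has been verified.
        if (user.AuthenticationStatus != AuthenticationStatus.Authenticated)
        {
            Reject(actionContext, HttpStatusCode.Forbidden, "NotAuthenticated", null);
            return;
        }

        // Success: expose the identity to the action instead of ending the request.
        var identity = new System.Security.Principal.GenericIdentity(email, "authenticationToken");
        var principal = new System.Security.Principal.GenericPrincipal(identity, new string[0]);
        System.Threading.Thread.CurrentPrincipal = principal;
        if (HttpContext.Current != null)
        {
            // Web-hosted only; null when self-hosted.
            HttpContext.Current.User = principal;
        }
        // NOTE(review): on Web API 2 the principal should also be placed on
        // actionContext.RequestContext.Principal — confirm the Web API version in use.

        // The loaded record travels with the request so the action can read the
        // user's properties without a second lookup, e.g.
        //   var current = (User)Request.Properties["AuthenticatedUser"];
        // ("AuthenticatedUser" is a key chosen for this sample.)
        actionContext.Request.Properties["AuthenticatedUser"] = user;

        // Apply any Roles/Users restriction declared on the attribute now that a
        // principal exists; calling it before authentication would have produced a
        // 401 that the code above then silently overwrote.
        base.OnAuthorization(actionContext);
    }

    // Reads a single request header; false when it is absent or blank.
    private static bool TryGetHeader(System.Web.Http.Controllers.HttpActionContext actionContext, string name, out string value)
    {
        value = null;
        System.Collections.Generic.IEnumerable<string> values;
        if (actionContext.Request.Headers.TryGetValues(name, out values))
        {
            value = values.FirstOrDefault();
        }
        return !string.IsNullOrEmpty(value);
    }

    // Builds the failure response on the HttpResponseMessage itself (not on
    // HttpContext.Current, which does not exist when self-hosted). Either header
    // is skipped when null. Client-supplied values are deliberately not echoed back.
    private static void Reject(System.Web.Http.Controllers.HttpActionContext actionContext, HttpStatusCode status, string authenticationStatus, string errorMessage)
    {
        var response = actionContext.Request.CreateResponse(status);
        if (authenticationStatus != null)
        {
            response.Headers.Add("AuthenticationStatus", authenticationStatus);
        }
        if (errorMessage != null)
        {
            response.Headers.Add("ErrorMessage", errorMessage);
        }
        actionContext.Response = response;
    }

    // Compares two tokens in time that does not depend on where they first differ,
    // so response timing does not reveal how much of a guessed token was correct.
    private static bool FixedTimeEquals(string actual, string expected)
    {
        if (actual == null || expected == null || actual.Length != expected.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < actual.Length; i++)
        {
            diff |= actual[i] ^ expected[i];
        }
        return diff == 0;
    }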
    

    【讨论】:
