[Web API]以Attribute加上Header驗證

[Web API]以Attribute加上Header驗證

建立新FilterAttribute繼承AuthorizationFilterAttribute,覆寫OnAuthorization攔截傳入的HttpActionContext內容判斷是否有傳入指定的資料

public override void OnAuthorization(HttpActionContext filterContext)
{
    var identity = FetchAuthHeader(filterContext); //取得資料內容
    if (identity == null)
    {
        ChallengeAuthRequest(filterContext); //回傳錯誤訊息
        return;
    }
    var genericPrincipal = new GenericPrincipal(identity, null);
    //針對目前連線的使用者做授權 
    Thread.CurrentPrincipal = genericPrincipal;
    if (!OnAuthorizeUser(identity.Name, identity.Password, filterContext)) //驗證
    {
        ChallengeAuthRequest(filterContext);
        return;
    }
    base.OnAuthorization(filterContext);
}

解析HttpActionContext內容取得指定的資料

 protected virtual BasicAuthenticationIdentity FetchAuthHeader(HttpActionContext filterContext)
{
    string customer = "";
    string pwd = "";
    IEnumerable<string> authRequest = filterContext.Request.Headers.GetValues("指定的資料名稱");
    IEnumerable<string> authRequest2 = filterContext.Request.Headers.GetValues("指定的資料名稱2");
    try
    {
        customer = authRequest.FirstOrDefault();
        pwd = authRequest2.FirstOrDefault();
    }
    catch { }
    return new BasicAuthenticationIdentity(customer, pwd);
}

驗證解析出來的資料是否符合需求

protected override bool OnAuthorizeUser(string username, string password, HttpActionContext actionContext)
{
    if (username == "驗證資料" && password == "驗證碼")
        return true;
    return false;
}

建立驗證失敗時要回傳的訊息

private static void ChallengeAuthRequest(HttpActionContext filterContext)
{
    var dnsHost = filterContext.Request.RequestUri.DnsSafeHost;
    filterContext.Response = filterContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
    filterContext.Response.Headers.Add("WWW-Authenticate", string.Format("validate failed", dnsHost));
}

於WebApiConfig.cs中註冊新增的Filter

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        GlobalConfiguration.Configuration.Filters.Add(new WebApi.Filters.ApiAuthenticationFilter());
    }
}

最後在需要驗證的API加上該Filter即可

[WebApi.Filters.ApiAuthenticationFilter]
public object QueryApi(string pInput)
{ 
    return null; 
}