I have written a WCF API. It runs (ran) just fine.
Now that I need to open it up to public access I tried to implement API Key verification following the example of Ron Jacobs and the accompanying video on endpoint.tv
This basically just uses a list of GUIDs stored in an xml file that represent the valid API keys. The authorization request key is passed via query string and validated in a custom ServiceAuthorizationManager like this:
protected override bool CheckAccessCore(OperationContext operationContext)
{
return IsValidAPIKey(operationContext);
}
public static bool IsValidAPIKey(OperationContext operationContext)
{
string key = TvinQuery.GetAPIKey(operationContext);
Guid apiKey;
// Convert the string into a Guid and validate it
if (Guid.TryParse(key, out apiKey) && TvinQuery.APIKeys.Contains(apiKey))
{
return true;
}
else
{
return false;
}
}
TvinQuery.APIKeysis a simple List<string> containing the valid guids from the xml file.
The solution compiles, but when I publish it on my server and try to access the service there, I get a FileNotFound exception for file or assembly "WCFWebHttp" or one of its dependencies.
The cause for this is very obviously this part in the service behavior node of web.config:
<serviceAuthorization serviceAuthorizationManagerType="WCFWebHttp.APIKeyAuthorization, WCFWebHttp" />
Unfortunately, neither a search through my assemblies nor through my file system nor an internet search nor a nuget package search came up with an assembly of that name.
Event viewer and enabled tracing did not reveal any further information either.
What is it? How can I solve this error? Is there anything wrong or missing with the example? It worked just fine in the video and that was a live presentation. :-?
As from this picture:
at https://blogs.msdn.microsoft.com/rjacobs/2010/06/14/how-to-do-api-key-verification-for-rest-services-in-net-4/
it looks like WCFWebHttp is an assembly implemented in the source code of the sample you've used (which I can't download right now to make sure because of server error).
Related
We have a library that is shared in .net between both Web and Windows (forms and console) applications. When used as a Web application, a couple of variables need to be read from cookies. Otherwise it needs to read the same variables from the Windows registry. I cannot seem to work out a good solution to doing this such that the same library compiles for all environments. Specifically, the web libraries for reading cookies would not be included in the Windows apps (and thus break the compile), let alone detecting one environment vs another. Does anyone have a solution to this?
If you host in IIS you can read Environment.GetEnvironmentVariables("APP_POOL_ID") and then act accordingly if the variable exists
Depending on architecture of your library, this information should be provided by the client code. I.e you provide some abstraction layer that will be up to client code to fill in.
I'll show a simple example of what I mean. In your library you have an interface like this:
public interface ISettingsProvider
{
public string GetSettingA();
public string GetSettingB();
}
And then your library code that needs access to settings will have to take a dependency on ISettingsProvider:
public class MyLibraryClient
{
private readonly ISettingsProvider settingsProvider;
public MyLibraryClient(ISettingsProvider settingsProvider)
{
this.settingsProvider = settingsProvider;
}
public void MyAwesomeMethod()
{
var settingA = settingsProvider.GetSettingA();
// do more stuff with your settings
}
}
Then your client code should implement ISettingsProvider:
public class WebSettingsProvider : ISettingsProvider
{
public string GetSettingA()
{
// go get the value from cookies
return Cookies["MyCookie1"];
}
public string GetSettingB()
{
// go get the value from cookies
return Cookies["MyCookie2"];
}
}
And very similar thing goes for settings stored in registry.
And when client code is accessing your library, they will have to instantite an instance of settings provider and give it to you.
This way your library does not know anything about web or Windows. You got to keep your code cleaner and it is all a lot more testable. And you don't have to take dependencies on System.Web and ultimately push that depdency on client code that does not work with web, i.e. Windows applications.
I know you have said you are limited in the amount of changes you can do. My answer to this is: you can't make an omlet without breaking eggs. This will be the most clean way to do what you want, everything else will have drawbacks.
In a Web-Environment you should have HttpContext.Current. If you are calling the same from the Console (or a WinForms-Application) this should be null instead of the Context.
To access this you need a reference to Sytem.Web. There should be no issue when you add this reference and access your backend from the Winforms-Application.
Example:
public bool ImInDaWeb() {
return System.Web.HttpContext.Current!=null;
}
Even in a web-application, HttpContext.Current can be null, but as you are needing this detection for reading/writing cookies you will have to detect this within a valid request already (and not on Application start for example).
I am trying to create a WebHookHandler for Webhooks send from WordPress WooCommerce in ASP.NET C#.
I started with creating a ASP.NET C# Azure API App WebApplication Project and adding the relevant references (Microsoft.AspNet.WebHooks.Common, Microsoft.AspNet.WebHooks.Receivers, Microsoft.AspNet.WebHooks.Receivers.WordPress). Added the WebHookConfig, WordPressWebHookHandler and registered the WebHookConfig in the GlobalAsax.
I then published the application as an Azure App Service.
My WordPressWebHookHandler is still the default of the examples and looks like this:
public class WordPressWebHookHandler : WebHookHandler
{
public override Task ExecuteAsync(string receiver, WebHookHandlerContext context)
{
// make sure we're only processing the intended type of hook
if("WordPress".Equals(receiver, System.StringComparison.CurrentCultureIgnoreCase))
{
// todo: replace this placeholder functionality with your own code
string action = context.Actions.First();
JObject incoming = context.GetDataOrDefault<JObject>();
}
return Task.FromResult(true);
}
}
When testing a User Creation WebHook in WooCommerce I can see the request in the log as below.
But unfortunately it is never received while debugging and I see below error.
I am thinking maybe I need a custom WebHook instead of the WordPress specific one as this is a WooCommerce Webhook. Or possibly it is handled wrong in the routing and ends up in another controller.
Any help is much appreciated.
Your WebHookReceiver is wrong
There is a mismatch of expecting HTML Form Data, when in fact it should be expecting JSON.
WordPressWebHookHandler is still the default
This is what is causing your error. If you look at the WordPressWebHookReceiver, the ReceiveAsync() method implementation, calls out to ReadAsFormDataAsync() method, which is not what you want, as your Content-Type is json. So, you want to be doing ReadAsJsonAsync().
Solution: Don't use the WordPressWebHookReceiver and switch it to another one that will call ReadAsJsonAsync().
Looking at the code
I am thinking maybe I need a custom WebHook instead of the WordPress specific one as this is a WooCommerce Webhook.
You had the right idea, so I dug up some of the code to explain exactly why this was happening.
The code block below is the ReceiveAsync() method that is overridden in the WordPressWebHookReceiver. You can see that it is calling the ReadAsFormDataAsync() which is not what you want...
public override async Task<HttpResponseMessage> ReceiveAsync(
string id, HttpRequestContext context, HttpRequestMessage request)
{
...
if (request.Method == HttpMethod.Post)
{
// here is what you don't want to be called
// you want ReadAsJsonAsync(), In short, USE A DIFFERENT RECEIVER.
NameValueCollection data = await ReadAsFormDataAsync(request);
...
}
else
{
return CreateBadMethodResponse(request);
}
}
A quick search through the repository for classes that call the ReadAsJsonAsync() method, shows that the following recievers implement it:
DynamicsCrmWebHookReceiver
ZendeskWebHookReceiver
AzureAlertWebHookReceiver
KuduWebHookReceiver
MyGetWebHookReceiver
VstsWebHookReceiver
BitbucketWebHookReceiver
CustomWebHookReceiver
DropboxWebHookReceiver
GitHubWebHookReceiver
PaypalWebHookReceiver
StripeWebHookReceiver
PusherWebHookReceiver
I assumed that the CustomWebHookReceiver would fit your requirements, so can grab the NuGet here. Otherwise you can implement your own, or derive it from this class, etc.
Configuring a WebHook Recevier
(Copied from the Microsoft Documentation)
Microsoft.AspNet.WebHooks.Receivers.Custom provides support for
receiving WebHooks generated by ASP.NET WebHooks
Out of the box you can find support for Dropbox, GitHub, MailChimp,
PayPal, Pusher, Salesforce, Slack, Stripe, Trello, and WordPress but
it is possible to support any number of other providers
Initializing a WebHook Receiver
WebHook Receivers are initialized by registering them, typically in
the WebApiConfig static class, for example:
public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
...
// Load receivers
config.InitializeReceiveGitHubWebHooks();
}
}
There is a problem with the data format that you send in your request. You must use format of HTML Form as your error message said.
Proper POST data format is described here: How are parameters sent in an HTTP POST request?
Don't forget to set Content-Length header and correct Content-Type if your library doesn't do it. Usually the content type is application/x-www-form-urlencoded.
I would like to make some additions to Svek's answer as I now got my Proof-of-concept completed and understand a bit more about the receivers.
His answer pointed me in the right direction, but needs a little addition.
WordpressWebHookReceiver
Can take in Wordpress Webhooks of type HttpPost. This does not work with Woocommerce as Woocommerce sends Json Webhook messages and will fail the HttpPost validation which is build into the WordpressWebHookReceiver class.
CustomWebHookReceiver
Can take in custom ASP.NET Webhooks. The custom ASP.NET webhooks have a specific partner for validation which includes but is not limited to the 'ms-signature'. Even adding the header will not suffice as the signature is also used in a different way from out of the box Woocommerce to encrypt the message. Basically coming to a point that you can't integrate Woocommerce with the CustomWebHookReceiver without changing the Webhook classes of Woocommerce.
GenericWebHookReceiver
This is the receiver you want, which accepts basically a generic set of Json data and will be able to use the "code" query parameter to verify the secret which you can add in the web.config of your asp.net api application. I used this receiver to finish the Proof-of-concept and got both the signature validation as well as the deciphering of the message working right of the bat.
My basic class which I will start to build into a real solution can be viewed below and changes the JObject into a dynamic object in the methods I call from the class. As you can see I have two methods currently added, one for the customer create and one for the order create to call the respective methods which do an insert into Dynamics 365 (former CRM).
public class GenericJsonWebHookHandler : WebHookHandler
{
public GenericJsonWebHookHandler()
{
this.Receiver = "genericjson";
}
public override Task ExecuteAsync(string generator, WebHookHandlerContext context)
{
var result = false;
try
{
// Get JSON from WebHook
var data = context.GetDataOrDefault<JObject>();
if(context.Id != "crcu" && context.Id != "cror")
return Task.FromResult(true);
if (context.Id == "crcu")
{
result = WoocommerceCRMIntegrations.Entities.Contact.CreateContactInCRM(data);
}
else if (context.Id == "cror")
{
result = WoocommerceCRMIntegrations.Entities.Order.CreateOrderInCRM(data);
}
}
catch (Exception ex)
{
result = false;
}
return Task.FromResult(result);
}
}
I am making an iPhone app where I am using .NET webservice.
Let's say below is the URL I have.
http://www.myweb.com/wser.asmx/listOfStudents?class=12
Here I was getting list of students with below fields in it.
Name
Roll Number
Class
Now client asked to make arabic version. So we update the query to below.
http://www.myweb.com/wser.asmx/listOfStudents?class=12&appLang=ar
^^^^^^^^^^^^
For testing we update webservice on another server & checked and all is working fine.
Now while uploading app on App store, I noticed if I update actual webservice current app won't work as appLang variable is missing in current app that is there on app store.
If I don't update webservice & apple go in testing, the app will crash as it will throw error of missing parameter appLang.
So what I was thinking is,
I will upload new webservice, BUT appLang will be arabic BY-DEFAULT.
Like if I execute url http://www.myweb.com/wser.asmx/listOfStudents?class=12 with updated webservice (appLang added in webservice but not in url), it will not throw error of parameter missing appLang?
Is there any way to make default parameter?
while using GET isn't that pretty in this case (POST could be more suitable), you could do this :
//by specifying a messageName, you can do overloading with webmethods
[WebMethod (MessageName = "listOfStudentsDefault")]
[ScriptMethod(UseHttpGet=true)]
public string listOfStudents(int class, string appLang)
{
// code here...
}
[WebMethod (MessageName = "listOfStudents")]
[ScriptMethod(UseHttpGet=true)]
public string listOfStudents(int class)
{
return listOfStudents(class, "ar");
}
I've looked at both URLRewriting and Redirecting and I'm mostly convinced it's not the way to go.
What I have is a web form that takes in a search string, and then outputs results as links to different PDF files that are hosted on a web share. These files are not local or apart of the web forms at all. When you click a link to a pdf you get the direct web link to the pdf, for example:
http://www.mywebsite.com/portfolios/employees/evaluations/test1.pdf
If a user gets that link and backspaces to:
http://www.mywebsite.com/portfolios/employees
They could potentially have access to all other records. The example is a little bad because I can't apply explicit permissions to the page at hand. So what I'd like to know if it's somehow possible to re-write
http://www.mywebsite.com/portfolios/employees/evaluations/test1.pdf
to something like
http://www.mywbesite.com/test1.pdf
and have it still be valid?
Add a generic handler to your website, lets call it FileRetriever.ashx. This will allow us to use some logic to make sure the user is authorized to access the file they're requesting. This assumes your users have logged into the site (else how will you know whether they are allowed to access the file or not?)
public void ProcessRequest(HttpContext context)
{
if(String.IsNullOrEmpty(context.Request.QueryString["file"]))
{
//return error status code telling them to provide a file
context.Response.End();
}
string requestedfile=context.Request.QueryString["file"];
if(!File.Exists(Server.MapPath(requestedfile)))
{
//write error status code telling them the file doesn't exist. Probably a 404 error.
context.Response.End();
}
if(HasAccess(context.User.Identity.Name, requestedfile))
{
//write the file to the response
context.Response.ContentType= "";//replace with MIME type of requested file
context.Response.WriteFile(context.Server.MapPath(requestedfile));
context.Response.End();
}
else
{
//return error status code telling them they're unauthorized
context.Response.End();
}
}
public static bool HasAccess(string username, string file)
{
//if user has access to the file, return true. Else return false. This might involve database lookups etc
}
The real magic is going to happen in the HasAccess function where you'll have to implement your checks to make sure they're authorized to access the file. All the other stuff is just handling common things like forgetting to specify the file or specifying an invalid file.
User then accesses a file by requesting this url: mysite.com/FileRetriever.ashx?file=path/to/document/document.pdf
You should never and i emphasize ever have sensitive files exposed to the web. Not knowing the url is not a security/authentication method. All the files you wish to protect should live outside of IIS/Web and need to be retrieved and served by your application. The application would control access to the files based on some level of authorization.
The reason for this as it has been seen in many large companies such as AT&T it takes one user to brute force all links on your site and obtain all your employee information just by trying different url combinations. Do not go down this road.
I want to replace an old ISAPI filter that ran on IIS6. This filter checks if the request is of a special kind, then manipulates the header and continues with the request. Two headers are added in the manipulating method that I need for calling another special ISAPI module.
So I have ISAPI C++ code like:
DWORD OnPreProc(HTTP_FILTER_CONTEXT *pfc, HTTP_FILTER_PREPROC_HEADERS *pHeaders)
{
if (ManipulateHeaderInSomeWay(pfc, pHeaders))
{
return SF_STATUS_REQ_NEXT_NOTIFICATION;
}
return SF_STATUS_REQ_FINISHED;
}
I now want to rewrite this ISAPI filter as a managed module for the IIS7. So I have something like this:
private void OnMapRequestHandler(HttpContext context)
{
ManipulateHeaderInSomeWay(context);
}
And now what? The request seems not to do what it should?
I already wrote an IIS7 native module that implements the same method. But this method has a return value with which I can tell what to do next:
REQUEST_NOTIFICATION_STATUS CMyModule::OnMapRequestHandler(IN IHttpContext *pHttpContext, OUT IMapHandlerProvider *pProvider)
{
if (DoSomething(pHttpContext))
{
return RQ_NOTIFICATION_CONTINUE;
}
return RQ_NOTIFICATION_FINISH_REQUEST;
}
So is there a way to send my manipulated context again?
I finally found it. As I stated in the comments I add two headers to the request that are needed by my DLL that finally handles the request. The url header contains the path to the DLL. So I have to do a redirect to that DLL.
This is done with the following code:
private void OnMapRequestHandler(HttpContext context)
{
ManipulateHeaderInSomeWay(context);
string url = context.Request.Header["url"]; // path of the DLL
// now this is the important call!
context.Server.TransferRequest(url, true);
}