Add token protection middleware (#966)

* Creating middleware and options

* Adding extension method for middleware

* Configure middleware at startup

* Fixing async bits and token provider

* Using clean up and fixing policy name

Author: MisterJames

AllReadyApp/Web-App/AllReady/Security/Middleware/TokenProtectedResource.cs

@@ -0,0 +1,59 @@
+using AllReady.Models;
+using Microsoft.AspNet.Builder;
+using Microsoft.AspNet.Http;
+using Microsoft.AspNet.Identity;
+using System.Linq;
+using System.Threading.Tasks;
+
+namespace AllReady.Security.Middleware
+{
+    public static class TokenProtectedResourceExtensions
+    {
+        // extension method for easy wiring of middleware
+        public static IApplicationBuilder UseTokenProtection(
+            this IApplicationBuilder builder, TokenProtectedResourceOptions options)
+        {
+            return builder.UseMiddleware<TokenProtectedResource>(options);
+        }
+    }
+
+    public class TokenProtectedResource
+    {
+        private RequestDelegate _next;
+        private TokenProtectedResourceOptions _options;
+
+        public TokenProtectedResource(RequestDelegate next, TokenProtectedResourceOptions options)
+        {
+            _next = next;
+            _options = options;
+        }
+
+        public async Task Invoke(HttpContext httpContext, UserManager<ApplicationUser> manager)
+        {
+            if (httpContext.Request.Path.StartsWithSegments(_options.Path))
+            {
+                var headers = httpContext.Request.Headers;
+                if (!(headers.ContainsKey("ApiUser") && headers.ContainsKey("ApiToken")))
+                {
+                    await httpContext.Authentication.ChallengeAsync();
+                    return;
+                }
+
+                var apiUser = headers.FirstOrDefault(h => h.Key == "ApiUser").Value;
+                var token = headers.FirstOrDefault(h => h.Key == "ApiToken").Value;
+
+                var user = await manager.FindByNameAsync(apiUser).ConfigureAwait(false);
+                var authorized = await manager.VerifyUserTokenAsync(user, "Default", "api-request-injest", token).ConfigureAwait(false);
+
+                if (!authorized)
+                {
+                    await httpContext.Authentication.ChallengeAsync();
+                    return;
+                }
+            }
+
+            await _next(httpContext);
+        }
+
+    }
+}

AllReadyApp/Web-App/AllReady/Security/Middleware/TokenProtectedResourceOptions.cs

@@ -0,0 +1,10 @@
+using Microsoft.AspNet.Http;
+
+namespace AllReady.Security.Middleware
+{
+    public class TokenProtectedResourceOptions
+    {
+        public PathString Path { get; set; }
+        public string PolicyName { get; set; }
+    }
+}

AllReadyApp/Web-App/AllReady/Startup.cs

@@ -20,6 +20,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.PlatformAbstractions;
+using AllReady.Security.Middleware;
 
 namespace AllReady
 {
@@ -237,6 +238,13 @@ public async void Configure(IApplicationBuilder app,
             // Add cookie-based authentication to the request pipeline.
             app.UseIdentity();
 
+            // Add token-based protection to the request inject pipeline
+            app.UseTokenProtection(new TokenProtectedResourceOptions
+            {
+                Path = "api/request",
+                PolicyName = "api-request-injest"
+            });
+
             // Add authentication middleware to the request pipeline. You can configure options such as Id and Secret in the ConfigureServices method.
             // For more information see http://go.microsoft.com/fwlink/?LinkID=532715
             if (Configuration["Authentication:Facebook:AppId"] != null)