From 74cb595128c4abb599e41f8c76359a17644ac92f Mon Sep 17 00:00:00 2001
From: Developer 02
Date: Tue, 16 Apr 2024 13:52:09 +0200
Subject: [PATCH] =?UTF-8?q?Autorisierungspr=C3=BCfung=20zu=20Envelope=20un?= =?UTF-8?q?d=20Document=20Controllern=20hinzuf=C3=BCgen?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Implementiere eine Signaturverifizierung in den EnvelopeController.Update (api/envelope/{envelopeKey}) und DocumentController.Open (api/document/{envelopeKey}) Methoden, die beide mit dem HTTPPost-Attribut gekennzeichnet sind. Diese Prüfung stellt sicher, dass nur der authentifizierte Empfänger mit einer übereinstimmenden Signatur Zugriff auf die spezifizierten Ressourcen hat oder diese ändern kann. Dies erhöht die Sicherheit, indem unautorisierten Zugriff verhindert wird.
---
 .../Controllers/ControllerBaseExtensions.cs | 22 +++++++++++++++++++
 .../Controllers/DocumentController.cs | 6 +++++
 .../Controllers/EnvelopeController.cs | 6 +++++
 3 files changed, 34 insertions(+)

diff --git a/EnvelopeGenerator.Web/Controllers/ControllerBaseExtensions.cs b/EnvelopeGenerator.Web/Controllers/ControllerBaseExtensions.cs
index 3729af00..6616b3fa 100644
--- a/EnvelopeGenerator.Web/Controllers/ControllerBaseExtensions.cs
+++ b/EnvelopeGenerator.Web/Controllers/ControllerBaseExtensions.cs
@@ -16,5 +16,27 @@ namespace EnvelopeGenerator.Web.Controllers
             }
             return null;
         }
+
+        public static string? GetAuthenticatedEnvelopeUuid(this ControllerBase controller)
+        {
+            if (controller?.User?.Identity?.IsAuthenticated ?? false)
+            {
+                var envelopeUuid = controller.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
+                if (!string.IsNullOrEmpty(envelopeUuid))
+                    return envelopeUuid;
+            }
+            return null;
+        }
+
+        public static string? GetAuthenticatedReceiverSignature(this ControllerBase controller)
+        {
+            if (controller?.User?.Identity?.IsAuthenticated ?? false)
+            {
+                var receiverSignature = controller.User.FindFirst(ClaimTypes.Hash)?.Value;
+                if (!string.IsNullOrEmpty(receiverSignature))
+                    return receiverSignature;
+            }
+            return null;
+        }
     }
 }
diff --git a/EnvelopeGenerator.Web/Controllers/DocumentController.cs b/EnvelopeGenerator.Web/Controllers/DocumentController.cs
index cd23da89..6da7f1c9 100644
--- a/EnvelopeGenerator.Web/Controllers/DocumentController.cs
+++ b/EnvelopeGenerator.Web/Controllers/DocumentController.cs
@@ -3,6 +3,7 @@ using EnvelopeGenerator.Common;
 using EnvelopeGenerator.Web.Services;
 using EnvelopeGenerator.Application.Contracts;
 using Microsoft.AspNetCore.Authorization;
+using EnvelopeGenerator.Application.Services;
 
 namespace EnvelopeGenerator.Web.Controllers
 {
@@ -52,6 +53,11 @@ namespace EnvelopeGenerator.Web.Controllers
         {
             try
             {
+                var authSignature = this.GetAuthenticatedReceiverSignature();
+
+                if (authSignature != envelopeKey.GetReceiverSignature())
+                    return Forbid();
+
                 // Validate Envelope Key and load envelope
                 envelopeService.EnsureValidEnvelopeKey(envelopeKey);
                 EnvelopeResponse response = await envelopeService.LoadEnvelope(envelopeKey);
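Review bot: GetAuthenticatedEnvelopeUuid and GetAuthenticatedReceiverSignature return null for two different reasons — no authenticated principal, or an authenticated principal without the NameIdentifier/Hash claim — and nothing in the hunk documents that callers must treat null as "deny", which matters because the callers added in this same commit compare the result with `!=` against another nullable string. Add an XML summary on each, e.g. `/// <summary>Receiver signature carried in the principal's ClaimTypes.Hash claim, or null when the request is unauthenticated or the claim is missing/empty; callers must reject null rather than compare it.</summary>`, plus a line noting that ClaimTypes.Hash is being reused as the signature carrier (a non-obvious choice; presumably set wherever the receiver token is issued, which is not in this diff). The two bodies are the same method twice modulo the claim type; a private helper keeps the IsAuthenticated guard and the empty-value handling in one place so the two cannot drift.
```csharp
/// <summary>Value of <paramref name="claimType"/> on the current principal, or null when the request is unauthenticated or the claim is absent/empty.</summary>
private static string? GetAuthenticatedClaim(this ControllerBase controller, string claimType)
{
    if (!(controller?.User?.Identity?.IsAuthenticated ?? false))
        return null;
    var value = controller.User.FindFirst(claimType)?.Value;
    return string.IsNullOrEmpty(value) ? null : value;
}

public static string? GetAuthenticatedEnvelopeUuid(this ControllerBase controller)
    => controller.GetAuthenticatedClaim(ClaimTypes.NameIdentifier);

public static string? GetAuthenticatedReceiverSignature(this ControllerBase controller)
    => controller.GetAuthenticatedClaim(ClaimTypes.Hash);
```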
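Review bot: The guard on the new side of DocumentController.Open lets a request through when both sides are null: GetAuthenticatedReceiverSignature returns null for an unauthenticated principal or a missing ClaimTypes.Hash claim, and if envelopeKey.GetReceiverSignature() also returns null (that extension is not in the hunk, so whether it can for a malformed key is unknown), `null != null` is false and Open proceeds to LoadEnvelope. Reject the missing claim explicitly: `if (string.IsNullOrEmpty(authSignature) || authSignature != envelopeKey.GetReceiverSignature())` followed by `return Forbid();`. Note that the comparison runs on the raw key before `envelopeService.EnsureValidEnvelopeKey(envelopeKey)`, so a malformed key is handled by whatever GetReceiverSignature() does with it and by the catch block outside the hunk rather than by the validation path; if that ordering is intended (deny before revealing key validity), a one-line comment saying so would help the next reader. The commit also adds GetAuthenticatedEnvelopeUuid but does not use it here — if a receiver signature is not unique per envelope, the check should additionally compare the key's envelope UUID with the NameIdentifier claim. Open's body starts and ends outside the hunk.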
@@ -1,5 +1,6 @@
 using EnvelopeGenerator.Application.Contracts;
+using EnvelopeGenerator.Application.Services;
 using EnvelopeGenerator.Common;
 using EnvelopeGenerator.Web.Services;
 using Microsoft.AspNetCore.Authorization;
@@ -51,6 +52,11 @@ namespace EnvelopeGenerator.Web.Controllers
         {
             try
             {
+                var authSignature = this.GetAuthenticatedReceiverSignature();
+
+                if (authSignature != envelopeKey.GetReceiverSignature())
+                    return Forbid();
+
                 // Validate Envelope Key and load envelope
                 envelopeService.EnsureValidEnvelopeKey(envelopeKey);
                 EnvelopeResponse response = await envelopeService.LoadEnvelope(envelopeKey);
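Review bot: In EnvelopeController.Update the new guard passes whenever GetAuthenticatedReceiverSignature() and envelopeKey.GetReceiverSignature() are both null, because `null != null` evaluates to false — and this is the mutating endpoint, so a principal without the ClaimTypes.Hash claim reaches LoadEnvelope and the update logic below the hunk; an `[Authorize]` on the controller (not visible here, though Microsoft.AspNetCore.Authorization is imported) would not close this, since an authenticated principal lacking that claim still yields null. Tighten it to `if (string.IsNullOrEmpty(authSignature) || authSignature != envelopeKey.GetReceiverSignature()) return Forbid();`. Because the same five lines now live in two controllers, consider a single extension on ControllerBase, e.g. `bool IsAuthenticatedReceiverOf(this ControllerBase c, string envelopeKey)`, so the null handling and the comparison cannot diverge between Open and Update. Update's body starts and ends outside the hunk.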