Implementiere eine Signaturverifizierung in den Methoden EnvelopeController.Update (api/envelope/{envelopeKey}) und DocumentController.Open (api/document/{envelopeKey}), die beide mit dem [HttpPost]-Attribut gekennzeichnet sind. Diese Prüfung stellt sicher, dass nur der authentifizierte Empfänger, dessen Signatur mit der im envelopeKey enthaltenen Empfängersignatur übereinstimmt, auf die angegebenen Ressourcen zugreifen oder sie ändern kann; fehlt eine der beiden Signaturen oder weichen sie voneinander ab, wird die Anfrage mit 403 abgelehnt, bevor Daten geladen oder geschrieben werden. Dies erhöht die Sicherheit, indem unautorisierter Zugriff verhindert wird.
using EnvelopeGenerator.Application.Contracts;
using EnvelopeGenerator.Application.Services;
using EnvelopeGenerator.Common;
using EnvelopeGenerator.Web.Services;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
namespace EnvelopeGenerator.Web.Controllers
{
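[Authorize]
public class EnvelopeController : BaseController
{
    // Legacy envelope service: key validation, envelope loading, document lookup
    // and status persistence all go through it.
    private readonly EnvelopeOldService _envelopeOldService;

    // Resolved from DatabaseService and may be null; Update logs and skips the
    // signing step in that case instead of failing silently.
    private readonly ActionService? _actionService;

    // Injected but not referenced by any action in this file; kept so the DI
    // constructor signature stays unchanged.
    private readonly IEnvelopeService _envelopeService;

    public EnvelopeController(DatabaseService database, EnvelopeOldService envelope, ILogger<EnvelopeController> logger, IEnvelopeService envService) : base(database, logger)
    {
        _envelopeOldService = envelope;
        _actionService = database?.Services?.actionService;
        _envelopeService = envService;
    }

    /// <summary>
    /// Loads the envelope for <paramref name="envelopeKey"/> and returns it as JSON.
    /// The method carries <c>[NonAction]</c>, so it is not routable despite the
    /// <c>[HttpGet]</c> template; the receiver check is applied anyway so the method
    /// stays safe if it is ever re-enabled as an endpoint.
    /// </summary>
    /// <param name="envelopeKey">Envelope key from the route; carries the receiver signature.</param>
    /// <returns>
    /// 403 when the caller is not the receiver the key was issued to or has already
    /// signed; the envelope response as JSON otherwise; <c>ErrorResponse</c> on exception.
    /// </returns>
    [NonAction]
    [HttpGet("api/envelope/{envelopeKey}")]
    public async Task<IActionResult> Get([FromRoute] string envelopeKey)
    {
        try
        {
            if (!IsAuthenticatedReceiver(envelopeKey))
            {
                return Problem(statusCode: 403);
            }

            // Validate the key format before loading anything with it.
            _envelopeOldService.EnsureValidEnvelopeKey(envelopeKey);
            EnvelopeResponse response = await _envelopeOldService.LoadEnvelope(envelopeKey);

            if (_envelopeOldService.ReceiverAlreadySigned(response.Envelope, response.Receiver.Id) == true)
            {
                return Problem(statusCode: 403);
            }

            // The second placeholder is the receiver id; the original passed the
            // envelope id twice.
            _logger.LogInformation("Loaded envelope [{0}] for receiver [{1}]", response.Envelope.Id, response.Receiver.Id);
            return Json(response);
        }
        catch (Exception e)
        {
            return ErrorResponse(e);
        }
    }

    /// <summary>
    /// Records the receiver's signature (annotation data read from the request body)
    /// for document <paramref name="index"/> of the envelope and triggers envelope
    /// signing through the action service.
    /// </summary>
    /// <param name="envelopeKey">Envelope key from the route; carries the receiver signature.</param>
    /// <param name="index">Index of the document within the envelope.</param>
    /// <returns>
    /// 403 when the caller is not the receiver the key was issued to or has already
    /// signed; 200 with an empty object on success; <c>ErrorResponse</c> on exception.
    /// </returns>
    [HttpPost("api/envelope/{envelopeKey}")]
    public async Task<IActionResult> Update([FromRoute] string envelopeKey, int index)
    {
        try
        {
            // Authorization first: nothing is loaded, read or written for a caller
            // whose signature does not match the one the key was issued for. A
            // problem response is used rather than Forbid() so the 403 has the same
            // shape as the already-signed case below (Forbid() can turn into a
            // redirect under cookie authentication).
            if (!IsAuthenticatedReceiver(envelopeKey))
            {
                return Problem(statusCode: 403);
            }

            _envelopeOldService.EnsureValidEnvelopeKey(envelopeKey);
            EnvelopeResponse response = await _envelopeOldService.LoadEnvelope(envelopeKey);

            // A receiver signs once; a repeated post is rejected, not overwritten.
            if (_envelopeOldService.ReceiverAlreadySigned(response.Envelope, response.Receiver.Id) == true)
            {
                return Problem(statusCode: 403);
            }

            // Resolves the document for this index and key before any state is written;
            // the result itself is not used here. Presumably this is where an
            // out-of-range index is rejected — confirm in EnvelopeOldService.
            _ = _envelopeOldService.GetDocument(index, envelopeKey);

            string? annotationData = await _envelopeOldService.EnsureValidAnnotationData(Request);

            _envelopeOldService.InsertDocumentStatus(new DocumentStatus()
            {
                EnvelopeId = response.Envelope.Id,
                ReceiverId = response.Receiver.Id,
                Value = annotationData,
                Status = Common.Constants.DocumentStatus.Signed
            });

            if (_actionService is null)
            {
                // The status row is already persisted; make the skipped signing step
                // visible in the log instead of dropping it silently.
                _logger.LogWarning("ActionService unavailable; envelope [{0}] was not signed for receiver [{1}]", response.Envelope.Id, response.Receiver.Id);
            }
            else
            {
                _actionService.SignEnvelope(response.Envelope, response.Receiver);
            }

            return Ok(new object());
        }
        catch (Exception e)
        {
            return ErrorResponse(e);
        }
    }

    /// <summary>
    /// True when the receiver signature of the authenticated principal matches the
    /// receiver signature embedded in <paramref name="envelopeKey"/>.
    /// </summary>
    /// <param name="envelopeKey">Envelope key from the route.</param>
    /// <returns>False for a missing key, a missing signature on either side, or a mismatch.</returns>
    private bool IsAuthenticatedReceiver(string envelopeKey)
    {
        if (string.IsNullOrEmpty(envelopeKey))
        {
            return false;
        }

        // Both helpers are taken to return the signature as a string — confirm
        // against their definitions in Web.Services.
        string? authSignature = this.GetAuthenticatedReceiverSignature();
        string? keySignature = envelopeKey.GetReceiverSignature();

        // Fail closed: a missing or empty signature on either side is a mismatch. A
        // plain `!=` treats null == null (and "" == "") as a match, which would let a
        // principal without a receiver signature through on a key without one.
        if (string.IsNullOrEmpty(authSignature) || string.IsNullOrEmpty(keySignature))
        {
            return false;
        }

        // NOTE(review): if the signature is a secret token rather than a receiver
        // identifier, compare with CryptographicOperations.FixedTimeEquals over the
        // UTF-8 bytes instead — confirm what GetReceiverSignature actually yields.
        return string.Equals(authSignature, keySignature, StringComparison.Ordinal);
    }
}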
}