0

I have created a POST API under UmbracoApiController.

    [HttpPost]
    [ActionName("SaveData")]       
    public HttpResponseMessage SaveData([FromBody]JObject data)
    {
      if (!authorized)
        {             
            return Request.CreateResponse(HttpStatusCode.Unauthorized, 
                      "Unauthorized access. Please check your credentials");
        }
    }

Instead of returning 401, it is going to the login page with 302 status.

I have created a custom attribute as well - 

 [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class BasicAuthorization : AuthorizationFilterAttribute
{
    private const string _authorizedToken = "Authorization";

    public override void OnAuthorization(HttpActionContext filterContext)
    {
        var authorizedToken = string.Empty;

        try
        {
            var headerToken = filterContext.Request.Headers.FirstOrDefault(x => x.Key == _authorizedToken);
            if (headerToken.Key != null)
            {
                authorizedToken = Convert.ToString(headerToken.Value.SingleOrDefault());
                if (!IsAuthorize(authorizedToken))
                {
                    var httpContext = HttpContext.Current;
                    var httpResponse = httpContext.Response;

                    filterContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized)
                    {
                        Content = new StringContent("Unauthorized access. Please check your credentials")
                    };

                    httpResponse.StatusCode = (int) HttpStatusCode.Unauthorized;
                    httpResponse.SuppressFormsAuthenticationRedirect = true;
                    return;
                }                    
            }
            else
            {
                filterContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden);
                return;
            }
        }
        catch (Exception)
        {
            filterContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden);
            return;
        }

        base.OnAuthorization(filterContext);
    }

    private static bool IsAuthorize(string authorizedToken)
    {
        return authorizedToken == ConfigurationManager.AppSettings["VideoIngestionKey"];
    }
}

But this also does not work. I am using Umbraco 7.6.13

Any help greatly appreciated.

Thanks

Harsheet
  • 728
  • 9
  • 23
  • Is the web server itself doing the redirect? I don't see an authorize attribute on the controller. Is it on the class level? – Crowcoder Aug 08 '18 at 00:45
  • Are you able to debug the API code? – Chetan Aug 08 '18 at 00:46
  • @Crowcoder It is a basic authorization with a key. If the key does not match, I want to return 401. But instead it returns 302 with login page redirect – Harsheet Aug 08 '18 at 01:34
  • @ChetanRanpariya Yes, I am using fiddler to test this – Harsheet Aug 08 '18 at 01:34
  • Fiddler is not useful for debugging. Did you put a break point in the code and run the code in debug mode and then make a request to the API? Did it hit the break point in the code, specially in `SaveData` method? – Chetan Aug 08 '18 at 01:38
  • @ChetanRanpariya Yes it does and in Fiddler I am able to see the response easily. The data is being saved properly as well. The only problem is with unauthorized access. – Harsheet Aug 08 '18 at 02:22

1 Answers1

1

Have something similar but used with Surface Controller not Web API controller.

Override HandleUnauthorizedRequest to implement custom response / override Umbraco & .NET defaults.

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // example redirects to a 'Forbidden' doctype/view with Reponse.StatusCode set in view; 
        filterContext.Result =
            new RedirectToUmbracoPageResult(
                UmbracoContext.Current.ContentCache.GetSingleByXPath("//forbidden"));
    }

It's odd that Forms authentication seems to be kicking in and redirecting you to login page for an API request. The AuthorizationFilterAttribute should return a Http 401 by default (so could deal with via web.config customErrors or httpErrors sections instead of code).

May want to review your web.config settings?

Gavin Faux
  • 481
  • 2
  • 8
  • 1
    Perhaps the link in the 1st comment on https://stackoverflow.com/questions/11087677/prevent-formsauthenticationmodule-of-intercepting-asp-net-web-api-responses is relevant to you? – Gavin Faux Aug 08 '18 at 15:22