asp.net-web-api2 asp.net-identity-2 iprincipal

Get AuthorizeAttribute to work with roles with start and expiration date in Web API 2 application?


I need to modify user roles in my web api 2 project using Identity 2 by adding additional properties: DateTime StartDate and DateTime EndDate. This is required to be able to grant users roles for a limited period of time.

What do I need to do to get the Authorize attribute such as [Authorize(Roles="poweruser")] etc. to understand the role dates?

According to the source (https://github.com/ASP-NET-MVC/aspnetwebstack/blob/master/src/System.Web.Http/AuthorizeAttribute.cs), this filter ultimately calls IPrincipal.IsInRole:

protected virtual bool IsAuthorized(HttpActionContext actionContext)
{
    ... 

    if (_rolesSplit.Length > 0 && !_rolesSplit.Any(user.IsInRole))
    {
        return false;
    }

    return true;
}

Looks like I need to subclass the implementation of IPrincipal in HttpActionContext.ControllerContext.RequestContext.Principal and somehow inject it somewhere in the life cycle instead of the default implementation.

How do I do this?


Solution

  • Just create a custom implementation of AuthorizeAttribute like UserAuthorize, and instead of using [Authorize(Roles="poweruser")] you will use [UserAuthorize(Roles="poweruser")]. Your UserAuthorize implementation could look like this:

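    using System.Web;
    using System.Web.Mvc;

    // Note: AuthorizeCore(HttpContextBase) is the override point of System.Web.Mvc.AuthorizeAttribute;
    // System.Web.Http.AuthorizeAttribute (Web API) exposes IsAuthorized(HttpActionContext) instead.
    public class UserAuthorizeAttribute : AuthorizeAttribute
    {
        /// <summary>
        /// Validate User Request for selected Feature
        /// </summary>
        /// <param name="httpContext">The HTTP context of the current request</param>
        /// <returns>true if the request is authorized; otherwise false</returns>
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            var isAuthorized = base.AuthorizeCore(httpContext);
            if (!isAuthorized)
            {
                return false; // User is not even logged in
            }
            // Your custom logic here (return false when the custom check fails)
            return true;
        }
    }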
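As an added example (not part of the original answer), the same idea written against the Web API 2 attribute from the question, which overrides IsAuthorized(HttpActionContext), with the StartDate/EndDate window checked on every request. RoleGrant, IRoleGrantStore and TimedAuthorizeAttribute are hypothetical names; the sketch assumes grant dates are stored in UTC and that the store is registered with the Web API dependency resolver.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using Microsoft.AspNet.Identity;

// Hypothetical model: one row per role grant, with the validity window from the question.
public class RoleGrant
{
    public string RoleName { get; set; }
    public DateTime StartDate { get; set; }   // assumed to be stored as UTC
    public DateTime EndDate { get; set; }     // assumed to be stored as UTC
}

// Hypothetical lookup, assumed to be registered with the Web API dependency resolver.
public interface IRoleGrantStore
{
    IEnumerable<RoleGrant> GetGrants(string userId);
}

// Usage: [TimedAuthorize(Roles = "poweruser")]
public class TimedAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        // Base check: authenticated, and Users/Roles matched through IPrincipal.IsInRole.
        if (!base.IsAuthorized(actionContext)) return false;

        var wanted = (Roles ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(r => r.Trim()).Where(r => r.Length > 0).ToArray();
        if (wanted.Length == 0) return true;  // no role restriction on this action

        var store = actionContext.Request.GetDependencyScope()
            .GetService(typeof(IRoleGrantStore)) as IRoleGrantStore;
        var userId = actionContext.RequestContext.Principal.Identity.GetUserId();
        if (store == null || userId == null) return false;  // fail closed

        // Evaluate the window per request, so a grant that expires while a
        // token or cookie is still valid stops authorizing immediately.
        var now = DateTime.UtcNow;
        return store.GetGrants(userId).Any(g =>
            wanted.Contains(g.RoleName, StringComparer.OrdinalIgnoreCase)
            && g.StartDate <= now && now < g.EndDate);
    }
}
```

Because the role name usually also sits in the bearer token or cookie as a claim, the store lookup is what enforces the expiry; the claim alone stays valid until the token itself expires.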