Merge pull request #231 from dotnetcore/bugfix/fix-230

Fixbug #230

Author: kklldog

src/AgileConfig.Server.Apisite/AgileConfig.Server.Apisite.csproj

@@ -3,11 +3,11 @@
 	<PropertyGroup>
 		<TargetFramework>net10.0</TargetFramework>
 		<AspNetCoreHostingModel>InProcess</AspNetCoreHostingModel>
-		<AssemblyVersion>1.11.2</AssemblyVersion>
-		<Version>1.11.2</Version>
-		<PackageVersion>1.11.2</PackageVersion>
+		<AssemblyVersion>1.11.3</AssemblyVersion>
+		<Version>1.11.3</Version>
+		<PackageVersion>1.11.3</PackageVersion>
 		<DockerDefaultTargetOS>Linux</DockerDefaultTargetOS>
-		<FileVersion>1.11.2</FileVersion>
+		<FileVersion>1.11.3</FileVersion>
 		<Authors>kklldog</Authors>
 		<Company>kklldog</Company>
 	</PropertyGroup>

src/AgileConfig.Server.Apisite/Controllers/api/ConfigController.cs

@@ -1,17 +1,18 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Threading.Tasks;
-using AgileConfig.Server.Apisite.Controllers.api.Models;
+using AgileConfig.Server.Apisite.Controllers.api.Models;
 using AgileConfig.Server.Apisite.Filters;
 using AgileConfig.Server.Apisite.Metrics;
 using AgileConfig.Server.Apisite.Models;
 using AgileConfig.Server.Apisite.Models.Mapping;
+using AgileConfig.Server.Common;
 using AgileConfig.Server.Data.Entity;
 using AgileConfig.Server.IService;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Caching.Memory;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
 
 // For more information on enabling Web API for empty projects, visit https://go.microsoft.com/fwlink/?LinkID=397860
 
@@ -54,6 +55,14 @@ public async Task<ActionResult<List<ApiConfigVM>>> GetAppConfig(string appId, [F
     {
         ArgumentException.ThrowIfNullOrEmpty(appId);
 
+        var idInHeader = Encrypt.UnboxBasicAuth(HttpContext.Request).Item1;
+
+        if (appId != idInHeader)
+        {
+            await Response.WriteAsync("The AppId does not match the ID in Basic Authentication.");
+            return BadRequest();
+        }
+
         var app = await _appService.GetAsync(appId);
         if (!app.Enabled) return NotFound();
 

src/AgileConfig.Server.Common/Encrypt.cs

@@ -1,7 +1,9 @@
 using System;
+using System.Linq;
 using System.Security.Cryptography;
 using System.Text;
 using System.Threading;
+using Microsoft.AspNetCore.Http;
 
 namespace AgileConfig.Server.Common;
 
@@ -15,4 +17,43 @@ public static string Md5(string txt)
         var hashBytes = Md5Instance.Value.ComputeHash(inputBytes);
         return Convert.ToHexString(hashBytes);
     }
+
+    public static (string, string) UnboxBasicAuth(HttpRequest httpRequest)
+    {
+        var authorization = httpRequest.Headers["Authorization"];
+        if (string.IsNullOrEmpty(authorization)) return ("", "");
+        var authStr = authorization.First();
+        // Remove the "Basic " prefix.
+        if (!authStr.StartsWith("Basic "))
+        {
+            return ("", "");
+            ;
+        }
+
+        authStr = authStr.Substring(6, authStr.Length - 6);
+        byte[] base64Decode = null;
+        try
+        {
+            base64Decode = Convert.FromBase64String(authStr);
+        }
+        catch
+        {
+            return ("", "");
+        }
+
+        var base64Str = Encoding.UTF8.GetString(base64Decode);
+
+        if (string.IsNullOrEmpty(base64Str)) return ("", "");
+
+        var appId = "";
+        var sec = "";
+
+
+        var baseAuthArr = base64Str.Split(':');
+
+        if (baseAuthArr.Length > 0) appId = baseAuthArr[0];
+        if (baseAuthArr.Length > 1) sec = baseAuthArr[1];
+
+        return (appId, sec);
+    }
 }

src/AgileConfig.Server.Service/AppBasicAuthService.cs

@@ -2,6 +2,7 @@
 using System.Linq;
 using System.Text;
 using System.Threading.Tasks;
+using AgileConfig.Server.Common;
 using AgileConfig.Server.IService;
 using Microsoft.AspNetCore.Http;
 
@@ -23,41 +24,7 @@ public AppBasicAuthService(IAppService appService)
     /// <returns>Tuple of Application ID and secret extracted from the header.</returns>
     public (string, string) GetAppIdSecret(HttpRequest httpRequest)
     {
-        var authorization = httpRequest.Headers["Authorization"];
-        if (string.IsNullOrEmpty(authorization)) return ("", "");
-        var authStr = authorization.First();
-        // Remove the "Basic " prefix.
-        if (!authStr.StartsWith("Basic "))
-        {
-            return ("", "");
-            ;
-        }
-
-        authStr = authStr.Substring(6, authStr.Length - 6);
-        byte[] base64Decode = null;
-        try
-        {
-            base64Decode = Convert.FromBase64String(authStr);
-        }
-        catch
-        {
-            return ("", "");
-        }
-
-        var base64Str = Encoding.UTF8.GetString(base64Decode);
-
-        if (string.IsNullOrEmpty(base64Str)) return ("", "");
-
-        var appId = "";
-        var sec = "";
-
-
-        var baseAuthArr = base64Str.Split(':');
-
-        if (baseAuthArr.Length > 0) appId = baseAuthArr[0];
-        if (baseAuthArr.Length > 1) sec = baseAuthArr[1];
-
-        return (appId, sec);
+        return Encrypt.UnboxBasicAuth(httpRequest);
     }
 
     public async Task<bool> ValidAsync(HttpRequest httpRequest)