diff --git a/src/AgileConfig.Server.Apisite/AgileConfig.Server.Apisite.csproj b/src/AgileConfig.Server.Apisite/AgileConfig.Server.Apisite.csproj
index 68bcd731..76ecc231 100644
--- a/src/AgileConfig.Server.Apisite/AgileConfig.Server.Apisite.csproj
+++ b/src/AgileConfig.Server.Apisite/AgileConfig.Server.Apisite.csproj
@@ -3,11 +3,11 @@
net10.0
InProcess
- 1.11.2
- 1.11.2
- 1.11.2
+ 1.11.3
+ 1.11.3
+ 1.11.3
Linux
- 1.11.2
+ 1.11.3
kklldog
kklldog
diff --git a/src/AgileConfig.Server.Apisite/Controllers/api/ConfigController.cs b/src/AgileConfig.Server.Apisite/Controllers/api/ConfigController.cs
index 1a7fefd2..daf75254 100644
--- a/src/AgileConfig.Server.Apisite/Controllers/api/ConfigController.cs
+++ b/src/AgileConfig.Server.Apisite/Controllers/api/ConfigController.cs
@@ -1,17 +1,18 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Threading.Tasks;
-using AgileConfig.Server.Apisite.Controllers.api.Models;
+using AgileConfig.Server.Apisite.Controllers.api.Models;
using AgileConfig.Server.Apisite.Filters;
using AgileConfig.Server.Apisite.Metrics;
using AgileConfig.Server.Apisite.Models;
using AgileConfig.Server.Apisite.Models.Mapping;
+using AgileConfig.Server.Common;
using AgileConfig.Server.Data.Entity;
using AgileConfig.Server.IService;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Caching.Memory;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
// For more information on enabling Web API for empty projects, visit https://go.microsoft.com/fwlink/?LinkID=397860
@@ -54,6 +55,14 @@ public async Task>> GetAppConfig(string appId, [F
{
ArgumentException.ThrowIfNullOrEmpty(appId);
+ var idInHeader = Encrypt.UnboxBasicAuth(HttpContext.Request).Item1;
+
+ if (appId != idInHeader)
+ {
+ await Response.WriteAsync("The AppId does not match the ID in Basic Authentication.");
+ return BadRequest();
+ }
+
var app = await _appService.GetAsync(appId);
if (!app.Enabled) return NotFound();
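Review bot: `await Response.WriteAsync(...)` followed by `return BadRequest();` writes the body before MVC tries to apply the 400 status, and once the response has started the status code can no longer be changed (ASP.NET Core rejects setting StatusCode after the first write), so the client is likely to see a 200 with an error body or an exception in the log rather than a clean 400; carry the message inside the result instead: `return BadRequest("The AppId does not match the ID in Basic Authentication.");`. The `!=` comparison is ordinal and case-sensitive; if app ids are matched case-insensitively elsewhere, this check should use the same comparison — confirm against the app lookup. Deconstructing the tuple, `var (idInHeader, _) = Encrypt.UnboxBasicAuth(HttpContext.Request);`, reads better than `.Item1`. GetAppConfig's signature and the remainder of its body are outside the hunk.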
diff --git a/src/AgileConfig.Server.Common/Encrypt.cs b/src/AgileConfig.Server.Common/Encrypt.cs
index 01098f79..74014ce7 100644
--- a/src/AgileConfig.Server.Common/Encrypt.cs
+++ b/src/AgileConfig.Server.Common/Encrypt.cs
@@ -1,7 +1,9 @@
using System;
+using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
+using Microsoft.AspNetCore.Http;
namespace AgileConfig.Server.Common;
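Review bot: `using Microsoft.AspNetCore.Http;` pulls ASP.NET Core types into AgileConfig.Server.Common, whose other usings in this file are `System.*` only, so the helper library now depends on the web framework for every consumer. A narrower option is to keep the parsing in Common with a `string` parameter (the raw Authorization header value) and leave the `HttpRequest` unwrapping in the service layer, which is the only place that holds a request. Whether the Common project already referenced the shared framework is not visible in this diff.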
@@ -15,4 +17,43 @@ public static string Md5(string txt)
var hashBytes = Md5Instance.Value.ComputeHash(inputBytes);
return Convert.ToHexString(hashBytes);
}
+
+ public static (string, string) UnboxBasicAuth(HttpRequest httpRequest)
+ {
+ var authorization = httpRequest.Headers["Authorization"];
+ if (string.IsNullOrEmpty(authorization)) return ("", "");
+ var authStr = authorization.First();
+ // Remove the "Basic " prefix.
+ if (!authStr.StartsWith("Basic "))
+ {
+ return ("", "");
+ ;
+ }
+
+ authStr = authStr.Substring(6, authStr.Length - 6);
+ byte[] base64Decode = null;
+ try
+ {
+ base64Decode = Convert.FromBase64String(authStr);
+ }
+ catch
+ {
+ return ("", "");
+ }
+
+ var base64Str = Encoding.UTF8.GetString(base64Decode);
+
+ if (string.IsNullOrEmpty(base64Str)) return ("", "");
+
+ var appId = "";
+ var sec = "";
+
+
+ var baseAuthArr = base64Str.Split(':');
+
+ if (baseAuthArr.Length > 0) appId = baseAuthArr[0];
+ if (baseAuthArr.Length > 1) sec = baseAuthArr[1];
+
+ return (appId, sec);
+ }
}
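Review bot: `authStr.StartsWith("Basic ")` is a culture-sensitive comparison and rejects the scheme when a client sends it in a different case, although HTTP auth scheme names are case-insensitive; write `if (!authStr.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))`. `base64Str.Split(':')` also truncates any secret that itself contains a colon, because only `baseAuthArr[1]` is kept; `var baseAuthArr = base64Str.Split(':', 2);` keeps the user id before the first colon and the whole remainder as the secret. The bare `catch` should be `catch (FormatException)` since that is the only failure `Convert.FromBase64String` signals for a non-null input, and the stray `;` inside the early-return block is dead. As a public helper in Common the method also lacks an XML summary; a `/// <summary>` stating that it returns ("", "") for a missing, non-Basic or undecodable header and otherwise the (appId, secret) pair would save callers a read.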
\ No newline at end of file
diff --git a/src/AgileConfig.Server.Service/AppBasicAuthService.cs b/src/AgileConfig.Server.Service/AppBasicAuthService.cs
index d544f7d0..146826e6 100644
--- a/src/AgileConfig.Server.Service/AppBasicAuthService.cs
+++ b/src/AgileConfig.Server.Service/AppBasicAuthService.cs
@@ -2,6 +2,7 @@
using System.Linq;
using System.Text;
using System.Threading.Tasks;
+using AgileConfig.Server.Common;
using AgileConfig.Server.IService;
using Microsoft.AspNetCore.Http;
@@ -23,41 +24,7 @@ public AppBasicAuthService(IAppService appService)
/// Tuple of Application ID and secret extracted from the header.
public (string, string) GetAppIdSecret(HttpRequest httpRequest)
{
- var authorization = httpRequest.Headers["Authorization"];
- if (string.IsNullOrEmpty(authorization)) return ("", "");
- var authStr = authorization.First();
- // Remove the "Basic " prefix.
- if (!authStr.StartsWith("Basic "))
- {
- return ("", "");
- ;
- }
-
- authStr = authStr.Substring(6, authStr.Length - 6);
- byte[] base64Decode = null;
- try
- {
- base64Decode = Convert.FromBase64String(authStr);
- }
- catch
- {
- return ("", "");
- }
-
- var base64Str = Encoding.UTF8.GetString(base64Decode);
-
- if (string.IsNullOrEmpty(base64Str)) return ("", "");
-
- var appId = "";
- var sec = "";
-
-
- var baseAuthArr = base64Str.Split(':');
-
- if (baseAuthArr.Length > 0) appId = baseAuthArr[0];
- if (baseAuthArr.Length > 1) sec = baseAuthArr[1];
-
- return (appId, sec);
+ return Encrypt.UnboxBasicAuth(httpRequest);
}
public async Task ValidAsync(HttpRequest httpRequest)