Security BugFix.

I use HttpRequestMessage.Headers.Authorization instead of httpClient.DefaultRequestHeaders
This commit is contained in:
takashi uesaka
2015-07-31 21:44:20 +09:00
parent 9ccb01fd84
commit 239a603798


@@ -11,6 +11,7 @@ using Microsoft.Owin.Security.Infrastructure;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using Owin.Security.Providers.Backlog;
using System.Net.Http.Headers;
namespace Owin.Security.Providers.Backlog
{
@@ -72,9 +73,12 @@ namespace Owin.Security.Providers.Backlog
body.Add(new KeyValuePair<string, string>("client_secret", Options.ClientSecret));
// Get token
httpClient.DefaultRequestHeaders.Authorization = null;
HttpResponseMessage tokenResponse =
await httpClient.PostAsync(Options.TokenEndpoint, new FormUrlEncodedContent(body));
var tokenRequest = new HttpRequestMessage(HttpMethod.Post, Options.TokenEndpoint);
tokenRequest.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
tokenRequest.Content = new FormUrlEncodedContent(body);
HttpResponseMessage tokenResponse = await httpClient.SendAsync(tokenRequest, Request.CallCancelled);
tokenResponse.EnsureSuccessStatusCode();
string text = await tokenResponse.Content.ReadAsStringAsync();
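Review bot: The new tokenRequest and tokenResponse are never disposed, so a failed EnsureSuccessStatusCode() or an exception from ReadAsStringAsync leaks the HttpResponseMessage and its content stream; the same applies to userRequest/userResponse in the third hunk. Wrap both in `using` blocks, e.g. `using (var tokenRequest = new HttpRequestMessage(HttpMethod.Post, Options.TokenEndpoint))` and `using (HttpResponseMessage tokenResponse = await httpClient.SendAsync(tokenRequest, Request.CallCancelled))`, with the read into `text` inside the inner block (the enclosing method continues outside the hunk, so the closing braces belong after the token JSON has been parsed). Since the point of the change is to stop mutating shared client state, a why-comment at the new request construction would keep the next maintainer from regressing it: `// Build headers per request; never set httpClient.DefaultRequestHeaders.Authorization, which is shared across concurrent sign-ins.` Whether httpClient is actually shared between requests is not visible in the hunk, but the removed DefaultRequestHeaders mutation suggests that was the bug being fixed.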
@@ -88,12 +92,13 @@ namespace Owin.Security.Providers.Backlog
string tokenType = (string)response.token_type;
// Get the Backlog user
httpClient.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue(tokenType, Uri.EscapeDataString(accessToken));
HttpResponseMessage graphResponse = await httpClient.GetAsync(
Options.UserInfoEndpoint, Request.CallCancelled);
var userRequest = new HttpRequestMessage(HttpMethod.Get, Options.UserInfoEndpoint);
userRequest.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
userRequest.Headers.Authorization = new AuthenticationHeaderValue(tokenType, Uri.EscapeDataString(accessToken));
HttpResponseMessage userResponse = await httpClient.SendAsync(userRequest, Request.CallCancelled);
graphResponse.EnsureSuccessStatusCode();
text = await graphResponse.Content.ReadAsStringAsync();
userResponse.EnsureSuccessStatusCode();
text = await userResponse.Content.ReadAsStringAsync();
JObject user = JObject.Parse(text);
var context = new BacklogAuthenticatedContext(Context, user, accessToken, expires, refreshToken);