A simple key based AuthorizeAttribute

n this example, we'll be setting up a custom authorization scheme based on a key which will be validated using a very simple algorithm. This isn't secure for any number of reasons, but with some minor modifications (e.g. expiring a key once it is used) it would be sufficient for things like simple beta program for a pre-release website.

We'll accept a parameter called X-Key and validate that it's a number that passes a simple check.

To start with, we'll create a new class called KeyAuthorizeAttribute that inherits from AuthorizeAttribute:

12345678910111213141516171819202122

public class KeyAuthorizeAttribute : AuthorizeAttribute {    protected override bool AuthorizeCore(HttpContextBase httpContext)    {        string key = httpContext.Request["X-Key"];        return ApiValidatorService.IsValid(key);    }} public static class ApiValidatorService{    public static bool IsValid(string key)    {        int keyvalue;         if (int.TryParse(key, out keyvalue))        {            return keyvalue % 2137 == 7;        }        return false;    }}

This AuthorizeCore method checks a value (via header, querystring, form post, etc.) and calls into a service to validate it. In this case, validation is a simple static method that runs our validation algorithm. In your case, you'd probably want to check against a list of pre-issued keys in a database, call out to an external service, etc. AuthorizeCore returns a boolean value - pass or fail.

We can then slap that [KeyAuthorize] attribute on any action or controller in the site, or register it globally (as shown in my previous post).

This request would be allowed: http://localhost:8515/?X-Key=26381272 (because 26381272 mod 2137 equals 7)

This request would be denied: http://localhost:8515/?X-Key=12345