Base solution for your next web application
Open Closed

Token on query string and Multi Tenant #4418

User avatar
0
khai created

Hello,

I am developing the download file module which provides a way to get authorized file by Encrypted Token (using ASPNETZero Encrypted Token) with its information.

Currently, I am stuck at getting data from the right tenant database from the encrypted token (After decrypted the token to get the real token, how can I initialize IRepository for the right tenant database?)

private readonly IAppFolders _appFolders;
private readonly IRepository < OnePlaceFile, Guid > _fileRepository;

public FileController(IAppFolders appFolders, IRepository < OnePlaceFile, Guid > fileRepository) {
 _appFolders = appFolders;
 _fileRepository = fileRepository;
}

[DisableAuditing]
[AllowAnonymous]
public async Task < ActionResult > OnePlaceDownloadFileWithToken(Guid fileId, string encToken) {
 if (!ValidateToken(encToken)) throw new UserFriendlyException(L("RequestedFileDoesNotExists"));

 var file = await _fileRepository.FirstOrDefaultAsync(fileId);
 if (file == null) throw new UserFriendlyException(L("RequestedFileDoesNotExists"));

 var filePath = Path.Combine(_appFolders.TempFileDownloadFolder,
  file.TenantId.ToString(),
  file.ModuleName,
  file.ReferenceId,
  file.Id.ToString());

 if (!System.IO.File.Exists(filePath)) {
  throw new UserFriendlyException(L("RequestedFileDoesNotExists"));
 }

 var fileBytes = System.IO.File.ReadAllBytes(filePath);
 return File(fileBytes, file.MimeType, file.FileName);
}

private bool ValidateToken(string encToken) {
 try {
  var token = SimpleStringCipher.Instance.Decrypt(encToken, AppConsts.DefaultPassPhrase);
  return true;
 } catch (Exception e) {
  return false;
 }
}
Go to accepted answer
5 Answer(s)
  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    You can use AbpSession.TenantId to filter your data. ABP should set TenantId on session.

  • User Avatar
    0
    khai created

    So in case that I just have the encrypted Token without any session in the browser, can I initialize IRepository<> for the right tenant? I need this because those files could be read from outside the ABP Application (using Google Docs Online reader, Office Web App)

    And do you provide a method to verify the token in this case?

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @Khai,

    It is used here <a class="postlink" href="https://github.com/aspnetzero/aspnet-zero-core/blob/dev/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Web.Host/Startup/AuthConfigurer.cs#L81">https://github.com/aspnetzero/aspnet-ze ... rer.cs#L81</a>.

    And do you provide a method to verify the token in this case?

    I couldn't understand this, can you elaborate more ?

    Thanks.

  • User Avatar
    0
    khai created

    Hello ismcagdas,

    I did all those things well with your reference now. My question about "And do you provide a method to verify the token in this case?" is also in your reference (context.Token = SimpleStringCipher.Instance.Decrypt(encToken, AppConsts.DefaultPassPhrase);)

    Thank you.

  • User Avatar
    0
    ismcagdas created
    Support Team

    Great @Khai :)

Assignee
No one
Labels
Non yet