btcpayserver/BTCPayServer/Hosting/BTCpayMiddleware.cs

using System;
using System.Globalization;
using System.Linq;
using System.Net.WebSockets;
using System.Threading.Tasks;
using BTCPayServer.Abstractions.Extensions;
using BTCPayServer.Configuration;
using BTCPayServer.Logging;
using BTCPayServer.Models;
using BTCPayServer.Services;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Extensions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Primitives;
using Newtonsoft.Json;

namespace BTCPayServer.Hosting
{
    public class BTCPayMiddleware
    {
        readonly RequestDelegate _Next;
        readonly BTCPayServerOptions _Options;

        public Logs Logs { get; }

        readonly BTCPayServerEnvironment _Env;

        public BTCPayMiddleware(RequestDelegate next,
            BTCPayServerOptions options,
            BTCPayServerEnvironment env,
            Logs logs)
        {
            _Env = env ?? throw new ArgumentNullException(nameof(env));
            _Next = next ?? throw new ArgumentNullException(nameof(next));
            _Options = options ?? throw new ArgumentNullException(nameof(options));
            Logs = logs;
        }


        public async Task Invoke(HttpContext httpContext)
        {
            CultureInfo.CurrentCulture = CultureInfo.InvariantCulture;
            CultureInfo.CurrentUICulture = CultureInfo.InvariantCulture;
            try
            {
                var bitpayAuth = GetBitpayAuth(httpContext, out bool isBitpayAuth);
                var isBitpayAPI = IsBitpayAPI(httpContext, isBitpayAuth);
                if (isBitpayAPI && httpContext.Request.Method == "OPTIONS")
                {
                    httpContext.Response.StatusCode = 200;
                    httpContext.Response.SetHeader("Access-Control-Allow-Origin", "*");
                    if (httpContext.Request.Headers.ContainsKey("Access-Control-Request-Headers"))
                    {
                        httpContext.Response.SetHeader("Access-Control-Allow-Headers", httpContext.Request.Headers["Access-Control-Request-Headers"].FirstOrDefault());
                    }
                    return; // We bypass MVC completely
                }
                httpContext.SetIsBitpayAPI(isBitpayAPI);
                if (isBitpayAPI)
                {
                    httpContext.Response.SetHeader("Access-Control-Allow-Origin", "*");
                    httpContext.SetBitpayAuth(bitpayAuth);
                    await _Next(httpContext);
                    return;
                }

                var isHtml = httpContext.Request.Headers.TryGetValue("Accept", out var accept)
                            && accept.ToString().StartsWith("text/html", StringComparison.OrdinalIgnoreCase);
                var isModal = httpContext.Request.Query.TryGetValue("view", out var view)
                            && view.ToString().Equals("modal", StringComparison.OrdinalIgnoreCase);
                if (!string.IsNullOrEmpty(_Env.OnionUrl) &&
                    !httpContext.Request.IsOnion() &&
                    isHtml &&
                    !isModal)
                {
                    var onionLocation = _Env.OnionUrl + httpContext.Request.GetEncodedPathAndQuery();
                    httpContext.Response.SetHeader("Onion-Location", onionLocation);
                }
            }
            catch (WebSocketException)
            { }
            catch (UnauthorizedAccessException ex)
            {
                await HandleBitpayHttpException(httpContext, new BitpayHttpException(401, ex.Message));
                return;
            }
            catch (BitpayHttpException ex)
            {
                await HandleBitpayHttpException(httpContext, ex);
                return;
            }
            catch (Exception ex)
            {
                Logs.PayServer.LogCritical(new EventId(), ex, "Unhandled exception in BTCPayMiddleware");
                throw;
            }
            await _Next(httpContext);
        }

        private static (string Signature, String Id, String Authorization) GetBitpayAuth(HttpContext httpContext, out bool hasBitpayAuth)
        {
            httpContext.Request.Headers.TryGetValue("x-signature", out StringValues values);
            var sig = values.FirstOrDefault();
            httpContext.Request.Headers.TryGetValue("x-identity", out values);
            var id = values.FirstOrDefault();
            httpContext.Request.Headers.TryGetValue("Authorization", out values);
            var auth = values.FirstOrDefault();
            hasBitpayAuth = auth != null || (sig != null && id != null);
            return (sig, id, auth);
        }

        private bool IsBitpayAPI(HttpContext httpContext, bool bitpayAuth)
        {
            if (!httpContext.Request.Path.HasValue)
                return false;

            // In case of anyone can create invoice, the storeId can be set explicitly
            bitpayAuth |= httpContext.Request.Query.ContainsKey("storeid");

            var isJson = (httpContext.Request.ContentType ?? string.Empty).StartsWith("application/json", StringComparison.OrdinalIgnoreCase);
            var path = httpContext.Request.Path.Value;
            var method = httpContext.Request.Method;
            var isCors = method == "OPTIONS";

            if (
                (isCors || bitpayAuth) &&
                (path == "/invoices" || path == "/invoices/") &&
              (isCors || (method == "POST" && isJson)))
                return true;

            if (
                (isCors || bitpayAuth) &&
                 (path == "/invoices" || path == "/invoices/") &&
                 (isCors || method == "GET"))
                return true;

            if (
               path.StartsWith("/invoices/", StringComparison.OrdinalIgnoreCase) &&
               (isCors || method == "GET") &&
               (isCors || isJson || httpContext.Request.Query.ContainsKey("token")))
                return true;

            if (path.StartsWith("/rates", StringComparison.OrdinalIgnoreCase) &&
                (isCors || method == "GET"))
                return true;

            if (
                path.Equals("/tokens", StringComparison.Ordinal) &&
                (isCors || method == "GET" || method == "POST"))
                return true;

            return false;
        }

        private static async Task HandleBitpayHttpException(HttpContext httpContext, BitpayHttpException ex)
        {
            httpContext.Response.StatusCode = ex.StatusCode;
            httpContext.Response.ContentType = "application/json";
            var result = JsonConvert.SerializeObject(new BitpayErrorsModel(ex));
            await httpContext.Response.WriteAsync(result);
        }
    }
}
Cleaning up bom from cs files 2020-06-28 21:44:35 -05:00			`using System;`
Make sure BTCPayServer does not take the culture of the server 2021-05-06 20:28:02 +09:00			`using System.Globalization;`
Init 2017-09-13 15:47:34 +09:00			`using System.Linq;`
Run dotnet format 2020-06-28 17:55:27 +09:00			`using System.Net.WebSockets;`
Init 2017-09-13 15:47:34 +09:00			`using System.Threading.Tasks;`
Refactoring: Extract HttpRequest extensions 2022-03-02 18:28:12 +01:00			`using BTCPayServer.Abstractions.Extensions;`
Run dotnet format 2020-06-28 17:55:27 +09:00			`using BTCPayServer.Configuration;`
Init 2017-09-13 15:47:34 +09:00			`using BTCPayServer.Logging;`
			`using BTCPayServer.Models;`
Add Onion-Location HTTP header Closes #1626. 2020-06-04 08:53:55 +02:00			`using BTCPayServer.Services;`
Run dotnet format 2020-06-28 17:55:27 +09:00			`using Microsoft.AspNetCore.Http;`
Fix onion location not always working (#1947) closes #1881 2020-10-07 10:21:18 +02:00			`using Microsoft.AspNetCore.Http.Extensions;`
Run dotnet format 2020-06-28 17:55:27 +09:00			`using Microsoft.Extensions.Logging;`
			`using Microsoft.Extensions.Primitives;`
			`using Newtonsoft.Json;`
Init 2017-09-13 15:47:34 +09:00
			`namespace BTCPayServer.Hosting`
			`{`
Adopt dotnet core editorconfig, big reformating 2017-10-27 17:53:04 +09:00			`public class BTCPayMiddleware`
			`{`
Removing unused usings, readonly fields where possible 2020-06-28 22:07:48 -05:00			`readonly RequestDelegate _Next;`
			`readonly BTCPayServerOptions _Options;`
Remove Logs static singletons 2021-11-22 17:16:08 +09:00
			`public Logs Logs { get; }`

Removing unused usings, readonly fields where possible 2020-06-28 22:07:48 -05:00			`readonly BTCPayServerEnvironment _Env;`
Can start without NBXplorer being ready 2017-12-17 01:04:20 +09:00
Adopt dotnet core editorconfig, big reformating 2017-10-27 17:53:04 +09:00			`public BTCPayMiddleware(RequestDelegate next,`
Add Onion-Location HTTP header Closes #1626. 2020-06-04 08:53:55 +02:00			`BTCPayServerOptions options,`
Remove Logs static singletons 2021-11-22 17:16:08 +09:00			`BTCPayServerEnvironment env,`
			`Logs logs)`
Adopt dotnet core editorconfig, big reformating 2017-10-27 17:53:04 +09:00			`{`
Add Onion-Location HTTP header Closes #1626. 2020-06-04 08:53:55 +02:00			`_Env = env ?? throw new ArgumentNullException(nameof(env));`
Adopt dotnet core editorconfig, big reformating 2017-10-27 17:53:04 +09:00			`_Next = next ?? throw new ArgumentNullException(nameof(next));`
Can configure externalurl in case BTCPay is behind a reverse proxy 2017-12-02 23:22:23 +09:00			`_Options = options ?? throw new ArgumentNullException(nameof(options));`
Remove Logs static singletons 2021-11-22 17:16:08 +09:00			`Logs = logs;`
Adopt dotnet core editorconfig, big reformating 2017-10-27 17:53:04 +09:00			`}`
Init 2017-09-13 15:47:34 +09:00
Use callback to update invoice state instead of long polling 2017-10-12 16:33:53 +09:00
Adopt dotnet core editorconfig, big reformating 2017-10-27 17:53:04 +09:00			`public async Task Invoke(HttpContext httpContext)`
			`{`
Make sure BTCPayServer does not take the culture of the server 2021-05-06 20:28:02 +09:00			`CultureInfo.CurrentCulture = CultureInfo.InvariantCulture;`
			`CultureInfo.CurrentUICulture = CultureInfo.InvariantCulture;`
Remove TokenRepository dependency from InvoiceControllerAPI 2018-04-28 02:51:20 +09:00			`try`
Adopt dotnet core editorconfig, big reformating 2017-10-27 17:53:04 +09:00			`{`
Make sure that we don't authenticate call with bitpay auth methods on non bitpay calls 2018-04-29 20:32:43 +09:00			`var bitpayAuth = GetBitpayAuth(httpContext, out bool isBitpayAuth);`
			`var isBitpayAPI = IsBitpayAPI(httpContext, isBitpayAuth);`
Bypass MVC for replying to CORS requests if Bitpay API 2019-02-02 15:19:22 +09:00			`if (isBitpayAPI && httpContext.Request.Method == "OPTIONS")`
			`{`
			`httpContext.Response.StatusCode = 200;`
set CORS headers 2019-02-02 15:22:00 +09:00			`httpContext.Response.SetHeader("Access-Control-Allow-Origin", "*");`
Correctly set Access-Control-Allow-Headers 2019-02-02 15:51:38 +09:00			`if (httpContext.Request.Headers.ContainsKey("Access-Control-Request-Headers"))`
			`{`
			`httpContext.Response.SetHeader("Access-Control-Allow-Headers", httpContext.Request.Headers["Access-Control-Request-Headers"].FirstOrDefault());`
			`}`
Bypass MVC for replying to CORS requests if Bitpay API 2019-02-02 15:19:22 +09:00			`return; // We bypass MVC completely`
			`}`
Make sure that we don't authenticate call with bitpay auth methods on non bitpay calls 2018-04-29 20:32:43 +09:00			`httpContext.SetIsBitpayAPI(isBitpayAPI);`
			`if (isBitpayAPI)`
Support Legacy API Key authentication to Bitpay Invoice API 2018-04-29 18:28:04 +09:00			`{`
Returns Access-Control-Allow-Origin * on all Bitpay GET and post requests. 2019-02-02 16:12:51 +09:00			`httpContext.Response.SetHeader("Access-Control-Allow-Origin", "*");`
Isolate Bitpay's code outside of middleware inside BitpayClaimsFilter 2018-04-30 22:28:00 +09:00			`httpContext.SetBitpayAuth(bitpayAuth);`
Move BitpayMiddleware up the stack 2019-10-07 12:43:17 +09:00			`await _Next(httpContext);`
			`return;`
			`}`
Add Onion-Location HTTP header Closes #1626. 2020-06-04 08:53:55 +02:00
Rewrite the condition to show Onion-Location in a more readable way 2021-01-05 13:44:08 +09:00			`var isHtml = httpContext.Request.Headers.TryGetValue("Accept", out var accept)`
			`&& accept.ToString().StartsWith("text/html", StringComparison.OrdinalIgnoreCase);`
			`var isModal = httpContext.Request.Query.TryGetValue("view", out var view)`
			`&& view.ToString().Equals("modal", StringComparison.OrdinalIgnoreCase);`
			`if (!string.IsNullOrEmpty(_Env.OnionUrl) &&`
Run dotnet format (#3244) 2021-12-31 16:59:02 +09:00			`!httpContext.Request.IsOnion() &&`
Rewrite the condition to show Onion-Location in a more readable way 2021-01-05 13:44:08 +09:00			`isHtml &&`
			`!isModal)`
Add Onion-Location HTTP header Closes #1626. 2020-06-04 08:53:55 +02:00			`{`
Fix onion location not always working (#1947) closes #1881 2020-10-07 10:21:18 +02:00			`var onionLocation = _Env.OnionUrl + httpContext.Request.GetEncodedPathAndQuery();`
Add Onion-Location HTTP header Closes #1626. 2020-06-04 08:53:55 +02:00			`httpContext.Response.SetHeader("Onion-Location", onionLocation);`
			`}`
Adopt dotnet core editorconfig, big reformating 2017-10-27 17:53:04 +09:00			`}`
hide websocket exceptions 2018-02-15 16:17:27 +09:00			`catch (WebSocketException)`
			`{ }`
Adopt dotnet core editorconfig, big reformating 2017-10-27 17:53:04 +09:00			`catch (UnauthorizedAccessException ex)`
			`{`
			`await HandleBitpayHttpException(httpContext, new BitpayHttpException(401, ex.Message));`
Fixing api exception handling in the pipeline 2020-02-03 02:18:36 -06:00			`return;`
Adopt dotnet core editorconfig, big reformating 2017-10-27 17:53:04 +09:00			`}`
			`catch (BitpayHttpException ex)`
			`{`
			`await HandleBitpayHttpException(httpContext, ex);`
Fixing api exception handling in the pipeline 2020-02-03 02:18:36 -06:00			`return;`
Adopt dotnet core editorconfig, big reformating 2017-10-27 17:53:04 +09:00			`}`
			`catch (Exception ex)`
			`{`
			`Logs.PayServer.LogCritical(new EventId(), ex, "Unhandled exception in BTCPayMiddleware");`
			`throw;`
			`}`
Move BitpayMiddleware up the stack 2019-10-07 12:43:17 +09:00			`await _Next(httpContext);`
Support Legacy API Key authentication to Bitpay Invoice API 2018-04-29 18:28:04 +09:00			`}`
Init 2017-09-13 15:47:34 +09:00
Make sure that we don't authenticate call with bitpay auth methods on non bitpay calls 2018-04-29 20:32:43 +09:00			`private static (string Signature, String Id, String Authorization) GetBitpayAuth(HttpContext httpContext, out bool hasBitpayAuth)`
			`{`
			`httpContext.Request.Headers.TryGetValue("x-signature", out StringValues values);`
			`var sig = values.FirstOrDefault();`
			`httpContext.Request.Headers.TryGetValue("x-identity", out values);`
			`var id = values.FirstOrDefault();`
			`httpContext.Request.Headers.TryGetValue("Authorization", out values);`
			`var auth = values.FirstOrDefault();`
			`hasBitpayAuth = auth != null \|\| (sig != null && id != null);`
			`return (sig, id, auth);`
			`}`

			`private bool IsBitpayAPI(HttpContext httpContext, bool bitpayAuth)`
			`{`
			`if (!httpContext.Request.Path.HasValue)`
			`return false;`

chore: fix typos (#5883) 2024-03-30 17:20:24 +08:00			`// In case of anyone can create invoice, the storeId can be set explicitly`
Fix: if anyone can create invoice and /invoices has storeId parameters, then it should be allowed 2019-03-25 12:59:42 +09:00			`bitpayAuth \|= httpContext.Request.Query.ContainsKey("storeid");`

Use decimals and fix invoices 2018-05-11 22:38:31 +09:00			`var isJson = (httpContext.Request.ContentType ?? string.Empty).StartsWith("application/json", StringComparison.OrdinalIgnoreCase);`
Make sure that we don't authenticate call with bitpay auth methods on non bitpay calls 2018-04-29 20:32:43 +09:00			`var path = httpContext.Request.Path.Value;`
fix bitpay API not having CORS 2019-01-30 14:36:26 +09:00			`var method = httpContext.Request.Method;`
Fix CORS for bitpay API again 2019-02-02 13:57:17 +09:00			`var isCors = method == "OPTIONS";`
fix bitpay API not having CORS 2019-01-30 14:57:10 +09:00
Make sure that we don't authenticate call with bitpay auth methods on non bitpay calls 2018-04-29 20:32:43 +09:00			`if (`
Fix CORS for bitpay API again 2019-02-02 13:57:17 +09:00			`(isCors \|\| bitpayAuth) &&`
Fix: if anyone can create invoice and /invoices has storeId parameters, then it should be allowed 2019-03-25 12:59:42 +09:00			`(path == "/invoices" \|\| path == "/invoices/") &&`
Fix CORS for bitpay API again 2019-02-02 13:57:17 +09:00			`(isCors \|\| (method == "POST" && isJson)))`
Make sure that we don't authenticate call with bitpay auth methods on non bitpay calls 2018-04-29 20:32:43 +09:00			`return true;`

			`if (`
Fix CORS for bitpay API again 2019-02-02 13:57:17 +09:00			`(isCors \|\| bitpayAuth) &&`
Solving the new version of btcpayserver caused btcpay-python not to create an order problem (#327) 2018-10-11 22:50:28 +08:00			`(path == "/invoices" \|\| path == "/invoices/") &&`
Fix CORS for bitpay API again 2019-02-02 13:57:17 +09:00			`(isCors \|\| method == "GET"))`
Make sure that we don't authenticate call with bitpay auth methods on non bitpay calls 2018-04-29 20:32:43 +09:00			`return true;`

			`if (`
Fix CORS for bitpay API again 2019-02-02 13:57:17 +09:00			`path.StartsWith("/invoices/", StringComparison.OrdinalIgnoreCase) &&`
			`(isCors \|\| method == "GET") &&`
			`(isCors \|\| isJson \|\| httpContext.Request.Query.ContainsKey("token")))`
Make sure that we don't authenticate call with bitpay auth methods on non bitpay calls 2018-04-29 20:32:43 +09:00			`return true;`

fix bitpayconstraint for rates 2018-07-27 07:55:42 +02:00			`if (path.StartsWith("/rates", StringComparison.OrdinalIgnoreCase) &&`
Fix CORS for bitpay API again 2019-02-02 13:57:17 +09:00			`(isCors \|\| method == "GET"))`
Make sure that we don't authenticate call with bitpay auth methods on non bitpay calls 2018-04-29 20:32:43 +09:00			`return true;`

			`if (`
Make sure X-Forwarded-Port does not override ExternalUrl 2018-10-06 23:20:01 +09:00			`path.Equals("/tokens", StringComparison.Ordinal) &&`
Fix CORS for bitpay API again 2019-02-02 13:57:17 +09:00			`(isCors \|\| method == "GET" \|\| method == "POST"))`
Make sure that we don't authenticate call with bitpay auth methods on non bitpay calls 2018-04-29 20:32:43 +09:00			`return true;`

			`return false;`
			`}`

Adopt dotnet core editorconfig, big reformating 2017-10-27 17:53:04 +09:00			`private static async Task HandleBitpayHttpException(HttpContext httpContext, BitpayHttpException ex)`
			`{`
			`httpContext.Response.StatusCode = ex.StatusCode;`
Fixing api exception handling in the pipeline 2020-02-03 02:18:36 -06:00			`httpContext.Response.ContentType = "application/json";`
			`var result = JsonConvert.SerializeObject(new BitpayErrorsModel(ex));`
			`await httpContext.Response.WriteAsync(result);`
Adopt dotnet core editorconfig, big reformating 2017-10-27 17:53:04 +09:00			`}`
			`}`
Init 2017-09-13 15:47:34 +09:00			`}`