logo标签列表

如何在未授权时本地化错误信息

c#asp.net-core-webapiasp.net-core-localization
5

这是一个asp.net core webapi项目,我只需要在那些接口上放置[Authorize]属性就可以保护它们。如果用户未被授权,则API将返回“401未经授权”的消息。

我的问题是,如果没有获得授权,如何本地化“401未经授权”消息。

对于其他数据注释,我可以设置DataAnnotaion属性的ErrorMessage属性,比如[Required(ErrorMessage = "xxx")]。但是,AuthorizeAttribute没有这样的属性。

感谢@Athanasios,我想出了我的解决方案,希望它能帮助某些人。(ErrorMessages仅是一个共享类)。

using System;
using System.Threading.Tasks;

using YourNamespace.Messages;

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Localization;
using Microsoft.Extensions.Logging;

namespace YourNamespace.Attributes
{
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
    public class LocalizedAuthorizeAttribute : AuthorizeAttribute, IAsyncAuthorizationFilter
    {
        public string UnauthorizedErrorMessage { get; set; }
        public string ForbiddenErrorMessage { get; set; }

        public LocalizedAuthorizeAttribute()
        {
        }

        public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
        {
            var user = context.HttpContext.User;
            var localizer = context.HttpContext.RequestServices.GetService<IStringLocalizer<ErrorMessages>>();
            var logger = context.HttpContext.RequestServices.GetService<ILogger<LocalizedAuthorizeAttribute>>();

            string url = $"{context.HttpContext.Request.Scheme}://{context.HttpContext.Request.Host}{context.HttpContext.Request.Path}{context.HttpContext.Request.QueryString}";
            if (!user.Identity.IsAuthenticated)
            {
                logger.LogInformation($"Unauthroized access to '{url}' from {context.HttpContext.Connection.RemoteIpAddress.ToString()}");

                UnauthorizedErrorMessage = UnauthorizedErrorMessage ?? "Unauthorized";
                ProblemDetails problemDetails = new ProblemDetails()
                {
                    Title = localizer[UnauthorizedErrorMessage],
                    Detail = localizer[UnauthorizedErrorMessage + "_Detail"],
                    Status = StatusCodes.Status401Unauthorized
                };
                context.Result = new ObjectResult(problemDetails)
                {
                    StatusCode = StatusCodes.Status401Unauthorized,
                    DeclaredType = problemDetails.GetType(),
                };
            }
            else
            {
                ForbiddenErrorMessage = ForbiddenErrorMessage ?? "Forbidden";
                var authorizeService = context.HttpContext.RequestServices.GetService<IAuthorizationService>();

                if (!String.IsNullOrWhiteSpace(Policy))
                {
                    AuthorizationResult result = await authorizeService.AuthorizeAsync(user, Policy);

                    if (!result.Succeeded)
                    {
                        logger.LogWarning($"Forbidden access to '{url}' from {context.HttpContext.Connection.RemoteIpAddress.ToString()}");

                        ProblemDetails problemDetails = new ProblemDetails()
                        {
                            Title = localizer[ForbiddenErrorMessage],
                            Detail = localizer[ForbiddenErrorMessage + "_Detail"],
                            Status = StatusCodes.Status403Forbidden
                        };
                        context.Result = new ObjectResult(problemDetails)
                        {
                            StatusCode = StatusCodes.Status403Forbidden,
                            DeclaredType = problemDetails.GetType(),
                        };
                    }
                }
            }
        }
    }
}

上述代码将向客户端返回问题详情。
我认为你可能会在这个问题的答案中找到答案。https://dev59.com/UVPTa4cB1Zd3GeqPoP_Z#4938764 - Torbjörn Hansson
1个回答
3
您需要创建一个自定义属性,类似于这样:https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/authentication-filters
public class AuthenticationFailureResult : IHttpActionResult
{
    public AuthenticationFailureResult(string reasonPhrase, HttpRequestMessage request)
    {
        ReasonPhrase = reasonPhrase;
        Request = request;
    }

    public string ReasonPhrase { get; private set; }

    public HttpRequestMessage Request { get; private set; }

    public Task<HttpResponseMessage> ExecuteAsync(CancellationToken cancellationToken)
    {
        return Task.FromResult(Execute());
    }

    private HttpResponseMessage Execute()
   {
        HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
        response.RequestMessage = Request;
        response.ReasonPhrase = ReasonPhrase;
        return response;
   }
}

然后,您可以使用自己的属性,而不是Authorize属性。
如果需要更具体的示例,请查看此处的SO答案
如果您查看此处的文档,您会发现除了创建自定义属性之外,没有其他方法可以实现。
谢谢提供链接,非常有帮助。但仅为更改消息而创建自定义属性有些可惜。 - Charlie
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接