ApiKey Authentication cleanup

NzbDrone.Api/Authentication/EnableBasicAuthInNancy.cs

@@ -1,15 +1,12 @@
 using Nancy;
 using Nancy.Authentication.Basic;
 using Nancy.Bootstrapper;
+using NzbDrone.Api.Extensions;
+using NzbDrone.Api.Extensions.Pipelines;
 
 namespace NzbDrone.Api.Authentication
 {
-    public interface IEnableBasicAuthInNancy
+    public class EnableBasicAuthInNancy : IRegisterNancyPipeline
-    {
-        void Register(IPipelines pipelines);
-    }
-
-    public class EnableBasicAuthInNancy : IEnableBasicAuthInNancy
     {
         private readonly IAuthenticationService _authenticationService;
 
@@ -28,7 +25,7 @@ namespace NzbDrone.Api.Authentication
         {
             Response response = null;
 
-            if (!context.Request.Path.StartsWith("/api/") &&
+            if (!context.Request.IsApiRequest() &&
                 context.CurrentUser == null &&
                 _authenticationService.Enabled)
             {

NzbDrone.Api/Authentication/EnableStatelessAuthInNancy.cs

@@ -1,17 +1,15 @@
-using System.Linq;
+using System;
+using System.Linq;
 using Nancy;
 using Nancy.Bootstrapper;
+using NzbDrone.Api.Extensions;
+using NzbDrone.Api.Extensions.Pipelines;
 using NzbDrone.Common.EnvironmentInfo;
 using NzbDrone.Core.Configuration;
 
 namespace NzbDrone.Api.Authentication
 {
-    public interface IEnableStatelessAuthInNancy
+    public class EnableStatelessAuthInNancy : IRegisterNancyPipeline
-    {
-        void Register(IPipelines pipelines);
-    }
-
-    public class EnableStatelessAuthInNancy : IEnableStatelessAuthInNancy
     {
         private readonly IConfigFileProvider _configFileProvider;
 
@@ -28,18 +26,16 @@ namespace NzbDrone.Api.Authentication
         public Response ValidateApiKey(NancyContext context)
         {
             Response response = null;
-            var apiKey = context.Request.Headers["ApiKey"].FirstOrDefault();
+            
-
+            if (!RuntimeInfo.IsProduction && context.Request.IsLocalRequest())
-            if (!RuntimeInfo.IsProduction &&
-                (context.Request.UserHostAddress.Equals("localhost") ||
-                context.Request.UserHostAddress.Equals("127.0.0.1") ||
-                context.Request.UserHostAddress.Equals("::1")))
             {
                 return response;
             }
+
+            var apiKey = context.Request.Headers.Authorization;
             
-            if (context.Request.Path.StartsWith("/api/") && 
+            if (context.Request.IsApiRequest() && 
-                (apiKey == null || !apiKey.Equals(_configFileProvider.ApiKey)))
+                (String.IsNullOrWhiteSpace(apiKey) || !apiKey.Equals(_configFileProvider.ApiKey)))
             {
                 response = new Response { StatusCode = HttpStatusCode.Unauthorized };
             }

NzbDrone.Api/Extensions/RequestExtensions.cs

@@ -0,0 +1,28 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using Nancy;
+
+namespace NzbDrone.Api.Extensions
+{
+    public static class RequestExtensions
+    {
+        public static bool IsApiRequest(this Request request)
+        {
+            return request.Path.StartsWith("/api/", StringComparison.InvariantCultureIgnoreCase);
+        }
+
+        public static bool IsSignalRRequest(this Request request)
+        {
+            return request.Path.StartsWith("/signalr/", StringComparison.InvariantCultureIgnoreCase);
+        }
+
+        public static bool IsLocalRequest(this Request request)
+        {
+            return (request.UserHostAddress.Equals("localhost") ||
+                    request.UserHostAddress.Equals("127.0.0.1") ||
+                    request.UserHostAddress.Equals("::1"));
+        }
+    }
+}

NzbDrone.Api/Frontend/Mappers/IndexHtmlMapper.cs

@@ -38,21 +38,7 @@ namespace NzbDrone.Api.Frontend.Mappers
 
         public override Response GetResponse(string resourceUrl)
         {
-            string content;
             var response = base.GetResponse(resourceUrl);
-            var stream = new MemoryStream();
-            
-            response.Contents.Invoke(stream);
-            stream.Position = 0;
-
-            using (var reader = new StreamReader(stream))
-            {
-                content = reader.ReadToEnd();
-            }
-
-            content = content.Replace("API_KEY", _configFileProvider.ApiKey);
-
-            response = new StreamResponse(() => StringToStream(content), response.ContentType);
             response.Headers["X-UA-Compatible"] = "IE=edge";
 
             return response;
@@ -70,6 +56,7 @@ namespace NzbDrone.Api.Frontend.Mappers
 
             text = text.Replace(".css", ".css?v=" + BuildInfo.Version);
             text = text.Replace(".js", ".js?v=" + BuildInfo.Version);
+            text = text.Replace("API_KEY", _configFileProvider.ApiKey);
 
             return text;
         }

NzbDrone.Api/NancyBootstrapper.cs

@@ -30,8 +30,6 @@ namespace NzbDrone.Api
             RegisterPipelines(pipelines);
 
             container.Resolve<DatabaseTarget>().Register();
-            container.Resolve<IEnableBasicAuthInNancy>().Register(pipelines);
-            container.Resolve<IEnableStatelessAuthInNancy>().Register(pipelines);
             container.Resolve<IEventAggregator>().PublishEvent(new ApplicationStartedEvent());
 
             ApplicationPipelines.OnError.AddItemToEndOfPipeline(container.Resolve<NzbDroneErrorPipeline>().HandleException);

UI/Mixins/jquery.ajax.js

@@ -21,11 +21,8 @@ define(function () {
                 delete xhr.data;
             }
             if (xhr) {
-                if (!xhr.headers) {
+                xhr.headers = xhr.headers || {};
-                    xhr.headers = {};
+                xhr.headers['Authorization'] = window.NzbDrone.ApiKey;
-                }
-
-                xhr.headers["ApiKey"] = window.NzbDrone.ApiKey;
             }
 
             return original.apply(this, arguments);

UI/ServerStatus.js

@@ -5,7 +5,7 @@ var statusText = $.ajax({
     url  : window.NzbDrone.ApiRoot + '/system/status',
     async: false,
     headers: {
-        ApiKey: window.NzbDrone.ApiKey
+        Authorization: window.NzbDrone.ApiKey
     }
 }).responseText;
 

UI/index.html

@@ -62,7 +62,7 @@
 </body>
 
 <script type="text/javascript">
-    window.NzbDrone = {};
+    window.NzbDrone = window.NzbDrone || {};
     window.NzbDrone.ApiKey = 'API_KEY';
 </script>