Changed filter from resource to authorization, fixed kestrel init exc…

…eption

FileWinSvcWebApi/Controllers/FilesController.cs

@@ -11,10 +11,10 @@ public class FilesController : Controller
         const string FOLDER = @"C:\Temp\";
 
         // GET api/files/test.txt
-        [HttpGet("{id}")]
-        public string Get(string id)
+        [HttpGet("{fileName}")]
+        public string Get([FromRoute] string fileName)
         {
-            string file = Path.Combine(FOLDER, id);
+            string file = Path.Combine(FOLDER, fileName);
             string contents = "";
 
             if (System.IO.File.Exists(file))

FileWinSvcWebApi/OnlyLocalHostAttribute.cs

@@ -5,26 +5,23 @@
 
 namespace FileWinSvcWebApi.Filters
 {
-    public class OnlyLocalHostAttribute : Attribute, IResourceFilter
+    public class OnlyLocalHostAttribute : Attribute, IAuthorizationFilter
     {
         //string _allowedIP = null;
 
-        //public OnlyLocalHostAttribute(string allowedIP)
+        //public OnlyLocalHostFilter(string allowedIP)
         //{
         //    _allowedIP = allowedIP;
         //}
 
-        public void OnResourceExecuting(ResourceExecutingContext context)
+        public void OnAuthorization(AuthorizationFilterContext context)
         {
             // If IP is not localhost, show 403.
-            if (!IPAddress.IsLoopback(context.HttpContext.Connection.RemoteIpAddress))
+            bool isLocalHost = IPAddress.IsLoopback(context.HttpContext.Connection.RemoteIpAddress);
+            if (!isLocalHost)
             {
                 context.Result = new StatusCodeResult((int)HttpStatusCode.Forbidden);
             }
         }
-
-        public void OnResourceExecuted(ResourceExecutedContext context)
-        {
-        }
     }
 }

FileWinSvcWebApi/Program.cs

@@ -2,14 +2,9 @@
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Hosting.WindowsServices;
 using Microsoft.Extensions.Configuration;
-using System;
-using System.Collections.Generic;
 using System.Diagnostics;
 using System.IO;
 using System.Linq;
-using System.ServiceProcess;
-using System.Text;
-using System.Threading.Tasks;
 
 namespace FileWinSvcWebApi
 {
@@ -25,13 +20,17 @@ public static void Main(string[] args)
 
         public static IWebHost BuildWebHost(string[] args)
         {
+            string exePath = Process.GetCurrentProcess().MainModule.FileName;
+            string directoryPath = Path.GetDirectoryName(exePath);
+
             var config = new ConfigurationBuilder()
                .AddJsonFile("hosting.json", optional: false)
                .Build();
 
             var host = WebHost.CreateDefaultBuilder(args)
                 .UseConfiguration(config)
                 //.UseUrls(new ConfigurationBuilder().AddEnvironmentVariables().Build()["server.urls"])
+                .UseContentRoot(directoryPath) // Avoid System.InvalidOperationException.
                 .UseStartup<Startup>()
                 .Build();
 
@@ -47,4 +46,4 @@ public static IWebHost BuildWebHost(string[] args)
             return host;
         }
     }
-}
+}

FileWinSvcWebApi/Startup.cs

@@ -78,4 +78,4 @@ private async Task Echo(WebSocket webSocket)
             await webSocket.CloseAsync(result.CloseStatus.Value, result.CloseStatusDescription, CancellationToken.None);
         }
     }
-}
+}

README.md

@@ -8,9 +8,9 @@
   - Access specialized hardware such as printers, scanners etc.
 - Security:
   - There are three obvious attack vectors (the may be more):
-  - 1. An Internet/Intranet website could try to contact the local server: Cross-domain access would be blocked by the browser by default. CORS should be used to restrict browser access to approved domains (white list), sample included.
-  - 2. A device on the network could try to access the local server: Use a firewall to protect the port on which the local server is running. Also, a sample MVC filter to allow only requests from localhost is included.
-  - 3. Virus/trojan on the local machine could try to access the local server to perform actions as the account running the service. This scenario is more difficult to defend, as the attacker already has a process running on the target machine. A pre-shared key or related cryptographic mechanism involving authentication could be used to avoid this attack.
+  1. An Internet/Intranet website could try to contact the local server: Cross-domain access would be blocked by the browser by default. CORS should be used to restrict browser access to approved domains (white list), sample included.
+  2. A device on the network could try to access the local server: Use a firewall to protect the port on which the local server is running. Also, a sample MVC filter to allow only requests from localhost is included.
+  3. Virus/trojan on the local machine could try to access the local server to perform actions as the account running the service. This scenario is more difficult to defend, as the attacker already has a process running on the target machine. A pre-shared key or related cryptographic mechanism involving authentication could be used to avoid this attack.
 
 ## Steps
 1. Create projects