TsgcWSAPIKeyManager › Methods › IsRequestAuthorized
One-shot authorization check: extracts the key from headers or query string and validates it.
```pascal
function IsRequestAuthorized(const aHeaders: string; const aQueryString: string = '';
  const aIP: string = ''; const aRequiredScope: string = ''): Boolean;
```
| Name | Type | Description |
|---|---|---|
| aHeaders | const string | Raw HTTP header block (typically Connection.HeadersRequest.Text). ExtractKeyFromHeaders reads Validation.HeaderName (X-API-Key by default) from it. |
| aQueryString | const string | Raw query string (or full URL). Used as a fallback when the header is absent: ExtractKeyFromQuery reads Validation.QueryParamName (api_key by default). |
| aIP | const string | Requester IP used for the Validation.IPAllowlist check and recorded on the audit entry. |
| aRequiredScope | const string | Optional scope the key must carry (leave empty for a presence-only check). |
Returns (Boolean): True when a key was found in the headers or query string and passed ValidateKey under the given scope and IP constraints; False otherwise (no key present, key invalid, revoked or expired, required scope not granted, IP not allowlisted, or RequireHTTPS not satisfied).
The recommended integration point — call it from the server's OnConnect event where Connection.HeadersRequest is first populated. Combines ExtractKeyFromHeaders / ExtractKeyFromQuery with ValidateKey in one call, honouring Validation.RequireHTTPS (header block must contain evidence of HTTPS transport), Validation.IPAllowlist and Validation.FailClosed. Returns False (and appends a kaaValidationFailed audit entry) whenever no key can be located — exactly what FailClosed demands. Disconnect the client when this returns False.
```pascal
procedure TForm1.WSServerConnect(Connection: TsgcWSConnection);
begin
  if not sgcWSAPIKeyManager1.IsRequestAuthorized(
    Connection.HeadersRequest.Text, Connection.URL, Connection.IP, 'read:orders') then
    Connection.Disconnect;
end;
```
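To make the decision order described above concrete (header first, query string as fallback, no key means deny, then HTTPS evidence, IP allowlist, revocation and scope), here is an added reference model of that logic in Python. It is not the sgcWebSockets component or its API; the in-memory key store, the header parsing and the "HTTPS evidence in the header block" substring rule are assumptions made for illustration only.

```python
# Added example: a reference model of the checks IsRequestAuthorized is documented
# to perform. Not the sgcWebSockets implementation; KEYS and the HTTPS-evidence
# rule are assumptions for illustration.
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# Constructed sample key store: key -> (granted scopes, revoked flag).
KEYS = {
    "k-orders-ro": ({"read:orders"}, False),
    "k-revoked":   ({"read:orders"}, True),
}

@dataclass
class Validation:
    header_name: str = "X-API-Key"       # mirrors Validation.HeaderName default
    query_param_name: str = "api_key"    # mirrors Validation.QueryParamName default
    require_https: bool = False          # mirrors Validation.RequireHTTPS
    ip_allowlist: set = field(default_factory=set)  # mirrors Validation.IPAllowlist; empty = any IP

def extract_key_from_headers(headers: str, name: str) -> str:
    """Return the value of header `name` (case-insensitive) from a raw header block."""
    for line in headers.splitlines():
        k, sep, v = line.partition(":")
        if sep and k.strip().lower() == name.lower():
            return v.strip()
    return ""

def extract_key_from_query(query: str, name: str) -> str:
    """Accept a bare query string or a full URL/path and return parameter `name`."""
    qs = urlsplit(query).query if "?" in query else query
    return parse_qs(qs).get(name, [""])[0]

def is_request_authorized(v: Validation, headers: str, query: str = "",
                          ip: str = "", required_scope: str = "") -> bool:
    key = (extract_key_from_headers(headers, v.header_name)
           or extract_key_from_query(query, v.query_param_name))
    if not key:                 # no key anywhere: fail closed (kaaValidationFailed audit)
        return False
    if v.require_https and "https" not in headers.lower():  # assumed evidence rule
        return False
    if v.ip_allowlist and ip not in v.ip_allowlist:
        return False
    scopes, revoked = KEYS.get(key, (set(), True))   # unknown key treated as revoked
    if revoked:
        return False
    return not required_scope or required_scope in scopes
```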