public override async Task OnAuthorizationAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
{
var identity = actionContext.RequestContext.Principal.Identity as ClaimsIdentity;
// User has not authenticated / signed in
if (identity != null && !identity.IsAuthenticated)
{
var requestErrorModel = new ResponseErrorModel
{
Error = Core.Constants.ErrorCodes.Unauthorized,
ErrorDescription = "not authorized for request"
};
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, new List <ResponseErrorModel> {
requestErrorModel
});
}
else if (identity != null && !identity.HasClaim(ClaimType, ClaimValue))
{
Log.Logger
.ForContext <ClaimAuthorizeAttribute>()
.Information("({eventCode:l}) {user} does not have claim {claimType}.{claimValue}", EventCodes.Authorization, identity.Name, ClaimType, ClaimValue);
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
}
// Implicit authentication will need to verify if user is either locked or need verification
if (identity?.Name != null)
{
await ValidateUser(actionContext, identity);
}
}
public async Task <IActionResult> Login(LoginRequestDto request)
{
var encryptedPassword = _cryptographer.Encrypt(request.Password);
request.Password = encryptedPassword;
var resultData = await _authenticationService.Login(request);
if (!resultData.IsSuccessfulLogin)
{
var responseErrorModel = new ResponseErrorModel(400, "Incorrect Username or Password");
return(BadRequest(responseErrorModel));
}
var token = BuildToken(resultData);
return(Ok(token));
}
public static ResponseErrorModel ToModel(this ModelError error, string field)
{
var model = new ResponseErrorModel {
Field = field
};
var codedMessage = error.ErrorMessage.Split(new[] { "::" }, StringSplitOptions.RemoveEmptyEntries);
if (codedMessage.Length == 2)
{
model.Error = codedMessage[0];
model.ErrorDescription = codedMessage[1];
}
else
{
model.ErrorDescription = error.ErrorMessage;
}
return(model);
}
public static List <ResponseErrorModel> ToRequestErrorModel(this string message)
{
var model = new ResponseErrorModel();
var codedMessage = message.Split(new[] { "::" }, StringSplitOptions.RemoveEmptyEntries);
if (codedMessage.Length == 2)
{
model.Error = codedMessage[0];
model.ErrorDescription = codedMessage[1];
}
else
{
model.ErrorDescription = message;
}
return(new List <ResponseErrorModel> {
model
});
}
public async void OnException(ExceptionContext context)
{
context = context ?? throw new ArgumentNullException(nameof(context));
if (context.Exception is KeyNotFoundException)
{
var response = new ResponseErrorModel(404, context.Exception.Message);
var responseJson = JsonConvert.SerializeObject(response);
var responseBytes = Encoding.UTF8.GetBytes(responseJson);
context.HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
context.HttpContext.Response.ContentType = "application/json";
context.HttpContext.Response.ContentLength = responseBytes.Length;
await HttpResponseWritingExtensions.WriteAsync(context.HttpContext.Response, responseJson);
context.ExceptionHandled = true;
return;
}
}
private static Task HandleExceptionAsync(HttpContext context, Exception exception) //, ILogger logger)
{
var code = HttpStatusCode.InternalServerError; // 500 if unexpected
ResponseErrorModel rem;
if (exception is DomainValidationException validationException)
{
rem = new ResponseErrorModel()
{
ErrorCode = validationException.ErrorCode, ErrorMessage = validationException.Message
};
code = HttpStatusCode.BadRequest;
}
else if (exception is DomainEntityNotFoundException notFoundException)
{
rem = new ResponseErrorModel()
{
ErrorCode = notFoundException.Code, ErrorMessage = notFoundException.Message
};
code = HttpStatusCode.NotFound;
}
else
{
rem = new ResponseErrorModel()
{
ErrorCode = code.ToString(), ErrorMessage = exception.Message
};
}
//if (exception is BadRequestException) code = HttpStatusCode.BadRequest;
//else if (exception is MyUnauthorizedException) code = HttpStatusCode.Unauthorized;
//else if (exception is MyException) code = HttpStatusCode.BadRequest;
//logger.LogError(exception, exception.Message);
var result = JsonConvert.SerializeObject(rem);
context.Response.ContentType = "application/json";
context.Response.StatusCode = (int)code;
return(context.Response.WriteAsync(result));
}
private async Task ValidateUser(HttpActionContext context, ClaimsIdentity identity)
{
// Check if log in user needs to be verify or inactive
var container = context.Request.GetOwinContext().GetAutofacLifetimeScope();
var userService = container.Resolve <IUserService>();
var user = await userService.GetUserByNameAsync(identity.Name);
if (!user.IsActive)
{
Log.Logger
.ForContext <ClaimAuthorizeAttribute>()
.Information("({eventCode:l}) {user} is not active.", EventCodes.UserDisabled, identity.Name);
var requestErrorModel = new ResponseErrorModel
{
Error = EventCodes.UserDisabled,
ErrorDescription = "User has been disabled."
};
context.Response = context.Request.CreateResponse(HttpStatusCode.Unauthorized, new List <ResponseErrorModel> {
requestErrorModel
});
}
else if (user.IsVerifyRequired)
{
Log.Logger
.ForContext <ClaimAuthorizeAttribute>()
.Information("({eventCode:l}) {user} need a verification.", EventCodes.RequireVerification, identity.Name);
var requestErrorModel = new ResponseErrorModel
{
Error = EventCodes.RequireVerification,
ErrorDescription = "User verification is required."
};
context.Response = context.Request.CreateResponse(HttpStatusCode.Unauthorized, new List <ResponseErrorModel> {
requestErrorModel
});
}
}
public override void OnAuthorization(HttpActionContext actionContext)
{
var identity = actionContext.RequestContext.Principal.Identity as ClaimsIdentity;
if (identity != null && !identity.IsAuthenticated)
{
var requestErrorModel = new ResponseErrorModel
{
Error = Core.Constants.ErrorCodes.Unauthorized,
ErrorDescription = "not authorized for request"
};
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, new List <ResponseErrorModel> {
requestErrorModel
});
}
else if (identity != null && !identity.HasClaim(ClaimType, ClaimValue))
{
Log.Logger
.ForContext <ClaimAuthorizeAttribute>()
.Information("({eventCode:l}) {user} does not have claim {claimType}.{claimValue}", EventCodes.Authorization, identity.Name, ClaimType, ClaimValue);
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
}
}
public HttpResponseException(HttpStatusCode statusCode, ResponseErrorModel error)
{
StatusCode = statusCode;
Error = error;
}
public ConflictException(string message)
: base(message)
{
this.ResponseErrorModel = new ResponseErrorModel(409, message);
}
