        /// <summary>
        /// Admin entry point: issues a password-reset token for the user named in <paramref name="parameters"/>.
        /// The caller must hold <c>AuthenticationServiceClaims.GeneratePasswordResetTokenClaim</c>; the permission
        /// check runs before <c>parameters.Validate()</c>, so an unauthorized caller does not get validation errors back.
        /// </summary>
        /// <param name="parameters">Target user name and optional token lifetime; must not be null.</param>
        /// <returns>The reset token produced by <c>GeneratePasswordResetTokenInternal</c>.</returns>
        /// <exception cref="ClientException">Thrown when <paramref name="parameters"/> is null.</exception>
        public string GeneratePasswordResetToken(GeneratePasswordResetTokenParameters parameters)
        {
            if (parameters == null)
                throw new ClientException("It is not allowed to call this authentication service method with no parameters provided.");

            // NOTE(review): the user name is traced before the permission check, so an unauthenticated caller
            // can place arbitrary text in the Trace log (useful for detection, but sanitise if logs are parsed).
            _logger.Trace(() => "GeneratePasswordResetToken: " + parameters.UserName);

            // Authorization first, input validation second.
            CheckPermissions(AuthenticationServiceClaims.GeneratePasswordResetTokenClaim);
            parameters.Validate();

            string token = GeneratePasswordResetTokenInternal(parameters);
            return token;
        }
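        /// <summary>
        /// Anonymous "forgot password" entry point: generates a reset token for the given user and hands it to
        /// <c>_sendPasswordResetTokenPlugin</c> for delivery. Because the method allows anonymous access, failures
        /// in token generation (unknown user, invalid request) are logged and swallowed so that the response
        /// is the same for known and unknown user names.
        /// </summary>
        /// <param name="parameters">User name plus <c>AdditionalClientInfo</c> forwarded to the plugin; must not be null.</param>
        /// <exception cref="ClientException">Thrown when <paramref name="parameters"/> is null (or by Validate/plugin).</exception>
        /// <exception cref="FrameworkException">Thrown with a generic message for any unexpected error; details go to the log only.</exception>
        /// <remarks>
        /// Security notes:
        /// - Token lifetime comes from app setting "AspNetFormsAuth.SendPasswordResetToken.ExpirationInMinutes" and
        ///   defaults to 1440 (24 hours) when absent. That is a long window for a reset link; deployments should set
        ///   a shorter value.
        /// - UserException/ClientException raised by the plugin are deliberately NOT suppressed. A plugin message that
        ///   depends on account state (e.g. "no e-mail address on file") would reveal account existence to an
        ///   anonymous caller, so plugin authors must keep such messages generic.
        /// - The plugin only runs for existing users, so response time may still differ between known and unknown
        ///   names; no rate limiting is applied in this method (TODO confirm it exists at the transport layer).
        /// </remarks>
        public void SendPasswordResetToken(SendPasswordResetTokenParameters parameters)
        {
            if (parameters == null)
            {
                throw new ClientException("It is not allowed to call this authentication service method with no parameters provided.");
            }
            _logger.Trace("SendPasswordResetToken " + parameters.UserName);
            parameters.Validate();

            const string logErrorFormat = "SendPasswordResetToken failed for {0}: {1}";

            try
            {
                string passwordResetToken;
                try
                {
                    var tokenParameters = new GeneratePasswordResetTokenParameters
                    {
                        UserName = parameters.UserName,
                        // The configured lifetime is machine data, so parse it culture-invariantly (CA1305).
                        // A malformed setting still throws FormatException, which the outer catch logs and
                        // converts into a generic internal error rather than a client-visible detail.
                        TokenExpirationInMinutesFromNow = Int32.Parse(
                            ConfigUtility.GetAppSetting("AspNetFormsAuth.SendPasswordResetToken.ExpirationInMinutes") ?? "1440",
                            System.Globalization.NumberStyles.Integer,
                            System.Globalization.CultureInfo.InvariantCulture)
                    };
                    passwordResetToken = GeneratePasswordResetTokenInternal(tokenParameters);
                }
                // Providing an error information to the client might be a security issue, because this method allows anonymous access.
                // UserException here means "user not registered"; returning silently keeps the reply identical
                // for registered and unregistered names (user-enumeration protection).
                catch (UserException ex)
                {
                    _logger.Trace(logErrorFormat, parameters.UserName, ex);
                    return;
                }
                catch (ClientException ex)
                {
                    _logger.Info(logErrorFormat, parameters.UserName, ex);
                    return;
                }

                // The plugin may choose it's own client error messages (UserException and ClientException will not be suppressed).
                _sendPasswordResetTokenPlugin.Value.SendPasswordResetToken(parameters.UserName, parameters.AdditionalClientInfo, passwordResetToken);
            }
            catch (Exception ex)
            {
                if (ex is UserException || ex is ClientException)
                {
                    ExceptionsUtility.Rethrow(ex);
                }

                // Don't return an internal error to the client. Log it and return a generic error message:
                _logger.Error(logErrorFormat, parameters.UserName, ex);
                throw new FrameworkException(FrameworkException.GetInternalServerErrorMessage(_localizer, ex));
            }
        }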
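        /// <summary>
        /// Shared implementation behind <c>GeneratePasswordResetToken</c> (authorized admin call) and
        /// <c>SendPasswordResetToken</c> (anonymous call): checks that the user is registered, lazily creates the
        /// membership account, then asks <c>WebSecurity</c> for a reset token.
        /// </summary>
        /// <param name="parameters">Target user name and token lifetime in minutes; 0 selects the default lifetime.</param>
        /// <returns>The token from <c>WebSecurity.GeneratePasswordResetToken</c>.</returns>
        /// <exception cref="UserException">Thrown when the user name is not registered.</exception>
        /// <remarks>
        /// The "not registered" message names the user. That is fine for the admin entry point, but this method is
        /// also reached from the anonymous SendPasswordResetToken path, which relies on catching and suppressing this
        /// exception. Any new caller that lacks GeneratePasswordResetTokenClaim must do the same, or the message becomes
        /// a user-enumeration oracle.
        /// </remarks>
        private string GeneratePasswordResetTokenInternal(GeneratePasswordResetTokenParameters parameters)
        {
            // Naming the user here is acceptable only because callers without the admin claim
            // (GeneratePasswordResetTokenClaim) suppress this exception instead of returning it to the client.
            if (!WebSecurity.UserExists(parameters.UserName))
            {
                throw new UserException("User '{0}' is not registered.", new[] { parameters.UserName }, null, null);
            }

            if (!IsAccountCreated(parameters.UserName))
            {
                _logger.Trace(() => "GeneratePasswordResetTokenInternal creating security account: " + parameters.UserName);

                // The account needs some password before a reset token can be issued. Nobody is ever told this
                // value, so it is a placeholder that must be unguessable. Guid.NewGuid() is not documented as a
                // cryptographically secure source, so the placeholder is drawn from the platform CSPRNG instead.
                var placeholderPasswordBytes = new byte[16];
                using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
                {
                    rng.GetBytes(placeholderPasswordBytes);
                }
                // 32 hex characters: a subset of the character set of the GUID string used previously, so any
                // password charset/length rule that accepted a GUID accepts this too.
                WebSecurity.CreateAccount(parameters.UserName, BitConverter.ToString(placeholderPasswordBytes).Replace("-", ""));
            }

            // 0 means "use the default lifetime"; any other value is passed through unchanged.
            // NOTE(review): negative lifetimes are presumably rejected by parameters.Validate() in the callers — confirm.
            return(parameters.TokenExpirationInMinutesFromNow != 0
                ? WebSecurity.GeneratePasswordResetToken(parameters.UserName, parameters.TokenExpirationInMinutesFromNow)
                : WebSecurity.GeneratePasswordResetToken(parameters.UserName, GeneratePasswordResetTokenParameters.DefaultTokenExpirationInMinutes));
        }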
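        /// <summary>
        /// Anonymous "forgot password" entry point: generates a reset token for the user and hands it to
        /// <c>_sendPasswordResetTokenPlugin</c> for delivery. Token-generation failures (unknown user, invalid
        /// request) are logged and swallowed so the reply does not reveal whether the user name exists.
        /// </summary>
        /// <param name="parameters">User name plus <c>AdditionalClientInfo</c> forwarded to the plugin; must not be null.</param>
        /// <exception cref="ClientException">Thrown when <paramref name="parameters"/> is null (or by Validate/plugin).</exception>
        /// <exception cref="FrameworkException">Thrown with a generic message for any unexpected error; details go to the log only.</exception>
        /// <remarks>
        /// Security notes:
        /// - Token lifetime comes from app setting "AspNetFormsAuth.SendPasswordResetToken.ExpirationInMinutes",
        ///   defaulting to 1440 minutes (24 hours). That is a long reset-link window; configure a shorter value.
        /// - Plugin-raised UserException/ClientException are intentionally passed to the client, so a plugin message
        ///   that depends on account state would leak account existence to an anonymous caller; keep them generic.
        /// - The plugin only runs for existing users, so response timing may still differ; this method applies no
        ///   rate limiting (TODO confirm it exists elsewhere).
        /// </remarks>
        public void SendPasswordResetToken(SendPasswordResetTokenParameters parameters)
        {
            if (parameters == null)
                throw new ClientException("It is not allowed to call this authentication service method with no parameters provided.");
            _logger.Trace("SendPasswordResetToken " + parameters.UserName);
            parameters.Validate();

            const string logErrorFormat = "SendPasswordResetToken failed for {0}: {1}";

            try
            {
                string passwordResetToken;
                try
                {
                    var tokenParameters = new GeneratePasswordResetTokenParameters
                    {
                        UserName = parameters.UserName,
                        // Machine data: parse culture-invariantly (CA1305). A malformed setting still throws
                        // FormatException, which the outer catch logs and masks as a generic internal error.
                        TokenExpirationInMinutesFromNow = Int32.Parse(
                            ConfigUtility.GetAppSetting("AspNetFormsAuth.SendPasswordResetToken.ExpirationInMinutes") ?? "1440",
                            System.Globalization.NumberStyles.Integer,
                            System.Globalization.CultureInfo.InvariantCulture)
                    };
                    passwordResetToken = GeneratePasswordResetTokenInternal(tokenParameters);
                }
                // Providing an error information to the client might be a security issue, because this method allows anonymous access.
                // UserException means "user not registered"; returning silently keeps the reply identical for
                // registered and unregistered names.
                catch (UserException ex)
                {
                    _logger.Trace(logErrorFormat, parameters.UserName, ex);
                    return;
                }
                catch (ClientException ex)
                {
                    _logger.Info(logErrorFormat, parameters.UserName, ex);
                    return;
                }

                // The plugin may choose it's own client error messages (UserException and ClientException will not be suppressed).
                _sendPasswordResetTokenPlugin.Value.SendPasswordResetToken(parameters.UserName, parameters.AdditionalClientInfo, passwordResetToken);
            }
            catch (Exception ex)
            {
                if (ex is UserException || ex is ClientException)
                    ExceptionsUtility.Rethrow(ex);

                // Internal errors are logged in full but only a generic message reaches the (anonymous) client.
                _logger.Error(logErrorFormat, parameters.UserName, ex);
                throw new FrameworkException("Internal server error occurred. See RhetosServer.log for more information.");
            }
        }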
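        /// <summary>
        /// Shared implementation behind the authorized <c>GeneratePasswordResetToken</c> and the anonymous
        /// <c>SendPasswordResetToken</c>: checks that the user is registered, lazily creates the membership
        /// account, then asks <c>WebSecurity</c> for a reset token.
        /// </summary>
        /// <param name="parameters">Target user name and token lifetime in minutes; 0 selects the default lifetime.</param>
        /// <returns>The token from <c>WebSecurity.GeneratePasswordResetToken</c>.</returns>
        /// <exception cref="UserException">Thrown when the user name is not registered.</exception>
        /// <remarks>
        /// The "not registered" message names the user. The anonymous SendPasswordResetToken path relies on catching
        /// and suppressing this exception; any new caller without GeneratePasswordResetTokenClaim must do the same,
        /// otherwise the message becomes a user-enumeration oracle.
        /// </remarks>
        private string GeneratePasswordResetTokenInternal(GeneratePasswordResetTokenParameters parameters)
        {
            // Naming the user is acceptable only because callers without the admin claim
            // (GeneratePasswordResetTokenClaim) suppress this exception instead of returning it to the client.
            if (!WebSecurity.UserExists(parameters.UserName))
                throw new UserException("User '" + parameters.UserName + "' is not registered.");

            if (!IsAccountCreated(parameters.UserName))
            {
                _logger.Trace(() => "GeneratePasswordResetTokenInternal creating security account: " + parameters.UserName);

                // A password is required to create the account, but nobody is ever told it; it must simply be
                // unguessable. Guid.NewGuid() is not documented as cryptographically secure, so use the CSPRNG.
                var placeholderPasswordBytes = new byte[16];
                using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
                {
                    rng.GetBytes(placeholderPasswordBytes);
                }
                // 32 hex characters — a subset of the GUID string's character set, so existing password rules
                // that accepted a GUID accept this too.
                WebSecurity.CreateAccount(parameters.UserName, BitConverter.ToString(placeholderPasswordBytes).Replace("-", ""));
            }

            // 0 means "use the default lifetime"; any other value is passed through unchanged.
            // NOTE(review): negative lifetimes are presumably rejected by parameters.Validate() in the callers — confirm.
            return parameters.TokenExpirationInMinutesFromNow != 0
                ? WebSecurity.GeneratePasswordResetToken(parameters.UserName, parameters.TokenExpirationInMinutesFromNow)
                : WebSecurity.GeneratePasswordResetToken(parameters.UserName, GeneratePasswordResetTokenParameters.DefaultTokenExpirationInMinutes);
        }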
        /// <summary>
        /// Admin entry point for issuing a password-reset token. Requires
        /// <c>AuthenticationServiceClaims.GeneratePasswordResetTokenClaim</c>; the claim is checked before
        /// <c>parameters.Validate()</c>, so unauthorized callers receive no validation feedback.
        /// </summary>
        /// <param name="parameters">Target user name and optional token lifetime; must not be null.</param>
        /// <returns>The reset token from <c>GeneratePasswordResetTokenInternal</c>.</returns>
        /// <exception cref="ClientException">Thrown when <paramref name="parameters"/> is null.</exception>
        public string GeneratePasswordResetToken(GeneratePasswordResetTokenParameters parameters)
        {
            if (parameters == null)
            {
                throw new ClientException("It is not allowed to call this authentication service method with no parameters provided.");
            }

            // NOTE(review): traced before authorization, so unauthenticated input reaches the Trace log.
            _logger.Trace(() => "GeneratePasswordResetToken: " + parameters.UserName);

            CheckPermissions(AuthenticationServiceClaims.GeneratePasswordResetTokenClaim);
            parameters.Validate();

            return (GeneratePasswordResetTokenInternal(parameters));
        }
 /// <summary>
 /// Web action wrapper: rejects a missing request body, then delegates to
 /// <c>_authenticationService.GeneratePasswordResetTokenAsync</c> with the requested user name.
 /// </summary>
 /// <param name="parameters">Request body; only <c>UserName</c> is forwarded to the service.</param>
 /// <returns>The password-reset token produced by the authentication service.</returns>
 /// <remarks>
 /// NOTE(review): no authorization check is visible in this action. A reset token is a credential for the
 /// named account, so an [Authorize]/claim check must exist on the controller, a filter, or inside the
 /// service — confirm before exposing this route. If the parameter type carries a token-expiration field
 /// (as the older service did), it is not forwarded here; the service applies its own lifetime.
 /// </remarks>
 public async Task <string> GeneratePasswordResetToken([FromBody] GeneratePasswordResetTokenParameters parameters)
 {
     ValidateForEmptyParameters(parameters);

     var tokenTask = _authenticationService.GeneratePasswordResetTokenAsync(parameters.UserName);
     return await tokenTask;
 }