public string CreateToken(SecurityTokenRequest request)
{
var tokenHandler = new JwtSecurityTokenHandler();
var identity = CreateIdentity(request);
var symmetricKey = Options.Security.SecretKey;
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = identity,
Issuer = Options.Security.Issuer,
IssuedAt = DateTime.UtcNow,
NotBefore = DateTime.UtcNow,
Expires = DateTime.UtcNow.AddSeconds(request.Duration ?? Options.Security.Duration),
// Create Signing Credentials
// Param 1 : signing key
// Param 2 : signature algorithm
// Param 3 : digest algorithm
SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(Encoding.ASCII.GetBytes(symmetricKey)), Options.Security.Algorithm)
};
var token = tokenHandler.CreateToken(tokenDescriptor);
return(tokenHandler.WriteToken(token));
}
public ClaimsPrincipal CreateSystemPrincipal(Guid siteId)
{
var request = new SecurityTokenRequest
{
Name = "system",
SiteId = siteId
};
var identity = CreateIdentity(request);
return(new ClaimsPrincipal(identity));
}
private ClaimsIdentity CreateIdentity(SecurityTokenRequest request)
{
var claims = new List <Claim>();
if (!string.IsNullOrEmpty(request.Name))
{
claims.Add(new Claim(ClaimTypes.Name, request.Name, ClaimValueTypes.String));
}
if (request.Id != null)
{
claims.Add(new Claim("userId", request.Id.ToString(), ClaimValueTypes.String));
}
if (request.PersonId != null)
{
claims.Add(new Claim("personId", request.PersonId.ToString(), ClaimValueTypes.String));
}
if (request.SiteId != null)
{
claims.Add(new Claim("siteId", request.SiteId.ToString(), ClaimValueTypes.String));
}
if (request.SuperUser)
{
claims.Add(new Claim("superUser", request.SuperUser.ToString(), ClaimValueTypes.Boolean));
}
if (request.Roles != null)
{
foreach (var role in request.Roles)
{
claims.Add(new Claim("roleId", role.ToString(), ClaimValueTypes.String));
}
}
return(new ClaimsIdentity(claims, "PIPware"));
}
public async Task <ClaimsPrincipal> CreatePrincipalAsync(Guid userId)
{
var user = await DataContext.Users
.Include(x => x.Person)
.FirstOrDefaultAsync(x => x.Id == userId);
if (user == null)
{
return(null);
}
var request = new SecurityTokenRequest
{
Id = user.Id,
Name = user.Person.Name,
PersonId = user.PersonId,
//Roles = user.Person.
};
var identity = CreateIdentity(request);
return(new ClaimsPrincipal(identity));
}
public async Task <AuthenticateResponse> AuthenticateAsync(AuthenticateRequest request)
{
var criteria = new UserCriteria {
UserName = request.Email, Deleted = false
};
var user = await DataContext.Users.Query(criteria)
.Include(x => x.Person)
.FirstOrDefaultAsync();
// User does not exist
if (user == null)
{
await CreateLoginHistory(null, request.Email, request.DomainName, request.SuperUser, LoginResults.InvalidUserName);
throw new AuthenticateException {
UserName = request.Email, Reason = AuthenticateFailureReason.InvalidCredentials
};
}
// User is flagged as a system account
if (user.Flags.HasFlag(UserFlags.SystemAccount))
{
await CreateLoginHistory(user.Id, request.Email, request.DomainName, request.SuperUser, LoginResults.SystemAccount);
throw new AuthenticateException {
UserName = request.Email, Reason = AuthenticateFailureReason.SystemAccount
};
}
// User is flagged as disabled
if (user.Flags.HasFlag(UserFlags.Disabled))
{
await CreateLoginHistory(user.Id, request.Email, request.DomainName, request.SuperUser, LoginResults.Disabled);
throw new AuthenticateException {
UserName = request.Email, Reason = AuthenticateFailureReason.Disabled
};
}
if (user.Password == null || user.PasswordSalt == null)
{
await CreateLoginHistory(user.Id, request.Email, request.DomainName, request.SuperUser,
LoginResults.PasswordNotSet);
throw new AuthenticateException
{
UserName = request.Email,
Reason = AuthenticateFailureReason.InvalidCredentials
};
}
var hasPasswordBug = user.Flags.HasFlag(UserFlags.PasswordBug);
if (request.Password == null)
{
request.Password = "";
}
var checkPassword =
PasswordHelper.EncryptPassword(request.Password, user.PasswordSalt, hasPasswordBug);
if (user.Password != checkPassword)
{
await CreateLoginHistory(user.Id, request.Email, request.DomainName, request.SuperUser,
LoginResults.InvalidPassword);
await ProcessFailedLoginAttemptAsync(user);
throw new AuthenticateException
{
UserName = request.Email,
Reason = AuthenticateFailureReason.InvalidCredentials
};
}
// Check if the account is locked out
if (user.Flags.HasFlag(UserFlags.Locked))
{
await CreateLoginHistory(user.Id, request.Email, request.DomainName, request.SuperUser, LoginResults.LockedOut);
var locked = CheckLockoutDurationAsync(user);
if (locked)
{
throw new AuthenticateException
{
UserName = user.UserName,
Reason = AuthenticateFailureReason.LockedOut
};
}
}
// Set values for successful authentication
user.LastLoginDate = DateTime.UtcNow;
user.FailedPasswordCount = 0;
user.Flags &= ~UserFlags.Locked;
user.LockoutDate = null;
await DataContext.SaveChangesAsync();
// Get the person roles
var roles = await DataContext.PersonRoles
.AsNoTracking()
.Where(x => x.PersonId == user.PersonId && !x.Deleted && !x.Role.Deleted)
.Select(x => x.Role)
.ToArrayAsync();
var tokenRequest = new SecurityTokenRequest
{
Id = user.Id,
PersonId = user.PersonId,
Name = user.UserName,
SuperUser = request.SuperUser,
Roles = roles.Select(r => r.Id).Distinct().ToArray()
};
var token = SecurityProvider.CreateToken(tokenRequest);
// Get the list of permissions
IEnumerable <string> permissions = new List <string>();
foreach (var role in roles)
{
var rolePermissions = JsonConvert.DeserializeObject <string[]>(role.Permissions);
permissions = permissions.Union(rolePermissions);
}
// Convert roles to string array
var roleValues = roles.Select(x => x.Id.ToString()).ToArray();
return(new AuthenticateResponse
{
UserId = user.Id,
PersonId = user.PersonId,
Name = user.UserName,
DisplayName = user.Person?.Name,
PersonPositionName = "",
Token = token,
Roles = roleValues,
Permissions = permissions.ToArray(),
});
}
