protected async Task ValidateSecret(TClient client, TokenRequest tokenRequest, ClientCredentials clientCredentials)
{
if (tokenRequest.ClientId.IsNullOrEmpty())
{
throw new ArgumentNullException(nameof(tokenRequest.ClientId), tokenRequest.GetTypeName());
}
clientCredentials.Validate();
if (client?.Secrets.Count() <= 0)
{
throw new OAuthRequestException($"Invalid client secret. Secret not configured for client id '{tokenRequest.ClientId}'.")
{
RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidGrant
};
}
foreach (var secret in client.Secrets)
{
if (await secretHashLogic.ValidateSecretAsync(secret, clientCredentials.ClientSecret))
{
logger.ScopeTrace($"Down, OAuth Client id '{tokenRequest.ClientId}. Client secret valid.", triggerEvent: true);
return;
}
}
throw new OAuthRequestException($"Invalid client secret for client id '{tokenRequest.ClientId}'.")
{
RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidGrant
};
}
public async Task <User> ValidateUser(string email, string password)
{
logger.ScopeTrace($"Validating user '{email}', Route '{RouteBinding.Route}'.");
ValidateEmail(email);
var id = await User.IdFormat(new User.IdKey {
TenantName = RouteBinding.TenantName, TrackName = RouteBinding.TrackName, Email = email
});
var user = await tenantRepository.GetAsync <User>(id, false);
if (user == null)
{
await secretHashLogic.ValidateSecretDefaultTimeUsageAsync(password);
throw new UserNotExistsException($"User '{email}' do not exist."); // UI message: Wrong email or password / Your email was not found
}
logger.ScopeTrace($"User '{email}' exists, with user id '{user.UserId}'.");
if (await secretHashLogic.ValidateSecretAsync(user, password))
{
logger.ScopeTrace($"User '{email}', password valid.", triggerEvent: true);
return(user);
}
else
{
throw new InvalidPasswordException($"Password invalid, user '{email}'."); // UI message: Wrong email or password / Wrong password
}
}
public async Task <User> ValidateTwoFactorAppRecoveryCodeUser(string email, string twoFactorAppRecoveryCode)
{
logger.ScopeTrace(() => $"Validating two-factor app recovery code user '{email}', Route '{RouteBinding?.Route}'.");
var id = await User.IdFormat(new User.IdKey {
TenantName = RouteBinding.TenantName, TrackName = RouteBinding.TrackName, Email = email
});
var user = await tenantRepository.GetAsync <User>(id, required : false);
if (user == null || user.DisableAccount)
{
throw new UserNotExistsException($"User '{user.Email}' do not exist or is disabled, trying to validate two-factor app recovery code.");
}
if (user.TwoFactorAppRecoveryCode == null)
{
throw new UserNotExistsException($"User '{user.Email}' do not have a two-factor app recovery code, trying to validate two-factor app recovery code.");
}
if (await secretHashLogic.ValidateSecretAsync(user.TwoFactorAppRecoveryCode, twoFactorAppRecoveryCode))
{
logger.ScopeTrace(() => $"User '{email}' two-factor app recovery code is valid.", triggerEvent: true);
return(user);
}
else
{
throw new InvalidRecoveryCodeException($"Two-factor app recovery code invalid, user '{email}'.");
}
}