public virtual async Task <JwtSignInResult> TwoFactorRecoveryCodeSignInAsync(string recoveryCode)
{
var twoFactorInfo = RetrieveTwoFactorInfoAsync();
if (twoFactorInfo == null || twoFactorInfo.UserId == null)
{
return(JwtSignInResult.Failed());
}
var user = await UserManager.FindByIdAsync(twoFactorInfo.UserId);
if (user == null)
{
return(JwtSignInResult.Failed());
}
var result = await UserManager.RedeemTwoFactorRecoveryCodeAsync(user, recoveryCode);
if (result.Succeeded)
{
return(await DoTwoFactorSignInAsync(user, twoFactorInfo, rememberClient : false));
}
// We don't protect against brute force attacks since codes are expected to be random.
return(JwtSignInResult.Failed());
}
public virtual async Task <JwtSignInResult> RefreshTokenAsync(string refreshToken)
{
var result = _tokenFactoryService.ValidateAndGetRefreshTokenUserIdAndSecurity(refreshToken);
if (result.UserId == null || result.SecurityStamp == null)
{
return(JwtSignInResult.Failed("invalid token"));
}
var user = await UserManager.FindByIdAsync(result.UserId);
if (user == null || !await ValidateSecurityStampAsync(user, result.SecurityStamp))
{
return(JwtSignInResult.Failed("token expired"));
}
IList <Claim> additionalClaims;
if (!string.IsNullOrEmpty(result.AmrCliam))
{
additionalClaims = new List <Claim>();
additionalClaims.Add(new Claim("amr", result.AmrCliam));
}
else
{
additionalClaims = Array.Empty <Claim>();
}
var tokens = await SignInWithClaimsAsync(user, additionalClaims);
return(JwtSignInResult.Success(tokens));
}
public virtual async Task <JwtSignInResult> TwoFactorSignInAsync(string provider, string code, bool rememberClient = false)
{
if (rememberClient)
{
throw new NotSupportedException(nameof(rememberClient));
}
var twoFactorInfo = RetrieveTwoFactorInfoAsync();
if (twoFactorInfo == null || twoFactorInfo.UserId == null)
{
return(JwtSignInResult.Failed());
}
var user = await UserManager.FindByIdAsync(twoFactorInfo.UserId);
if (user == null)
{
return(JwtSignInResult.Failed());
}
var error = await PreSignInCheck(user);
if (error != null)
{
return(error);
}
if (await UserManager.VerifyTwoFactorTokenAsync(user, provider, code))
{
return(await DoTwoFactorSignInAsync(user, twoFactorInfo, rememberClient));
}
// If the token is incorrect, record the failure which also may cause the user to be locked out
await UserManager.AccessFailedAsync(user);
return(JwtSignInResult.Failed());
}
public virtual async Task <JwtSignInResult> PasswordSignInAsync(string userName, string password, bool isPersistent, bool lockoutOnFailure)
{
TUser val = await UserManager.FindByNameAsync(userName);
if (val == null)
{
return(JwtSignInResult.Failed("invalid user name or password"));
}
return(await PasswordSignInAsync(val, password, isPersistent, lockoutOnFailure));
}
public virtual async Task <JwtSignInResult> CheckPasswordSignInAsync(TUser user, string password, bool lockoutOnFailure)
{
if (user == null)
{
throw new ArgumentNullException(nameof(user));
}
var error = await PreSignInCheck(user);
if (error != null)
{
return(error);
}
if (await UserManager.CheckPasswordAsync(user, password))
{
var alwaysLockout = AppContext.TryGetSwitch("Microsoft.AspNetCore.Identity.CheckPasswordSignInAlwaysResetLockoutOnSuccess", out var enabled) && enabled;
// Only reset the lockout when not in quirks mode if either TFA is not enabled or the client is remembered for TFA.
if (alwaysLockout || !await IsTfaEnabled(user) || await IsTwoFactorClientRememberedAsync(user))
{
await ResetLockout(user);
}
return(JwtSignInResult.Success(null));
}
Logger.LogWarning(2, "User failed to provide the correct password.");
if (UserManager.SupportsUserLockout && lockoutOnFailure)
{
// If lockout is requested, increment access failed count which might lock out the user
await UserManager.AccessFailedAsync(user);
if (await UserManager.IsLockedOutAsync(user))
{
return(await LockedOut(user));
}
}
return(JwtSignInResult.Failed());
}