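public override async Task LoadResource()
        {
            // Step 1: resolve the one-time password-reset token carried by the request.
            // Any HttpError raised while looking it up -- including the NotFound we throw
            // ourselves for a missing/expired token -- is re-thrown with the same status
            // but a uniform InvalidToken body, so the caller learns nothing beyond
            // "token rejected". (The former `?? null` on the lookup was a no-op.)
            try
            {
                var ott = await Context.GetDatabase().TokenForToken(oneTimeToken);

                if (ott == null || !ott.IsValid())
                {
                    throw new HttpError(HttpStatusCode.NotFound, BadPasswordResetResponse.InvalidToken);
                }

                OneTimeToken = ott;
            }
            catch (HttpError httpError)
            {
                throw new HttpError(httpError.Status, BadPasswordResetResponse.InvalidToken);
            }

            // Step 2: the user the token was issued for. A valid token whose user is gone
            // is an inconsistency on our side; it is reported as UserNotFound.
            User = await Load <User>(OneTimeToken.UserId) ??
                   throw new HttpError(HttpStatusCode.BadRequest, BadPasswordResetResponse.UserNotFound);

            // Step 3: the username credential that the reset will overwrite. An HttpError
            // from the lookup is normalised to UserNotFound; a null result (if Load<T>
            // with a predicate returns null rather than throwing -- it is not visible
            // from here which it does) is now treated the same way instead of leaving
            // usernameCredentials unset.
            try
            {
                usernameCredentials = await Load <UsernameCredential>(u => u.UserId == OneTimeToken.UserId);
            }
            catch (HttpError httpError)
            {
                throw new HttpError(httpError.Status, BadPasswordResetResponse.UserNotFound);
            }

            if (usernameCredentials == null)
            {
                throw new HttpError(HttpStatusCode.BadRequest, BadPasswordResetResponse.UserNotFound);
            }
        }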
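        /// <summary>
        /// Authenticates <paramref name="credential"/> against <paramref name="password"/> and
        /// returns the <see cref="User"/> that owns it.
        /// Ordering is deliberate: the lockout check runs before the password check, so a
        /// locked account never has a password evaluated; a wrong password is recorded via
        /// <c>BadPasswordAuthAttempt</c>, which may itself trip the lockout.
        /// </summary>
        /// <param name="db">Database the lockout state, bad-attempt counter and user are read from.</param>
        /// <param name="credential">Stored credential for the username being authenticated.</param>
        /// <param name="password">Clear-text password presented by the caller. Null or empty is always rejected.</param>
        /// <param name="session">Optional database session, forwarded to the lockout lookup.</param>
        /// <returns>The user that owns <paramref name="credential"/>.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="credential"/> is null.</exception>
        /// <exception cref="HttpError">
        /// BadRequest / <c>Locked</c> while the account is locked out; BadRequest /
        /// <c>InvalidCredentials</c> for a wrong (or empty) password; InternalServerError when
        /// the credential points at a user that does not exist.
        /// </exception>
        public static async Task <User> UserForUsernameCredential(this Database db, UsernameCredential credential, string password, Database.Session?session = null)
        {
            if (credential is null)
            {
                throw new ArgumentNullException(nameof(credential));
            }

            DateTime?until = await db.UserLockedOut(credential.UserId !, session);

            if (until != null)
            {
                throw new HttpError(HttpStatusCode.BadRequest, BadUserAuthResponse.Locked(until.GetValueOrDefault()));
            }

            // An empty password is handled exactly like a wrong one (counted, logged, same
            // response) rather than relying on IsValidPassword to cope with it; this keeps a
            // null/empty submission from escaping the bad-attempt accounting.
            if (string.IsNullOrEmpty(password) || !credential.IsValidPassword(password))
            {
                // NOTE(review): `session` is not forwarded here or to db.Get below, unlike
                // UserLockedOut above -- confirm whether those calls accept one.
                var lockedOut = await db.BadPasswordAuthAttempt(credential.UserId !);

                if (lockedOut)
                {
                    // No log line here: BadPasswordLockout.BadAuthAttempt() already logged the lockout.
                    BadAuthCounter.Labels("UserLockedOut").Inc();
                }
                else
                {
                    db.logger.LogInformation("{UserId} InvalidPassword", credential.UserId);
                    BadAuthCounter.Labels("InvalidPassword").Inc();
                }

                // Same response whether the password was merely wrong or this attempt tripped
                // the lockout; the caller cannot distinguish the two from this reply.
                throw new HttpError(HttpStatusCode.BadRequest, BadUserAuthResponse.InvalidCredentials);
            }

            var user = await db.Get <User>(credential.UserId !);

            if (user == null)
            {
                // A credential row whose user is missing is a data-integrity fault on our side,
                // not a client error, so it is logged at Error and surfaced as a 500.
                db.logger.LogError("{UserId} UserNotFound from credential", credential.UserId);
                BadAuthCounter.Labels("UserNotFound").Inc();
                throw new HttpError(HttpStatusCode.InternalServerError);
            }

            return(user);
        }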