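        /// <summary>
        /// Resolves the presented access code to an <see cref="AccessToken"/> and, when that token is usable,
        /// records the owning user, the application and the user's granted scopes in
        /// <see cref="HttpContext.Items"/> ("User", "Application", "Scopes") for downstream handlers.
        /// An unknown, revoked or expired token leaves the context untouched, so the request continues
        /// unauthenticated rather than failing here.
        /// </summary>
        /// <param name="context">Request context whose Items dictionary receives the resolved identity.</param>
        /// <param name="accessCode">Access token code presented by the caller.</param>
        /// <param name="accessTokenService">Lookup used to resolve the code to a token.</param>
        /// <param name="userApplicationService">Lookup used to resolve the user/application consent record.</param>
        private async Task AttachUserToContext(HttpContext context, string accessCode,
                                               IAccessTokenService accessTokenService, IUserApplicationService userApplicationService)
        {
            // No code presented: nothing can be attached, and there is no point asking the store to match "".
            if (string.IsNullOrEmpty(accessCode))
            {
                return;
            }

            AccessToken accessToken = await accessTokenService.FindByCodeAsync(accessCode);

            // A code that does not resolve must behave like an invalid token, not throw a NullReferenceException
            // out of the authentication path.
            if (accessToken == null)
            {
                return;
            }

            // NOTE(review): the expiry check compares against the server's local clock; confirm ExpiresAt is
            // stored in the same zone (DateTime.UtcNow would be the safer default if ExpiresAt is UTC).
            if (accessToken.Revoked || DateTime.Now > accessToken.ExpiresAt)
            {
                return;
            }

            context.Items["User"]        = accessToken.User;
            context.Items["Application"] = accessToken.Application;

            // A token with no Application has no scope list to resolve.
            if (accessToken.Application == null)
            {
                return;
            }

            UserApplication userApplication =
                await userApplicationService.FindByUserAndApplicationAsync(accessToken.User,
                                                                           accessToken.Application);

            // NOTE(review): when no consent record exists the user and application remain attached but "Scopes"
            // is never populated; any downstream scope check must treat a missing "Scopes" entry as "no scopes".
            if (userApplication == null)
            {
                return;
            }

            List<Scope> grantedScopes = new List<Scope>();

            foreach (UserApplicationScope link in userApplication.Scopes)
            {
                grantedScopes.Add(link.Scope);
            }

            context.Items["Scopes"] = grantedScopes;
        }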
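        /// <summary>
        /// Issues an OAuth authorisation code for the authenticated user and the application named in the
        /// consent form. A code is minted only when a user/application consent record already exists; without
        /// one the request is refused with 403, since an application must not link to an account without the
        /// user's explicit consent.
        /// </summary>
        /// <param name="vm">Consent form carrying the application's GUID (not its client id).</param>
        /// <returns>
        /// 400 for a failed model validation or an unknown application, 401 when no user is attached to the
        /// request, 403 when the user has not consented to the application, otherwise 200 with the new code.
        /// </returns>
        public async Task <IActionResult> GenerateAuthorisationCode([FromBody] ConsentViewModel vm)
        {
            if (!ModelState.IsValid)
            {
                return(new JsonResult(new
                {
                    status = 400,
                    message = "Validation failed",
                    data = ModelState
                })
                {
                    StatusCode = StatusCodes.Status400BadRequest
                });
            }

            /*
             * The authenticating middleware attaches "User" only for a valid access token. Without a user there
             * is nobody to consent, so refuse before touching the application store - an unauthenticated caller
             * gets no signal about which application ids exist, and a null user never reaches the lookups below.
             */
            if (!(HttpContext.Items["User"] is User user))
            {
                return(new JsonResult(new
                {
                    status = 401,
                    message = "Authentication required"
                })
                {
                    StatusCode = StatusCodes.Status401Unauthorized
                });
            }

            Application application = await _applicationService.FindAsync(vm.ApplicationId);

            if (application == null)
            {
                return(new JsonResult(new
                {
                    status = 400,
                    message =
                        "Invalid application id specified - please provide the application's GUID and not it's client id"
                })
                {
                    StatusCode = StatusCodes.Status400BadRequest
                });
            }

            /*
             * The application id is legitimate and the user is logged in - indicating they have instructed us to
             * generate an authorisation code for this application to access their account.
             *
             * That claim must be validated: if there is no user application record, the user has likely not been
             * through the OAuth prompt and this request is dropped as malicious.
             */
            UserApplication userApplication =
                await _userApplicationService.FindByUserAndApplicationAsync(user, application);

            if (userApplication == null)
            {
                // The body's status mirrors the HTTP status so API clients reading either see the same outcome.
                return(new JsonResult(new
                {
                    status = 403,
                    message = "No user application link found - applications are not allowed to link to accounts " +
                              "without explicit user consent!"
                })
                {
                    StatusCode = StatusCodes.Status403Forbidden
                });
            }

            /*
             * NOTE(review): the code is handed back in the response body rather than via a redirect, so its binding
             * to the client's registered redirect URI (and any PKCE challenge) is not visible here - confirm that
             * happens at the code-exchange step, otherwise a code obtained from this response is usable by anyone
             * holding the client credentials.
             */
            AuthorisationCode authCode = await _authorisationCodeService.CreateAsync(user, application);

            /*
             * The user has consented to this application getting access to their account and an authorisation
             * code has been created; mark the link as authorised and send the code back to the client.
             */
            await _userApplicationService.AuthoriseApplicationAsync(user, application);

            return(Ok(new
            {
                status = 200,
                message = "Authorisation code generated successfully",
                data = new
                {
                    authorisationCode = authCode.Code
                }
            }));
        }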