public IAuthSession CreateSessionFromPayload(IRequest req, JsonObject jwtPayload)
{
AssertJwtPayloadIsValid(jwtPayload);
var sessionId = jwtPayload.GetValue("jid", SessionExtensions.CreateRandomSessionId);
var session = SessionFeature.CreateNewSession(req, sessionId);
session.AuthProvider = Name;
session.PopulateFromMap(jwtPayload);
PopulateSessionFilter?.Invoke(session, jwtPayload, req);
HostContext.AppHost.OnSessionFilter(session, sessionId);
return(session);
}
public void PreAuthenticate(IRequest req, IResponse res)
{
var signature = req.Headers[WebhookEventConstants.SecretSignatureHeaderName];
if (signature.HasValue())
{
if (RequireSecureConnection && !req.IsSecureConnection)
{
throw HttpError.Forbidden(Resources.HmacAuthProvider_NotHttps);
}
var eventName = req.Headers[WebhookEventConstants.EventNameHeaderName];
if (OnGetSecret != null)
{
Secret = OnGetSecret(req, eventName);
}
if (!Secret.HasValue())
{
throw HttpError.Unauthorized(Resources.HmacAuthProvider_IncorrectlyConfigured);
}
var isValidSecret = req.VerifySignature(signature, Secret);
if (!isValidSecret)
{
throw new HttpError(HttpStatusCode.Unauthorized);
}
var requestId = req.Headers[WebhookEventConstants.RequestIdHeaderName];
var userId = requestId.HasValue() ? requestId : Guid.NewGuid().ToString("N");
var username = req.GetUrlHostName();
var sessionId = SessionExtensions.CreateRandomSessionId();
var session = SessionFeature.CreateNewSession(req, sessionId);
session.UserAuthId = userId;
session.UserAuthName = username;
session.UserName = username;
session.IsAuthenticated = true;
session.CreatedAt = SystemTime.UtcNow;
HostContext.AppHost.OnSessionFilter(req, session, sessionId);
req.Items[Keywords.Session] = session;
}
}
private IAuthSession CreateSessionFromPayload(IRequest req, JsonObject jwtPayload)
{
var expiresAt = GetUnixTime(jwtPayload, "exp");
var secondsSinceEpoch = DateTime.UtcNow.ToUnixTime();
if (secondsSinceEpoch >= expiresAt)
{
throw new TokenException(ErrorMessages.TokenExpired);
}
if (InvalidateTokensIssuedBefore != null)
{
var issuedAt = GetUnixTime(jwtPayload, "iat");
if (issuedAt == null || issuedAt < InvalidateTokensIssuedBefore.Value.ToUnixTime())
{
throw new TokenException(ErrorMessages.TokenInvalidated);
}
}
string audience;
if (jwtPayload.TryGetValue("aud", out audience))
{
if (audience != Audience)
{
throw new TokenException("Invalid Audience: " + audience);
}
}
var sessionId = jwtPayload.GetValue("jid", SessionExtensions.CreateRandomSessionId);
var session = SessionFeature.CreateNewSession(req, sessionId);
session.PopulateFromMap(jwtPayload);
if (PopulateSessionFilter != null)
{
PopulateSessionFilter(session, jwtPayload, req);
}
HostContext.AppHost.OnSessionFilter(session, sessionId);
return(session);
}
public object Any(GetAccessToken request)
{
var jwtAuthProvider = (JwtAuthProvider)AuthenticateService.GetRequiredJwtAuthProvider();
if (jwtAuthProvider.RequireSecureConnection && !Request.IsSecureConnection)
{
throw HttpError.Forbidden(ErrorMessages.JwtRequiresSecureConnection.Localize(Request));
}
if (string.IsNullOrEmpty(request.RefreshToken))
{
throw new ArgumentNullException(nameof(request.RefreshToken));
}
JsonObject jwtPayload;
try
{
jwtPayload = jwtAuthProvider.GetVerifiedJwtPayload(Request, request.RefreshToken.Split('.'));
}
catch (ArgumentException)
{
throw;
}
catch (Exception ex)
{
throw new ArgumentException(ex.Message);
}
jwtAuthProvider.AssertJwtPayloadIsValid(jwtPayload);
if (jwtAuthProvider.ValidateRefreshToken != null && !jwtAuthProvider.ValidateRefreshToken(jwtPayload, Request))
{
throw new ArgumentException(ErrorMessages.RefreshTokenInvalid.Localize(Request), nameof(request.RefreshToken));
}
var userId = jwtPayload["sub"];
IAuthSession session;
IEnumerable <string> roles = null, perms = null;
var userSessionSource = AuthenticateService.GetUserSessionSource();
if (userSessionSource != null)
{
session = userSessionSource.GetUserSession(userId);
if (session == null)
{
throw HttpError.NotFound(ErrorMessages.UserNotExists.Localize(Request));
}
roles = session.Roles;
perms = session.Permissions;
}
else if (AuthRepository is IUserAuthRepository userRepo)
{
var userAuth = userRepo.GetUserAuth(userId);
if (userAuth == null)
{
throw HttpError.NotFound(ErrorMessages.UserNotExists.Localize(Request));
}
if (jwtAuthProvider.IsAccountLocked(userRepo, userAuth))
{
throw new AuthenticationException(ErrorMessages.UserAccountLocked.Localize(Request));
}
session = SessionFeature.CreateNewSession(Request, SessionExtensions.CreateRandomSessionId());
session.PopulateSession(userAuth, userRepo);
if (userRepo is IManageRoles manageRoles && session.UserAuthId != null)
{
roles = manageRoles.GetRoles(session.UserAuthId);
perms = manageRoles.GetPermissions(session.UserAuthId);
}
}
else
{
throw new NotSupportedException("JWT RefreshTokens requires a registered IUserAuthRepository or an AuthProvider implementing IUserSessionSource");
}
var accessToken = jwtAuthProvider.CreateJwtBearerToken(Request, session, roles, perms);
var response = new GetAccessTokenResponse
{
AccessToken = accessToken
};
if (request.UseTokenCookie != true)
{
return(response);
}
return(new HttpResult(new GetAccessTokenResponse())
{
Cookies =
{
new Cookie(Keywords.TokenCookie, accessToken, Cookies.RootPath)
{
HttpOnly = true,
Secure = Request.IsSecureConnection,
Expires = DateTime.UtcNow.Add(jwtAuthProvider.ExpireTokensIn),
}
}
});
}
public object Any(GetAccessToken request)
{
var jwtAuthProvider = (MyJwtAuthProvider)AuthenticateService.GetRequiredJwtAuthProvider();
if (jwtAuthProvider.RequireSecureConnection && !Request.IsSecureConnection)
{
throw HttpError.Forbidden(ErrorMessages.JwtRequiresSecureConnection.Localize(Request));
}
if (string.IsNullOrEmpty(request.RefreshToken))
{
throw new ArgumentNullException(nameof(request.RefreshToken));
}
JsonObject jwtPayload;
try
{
jwtPayload = jwtAuthProvider.GetVerifiedJwtPayload(Request, request.RefreshToken.Split(CharConstants.DOT));
}
catch (ArgumentException)
{
throw;
}
catch (Exception ex)
{
throw new ArgumentException(ex.Message);
}
jwtAuthProvider.AssertJwtPayloadIsValid(jwtPayload);
if (jwtAuthProvider.ValidateRefreshToken != null && !jwtAuthProvider.ValidateRefreshToken(jwtPayload, Request))
{
throw new ArgumentException(ErrorMessages.RefreshTokenInvalid.Localize(Request), nameof(request.RefreshToken));
}
var userId = jwtPayload[TokenConstants.SUB];
CustomUserSession session;
if (AuthRepository is IUserAuthRepository userRepo)
{
var userAuth = userRepo.GetUserAuth(userId);
if (userAuth == null)
{
throw HttpError.NotFound(ErrorMessages.UserNotExists.Localize(Request));
}
if (jwtAuthProvider.IsAccountLocked(userRepo, userAuth))
{
throw new AuthenticationException(ErrorMessages.UserAccountLocked.Localize(Request));
}
session = SessionFeature.CreateNewSession(Request, SessionExtensions.CreateRandomSessionId()) as CustomUserSession;
PopulateSession(userRepo, userAuth, session, userId);
}
else
{
throw new NotSupportedException("JWT RefreshTokens requires a registered IUserAuthRepository or an AuthProvider implementing IUserSessionSource");
}
var accessToken = jwtAuthProvider.CreateJwtBearerToken(Request, session);
return(new GetAccessTokenResponse
{
AccessToken = accessToken
});
}
public object Any(GetAccessToken request)
{
var jwtAuthProvider = AuthenticateService.GetAuthProvider(JwtAuthProvider.Name) as JwtAuthProvider;
if (jwtAuthProvider == null)
{
throw new NotSupportedException("JwtAuthProvider is not registered");
}
if (jwtAuthProvider.RequireSecureConnection && !Request.IsSecureConnection)
{
throw HttpError.Forbidden(ErrorMessages.JwtRequiresSecureConnection);
}
if (string.IsNullOrEmpty(request.RefreshToken))
{
throw new ArgumentNullException(nameof(request.RefreshToken));
}
var userRepo = AuthRepository as IUserAuthRepository;
if (userRepo == null)
{
throw new NotSupportedException("JWT Refresh Tokens requires a registered IUserAuthRepository");
}
var jwtPayload = jwtAuthProvider.GetVerifiedJwtPayload(request.RefreshToken.Split('.'));
jwtAuthProvider.AssertJwtPayloadIsValid(jwtPayload);
if (jwtAuthProvider.ValidateRefreshToken != null && !jwtAuthProvider.ValidateRefreshToken(jwtPayload, Request))
{
throw new ArgumentException(ErrorMessages.RefreshTokenInvalid, nameof(request.RefreshToken));
}
var userId = jwtPayload["sub"];
var userAuth = userRepo.GetUserAuth(userId);
if (userAuth == null)
{
throw HttpError.NotFound(ErrorMessages.UserNotExists);
}
if (jwtAuthProvider.IsAccountLocked(userRepo, userAuth))
{
throw new AuthenticationException(ErrorMessages.UserAccountLocked);
}
var session = SessionFeature.CreateNewSession(Request, SessionExtensions.CreateRandomSessionId());
jwtAuthProvider.PopulateSession(userRepo, userAuth, session);
IEnumerable <string> roles = null, perms = null;
var manageRoles = userRepo as IManageRoles;
if (manageRoles != null && session.UserAuthId != null)
{
roles = manageRoles.GetRoles(session.UserAuthId);
perms = manageRoles.GetPermissions(session.UserAuthId);
}
var accessToken = jwtAuthProvider.CreateJwtBearerToken(session, roles, perms);
return(new GetAccessTokenResponse
{
AccessToken = accessToken
});
}
public void PreAuthenticate(IRequest req, IResponse res)
{
var coreReq = (HttpRequest)req.OriginalRequest;
var claimsPrincipal = coreReq.HttpContext.User;
if (claimsPrincipal.Identity?.IsAuthenticated != true)
{
return;
}
var sessionId = claimsPrincipal.Claims.FirstOrDefault(x => x.Type == IdClaimType);
if (sessionId == null)
{
throw new NotSupportedException($"Claim '{IdClaimType}' is required");
}
var session = SessionFeature.CreateNewSession(req, sessionId.Value);
var meta = (session as IMeta)?.Meta;
session.AuthProvider = Name;
var sessionValues = new Dictionary <string, string>();
foreach (var claim in claimsPrincipal.Claims)
{
if (RoleClaimTypes.Contains(claim.Type))
{
if (session.Roles == null)
{
session.Roles = new List <string>();
}
session.Roles.Add(claim.Value);
}
if (PermissionClaimType == claim.Type)
{
if (session.Permissions == null)
{
session.Permissions = new List <string>();
}
session.Permissions.Add(claim.Value);
}
else if (MapClaimsToSession.TryGetValue(claim.Type, out var sessionProp))
{
sessionValues[sessionProp] = claim.Value;
}
else if (meta != null)
{
meta[claim.Type] = claim.Value;
}
}
session.PopulateFromMap(sessionValues);
if (session.UserAuthName.IndexOf('@') >= 0)
{
session.Email = session.UserAuthName;
}
PopulateSessionFilter?.Invoke(session, claimsPrincipal, req);
req.Items[Keywords.Session] = session;
}
