public IAuthSession CreateSessionFromPayload(IRequest req, JsonObject jwtPayload) { AssertJwtPayloadIsValid(jwtPayload); var sessionId = jwtPayload.GetValue("jid", SessionExtensions.CreateRandomSessionId); var session = SessionFeature.CreateNewSession(req, sessionId); session.AuthProvider = Name; session.PopulateFromMap(jwtPayload); PopulateSessionFilter?.Invoke(session, jwtPayload, req); HostContext.AppHost.OnSessionFilter(session, sessionId); return(session); }
public void PreAuthenticate(IRequest req, IResponse res) { var signature = req.Headers[WebhookEventConstants.SecretSignatureHeaderName]; if (signature.HasValue()) { if (RequireSecureConnection && !req.IsSecureConnection) { throw HttpError.Forbidden(Resources.HmacAuthProvider_NotHttps); } var eventName = req.Headers[WebhookEventConstants.EventNameHeaderName]; if (OnGetSecret != null) { Secret = OnGetSecret(req, eventName); } if (!Secret.HasValue()) { throw HttpError.Unauthorized(Resources.HmacAuthProvider_IncorrectlyConfigured); } var isValidSecret = req.VerifySignature(signature, Secret); if (!isValidSecret) { throw new HttpError(HttpStatusCode.Unauthorized); } var requestId = req.Headers[WebhookEventConstants.RequestIdHeaderName]; var userId = requestId.HasValue() ? requestId : Guid.NewGuid().ToString("N"); var username = req.GetUrlHostName(); var sessionId = SessionExtensions.CreateRandomSessionId(); var session = SessionFeature.CreateNewSession(req, sessionId); session.UserAuthId = userId; session.UserAuthName = username; session.UserName = username; session.IsAuthenticated = true; session.CreatedAt = SystemTime.UtcNow; HostContext.AppHost.OnSessionFilter(req, session, sessionId); req.Items[Keywords.Session] = session; } }
private IAuthSession CreateSessionFromPayload(IRequest req, JsonObject jwtPayload) { var expiresAt = GetUnixTime(jwtPayload, "exp"); var secondsSinceEpoch = DateTime.UtcNow.ToUnixTime(); if (secondsSinceEpoch >= expiresAt) { throw new TokenException(ErrorMessages.TokenExpired); } if (InvalidateTokensIssuedBefore != null) { var issuedAt = GetUnixTime(jwtPayload, "iat"); if (issuedAt == null || issuedAt < InvalidateTokensIssuedBefore.Value.ToUnixTime()) { throw new TokenException(ErrorMessages.TokenInvalidated); } } string audience; if (jwtPayload.TryGetValue("aud", out audience)) { if (audience != Audience) { throw new TokenException("Invalid Audience: " + audience); } } var sessionId = jwtPayload.GetValue("jid", SessionExtensions.CreateRandomSessionId); var session = SessionFeature.CreateNewSession(req, sessionId); session.PopulateFromMap(jwtPayload); if (PopulateSessionFilter != null) { PopulateSessionFilter(session, jwtPayload, req); } HostContext.AppHost.OnSessionFilter(session, sessionId); return(session); }
public object Any(GetAccessToken request) { var jwtAuthProvider = (JwtAuthProvider)AuthenticateService.GetRequiredJwtAuthProvider(); if (jwtAuthProvider.RequireSecureConnection && !Request.IsSecureConnection) { throw HttpError.Forbidden(ErrorMessages.JwtRequiresSecureConnection.Localize(Request)); } if (string.IsNullOrEmpty(request.RefreshToken)) { throw new ArgumentNullException(nameof(request.RefreshToken)); } JsonObject jwtPayload; try { jwtPayload = jwtAuthProvider.GetVerifiedJwtPayload(Request, request.RefreshToken.Split('.')); } catch (ArgumentException) { throw; } catch (Exception ex) { throw new ArgumentException(ex.Message); } jwtAuthProvider.AssertJwtPayloadIsValid(jwtPayload); if (jwtAuthProvider.ValidateRefreshToken != null && !jwtAuthProvider.ValidateRefreshToken(jwtPayload, Request)) { throw new ArgumentException(ErrorMessages.RefreshTokenInvalid.Localize(Request), nameof(request.RefreshToken)); } var userId = jwtPayload["sub"]; IAuthSession session; IEnumerable <string> roles = null, perms = null; var userSessionSource = AuthenticateService.GetUserSessionSource(); if (userSessionSource != null) { session = userSessionSource.GetUserSession(userId); if (session == null) { throw HttpError.NotFound(ErrorMessages.UserNotExists.Localize(Request)); } roles = session.Roles; perms = session.Permissions; } else if (AuthRepository is IUserAuthRepository userRepo) { var userAuth = userRepo.GetUserAuth(userId); if (userAuth == null) { throw HttpError.NotFound(ErrorMessages.UserNotExists.Localize(Request)); } if (jwtAuthProvider.IsAccountLocked(userRepo, userAuth)) { throw new AuthenticationException(ErrorMessages.UserAccountLocked.Localize(Request)); } session = SessionFeature.CreateNewSession(Request, SessionExtensions.CreateRandomSessionId()); session.PopulateSession(userAuth, userRepo); if (userRepo is IManageRoles manageRoles && session.UserAuthId != null) { roles = manageRoles.GetRoles(session.UserAuthId); perms = manageRoles.GetPermissions(session.UserAuthId); } } else { throw new NotSupportedException("JWT RefreshTokens requires a registered IUserAuthRepository or an AuthProvider implementing IUserSessionSource"); } var accessToken = jwtAuthProvider.CreateJwtBearerToken(Request, session, roles, perms); var response = new GetAccessTokenResponse { AccessToken = accessToken }; if (request.UseTokenCookie != true) { return(response); } return(new HttpResult(new GetAccessTokenResponse()) { Cookies = { new Cookie(Keywords.TokenCookie, accessToken, Cookies.RootPath) { HttpOnly = true, Secure = Request.IsSecureConnection, Expires = DateTime.UtcNow.Add(jwtAuthProvider.ExpireTokensIn), } } }); }
public object Any(GetAccessToken request) { var jwtAuthProvider = (MyJwtAuthProvider)AuthenticateService.GetRequiredJwtAuthProvider(); if (jwtAuthProvider.RequireSecureConnection && !Request.IsSecureConnection) { throw HttpError.Forbidden(ErrorMessages.JwtRequiresSecureConnection.Localize(Request)); } if (string.IsNullOrEmpty(request.RefreshToken)) { throw new ArgumentNullException(nameof(request.RefreshToken)); } JsonObject jwtPayload; try { jwtPayload = jwtAuthProvider.GetVerifiedJwtPayload(Request, request.RefreshToken.Split(CharConstants.DOT)); } catch (ArgumentException) { throw; } catch (Exception ex) { throw new ArgumentException(ex.Message); } jwtAuthProvider.AssertJwtPayloadIsValid(jwtPayload); if (jwtAuthProvider.ValidateRefreshToken != null && !jwtAuthProvider.ValidateRefreshToken(jwtPayload, Request)) { throw new ArgumentException(ErrorMessages.RefreshTokenInvalid.Localize(Request), nameof(request.RefreshToken)); } var userId = jwtPayload[TokenConstants.SUB]; CustomUserSession session; if (AuthRepository is IUserAuthRepository userRepo) { var userAuth = userRepo.GetUserAuth(userId); if (userAuth == null) { throw HttpError.NotFound(ErrorMessages.UserNotExists.Localize(Request)); } if (jwtAuthProvider.IsAccountLocked(userRepo, userAuth)) { throw new AuthenticationException(ErrorMessages.UserAccountLocked.Localize(Request)); } session = SessionFeature.CreateNewSession(Request, SessionExtensions.CreateRandomSessionId()) as CustomUserSession; PopulateSession(userRepo, userAuth, session, userId); } else { throw new NotSupportedException("JWT RefreshTokens requires a registered IUserAuthRepository or an AuthProvider implementing IUserSessionSource"); } var accessToken = jwtAuthProvider.CreateJwtBearerToken(Request, session); return(new GetAccessTokenResponse { AccessToken = accessToken }); }
public object Any(GetAccessToken request) { var jwtAuthProvider = AuthenticateService.GetAuthProvider(JwtAuthProvider.Name) as JwtAuthProvider; if (jwtAuthProvider == null) { throw new NotSupportedException("JwtAuthProvider is not registered"); } if (jwtAuthProvider.RequireSecureConnection && !Request.IsSecureConnection) { throw HttpError.Forbidden(ErrorMessages.JwtRequiresSecureConnection); } if (string.IsNullOrEmpty(request.RefreshToken)) { throw new ArgumentNullException(nameof(request.RefreshToken)); } var userRepo = AuthRepository as IUserAuthRepository; if (userRepo == null) { throw new NotSupportedException("JWT Refresh Tokens requires a registered IUserAuthRepository"); } var jwtPayload = jwtAuthProvider.GetVerifiedJwtPayload(request.RefreshToken.Split('.')); jwtAuthProvider.AssertJwtPayloadIsValid(jwtPayload); if (jwtAuthProvider.ValidateRefreshToken != null && !jwtAuthProvider.ValidateRefreshToken(jwtPayload, Request)) { throw new ArgumentException(ErrorMessages.RefreshTokenInvalid, nameof(request.RefreshToken)); } var userId = jwtPayload["sub"]; var userAuth = userRepo.GetUserAuth(userId); if (userAuth == null) { throw HttpError.NotFound(ErrorMessages.UserNotExists); } if (jwtAuthProvider.IsAccountLocked(userRepo, userAuth)) { throw new AuthenticationException(ErrorMessages.UserAccountLocked); } var session = SessionFeature.CreateNewSession(Request, SessionExtensions.CreateRandomSessionId()); jwtAuthProvider.PopulateSession(userRepo, userAuth, session); IEnumerable <string> roles = null, perms = null; var manageRoles = userRepo as IManageRoles; if (manageRoles != null && session.UserAuthId != null) { roles = manageRoles.GetRoles(session.UserAuthId); perms = manageRoles.GetPermissions(session.UserAuthId); } var accessToken = jwtAuthProvider.CreateJwtBearerToken(session, roles, perms); return(new GetAccessTokenResponse { AccessToken = accessToken }); }
public void PreAuthenticate(IRequest req, IResponse res) { var coreReq = (HttpRequest)req.OriginalRequest; var claimsPrincipal = coreReq.HttpContext.User; if (claimsPrincipal.Identity?.IsAuthenticated != true) { return; } var sessionId = claimsPrincipal.Claims.FirstOrDefault(x => x.Type == IdClaimType); if (sessionId == null) { throw new NotSupportedException($"Claim '{IdClaimType}' is required"); } var session = SessionFeature.CreateNewSession(req, sessionId.Value); var meta = (session as IMeta)?.Meta; session.AuthProvider = Name; var sessionValues = new Dictionary <string, string>(); foreach (var claim in claimsPrincipal.Claims) { if (RoleClaimTypes.Contains(claim.Type)) { if (session.Roles == null) { session.Roles = new List <string>(); } session.Roles.Add(claim.Value); } if (PermissionClaimType == claim.Type) { if (session.Permissions == null) { session.Permissions = new List <string>(); } session.Permissions.Add(claim.Value); } else if (MapClaimsToSession.TryGetValue(claim.Type, out var sessionProp)) { sessionValues[sessionProp] = claim.Value; } else if (meta != null) { meta[claim.Type] = claim.Value; } } session.PopulateFromMap(sessionValues); if (session.UserAuthName.IndexOf('@') >= 0) { session.Email = session.UserAuthName; } PopulateSessionFilter?.Invoke(session, claimsPrincipal, req); req.Items[Keywords.Session] = session; }