private async Task <AppUser> UpdateStorageWithUserPayload(GoogleJsonWebSignature.Payload googleAuthPayload)
{
var user = (await _appUserStorage.ReadAll(u => u.EmailAddress.ToLower() == googleAuthPayload.Email.ToLower())).SingleOrDefault();
if (user == null)
{
user = new AppUser
{
EmailAddress = googleAuthPayload.Email,
FirstName = googleAuthPayload.GivenName,
LastName = googleAuthPayload.FamilyName,
LastLoggedInDate = _dateTimeService.GetEasternNow(),
CreateDate = _dateTimeService.GetEasternNow(),
UpdateDate = _dateTimeService.GetEasternNow()
};
user.Id = await _appUserStorage.Create(user);
}
else
{
user.LastLoggedInDate = _dateTimeService.GetEasternNow();
await _appUserStorage.Update(user);
}
return(user);
}
/// <summary>
/// Creates a JWT access token than can be used in request headers instead of an OAuth2 token.
/// This is achieved by signing a special JWT using this service account's private key.
/// <param name="authUri">The URI for which the access token will be valid.</param>
/// <param name="issueUtc">The issue time of the JWT.</param>
/// <param name="expiryUtc">The expiry time of the JWT.</param>
/// </summary>
private string CreateJwtAccessToken(string authUri, DateTime issueUtc, DateTime expiryUtc)
{
JsonWebSignature.Payload payload;
if (HasExplicitScopes)
{
payload = new GoogleJsonWebSignature.Payload()
{
Scope = string.Join(" ", Scopes)
};
}
else
{
payload = new JsonWebSignature.Payload()
{
Audience = authUri
};
}
payload.Issuer = Id;
payload.Subject = Id;
payload.IssuedAtTimeSeconds = (long)(issueUtc - UnixEpoch).TotalSeconds;
payload.ExpirationTimeSeconds = (long)(expiryUtc - UnixEpoch).TotalSeconds;
return(CreateAssertionFromPayload(payload));
}
/// <summary>
/// Validate <paramref name="idToken"/> is Google Id Token and then Login the user. An account will be auto-created if the google user does not have an account yet.
/// Returns a Jwt Token for authorizing later requests.
/// </summary>
/// <param name="idToken"> Google Id Token provided by google when signing in with OAuth (e.g. from mobile app) </param>
/// <returns> Jwt Token for authorizing later requests to API. </returns>
/// <exception cref="AccountException"> Thrown when <paramref name="idToken"/> is not valid or user can not be created or login </exception>
public async Task <string> LoginUsingGoogleIdToken(string idToken)
{
bool isValid = await IsGoogleTokenValidAsync(idToken).ConfigureAwait(false);
if (!isValid)
{
throw new AccountException("Google Id token is invalid");
}
GoogleJsonWebSignature.Payload validPayload = await GoogleJsonWebSignature.ValidateAsync(idToken).ConfigureAwait(false);
PantryPlannerUser appUser = _userManager.Users.SingleOrDefault(u => u.Email == validPayload.Email);
if (appUser == null)
{
// user doesn't exist so we'll auto create them
appUser = await AutoCreateAccountFromGoogleAsync(validPayload).ConfigureAwait(false);
}
if (appUser != null)
{
// sign the user in and return a Jwt Token
await _signInManager.SignInAsync(appUser, false).ConfigureAwait(false);
string token = GenerateJwtToken(appUser, _configuration);
return(token);
}
// reached here then the user could not be created/found
throw new AccountException($"Could not login with google user for email {validPayload.Email}");
}
public async Task <ActionResult> GoogleLogin(string id_token)
{
GoogleJsonWebSignature.Payload payload = null;
try
{
payload = await GoogleJsonWebSignature.ValidateAsync(id_token, GoogleValidationSetting);
}
catch (Google.Apis.Auth.InvalidJwtException ex)
{
return(Content($"Google.Apis.Auth.InvalidJwtException: { ex.Message}"));
}
catch (Newtonsoft.Json.JsonReaderException ex)
{
return(Content($"Newtonsoft.Json.JsonReaderException: {ex.Message}"));
}
catch (Exception ex)
{
return(Content($"Exception: {ex.Message}"));
}
if (payload == null)
{
return(null);
}
string email = payload.Email;
if (_dbContext.Users.Where(u => u.Email == email).Any()) // if 使用者已存在
{
return(Content(Url.Action("Index", "Users")));
}
return(Content(Url.Action("Register", routeValues: new { email = email })));
}
private static void ValidateToken(GoogleJsonWebSignature.Payload userInfo)
{
if (userInfo == null)
{
throw new ArgumentException(ErrorMessages.INVALID_TOKEN);
}
}
/*admin authentication => check account, if there is admin account in the system, generate the token*/
public async Task <Account> AuthenticateAsync(string _token)
{
try
{
//get admin information from google account
GoogleJsonWebSignature.Payload validPayload = await GoogleJsonWebSignature.ValidateAsync(_token);
var admin = _dbContext.accounts.FirstOrDefault(x => x.Email.ToLower() == validPayload.Email.ToLower() && x.Role == Role.Admin);
//if there is admin account in this system
if (admin != null)
{
//generate token
var _user = GetToken(admin.Id_account);
return(_user);
}
//if there is no admin account in this system
else
{
return(null);
}
}
catch (Exception)
{
//error
Console.WriteLine("Error check admin");
return(null);
}
}
public async Task <IActionResult> AdminAuthenticate([FromBody] Token token)
{
TimeZoneInfo zone = TimeZoneInfo.FindSystemTimeZoneById("SE Asia Standard Time");
DateTime dateTime = TimeZoneInfo.ConvertTime(DateTime.Now, zone);
try
{
GoogleJsonWebSignature.Payload validPayload = await GoogleJsonWebSignature.ValidateAsync(token._Token);
var admin = await _adminService.AuthenticateAsync(token._Token);
//there is admin account return back to this function
//if there is admin return to this function
if (admin != null)
{
Log.Information("Admin access {name}., {DateTime}.", admin.Name, dateTime);
return(Ok(admin.Token));
}
// there is no admin return to this function
else
{
Log.Information("Access Denied {DateTime}.", dateTime);
return(BadRequest("Access Denied."));
}
}
catch
{
//error
Log.Information("Error Admin Authentication");
return(NotFound("Error Admin Authentication"));
}
}
public async System.Threading.Tasks.Task <ENTITIES.CustomModels.Authen.Gmail> GetUserDetailsAsync(string providerToken)
{
GoogleJsonWebSignature.Payload payload = await GoogleJsonWebSignature.ValidateAsync(providerToken);
if (!payload.Audience.Equals("24917390994-co652l6gu3eeoqaf96oc9h4av23eprot.apps.googleusercontent.com"))
{
return(null);
}
if (!payload.Issuer.Equals("accounts.google.com") && !payload.Issuer.Equals("https://accounts.google.com"))
{
return(null);
}
if (payload.ExpirationTimeSeconds == null)
{
return(null);
}
else
{
DateTime now = DateTime.Now.ToUniversalTime();
DateTime expiration = DateTimeOffset.FromUnixTimeSeconds((long)payload.ExpirationTimeSeconds).DateTime;
if (now > expiration)
{
return(null);
}
}
return(new ENTITIES.CustomModels.Authen.Gmail
{
email = payload.Email,
id = payload.Subject,
name = payload.Name,
imageurl = payload.Picture
});
}
public async Task <IActionResult> Google([FromBody] GoogleAuthModel model)
{
Log.Information("userView = " + model.tokenId);
GoogleJsonWebSignature.Payload payload =
await GoogleJsonWebSignature.ValidateAsync(model.tokenId, new GoogleJsonWebSignature.ValidationSettings());
var authRequest = new AuthentificateRequestGoogle()
{
User = payload,
GroupId = model.GroupId
};
var authResult = await _userSerice.AuthentificateWithGoogle(authRequest, ipAddress());
if (authResult == null)
{
return(BadRequest("Group is not match user group!"));
}
setTokenCookie(authResult.RefreshToken);
return(Ok(new AuthentificateDto
{
Id = authResult.Student.Id,
Group = authResult.Student.Group.Group_Name,
Username = authResult.Student.Username,
FirstName = authResult.Student.FirstName,
LastName = authResult.Student.LastName,
Token = authResult.JwtToken,
RefreshToken = authResult.RefreshToken
}));
}
public async Task <WikiUser> CreateUser(GoogleJsonWebSignature.Payload payload)
{
var user = new WikiUser
{
Id = Guid.NewGuid(),
Name = payload.Name,
Email = payload.Email,
Subject = payload.Subject,
Issuer = payload.Issuer
};
await using var conn = new NpgsqlConnection(m_ConnectionString);
await conn.OpenAsync();
await using var cmd = conn.CreateCommand();
cmd.CommandText = @"INSERT INTO users(id, name, email, subject, issuer)
VALUES (@id, @name, @email, @subject, @issuer);";
cmd.Parameters.AddWithValue("id", NpgsqlDbType.Uuid, user.Id);
cmd.Parameters.AddWithValue("name", NpgsqlDbType.Text, user.Name);
cmd.Parameters.AddWithValue("email", NpgsqlDbType.Text, user.Email);
cmd.Parameters.AddWithValue("subject", NpgsqlDbType.Text, user.Subject);
cmd.Parameters.AddWithValue("issuer", NpgsqlDbType.Text, user.Issuer);
var rowsChanged = await cmd.ExecuteNonQueryAsync();
if (rowsChanged != 1)
{
throw new NpgsqlException("Added more than one user, something has gone seriously wrong. ");
}
return(user);
}
public async Task <string> GenerateToken(GoogleJsonWebSignature.Payload payload)
{
var signingCredentials = await GetSigningCredentials(_appSettings.JWTSettings.SecurityKey);
var tokenDescriptor = await GenerateTokenOptions(signingCredentials);
return(await Task.FromResult(new JwtSecurityTokenHandler().WriteToken(tokenDescriptor)));
}
/*user authentication => check account, if there is user account in the system, generate the token
* if there is no user account in the system, create account in the system then generate the token
*/
public async Task <Account> AuthenticateAsync(string _token)
{
try
{
//get user information from google account
GoogleJsonWebSignature.Payload validPayload = await GoogleJsonWebSignature.ValidateAsync(_token);
string id = "";
string domainmail = "@kmitl.ac.th";
//if domain account is not "@kmitl.ac.th"
if (!validPayload.Email.Contains(domainmail))
{
// detect domain email
return(null);
}
id = validPayload.Email.Replace(domainmail, "");
//if id account is not numberic
if (!int.TryParse(id, out int numberic))
{
//before email is not studentID
return(null);
}
//if account already exist
if (_dbContext.accounts.FirstOrDefault(x => x.Id_account == id) != null)
{
//generate token
var _user = GetToken(id);
Console.WriteLine("already exist");
return(_user);
}
//create account to store in database
Account account = new Account()
{
Id_account = id,
Email = validPayload.Email,
Name = validPayload.Name,
Phone = "",
Point = 100,
Role = Role.User
};
//add account into database
_dbContext.accounts.Add(account);
//save database
_dbContext.SaveChanges();
//generate token
var user = GetToken(id);
return(user);
}
catch
{
//error
Console.WriteLine("AddUserAccount Error");
return(null);
}
}
public async Task <AuthenticateResponse> GoogleLogin(GoogleJsonWebSignature.Payload payload, string ipAddress, string origin)
{
var account = await _context.Users.FirstOrDefaultAsync(x => x.Email == payload.Email);
var isFirstAccount = _context.Users.Count() == 0;
if (account == null)
{
// map model to new account object
account = new User
{
Email = payload.Email,
Name = payload.Name,
AvatarPath = payload.Picture,
// first registered account is an admin
Role = isFirstAccount ? UserRole.Admin : UserRole.User,
Created = DateTime.Now,
VerificationToken = randomTokenString(),
//UserName = "******" + Guid.NewGuid().ToString()
// hash password
PasswordHash = BC.HashPassword(Guid.NewGuid().ToString())
};
// save account
_context.Users.Add(account);
await _context.SaveChangesAsync();
//var result = await _context.UserClaims.CreateAsync(account, Guid.NewGuid().ToString());
//if (!result.Succeeded) throw new AppException("Some thing wrong");
// send email
sendVerificationEmail(account, origin);
}
if (!account.IsVerified)
{
throw new AppException("Email not verified");
}
// authentication successful so generate jwt and refresh tokens
var jwtToken = _tokenService.generateJwtToken(account);
//var jwtToken = payload.JwtId;
var refreshToken = generateRefreshToken(ipAddress);
account.RefreshTokens.Add(refreshToken);
// remove old refresh tokens from account
removeOldRefreshTokens(account);
// save changes to db
_context.Update(account);
await _context.SaveChangesAsync();
//await _userManager.UpdateAsync(account);
var response = _mapper.Map <AuthenticateResponse>(account);
response.JwtToken = jwtToken;
response.RefreshToken = refreshToken.Token;
return(response);
}
public ApplicationUser(GoogleJsonWebSignature.Payload model)
{
EmailConfirmed = model.EmailVerified;
Picture = model.Picture;
Email = model.Email;
UserName = model.Email;
Name = model.Name;
SurName = model.FamilyName;
}
private async Task <UserDetailResponse> FindOrAddUser(GoogleJsonWebSignature.Payload payload)
{
var user = new UserCreateRequest
{
Name = payload.Name,
Email = payload.Email,
Avatar = payload.Picture
};
return(await _service.FindOrAddUserAsync(user));
}
public async Task <IActionResult> LoginWithGoogle([FromBody] LoginWithGoogleModel model)
{
GoogleJsonWebSignature.Payload googlePayload = new GoogleJsonWebSignature.Payload();
try { googlePayload = await GoogleJsonWebSignature.ValidateAsync(model.TokenId, new GoogleJsonWebSignature.ValidationSettings()); }
catch (Exception exception) { return(BadRequest(exception.Message)); }
var user = CreateUserIfNotExists(googlePayload.Name, googlePayload.Email);
return(GenerateLoginResponse(user));
}
public async Task <WikiUser> GetOrCreateUser(GoogleJsonWebSignature.Payload payload)
{
var user = await _userStore.GetUser(payload);
if (user == null)
{
return(await _userStore.CreateUser(payload));
}
return(user);
}
public async Task AutoCreateAccountFromGoogleAsync_Valid_UserReturnedAsync()
{
GoogleJsonWebSignature.Payload payload = new GoogleJsonWebSignature.Payload()
{
Email = "*****@*****.**"
};
PantryPlannerUser newUser = await _service.AutoCreateAccountFromGoogleAsync(payload);
Assert.NotNull(newUser);
Assert.Equal(payload.Email, newUser.Email);
}
public async Task <IActionResult> SocialLoginAsync([FromQuery] string _token, [FromQuery] bool _existe, [FromBody] Usuario _usuario)
{
GoogleJsonWebSignature.Payload payload = await GoogleJsonWebSignature.ValidateAsync(_token);
if (_existe)
{
bl.UsuarioController userLogic = new bl.UsuarioController();
var buscarUsuario = userLogic.BuscarUsuario(_usuario.Email);
if (buscarUsuario == null)
{
return(Unauthorized());
}
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(_appSettings.Secret);
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.Role, Enum.GetName(typeof(RolUsuario), buscarUsuario.Rol))
}),
Expires = DateTime.UtcNow.AddDays(7),
SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
};
var token = tokenHandler.CreateToken(tokenDescriptor);
var returnToken = tokenHandler.WriteToken(token);
return(Ok(new { buscarUsuario.Email, token = returnToken }));
}
else
{
bl.UsuarioController userLogic = new bl.UsuarioController();
userLogic.AgregarUsuario(_usuario);
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(_appSettings.Secret);
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.Role, Enum.GetName(typeof(RolUsuario), RolUsuario.UsuarioFinal))
}),
Expires = DateTime.UtcNow.AddDays(7),
SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
};
var token = tokenHandler.CreateToken(tokenDescriptor);
var returnToken = tokenHandler.WriteToken(token);
return(Ok(new { _usuario.Email, token = returnToken }));
}
}
/// <summary>
/// Validates the <paramref name="id_token"/> and is signed by Google
/// </summary>
/// <param name="id_token"></param>
/// <remarks>
/// from: https://stackoverflow.com/questions/39061310/validate-google-id-token
/// </remarks>
/// <returns> true if token is valid; false otherwise </returns>
public static async Task <bool> IsGoogleTokenValidAsync(string id_token)
{
try
{
GoogleJsonWebSignature.Payload tokenPayload = await GoogleJsonWebSignature.ValidateAsync(id_token);
return(tokenPayload != null);
}
catch (Exception)
{
return(false);
}
}
public async Task <GoogleUserDto> Handle(GetGoogleUser request, CancellationToken cancellationToken)
{
var settings = new GoogleJsonWebSignature.ValidationSettings
{
Audience = new List <string> {
_audience
}
};
GoogleJsonWebSignature.Payload payload = await GoogleJsonWebSignature.ValidateAsync(request.IdToken, settings);
return(new GoogleUserDto(payload.Email));
}
public IActionResult Authenticate([FromBody] AuthenticateRequest data)
{
GoogleJsonWebSignature.ValidationSettings settings = new GoogleJsonWebSignature.ValidationSettings();
// Change this to your google client ID
settings.Audience = new List <string>()
{
"425874635785-9qbseena0h69r9f6jbe7o84qpfjk6krr.apps.googleusercontent.com"
};
GoogleJsonWebSignature.Payload payload = GoogleJsonWebSignature.ValidateAsync(data.IdToken, settings).Result;
return(Ok(new { AuthToken = _jwtGenerator.CreateUserAuthToken(payload.Email) }));
}
public void ValidateToken(string token)
{
Guard.Against.NullOrWhiteSpace(token, nameof(token));
try
{
_jwtPayload = GoogleJsonWebSignature.ValidateAsync(token).Result;
IsAuthenticated = true;
}
catch (Exception ex)
{
IsAuthenticated = false;
}
}
/// <summary>
/// Gets the user's information from Google Sign in
/// </summary>
/// <param name="request"></param>
/// <returns></returns>
private async Task <UserResponse> GetGoogleUser(AuthorizedUserRequest request)
{
GoogleJsonWebSignature.Payload payload = await GoogleJsonWebSignature.ValidateAsync(request.AccessToken);
if (!payload.Audience.Equals(Environment.GetEnvironmentVariable(EnvironmentConstants.GOOGLE_CLIENTID)))
{
throw new StatusCodeException(HttpStatusCode.Forbidden, $"{nameof(EnvironmentConstants.GOOGLE_CLIENTID)} not valid");
}
if (!payload.EmailVerified)
{
throw new StatusCodeException(HttpStatusCode.Forbidden, $"{nameof(payload.EmailVerified)} is false");
}
return(_mapper.Map <UserResponse>(payload));
}
/// <summary>
/// Creates a serialized claim set as specified in
/// https://developers.google.com/accounts/docs/OAuth2ServiceAccount#formingclaimset.
/// </summary>
private string GetSerializedPayload()
{
var issued = (int)(Clock.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
var payload = new GoogleJsonWebSignature.Payload()
{
Issuer = Id,
Audience = TokenServerUrl,
IssuedAtTimeSeconds = issued,
ExpirationTimeSeconds = issued + 3600,
Subject = User,
Scope = String.Join(" ", Scopes)
};
return(NewtonsoftJsonSerializer.Instance.Serialize(payload));
}
public void ValidateGoogleIdTokenTest_CaseValid()
{
// wrong audience
options.SetupGet(x => x.Value).Returns(TestHelper.CreateAuthSettings());
var expectedPayload = new GoogleJsonWebSignature.Payload {
Issuer = AuthService.Issuers.First(), EmailVerified = true, ExpirationTimeSeconds = ExtensionMethods.ConvertToUnixTimestamp(DateTime.Now.AddHours(1)), Audience = options.Object.Value.GoogleClientId
};
googleAuthService.Setup(x => x.ValidateAsync(It.IsAny <string>()))
.Returns(Task.FromResult(expectedPayload));
var service = new AuthService(options.Object, logger.Object, googleAuthService.Object);
Assert.IsTrue(service.ValidateGoogleIdToken(It.IsAny <string>(), out var payload, out var err));
}
public override void OnActionExecuting(ActionExecutingContext context)
{
var token = context.HttpContext.Request.Headers["authorization"];
GoogleJsonWebSignature.ValidationSettings settings = new GoogleJsonWebSignature.ValidationSettings();
settings.Audience = new List <string>()
{
"419273351615-a2kp1blvs5f3idt3mlr5vbkeqtqgjvr6.apps.googleusercontent.com"
};
GoogleJsonWebSignature.Payload payload = GoogleJsonWebSignature.ValidateAsync(token, settings).Result;
context.ActionArguments["nome"] = payload.Name;
context.ActionArguments["email"] = payload.Email;
base.OnActionExecuting(context);
}
public async Task <GoogleJsonWebSignature.Payload> ValidateToken([FromQuery] string idToken, CancellationToken cancellationToken)
{
//var validPayload = await GoogleJsonWebSignature.ValidateAsync(idToken);
//Assert.NotNull(validPayload, "GoogleValidationResponse", "Id_Token is not valid!");
//return Ok("Token is Valid");
GoogleJsonWebSignature.ValidationSettings settings = new GoogleJsonWebSignature.ValidationSettings();
settings.Audience = new List <string>()
{
_configuration.GetSection("Authentication:Google")["ClientId"]
};
GoogleJsonWebSignature.Payload payload = await GoogleJsonWebSignature.ValidateAsync(idToken, settings);
return(payload);
}
public void ValidateGoogleIdTokenTest_CaseEmailNotVerified()
{
// email not verified
var expectedPayload = new GoogleJsonWebSignature.Payload {
EmailVerified = false
};
options.SetupGet(x => x.Value).Returns(TestHelper.CreateAuthSettings());
googleAuthService.Setup(x => x.ValidateAsync(It.IsAny <string>()))
.Returns(Task.FromResult(expectedPayload));
var service = new AuthService(options.Object, logger.Object, googleAuthService.Object);
Assert.IsFalse(service.ValidateGoogleIdToken(It.IsAny <string>(), out var payload, out var err));
Assert.IsFalse(payload.EmailVerified);
Assert.AreEqual(AuthError.EmailNotVerified, err);
}
async Task <IdentityUser> Register(GoogleJsonWebSignature.Payload payload)
{
var user = new IdentityUser()
{
UserName = payload.Email
};
// save
var result = await _userManager.CreateAsync(user);
if (result.Succeeded)
{
await _userManager.AddToRoleAsync(user, "Player");
}
_context.SaveChanges();
return(user);
}
/// <summary>
/// Creates a serialized claim set as specified in
/// https://developers.google.com/accounts/docs/OAuth2ServiceAccount#formingclaimset.
/// </summary>
private string GetSerializedPayload()
{
var issued = (int)(Clock.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
var payload = new GoogleJsonWebSignature.Payload()
{
Issuer = Id,
Audience = TokenServerUrl,
IssuedAtTimeSeconds = issued,
ExpirationTimeSeconds = issued + 3600,
Subject = User,
Scope = String.Join(" ", Scopes)
};
return NewtonsoftJsonSerializer.Instance.Serialize(payload);
}
