public async Task <APIResponse> DebugAuth(long id, string audi)
{
var user = await UserManager.FindByIdAsync(id.ToString());
JwtAudience audience = JwtAudience.Cabinet;
if (!string.IsNullOrWhiteSpace(audi))
{
if (Enum.TryParse(audi, true, out JwtAudience aud))
{
audience = aud;
}
}
// denied
var accessRightsMask = Core.UserAccount.ResolveAccessRightsMask(HttpContext.RequestServices, audience, user);
if (accessRightsMask == null)
{
return(null);
}
return(APIResponse.Success(
new AuthenticateView()
{
Token = JWT.CreateAuthToken(
appConfig: AppConfig,
user: user,
audience: audience,
area: JwtArea.Authorized,
rightsMask: accessRightsMask.Value
),
TfaRequired = false,
}));
}
private APIResponse OnSignInResultCheck(IServiceProvider services, Microsoft.AspNetCore.Identity.SignInResult result, DAL.Models.Identity.User user, JwtAudience audience, bool tfaRequired)
{
if (result != null)
{
if (result.Succeeded || result.RequiresTwoFactor)
{
// tfa token
if (tfaRequired || result.RequiresTwoFactor)
{
return(APIResponse.Success(
new AuthenticateView()
{
Token = JWT.CreateAuthToken(
appConfig: AppConfig,
user: user,
audience: audience,
area: JwtArea.Tfa
),
TfaRequired = true,
}
));
}
// new jwt salt
UserAccount.GenerateJwtSalt(user, audience);
DbContext.SaveChanges();
// auth token
return(APIResponse.Success(
new AuthenticateView()
{
Token = JWT.CreateAuthToken(
appConfig: AppConfig,
user: user,
audience: audience,
area: JwtArea.Authorized
),
TfaRequired = false,
}
));
}
if (result.IsLockedOut)
{
return(APIResponse.BadRequest(APIErrorCode.AccountLocked, "Too many unsuccessful attempts to sign in. Account is locked, try to sign in later"));
}
if (result.IsNotAllowed)
{
return(APIResponse.BadRequest(APIErrorCode.AccountEmailNotConfirmed, "Email is not confirmed yet"));
}
}
// not found
return(null);
}
public async Task <APIResponse> Refresh()
{
var user = await GetUserFromDb();
var audience = GetCurrentAudience();
if (audience == null)
{
return(APIResponse.BadRequest(APIErrorCode.Unauthorized));
}
return(APIResponse.Success(
new RefreshView()
{
Token = JWT.CreateAuthToken(
appConfig: AppConfig,
user: user,
audience: audience.Value,
area: JwtArea.Authorized
),
}
));
}
public async Task <RedirectResult> ProcessOAuthCallback(LoginProvider provider, UserInfo userInfo)
{
Logger.Info($"User {userInfo.Id} - login attempt");
var audience = JwtAudience.Cabinet;
var userLocale = GetUserLocale();
// find user with this ext login
var user = await UserManager.FindByLoginAsync(provider.ToString(), userInfo.Id);
// exists
if (user != null)
{
Logger.Info($"User {userInfo.Id} - account {user.Id} found");
// try to sign in
var signResult = await SignInManager.CanSignInAsync(user);
// can't sign in
if (!signResult)
{
Logger.Info($"User {userInfo.Id} - can't sign in");
// load options
await DbContext.Entry(user).Reference(_ => _.UserOptions).LoadAsync();
}
else
{
Logger.Info($"User {userInfo.Id} - can sign in");
// check rights
var accessRightsMask = Core.UserAccount.ResolveAccessRightsMask(HttpContext.RequestServices, audience, user);
if (accessRightsMask != null)
{
var agent = GetUserAgentInfo();
//// notification
//await EmailComposer.FromTemplate(await TemplateProvider.GetEmailTemplate(EmailTemplate.SignedIn, userLocale))
// .ReplaceBodyTag("IP", agent.Ip)
// .Initiator(agent.Ip, agent.Agent, DateTime.UtcNow)
// .Send(user.Email, user.UserName, EmailQueue)
//;
// activity
var userActivity = CoreLogic.User.CreateUserActivity(
user: user,
type: Common.UserActivityType.Auth,
comment: "Signed in with social network",
ip: agent.Ip,
agent: agent.Agent,
locale: userLocale
);
DbContext.UserActivity.Add(userActivity);
await DbContext.SaveChangesAsync();
// tfa required
if (user.TwoFactorEnabled)
{
Logger.Info($"User {userInfo.Id} - 2FA required");
var tokenForTfa = JWT.CreateAuthToken(
appConfig: AppConfig,
user: user,
audience: audience,
area: JwtArea.Tfa,
rightsMask: accessRightsMask.Value
);
return(Redirect(
this.MakeAppLink(audience, fragment: AppConfig.Apps.Cabinet.RouteOAuthTfaPage.Replace(":token", tokenForTfa))
));
}
// new jwt salt
UserAccount.GenerateJwtSalt(user, audience);
DbContext.SaveChanges();
Logger.Info($"User {userInfo.Id} - signed in");
// ok
var token = JWT.CreateAuthToken(
appConfig: AppConfig,
user: user,
audience: audience,
area: JwtArea.Authorized,
rightsMask: accessRightsMask.Value
);
return(Redirect(
this.MakeAppLink(audience, fragment: AppConfig.Apps.Cabinet.RouteOAuthAuthorized.Replace(":token", token))
));
}
else
{
Logger.Info($"User {userInfo.Id} - hasn't rights");
}
}
Logger.Info($"User {userInfo.Id} - failure 1");
// never should get here
return(Redirect("/"));
}
// doesnt exist yet
else
{
Logger.Info($"User {userInfo.Id} - account creation");
// try create and sign in
var cuaResult = await Core.UserAccount.CreateUserAccount(HttpContext.RequestServices, userInfo.Email);
if (cuaResult.User != null)
{
Logger.Info($"User {userInfo.Id} - account {cuaResult.User.Id} created");
// user created and external login attached
if (await CreateExternalLogin(cuaResult.User, provider, userInfo))
{
Logger.Info($"User {userInfo.Id} - external login created");
var accessRightsMask = Core.UserAccount.ResolveAccessRightsMask(HttpContext.RequestServices, audience, cuaResult.User);
if (accessRightsMask != null)
{
Logger.Info($"User {userInfo.Id} - signed in");
// ok
var token = JWT.CreateAuthToken(
appConfig: AppConfig,
user: cuaResult.User,
audience: audience,
area: JwtArea.Authorized,
rightsMask: accessRightsMask.Value
);
return(Redirect(
this.MakeAppLink(audience, fragment: AppConfig.Apps.Cabinet.RouteOAuthAuthorized.Replace(":token", token))
));
}
}
Logger.Info($"User {userInfo.Id} - failure 2");
// failed
return(Redirect("/"));
}
Logger.Info($"User {userInfo.Id} - failure 3");
// redirect to error OR email input
return(Redirect(
this.MakeAppLink(audience, fragment: AppConfig.Apps.Cabinet.RouteEmailTaken)
));
}
}
public async Task <APIResponse> Register([FromBody] RegisterModel model)
{
// validate
if (BaseValidableModel.IsInvalid(model, out var errFields))
{
return(APIResponse.BadRequest(errFields));
}
var agent = GetUserAgentInfo();
var userLocale = GetUserLocale();
// captcha
if (!HostingEnvironment.IsDevelopment())
{
if (!await Core.Recaptcha.Verify(AppConfig.Services.Recaptcha.SecretKey, model.Captcha, agent.Ip))
{
return(APIResponse.BadRequest(nameof(model.Captcha), "Failed to validate captcha"));
}
}
var result = await Core.UserAccount.CreateUserAccount(HttpContext.RequestServices, model.Email, model.Password);
if (result.User != null)
{
// confirmation token
var token = Core.Tokens.JWT.CreateSecurityToken(
appConfig: AppConfig,
entityId: result.User.UserName,
audience: JwtAudience.Cabinet,
securityStamp: "",
area: Common.JwtArea.Registration,
validFor: TimeSpan.FromDays(2)
);
var callbackUrl = this.MakeAppLink(JwtAudience.Cabinet, fragment: AppConfig.Apps.Cabinet.RouteSignUpConfirmation.Replace(":token", token));
// email confirmation
await EmailComposer.FromTemplate(await TemplateProvider.GetEmailTemplate(EmailTemplate.EmailConfirmation, userLocale))
.Link(callbackUrl)
.Send(model.Email, "", EmailQueue)
;
// auth token
return(APIResponse.Success(
new Models.API.v1.User.UserModels.AuthenticateView()
{
Token = JWT.CreateAuthToken(
appConfig: AppConfig,
user: result.User,
audience: JwtAudience.Cabinet,
area: JwtArea.Authorized
),
TfaRequired = false,
}
));
}
else
{
if (result.IsUsernameExists || result.IsEmailExists)
{
return(APIResponse.BadRequest(APIErrorCode.AccountEmailTaken, "Email is already taken"));
}
}
throw new Exception("Registration failed");
}
