public async Task Validate(string sourceClass, string sourceMethod)
{
// Check if JWT token exists in session, if not redirect to login page
if (string.IsNullOrEmpty(_httpContextAccessor.HttpContext.Session.GetString("_JwtToken")))
{
throw new TokenException("You are not logged in", sourceClass, sourceMethod, "401");
}
// JWT exist in session, check if expired
if (Convert.ToDateTime(_httpContextAccessor.HttpContext.Session.GetString("_JwtExpiresOn")) < DateTime.UtcNow)
{
// Unnecesary because check is done at back-end but this client-side check saves an API call
// Check if refresh token is expired
// If expired the user needs to authenticate with credentials
if (Convert.ToDateTime(_httpContextAccessor.HttpContext.Session.GetString("_RtExpiresOn")) < DateTime.UtcNow)
{
throw new TokenException("Your session has expired", sourceClass, sourceMethod, "401");
}
// If not expired a request to /api/Users/refresh-token is required to get a new set of tokens
PostAuthenticateResponseModel postAuthenticateResponseModel = await _moviemindAPIService.RefreshToken();
// Update the session data with the new set of tokens
_stateManagementService.SetState(postAuthenticateResponseModel);
}
}
public async Task <PostAuthenticateResponseModel> Authenticate(PostAuthenticateRequestModel postAuthenticateRequestModel)
{
var postAuthenticateRequestModelJson = new StringContent(
JsonSerializer.Serialize(postAuthenticateRequestModel),
Encoding.UTF8,
"application/json");
using var httpResponse = await _httpClient.PostAsync("users/authenticate", postAuthenticateRequestModelJson);
using var httpResponseStream = await httpResponse.Content.ReadAsStreamAsync();
if (httpResponse.IsSuccessStatusCode)
{
// Get the Refresh Token details out of the response and save them in the model
string refreshToken = httpResponse.Headers.GetValues("Set-Cookie").SingleOrDefault();
PostAuthenticateResponseModel postAuthenticateResponseModel = await JsonSerializer.DeserializeAsync <PostAuthenticateResponseModel>(httpResponseStream);
postAuthenticateResponseModel.RefreshToken = refreshToken;
return(postAuthenticateResponseModel);
}
throw await JsonSerializer.DeserializeAsync <MovieMindException>(httpResponseStream);
}
public async Task <ActionResult <PostAuthenticateResponseModel> > Authenticate(PostAuthenticateRequestModel postAuthenticateRequestModel)
{
try
{
PostAuthenticateResponseModel postAuthenticateResponseModel = await _userRepository.Authenticate(postAuthenticateRequestModel, IpAddress());
SetTokenCookie(postAuthenticateResponseModel.RefreshToken);
return(postAuthenticateResponseModel);
}
catch (MovieMindException e)
{
return(Unauthorized(e.MovieMindError));
}
}
[ValidateAntiForgeryToken] // Prevents XSRF/CSRF attacks
public async Task <IActionResult> Index(PostUserModel postUserModel, string rememberMe)
{
if (postUserModel.Password != postUserModel.ConfirmPassword)
{
ModelState.AddModelError("ConfirmPassword", _localizer["Passwords are not the same"]);
}
if (ModelState.IsValid)
{
try
{
if (postUserModel.Roles == null)
{
postUserModel.Roles = new List <String>
{
"Guest"
};
}
else if (postUserModel.Roles.Count == 0)
{
postUserModel.Roles.Add("Guest");
}
// Send an API request to create the new user
GetUserModel getUserModel = await _moviemindAPIService.PostModel <PostUserModel, GetUserModel>(postUserModel, "users");
// When the user was successfully created send an API request to authenticate the new user
PostAuthenticateRequestModel postAuthenticateRequestModel = new PostAuthenticateRequestModel
{
UserName = postUserModel.UserName,
Password = postUserModel.Password,
};
PostAuthenticateResponseModel postAuthenticateResponseModel = await _moviemindAPIService.Authenticate(postAuthenticateRequestModel);
_stateManagementService.SetState(postAuthenticateResponseModel);
// Redirect to the home page
return(RedirectToRoute(new { action = "Index", controller = "Home" }));
}
catch (MovieMindException e)
{
TempData["ApiError"] = e.Message;
}
}
return(View(postUserModel));
}
public async Task <ActionResult <PostAuthenticateResponseModel> > RefreshToken()
{
try
{
string refreshToken = Request.Cookies["MovieMind.RefreshToken"];
PostAuthenticateResponseModel postAuthenticateResponseModel = await _userRepository.RefreshToken(refreshToken, IpAddress());
SetTokenCookie(postAuthenticateResponseModel.RefreshToken);
return(postAuthenticateResponseModel);
}
catch (MovieMindException e)
{
return(Unauthorized(e.MovieMindError));
}
}
public async Task InvokeAsync(HttpContext context, MoviemindAPIService movieMindAPIService, IStateManagementService stateManagementService)
{
// Token validation is not required for authentication and registration
if (!context.Request.Path.Value.Contains("Registration") && !context.Request.Path.Value.Contains("Authentication"))
{
// Check if JWT token exists in session, if not redirect to login page
if (string.IsNullOrEmpty(context.Session.GetString("_JwtToken")))
{
context.Response.Redirect("/Authentication");
return;
}
else
{
var expiresOn = Convert.ToDateTime(context.Session.GetString("_JwtExpiresOn"));
// JWT exist in session, check if expired
if (expiresOn < DateTime.UtcNow)
{
// Unnecesary because check is done at back-end but this client-side check saves an API call
// Check if refresh token is expired
// If expired the user needs to authenticate with credentials
var rtexpireson = Convert.ToDateTime(context.Session.GetString("_RtExpiresOn"));
if (rtexpireson < DateTime.UtcNow)
{
context.Session.SetString("SessionExpired", "Your session is expired");
context.Response.Redirect("/Authentication");
return;
//throw new TokenException("Uw sessie is verlopen", "TokenValidationMiddleware", "InvokeAsync", "401");
}
else
{
// If not expired a request to /api/Users/refresh-token is required to get a new set of tokens
PostAuthenticateResponseModel postAuthenticateResponseModel = await movieMindAPIService.RefreshToken();
// Update the session data with the new set of tokens
stateManagementService.SetState(postAuthenticateResponseModel);
}
}
}
}
// Call the next delegate/middleware in the pipeline
await _next(context);
}
public async Task <PostAuthenticateResponseModel> RefreshToken()
{
using var httpResponse = await _httpClient.PostAsync("users/refresh-token", null);
using var httpResponseStream = await httpResponse.Content.ReadAsStreamAsync();
if (httpResponse.IsSuccessStatusCode)
{
// Get the Refresh Token details out of the response and save them in the model
string refreshToken = httpResponse.Headers.GetValues("Set-Cookie").SingleOrDefault();
PostAuthenticateResponseModel postAuthenticateResponseModel = await JsonSerializer.DeserializeAsync <PostAuthenticateResponseModel>(httpResponseStream);
postAuthenticateResponseModel.RefreshToken = refreshToken;
return(postAuthenticateResponseModel);
}
throw await JsonSerializer.DeserializeAsync <MovieMindException>(httpResponseStream);
}
public void SetState(PostAuthenticateResponseModel postAuthenticateResponseModel)
{
string refreshToken = postAuthenticateResponseModel.RefreshToken.Split(';').Single(x => x.Contains("MovieMind.RefreshToken=")).Substring(24);
string rtExpiresOn = postAuthenticateResponseModel.RefreshToken.Split(';').Single(x => x.Contains("expires=")).Substring(9);
StateManagementModel stateManagementModel = new StateManagementModel
{
Id = postAuthenticateResponseModel.Id,
FirstName = postAuthenticateResponseModel.FirstName,
LastName = postAuthenticateResponseModel.LastName,
UserName = postAuthenticateResponseModel.UserName,
JwtToken = postAuthenticateResponseModel.JwtToken,
JwtExpiresOn = handler.ReadJwtToken(postAuthenticateResponseModel.JwtToken).ValidTo,
RefreshToken = refreshToken,
RtExpiresOn = Convert.ToDateTime(rtExpiresOn).ToUniversalTime(),
Roles = postAuthenticateResponseModel.Roles
};
SetSessionData(stateManagementModel);
}
[ValidateAntiForgeryToken] // Prevents XSRF/CSRF attacks
public async Task <IActionResult> Index(PostAuthenticateRequestModel postAuthenticateRequestModel)
{
if (ModelState.IsValid)
{
try
{
// Send an API request to authenticate the new user
PostAuthenticateResponseModel postAuthenticateResponseModel = await _moviemindAPIService.Authenticate(postAuthenticateRequestModel);
_stateManagementService.SetState(postAuthenticateResponseModel);
// Redirect to the home page
return(RedirectToRoute(new { action = "Index", controller = "Home" }));
}
catch (MovieMindException e)
{
TempData["ApiError"] = e.Message;
}
}
return(View(postAuthenticateRequestModel));
}
