/// <summary>
/// Handles the POST of the edit form for an existing user.
/// </summary>
/// <param name="id">Route value naming the user being edited; it must match the posted UserName.</param>
/// <param name="myOwnUser">Posted form values. Only UserName, Password and IsAdmin are bound from the request.</param>
/// <returns>
/// NotFound when the route id and posted UserName disagree or the row vanished mid-save,
/// a redirect to Index after a successful save, otherwise the edit view with the posted model.
/// </returns>
/// <remarks>
/// NOTE(review): IsAdmin is bound straight from the form, so whoever can reach this action can set it,
/// and no authorization check is visible in this block — confirm one is applied on the action or controller.
/// The model (Password included) is echoed back to the view on validation failure, unlike SignIn, which blanks it.
/// </remarks>
public async Task<IActionResult> Edit(string id, [Bind("UserName,Password,IsAdmin")] MyOwnUser myOwnUser)
{
    // The route key and the bound entity key must agree before anything is persisted.
    if (id != myOwnUser.UserName)
    {
        return NotFound();
    }

    if (!ModelState.IsValid)
    {
        return View(myOwnUser);
    }

    try
    {
        _context.Update(myOwnUser);
        await _context.SaveChangesAsync();
    }
    catch (DbUpdateConcurrencyException) when (!MyOwnUserExists(myOwnUser.UserName))
    {
        // The row disappeared between serving the form and saving it; any other concurrency
        // failure is left to propagate, exactly as the rethrow did before.
        return NotFound();
    }

    return RedirectToAction(nameof(Index));
}
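/// <summary>
/// Handles the POST of the sign-in form: validates the credentials and issues the authentication cookie.
/// </summary>
/// <param name="user">Posted credentials. Only UserName and Password are bound from the request.</param>
/// <returns>
/// The sign-in view again on invalid input or rejected credentials, otherwise a redirect to Issue/Index.
/// </returns>
/// <remarks>
/// The role claim is taken from the stored record, not from the posted model: IsAdmin is outside the
/// bind list, so the posted value is always the type default and must never decide the role.
/// NOTE(review): no [HttpPost]/[ValidateAntiForgeryToken] is visible in this block — confirm the
/// action is restricted to POST and protected against cross-site request forgery elsewhere.
/// </remarks>
public async Task<IActionResult> SignIn([Bind("UserName,Password")] MyOwnUser user)
{
    if (!ModelState.IsValid)
    {
        // Blank out the password so we don't send it back
        user.Password = null;
        return View(user);
    }

    if (!await LoginIsValid(user))
    {
        ModelState.AddModelError("", "Invalid UserName/Password");
        return View();
    }

    // Re-read the account so the issued role reflects what is persisted rather than what was posted.
    var storedUser = await _context.Users.FirstOrDefaultAsync(x => x.UserName == user.UserName);
    if (storedUser == null)
    {
        // The record went away between the credential check and now; report it like any failed login.
        ModelState.AddModelError("", "Invalid UserName/Password");
        return View();
    }

    var claims = new List<Claim>
    {
        new Claim(ClaimTypes.Name, storedUser.UserName),
        new Claim(ClaimTypes.Role, storedUser.IsAdmin ? "Admin" : "User"),
    };
    var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
    var principal = new ClaimsPrincipal(identity);

    await HttpContext.SignInAsync(
        CookieAuthenticationDefaults.AuthenticationScheme,
        principal,
        new AuthenticationProperties
        {
            IsPersistent = true,
            AllowRefresh = true,
            // ExpiresUtc is a UTC instant; DateTime.Now is local time and would shift the expiry by the server's UTC offset.
            ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(10)
        });

    return RedirectToAction("Index", "Issue");
}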
/// <summary>
/// Handles the POST of the create-user form.
/// </summary>
/// <param name="myOwnUser">Posted form values. Only UserName, Password and IsAdmin are bound from the request.</param>
/// <returns>A redirect to Index once the user is saved, or the create view with the posted model when it is invalid.</returns>
/// <remarks>
/// NOTE(review): IsAdmin comes straight from the form, so any caller that can reach this action can create
/// an administrator; no authorization check is visible in this block — confirm it is enforced on the action or controller.
/// </remarks>
public async Task<IActionResult> Create([Bind("UserName,Password,IsAdmin")] MyOwnUser myOwnUser)
{
    if (!ModelState.IsValid)
    {
        return View(myOwnUser);
    }

    _context.Add(myOwnUser);
    await _context.SaveChangesAsync();

    return RedirectToAction(nameof(Index));
}
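/// <summary>
/// Checks the posted UserName/Password pair against the Users table.
/// </summary>
/// <param name="user">Posted credentials; only UserName and Password are read.</param>
/// <returns>
/// true when a matching record is found within the time budget; false when nothing matches
/// or when the lookup was cancelled by the one-second budget.
/// </returns>
/// <remarks>
/// Every call waits at least one second whether or not the user exists, so response time does not
/// reveal which usernames are valid and online guessing is slowed down.
/// NOTE(review): the query compares the raw Password column with the posted value, which implies the
/// password is stored as typed; hashing belongs in the model/persistence layer and is not addressed here.
/// </remarks>
private async Task<bool> LoginIsValid(MyOwnUser user)
{
    using (var cancellationTokenSource = new CancellationTokenSource(1000))
    {
        var foundUserTask = _context.Users.FirstOrDefaultAsync(
            x => x.UserName == user.UserName && x.Password == user.Password,
            cancellationTokenSource.Token);

        var loginTookTooLong = false;
        try
        {
            // crude way of making sure no one knows if the user exists or not.
            // this also lets the login process take a while so no one can brute force it quickly
            await Task.WhenAll(foundUserTask, Task.Delay(1000));
        }
        catch (OperationCanceledException)
        {
            // A cancelled query may surface as OperationCanceledException itself rather than only the
            // TaskCanceledException subclass, so catch the base type and treat both as "took too long".
            loginTookTooLong = true;
        }

        // here we check if login took longer than expected or if the username and password were wrong (aka: didn't return a record)
        if (loginTookTooLong)
        {
            return false;
        }

        // WhenAll returned without faulting, so the query has completed; awaiting it (instead of .Result)
        // avoids AggregateException wrapping if it ever faults.
        return await foundUserTask != null;
    }
}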