        /// <summary>
        /// Ensures that the current session contains data for the authenticated user.
        /// </summary>
        /// <remarks>
        /// Security review: for unauthenticated requests on any deployment where
        /// <c>provider.IsProduction()</c> returns false, this method accepts a client id from the
        /// <c>cid</c> query-string parameter and signs the request in as that client without
        /// checking any credential. See the NOTE(review) comments in the body.
        /// </remarks>
        /// <param name="context">The current HTTP context; its User and Session may be overwritten.</param>
        /// <param name="provider">Supplies the environment check and client lookup.</param>
        /// <returns>Whatever the three-argument <c>CheckSession</c> overload returns for the resolved client (possibly resolved from null).</returns>
        /// <exception cref="ArgumentNullException"><paramref name="context"/> or <paramref name="provider"/> is null.</exception>
        public static IClient CheckSession(this HttpContextBase context, IProvider provider)
        {
            if (context == null)
            {
                throw new ArgumentNullException("context");
            }

            if (provider == null)
            {
                throw new ArgumentNullException("provider");
            }

            IClient client = null;

            if (context.User.Identity.IsAuthenticated)
            {
                // Normal path: the request already carries an authenticated identity.
                client = context.CurrentUser(provider);
            }
            else if (!provider.IsProduction())
            {
                // Authentication bypass, kept as-is from the original code: an unauthenticated
                // request naming a client id in "cid" is treated as that client, with no password.
                // The earlier maintainer suspected leftover debugging code and added the
                // IsProduction() guard as a safety net.
                //
                // NOTE(review): IsProduction() is the only control here, so a staging or test host
                // reachable by others, or a production host whose environment flag is
                // misconfigured, lets anyone assume any client's identity and roles. Prefer
                // removing this branch. If it must stay, make it an explicit opt-in setting that
                // defaults to off, limit it to local requests (e.g. Request.IsLocal), and log every use.
                var query = context.Request.QueryString;

                if (query.AllKeys.Contains("cid") && int.TryParse(query["cid"], out int clientId))
                {
                    client = provider.Data.Client.GetClient(clientId);

                    if (client != null)
                    {
                        // The principal is built purely from the looked-up record; nothing in
                        // this block ties the request to that client.
                        var identity = new GenericIdentity(client.UserName);
                        var roles = client.Roles();
                        context.User = new GenericPrincipal(identity, roles);

                        // NOTE(review): the identity is written into the existing session; no
                        // session id renewal or audit logging is visible in this block. Confirm
                        // whether either happens elsewhere.
                        context.Session[SessionKeys.UserName] = client.UserName;
                    }
                }
            }

            // client is still null here when the request is unauthenticated and the bypass did not apply.
            return context.CheckSession(provider, client);
        }