public async Task <APIResponse> DebugAuth(long id, string audi) { var user = await UserManager.FindByIdAsync(id.ToString()); JwtAudience audience = JwtAudience.Cabinet; if (!string.IsNullOrWhiteSpace(audi)) { if (Enum.TryParse(audi, true, out JwtAudience aud)) { audience = aud; } } // denied var accessRightsMask = Core.UserAccount.ResolveAccessRightsMask(HttpContext.RequestServices, audience, user); if (accessRightsMask == null) { return(null); } return(APIResponse.Success( new AuthenticateView() { Token = JWT.CreateAuthToken( appConfig: AppConfig, user: user, audience: audience, area: JwtArea.Authorized, rightsMask: accessRightsMask.Value ), TfaRequired = false, })); }
private APIResponse OnSignInResultCheck(IServiceProvider services, Microsoft.AspNetCore.Identity.SignInResult result, DAL.Models.Identity.User user, JwtAudience audience, bool tfaRequired) { if (result != null) { if (result.Succeeded || result.RequiresTwoFactor) { // tfa token if (tfaRequired || result.RequiresTwoFactor) { return(APIResponse.Success( new AuthenticateView() { Token = JWT.CreateAuthToken( appConfig: AppConfig, user: user, audience: audience, area: JwtArea.Tfa ), TfaRequired = true, } )); } // new jwt salt UserAccount.GenerateJwtSalt(user, audience); DbContext.SaveChanges(); // auth token return(APIResponse.Success( new AuthenticateView() { Token = JWT.CreateAuthToken( appConfig: AppConfig, user: user, audience: audience, area: JwtArea.Authorized ), TfaRequired = false, } )); } if (result.IsLockedOut) { return(APIResponse.BadRequest(APIErrorCode.AccountLocked, "Too many unsuccessful attempts to sign in. Account is locked, try to sign in later")); } if (result.IsNotAllowed) { return(APIResponse.BadRequest(APIErrorCode.AccountEmailNotConfirmed, "Email is not confirmed yet")); } } // not found return(null); }
public async Task <APIResponse> Refresh() { var user = await GetUserFromDb(); var audience = GetCurrentAudience(); if (audience == null) { return(APIResponse.BadRequest(APIErrorCode.Unauthorized)); } return(APIResponse.Success( new RefreshView() { Token = JWT.CreateAuthToken( appConfig: AppConfig, user: user, audience: audience.Value, area: JwtArea.Authorized ), } )); }
public async Task <RedirectResult> ProcessOAuthCallback(LoginProvider provider, UserInfo userInfo) { Logger.Info($"User {userInfo.Id} - login attempt"); var audience = JwtAudience.Cabinet; var userLocale = GetUserLocale(); // find user with this ext login var user = await UserManager.FindByLoginAsync(provider.ToString(), userInfo.Id); // exists if (user != null) { Logger.Info($"User {userInfo.Id} - account {user.Id} found"); // try to sign in var signResult = await SignInManager.CanSignInAsync(user); // can't sign in if (!signResult) { Logger.Info($"User {userInfo.Id} - can't sign in"); // load options await DbContext.Entry(user).Reference(_ => _.UserOptions).LoadAsync(); } else { Logger.Info($"User {userInfo.Id} - can sign in"); // check rights var accessRightsMask = Core.UserAccount.ResolveAccessRightsMask(HttpContext.RequestServices, audience, user); if (accessRightsMask != null) { var agent = GetUserAgentInfo(); //// notification //await EmailComposer.FromTemplate(await TemplateProvider.GetEmailTemplate(EmailTemplate.SignedIn, userLocale)) // .ReplaceBodyTag("IP", agent.Ip) // .Initiator(agent.Ip, agent.Agent, DateTime.UtcNow) // .Send(user.Email, user.UserName, EmailQueue) //; // activity var userActivity = CoreLogic.User.CreateUserActivity( user: user, type: Common.UserActivityType.Auth, comment: "Signed in with social network", ip: agent.Ip, agent: agent.Agent, locale: userLocale ); DbContext.UserActivity.Add(userActivity); await DbContext.SaveChangesAsync(); // tfa required if (user.TwoFactorEnabled) { Logger.Info($"User {userInfo.Id} - 2FA required"); var tokenForTfa = JWT.CreateAuthToken( appConfig: AppConfig, user: user, audience: audience, area: JwtArea.Tfa, rightsMask: accessRightsMask.Value ); return(Redirect( this.MakeAppLink(audience, fragment: AppConfig.Apps.Cabinet.RouteOAuthTfaPage.Replace(":token", tokenForTfa)) )); } // new jwt salt UserAccount.GenerateJwtSalt(user, audience); DbContext.SaveChanges(); Logger.Info($"User {userInfo.Id} - signed in"); // ok var token = JWT.CreateAuthToken( appConfig: AppConfig, user: user, audience: audience, area: JwtArea.Authorized, rightsMask: accessRightsMask.Value ); return(Redirect( this.MakeAppLink(audience, fragment: AppConfig.Apps.Cabinet.RouteOAuthAuthorized.Replace(":token", token)) )); } else { Logger.Info($"User {userInfo.Id} - hasn't rights"); } } Logger.Info($"User {userInfo.Id} - failure 1"); // never should get here return(Redirect("/")); } // doesnt exist yet else { Logger.Info($"User {userInfo.Id} - account creation"); // try create and sign in var cuaResult = await Core.UserAccount.CreateUserAccount(HttpContext.RequestServices, userInfo.Email); if (cuaResult.User != null) { Logger.Info($"User {userInfo.Id} - account {cuaResult.User.Id} created"); // user created and external login attached if (await CreateExternalLogin(cuaResult.User, provider, userInfo)) { Logger.Info($"User {userInfo.Id} - external login created"); var accessRightsMask = Core.UserAccount.ResolveAccessRightsMask(HttpContext.RequestServices, audience, cuaResult.User); if (accessRightsMask != null) { Logger.Info($"User {userInfo.Id} - signed in"); // ok var token = JWT.CreateAuthToken( appConfig: AppConfig, user: cuaResult.User, audience: audience, area: JwtArea.Authorized, rightsMask: accessRightsMask.Value ); return(Redirect( this.MakeAppLink(audience, fragment: AppConfig.Apps.Cabinet.RouteOAuthAuthorized.Replace(":token", token)) )); } } Logger.Info($"User {userInfo.Id} - failure 2"); // failed return(Redirect("/")); } Logger.Info($"User {userInfo.Id} - failure 3"); // redirect to error OR email input return(Redirect( this.MakeAppLink(audience, fragment: AppConfig.Apps.Cabinet.RouteEmailTaken) )); } }
public async Task <APIResponse> Register([FromBody] RegisterModel model) { // validate if (BaseValidableModel.IsInvalid(model, out var errFields)) { return(APIResponse.BadRequest(errFields)); } var agent = GetUserAgentInfo(); var userLocale = GetUserLocale(); // captcha if (!HostingEnvironment.IsDevelopment()) { if (!await Core.Recaptcha.Verify(AppConfig.Services.Recaptcha.SecretKey, model.Captcha, agent.Ip)) { return(APIResponse.BadRequest(nameof(model.Captcha), "Failed to validate captcha")); } } var result = await Core.UserAccount.CreateUserAccount(HttpContext.RequestServices, model.Email, model.Password); if (result.User != null) { // confirmation token var token = Core.Tokens.JWT.CreateSecurityToken( appConfig: AppConfig, entityId: result.User.UserName, audience: JwtAudience.Cabinet, securityStamp: "", area: Common.JwtArea.Registration, validFor: TimeSpan.FromDays(2) ); var callbackUrl = this.MakeAppLink(JwtAudience.Cabinet, fragment: AppConfig.Apps.Cabinet.RouteSignUpConfirmation.Replace(":token", token)); // email confirmation await EmailComposer.FromTemplate(await TemplateProvider.GetEmailTemplate(EmailTemplate.EmailConfirmation, userLocale)) .Link(callbackUrl) .Send(model.Email, "", EmailQueue) ; // auth token return(APIResponse.Success( new Models.API.v1.User.UserModels.AuthenticateView() { Token = JWT.CreateAuthToken( appConfig: AppConfig, user: result.User, audience: JwtAudience.Cabinet, area: JwtArea.Authorized ), TfaRequired = false, } )); } else { if (result.IsUsernameExists || result.IsEmailExists) { return(APIResponse.BadRequest(APIErrorCode.AccountEmailTaken, "Email is already taken")); } } throw new Exception("Registration failed"); }