public async Task SendPin([FromBody] SendPinRequest request)
{
OpContext.WebContext.MarkConfidential();
OpContext.ThrowIfNull(request, ClientFaultCodes.ContentMissing, "SendPinRequest", "Pin request object must be provided.");
OpContext.ValidateNotEmpty(request.ProcessToken, "ProcessToken", "Process token should be provided.");
OpContext.ValidateNotEmpty(request.Factor, "Factor", "Factor (email or phone) should be provided.");
OpContext.ThrowValidation();
var session = OpContext.OpenSession();
var process = GetActiveProcess(session, request.ProcessToken, confirmedOnly: false);
if (process == null)
{
return; //no indication process exist or not
}
OpContext.ThrowIf(process.CurrentFactor != null, ClientFaultCodes.InvalidAction, "token", "The previous process step is not completed.");
var iFactor = ProcessService.FindLoginExtraFactor(process.Login, request.Factor);
//now having completed at least one extra factor, we can openly indicate that we could not find next factor
OpContext.ThrowIfNull(iFactor, ClientFaultCodes.InvalidValue, "factor", "Login factor (email or phone) is not found for a user.");
//Check that factor type is one in the pending steps
var factorOk = process.PendingFactors.IsSet(iFactor.FactorType);
OpContext.ThrowIf(!factorOk, ClientFaultCodes.InvalidValue, "factor", "Login factor type attempted (email or phone) is not pending in the process.");
await ProcessService.SendPinAsync(process, iFactor, request.Factor); //we use factor from request, to avoid unencrypting twice
}
public LoginResponse CompleteMultiFactorLogin([FromBody] MultifactorLoginRequest request)
{
var session = OpContext.OpenSession();
var process = GetMutiFactorProcess(session, request.ProcessToken);
OpContext.ThrowIfNull(process, ClientFaultCodes.ObjectNotFound, "processToken", "Login process not found or expired.");
OpContext.ThrowIf(process.PendingFactors != ExtraFactorTypes.None, ClientFaultCodes.InvalidValue, "PendingFactors",
"Multi-factor login process not completed, verification pending: {0}.", process.PendingFactors);
var login = process.Login;
var loginService = OpContext.App.GetService <ILoginService>();
var loginResult = loginService.CompleteMultiFactorLogin(OpContext, login);
var displayName = OpContext.App.GetUserDispalyName(OpContext.User);
session.SaveChanges();
return(new LoginResponse()
{
Status = LoginAttemptStatus.Success, SessionId = loginResult.SessionId,
UserName = login.UserName, UserDisplayName = displayName,
UserId = login.UserId, AltUserId = login.AltUserId, LoginId = login.Id,
PasswordExpiresDays = login.GetExpiresDays(), Actions = loginResult.Actions,
LastLoggedInOn = loginResult.PreviousLoginOn,
AuthenticationToken = CreateAuthToken()
});
}//method
public LoginProcess GetMultiFactorProcess(string token)
{
var session = OpContext.OpenSession();
var process = GetMutiFactorProcess(session, token, throwIfNotFound: false);
return(process.ToModel());
}
public string TestConnectionHandling()
{
// connection mode should be set in WebCallContextHandlerSettings, and it is reuse by default
if (OpContext.DbConnectionMode != DbConnectionReuseMode.KeepOpen)
{
return("Error: Connection mode is not KeepOpen. Mode: " + OpContext.DbConnectionMode);
}
_connectionCloseReport = "(empty)";
var session = OpContext.OpenSession();
var bk = session.EntitySet <IBook>().OrderBy(b => b.Title).First();
//this should creaet connection and attach to session
var entSession = (Vita.Entities.Runtime.EntitySession)session;
var currConn = entSession.CurrentConnection;
if (currConn == null)
{
return("Connection was not attached to entity session.");
}
var sqlConn = (SqlConnection)currConn.DbConnection;
if (sqlConn.State != ConnectionState.Open)
{
return("Connection was not kept open.");
}
sqlConn.StateChange += Conn_StateChange;
return("OK");
}
public List <SecretQuestion> GetStandardSecretQuestions()
{
var session = OpContext.OpenSession(); //opening system session, no need for authorization
var questions = LoginManager.GetAllSecretQuestions(session);
return(questions.Select(q => q.ToModel()).ToList());
}
public void UpdateStatus(Guid loginId, [FromQuery] LoginStatusUpdate update)
{
var session = OpContext.OpenSession();
var login = _adminService.GetLogin(session, loginId);
OpContext.ThrowIfNull(login, ClientFaultCodes.ObjectNotFound, "Login", "Login not found.");
_adminService.UpdateStatus(login, update.Disable, update.Suspend);
}
public IList <SecretQuestion> GetUserSecretQuestions(string token)
{
var session = OpContext.OpenSession();
var process = GetMutiFactorProcess(session, token);
var processService = OpContext.App.GetService <ILoginProcessService>();
var qs = processService.GetUserSecretQuestions(process.Login);
return(qs.Select(q => q.ToModel()).ToList());
}
public void AbortProcess(string token)
{
var session = OpContext.OpenSession();
var process = GetActiveProcess(session, token, confirmedOnly: false);
if (process != null)
{
ProcessService.AbortPasswordReset(process);
}
}
public bool SubmitQuestionAnswers(string token, [FromBody] SecretQuestionAnswer[] answers)
{
OpContext.WebContext.MarkConfidential();
var session = OpContext.OpenSession();
var process = GetMutiFactorProcess(session, token);
var processService = OpContext.App.GetService <ILoginProcessService>();
var result = processService.CheckAllSecretQuestionAnswers(process, answers);
return(result);
}
public LoginProcess GetProcess(string token)
{
var session = OpContext.OpenSession();
var process = GetActiveProcess(session, token);
if (process == null)
{
return(null);
}
return(process.ToModel());
}
public LoginInfo GetLogin(Guid id)
{
var session = OpContext.OpenSession();
var login = session.GetEntity <ILogin>(id);
if (login == null)
{
return(null);
}
return(login.ToModel());
}
public void VerifyPin([FromBody] VerifyPinRequest request)
{
var session = OpContext.OpenSession();
var process = GetActiveProcess(session, request.ProcessToken, confirmedOnly: false);
OpContext.ThrowIfEmpty(request.Pin, ClientFaultCodes.ValueMissing, "pin", "Pin value missing");
if (process != null)
{
ProcessService.SubmitPin(process, request.Pin);
}
}
public bool VerifyPinForMultiFactor([FromBody] VerifyPinRequest request)
{
var session = OpContext.OpenSession();
var process = GetMutiFactorProcess(session, request.ProcessToken);
OpContext.ThrowIfNull(process, ClientFaultCodes.ObjectNotFound, "Process", "Process not found or expired.");
OpContext.ThrowIfEmpty(request.Pin, ClientFaultCodes.ValueMissing, "Pin", "Pin value missing.");
var processService = OpContext.App.GetService <ILoginProcessService>();
var result = processService.SubmitPin(process, request.Pin);
session.SaveChanges();
return(result);
}
public bool SubmitQuestionAnswer(string token, [FromBody] SecretQuestionAnswer answer)
{
OpContext.WebContext.MarkConfidential();
var session = OpContext.OpenSession();
var process = GetMutiFactorProcess(session, token);
var storedAnswer = process.Login.SecretQuestionAnswers.FirstOrDefault(a => a.Question.Id == answer.QuestionId);
OpContext.ThrowIfNull(storedAnswer, ClientFaultCodes.InvalidValue, "questionId", "Question is not registered user question.");
var processService = OpContext.App.GetService <ILoginProcessService>();
var success = processService.CheckSecretQuestionAnswer(process, storedAnswer.Question, answer.Answer);
return(success);
}
public string Start([FromBody] PasswordResetStartRequest request)
{
var loginStt = OpContext.App.GetConfig <LoginModuleSettings>();
var obscured = loginStt.Options.IsSet(LoginModuleOptions.ConcealMembership);
var processToken = ProcessService.GenerateProcessToken();
var session = OpContext.OpenSession();
var emailFactor = ProcessService.FindLoginExtraFactor(session, ExtraFactorTypes.Email, request.Factor);
if (emailFactor == null)
{
// If we need to conceal membership (we are a public p**n site), we have to pretend it went ok, and return processToken
// so that we do not disclose if user's email is/is not in our database
if (obscured)
{
return(processToken);
}
else
{
//if we are a specialized site and do not need to conceal membership (this might be annoying in a business system) -
// we return error
OpContext.ThrowIf(true, ClientFaultCodes.ObjectNotFound, "email", "Email {0} not found in database.", request.Factor);
}
}
//check we can start login
var login = emailFactor.Login;
if (login.Flags.IsSet(LoginFlags.DoNotConcealMembership))
{
obscured = false;
}
bool accountBlocked = login.Flags.IsSet(LoginFlags.Disabled) || (login.Flags.IsSet(LoginFlags.Suspended) &&
!loginStt.Options.IsSet(LoginModuleOptions.AllowPasswordResetOnSuspended));
if (accountBlocked)
{
if (obscured)
{
return(processToken);
}
else
{
OpContext.ThrowIf(true, LoginFaultCodes.LoginDisabled, "Login", "Login is disabled.");
}
}
//A flag in login entity may override default conceal settings - to allow more convenient disclosure for
// special members (stuff members or partners)
var process = ProcessService.StartProcess(login, LoginProcessType.PasswordReset, processToken);
return(processToken);
}
public async Task <bool> SetNewPassword(string token, [FromBody] PasswordChangeInfo changeInfo)
{
OpContext.WebContext.MarkConfidential();
var session = OpContext.OpenSession();
var process = GetActiveProcess(session, token);
if (process == null)
{
return(false);
}
await ProcessService.ResetPasswordAsync(process, changeInfo.NewPassword);
return(true);
}
public bool SubmitAllQuestionAnswers(string token, [FromBody] SecretQuestionAnswer[] answers)
{
OpContext.WebContext.MarkConfidential();
var session = OpContext.OpenSession();
var process = GetActiveProcess(session, token);
if (process == null)
{
return(false);
}
var result = ProcessService.CheckAllSecretQuestionAnswers(process, answers);
return(result);
}
public IList <SecretQuestion> GetUserQuestions(string token)
{
var session = OpContext.OpenSession();
var process = GetActiveProcess(session, token);
if (process == null)
{
return(new List <SecretQuestion>());
}
var qs = ProcessService.GetUserSecretQuestions(process.Login);
var list = qs.Select(q => q.ToModel()).ToList();
return(list);
}
public bool VerifyEmailPin(string processToken, string pin)
{
OpContext.ThrowIfEmpty(processToken, ClientFaultCodes.ValueMissing, "processToken", "ProcessToken value missing");
OpContext.ThrowIfEmpty(pin, ClientFaultCodes.ValueMissing, "pin", "Pin value missing");
var session = OpContext.OpenSession();
var processService = OpContext.App.GetService <ILoginProcessService>();
var process = processService.GetActiveProcess(session, LoginProcessType.FactorVerification, processToken);
OpContext.ThrowIfNull(process, ClientFaultCodes.ObjectNotFound, "processToken", "Login process not found or expired.");
var result = processService.SubmitPin(process, pin);
session.SaveChanges();
return(result);
}
public OneTimePasswordInfo SetOneTimePassword(Guid loginId)
{
var session = OpContext.OpenSession();
var login = _adminService.GetLogin(session, loginId);
OpContext.ThrowIfNull(login, ClientFaultCodes.ObjectNotFound, "Login", "Login not found.");
var loginSettings = OpContext.App.GetConfig <LoginModuleSettings>();
string password = _adminService.GenerateTempPassword();
_adminService.SetOneTimePassword(login, password);
return(new OneTimePasswordInfo()
{
Password = password, ExpiresHours = (int)loginSettings.OneTimePasswordExpiration.TotalHours
});
}
public async Task SendPinForMultiFactor([FromBody] SendPinRequest pinRequest)
{
var session = OpContext.OpenSession();
var process = GetMutiFactorProcess(session, pinRequest.ProcessToken);
OpContext.ThrowIf(process.CurrentFactor != null, ClientFaultCodes.InvalidAction, "token", "Factor verification pending, the previous process step is not completed.");
var pendingFactorTypes = process.PendingFactors;
OpContext.ThrowIf(!pendingFactorTypes.IsSet(pinRequest.FactorType), ClientFaultCodes.InvalidValue, "factortype", "Factor type is not pending in login process");
var factor = process.Login.ExtraFactors.FirstOrDefault(f => f.FactorType == pinRequest.FactorType);
OpContext.ThrowIfNull(factor, ClientFaultCodes.ObjectNotFound, "factor",
"Login factor (email or phone) not setup in user account; factor type: {0}", pinRequest.FactorType);
var processService = OpContext.App.GetService <ILoginProcessService>();
await processService.SendPinAsync(process, factor);
}
protected virtual IEntitySession OpenSession()
{
return(OpContext.OpenSession());
}