/// <summary> /// Try and auth the user from the HTTP headers on the request to the API /// Look for bearer token aka JWT token & try to verify & deserialise it /// </summary> /// <param name="request"></param> /// <returns>If success auth'd return the associated Umbraco backoffice user</returns> private static IUser Authenticate(HttpRequestMessage request) { //Try to get the Authorization header in the request var ah = request.Headers.Authorization; //If no Auth header sent or the scheme is not bearer aka TOKEN if (ah == null || ah.Scheme.ToLower() != "bearer") { //Return null (by returning null, base method above will return it as HTTP 401) return(null); } //Get the JWT token from auth HTTP header param param (Base64 encoded - username:password) var jwtToken = ah.Parameter; try { //Decode & verify token was signed with our secret var decodeJwt = UmbracoAuthTokenFactory.DecodeUserAuthToken(jwtToken); //Ensure our token is not null (was decoded & valid) if (decodeJwt != null) { //Just the presence of the token & being deserialised with correct SECRET key is a good sign //Get the user from userService from it's username var user = ApplicationContext.Current.Services.UserService.GetUserById(decodeJwt.IdentityId); //var user = ApplicationContext.Current.Services.UserService.GetByProviderKey(decodeJwt.IdentityId); //If user is NOT Approved OR the user is Locked Out if (!user.IsApproved || user.IsLockedOut) { //Return null (by returning null, base method above will return it as HTTP 401) return(null); } //Verify token is what we have on the user var isTokenValid = UserAuthTokenDbHelper.IsTokenValid(decodeJwt); //Token matches what we have in DB if (isTokenValid) { //Lets return the backoffice user from Umbraco //Can we use this user & pass down to API controller that is [Auth'd] return(user); } //Token does not match in DB return(null); } //JWT token could not be serialised to AuthToken object return(null); } catch (SignatureVerificationException ex) { //Bubble exception up throw ex; } }
public string Authorise(AuthCredentials auth) { //Verify user is valid credentials var isValidAuth = Security.ValidateBackOfficeCredentials(auth.Username, auth.Password); //Are credentials correct? if (isValidAuth) { //Get the backoffice user from username var user = ApplicationContext.Services.UserService.GetByUsername(auth.Username); //Generate AuthToken DB object var newToken = new UmbracoAuthToken(); newToken.IdentityId = user.Id; newToken.IdentityType = IdentityAuthType.User.ToString(); //Generate a new token for the user var authToken = UmbracoAuthTokenFactory.GenerateUserAuthToken(newToken); //Store in DB (inserts or updates existing) UserAuthTokenDbHelper.InsertAuthToken(authToken); //Return the JWT token as the response //This means valid login & client in our case mobile app stores token in local storage return(authToken.AuthToken); } //Throw unauthorised HTTP error var httpUnauthorised = new HttpResponseMessage(HttpStatusCode.Unauthorized); throw new HttpResponseException(httpUnauthorised); }
/// <summary> /// Try and auth the user from the HTTP headers on the request to the API /// Look for bearer token aka JWT token & try to verify & deserialise it /// </summary> /// <param name="request"></param> /// <returns>If success auth'd return the associated Umbraco backoffice user</returns> private static IMember Authenticate(HttpRequestMessage request) { // Try to get the JWT token from the request string jwtToken = GetTokenFromRequest(request); // Return null if we didn't find a token (by returning null, base method above will return it as HTTP 401) if (string.IsNullOrEmpty(jwtToken)) { return(null); } try { // Decode & verify token was signed with our secret var decodeJwt = UmbracoAuthTokenFactory.DecodeUserAuthToken(jwtToken); // Ensure our token is not null (was decoded & valid) if (decodeJwt != null) { // Just the presence of the token & being deserialised with correct SECRET key is a good sign // Get the member from userService from it's id var member = ApplicationContext.Current.Services.MemberService.GetById(decodeJwt.IdentityId); // If user is NOT Approved OR the user is Locked Out if (!member.IsApproved || member.IsLockedOut) { // Return null (by returning null, base method above will return it as HTTP 401) return(null); } // Verify token is what we have on the user var isTokenValid = UserAuthTokenDbHelper.IsTokenValid(decodeJwt); // Token matches what we have in DB if (isTokenValid) { // Lets return the member return(member); } // Token does not match in DB return(null); } // JWT token could not be serialised to AuthToken object return(null); } catch (SignatureVerificationException ex) { // Bubble exception up throw ex; } }
public string AuthoriseMember(AuthCredentials auth) { //Verify user is valid credentials - using current membership provider //Should be native Umbraco one var isValidAuth = Membership.ValidateUser(auth.Username, auth.Password); //Are credentials correct? if (isValidAuth) { //Get the member from username var member = ApplicationContext.Services.MemberService.GetByUsername(auth.Username); //Check if we have an Auth Token for user var hasAuthToken = UserAuthTokenDbHelper.GetAuthToken(member.Id); //If the token already exists if (hasAuthToken != null) { //Lets just return it in the request return(hasAuthToken.AuthToken); } //Else user has no token yet - so let's create one //Generate AuthToken DB object var newToken = new UmbracoAuthToken(); newToken.IdentityId = member.Id; newToken.IdentityType = IdentityAuthType.Member.ToString(); //Generate a new token for the user var authToken = UmbracoAuthTokenFactory.GenerateAuthToken(newToken); //We insert authToken as opposed to newToken //As authToken now has DateTime & JWT token string on it now //Store in DB (inserts or updates existing) UserAuthTokenDbHelper.InsertAuthToken(authToken); //Return the JWT token as the response //This means valid login & client in our case mobile app stores token in local storage return(authToken.AuthToken); } //Throw unauthorised HTTP error var httpUnauthorised = new HttpResponseMessage(HttpStatusCode.Unauthorized); throw new HttpResponseException(httpUnauthorised); }
/// <summary> /// /// </summary> /// <param name="sender"></param> /// <param name="e"></param> void MemberService_Saving(IMemberService sender, SaveEventArgs <IMember> e) { //Saved entites (Could be more than one member saved. Very unlikely?) var member = e.SavedEntities.FirstOrDefault(); //Found a member that has been saved if (member != null) { //Check if the password property (RawPasswordValue) is dirty aka has beeen changed var passIsDirty = member.IsPropertyDirty("RawPasswordValue"); //Password has been changed if (passIsDirty) { //Check if user already has token in DB (token created on first login/auth to API) var hasAuthToken = UserAuthTokenDbHelper.GetAuthToken(member.Id); //invalidate token (Only if token exists in DB) //We have found an existing token if (hasAuthToken != null) { //Generate AuthToken DB object var newToken = new UmbracoAuthToken(); newToken.IdentityId = member.Id; newToken.IdentityType = IdentityAuthType.Member.ToString(); //Generate a new token for the user var authToken = UmbracoAuthTokenFactory.GenerateUserAuthToken(newToken); //NOTE: We insert authToken as opposed to newToken //As authToken now has DateTime & JWT token string on it now //Store in DB (inserts or updates existing) UserAuthTokenDbHelper.InsertAuthToken(authToken); } } } }