private AppContext CreateKnownUser(CookieIdentity cookieIdentity)
{
List <Organisation> organisations;
var organisation = GetActiveOrganisation(cookieIdentity.Email, out organisations);
if (organisation != null)
{
_session.SetOrganisation(organisation);
var user = _getUserByEmailAddressQuery.Invoke(new GetUserByEmailAddressRequest
{
EmailAddress = cookieIdentity.Email,
OrganisationId = organisation.Id
}).User;
if (user != null)
{
var appContext = new AppContext();
user.ActiveOrganisation = organisation;
user.Organisations = organisations;
user.OrganisationId = organisation.Id;
appContext.Authentication = _authenticationManager;
appContext.CurrentUser = user;
appContext.AuthenticationStatus = HttpContext.Current.Request.IsAuthenticated
? AuthenticationStatus.Authenticated
: AuthenticationStatus.NotAuthenticated;
return(appContext);
}
}
return(CreateAnonymousUser());
}
public AppContext Create()
{
try
{
AppContext appContext = AppContext.GetFromHttpContext();
if (appContext == null)
{
var impersonationStatus = _impersonationManager.CurrentStatus;
//GT: ideally we'd like to have a record of *who* is impersonating, but this would
// mean loading the impersonating user, which would mean we'd need to set the
// org on the session twice, which kind of breaks the security model.
// If we really wanted this information, we could set it into the ImpersonationStatus
// when starting the impersonation
if (impersonationStatus.Impersonating)
{
var impersonatedIdentity = new CookieIdentity
{
HasUserProfile = true,
Email = impersonationStatus.EmailAddress,
};
appContext = CreateKnownUser(impersonatedIdentity);
appContext.Impersonated = true;
}
else
{
var currentAuthenticationIdentity = _authenticationManager.GetCurrentUser();
appContext = currentAuthenticationIdentity.HasUserProfile ?
CreateKnownUser(currentAuthenticationIdentity) :
CreateAnonymousUser();
}
AppContext.AddToHttpContext(appContext);
}
return(appContext);
}
catch (Exception ex)
{
//exceptions thrown here cause an exception in the WindsorControllerFactory when the controller is released
//hence the true exception is masked in the event log. Hence we explicitly log the exception in here before throwing it
//TODO: get to the bottom of the actual problem!
Error(ex);
throw;
}
}
/// <summary>
/// Creates an identity cookie for our guest and returns their new identity
/// </summary>
/// <returns></returns>
public CookieIdentity SignInGuest()
{
//create the new anonymous identity
var authenticationIdentity = new CookieIdentity
{
RememberMe = false,
Email = CoreConstants.Authentication.GuestUserName,
HasUserProfile = false
};
//update the identity cookie
_cookieManager.Set(CoreConstants.Authentication.IdentityCookieName, authenticationIdentity.Encode(), DateTime.MaxValue);
//remove the current user from the http context
AppContext.RemoveFromHttpContext();
return(authenticationIdentity);
}
/// <summary>
/// Method should only be invoked for users who have just successfully logged into the site
/// </summary>
/// <param name="email">the email they logged in with (could be username or email address)</param>
public void SignIn(string email)
{
FormsAuthentication.SetAuthCookie(email, true);
var authenticationIdentity = new CookieIdentity
{
RememberMe = true,
Email = email,
HasUserProfile = true,
};
_cookieManager.Set(
CoreConstants.Authentication.IdentityCookieName,
authenticationIdentity.Encode(),
authenticationIdentity.RememberMe ? DateTime.MaxValue : (DateTime?)null);
//remove the current user from the http context
AppContext.RemoveFromHttpContext();
}
public CookieIdentity GetCurrentUser()
{
var name = HttpContext.Current.User.Identity.Name;
var authCookie = _cookieManager.Get(CoreConstants.Authentication.IdentityCookieName);
if (name.IsNullOrEmpty() || authCookie.IsNullOrEmpty())
{
return(SignInGuest());
}
var authIdentity = CookieIdentity.Decode(authCookie);
//make sure the identity cookie has not been hacked
if (authIdentity.Email.ToLowerInvariant().Trim() == name.ToLowerInvariant().Trim())
{
return(authIdentity);
}
return(SignInGuest());
}
public static CookieIdentity Decode(string cookieValue)
{
ArgumentValidation.NotEmpty(cookieValue, "cookieValue");
NameValueCollection cookieValues = HttpUtility.ParseQueryString(cookieValue);
if (cookieValues.Get(CoreConstants.Authentication.HasUserProfile) != null &&
cookieValues.Get(CoreConstants.Authentication.RememberMe) != null &&
cookieValues.Get(CoreConstants.Authentication.Email) != null)
{
var identity = new CookieIdentity
{
HasUserProfile = cookieValues[CoreConstants.Authentication.HasUserProfile] == "true",
RememberMe = cookieValues[CoreConstants.Authentication.RememberMe] == "true",
Email = cookieValues[CoreConstants.Authentication.Email]
};
return(identity);
}
return(null);
}
