public ToDoService(
IToDoCommands toDoCommands,
IToDoQueries toDoQueries,
IUserContextResolver userContextResolver,
ILogger <ToDoService> logger
)
{
_toDoCommands = toDoCommands;
_toDoQueries = toDoQueries;
_userContextResolver = userContextResolver;
_log = logger;
}
public AuthorNameResolver(IUserContextResolver userContextResolver)
{
userResolver = userContextResolver;
}
public async Task Invoke(
HttpContext context,
SiteContext currentSite,
IOptions <MultiTenantOptions> multiTenantOptionsAccessor,
IUserContextResolver userResolver,
IAccountService accountService
)
{
var multiTenantOptions = multiTenantOptionsAccessor.Value;
var folderSegment = "";
if (multiTenantOptions.Mode == MultiTenantMode.FolderName)
{
if (!string.IsNullOrWhiteSpace(currentSite.SiteFolderName))
{
folderSegment = "/" + currentSite.SiteFolderName;
}
}
var userContext = await userResolver.GetCurrentUser();
// enforce SiteRules
if (userContext != null)
{
// handle roles changes - basically sets RolesChanged flag to false then sign out and in again to get new roles in cookie
if (userContext.RolesChanged)
{
await accountService.HandleUserRolesChanged(context.User);
}
// handle user still authenticated after lockout or delete
if (userContext.IsLockedOut || userContext.IsDeleted)
{
await accountService.SignOutAsync();
}
//handle must change password
if (userContext.MustChangePwd)
{
var changePasswordUrl = folderSegment + "/manage/changepassword";
if (!context.Request.Path.StartsWithSegments(changePasswordUrl))
{
var logMessage = $"user {userContext.Email} has must change password so redirecting to change password page from requested path {context.Request.Path}";
_logger.LogWarning(logMessage);
context.Response.Redirect(changePasswordUrl);
}
}
}
else
{
//userContext is null, make sure user is not signed in, ie if account was deleted but user was currently logged in we need to catch that
if (context.User.Identity.IsAuthenticated)
{
await accountService.SignOutAsync();
}
}
// handle site closed
if (currentSite.SiteIsClosed &&
!context.User.IsInRole("Administrators") &&
!context.User.IsInRole("Content Administrators")
)
{
var closedUrl = folderSegment + "/closed";
// not redirecting for account urls because admin needs to be able to login to unclose the site
if (
(!context.Request.Path.StartsWithSegments(closedUrl)) &&
(!context.Request.Path.StartsWithSegments(folderSegment + "/account"))
)
{
var logMessage = $"site closed so redirecting to closed for requested path {context.Request.Path}";
_logger.LogWarning(logMessage);
context.Response.Redirect(closedUrl);
}
}
// handle must agree to terms
if (userContext != null &&
(!string.IsNullOrWhiteSpace(currentSite.RegistrationAgreement)) &&
(userContext.AgreementAcceptedUtc == null || userContext.AgreementAcceptedUtc < currentSite.TermsUpdatedUtc) &&
!context.User.IsInRole("Administrators") &&
!context.User.IsInRole("Content Administrators")
)
{
var agreementUrl = folderSegment + "/account/termsofuse";
if (
(!context.Request.Path.StartsWithSegments(agreementUrl)) &&
(!context.Request.Path.StartsWithSegments("/oops/error")) &&
(!context.Request.Path.StartsWithSegments("/account/logoff")) &&
(!context.Request.Path.Value.EndsWith("css.map")) //css.map
)
{
var logMessage = $"user {userContext.Email} has not accepted terms of use so redirecting to terms of use acceptance page from requested path {context.Request.Path}";
_logger.LogWarning(logMessage);
context.Response.Redirect(agreementUrl);
}
}
await _next(context);
}
public async Task Invoke(
HttpContext context,
SiteContext currentSite,
IOptions <MultiTenantOptions> multiTenantOptionsAccessor,
IUserContextResolver userResolver,
IAccountService accountService
)
{
var multiTenantOptions = multiTenantOptionsAccessor.Value;
var folderSegment = "";
if (multiTenantOptions.Mode == MultiTenantMode.FolderName)
{
if (!string.IsNullOrWhiteSpace(currentSite.SiteFolderName))
{
folderSegment = "/" + currentSite.SiteFolderName;
}
}
var userContext = await userResolver.GetCurrentUser();
//userContext is null, make sure user is not signed in, ie if account was deleted but user was currently logged in we need to catch that
if (userContext == null && context.User.Identity.IsAuthenticated)
{
await accountService.SignOutAsync();
}
// handle roles changes - basically sets RolesChanged flag to false then sign out and in again to get new roles in cookie
if (userContext != null && userContext.RolesChanged)
{
await accountService.HandleUserRolesChanged(context.User);
}
// handle user still authenticated after lockout
if (userContext != null && userContext.IsLockedOut)
{
await accountService.SignOutAsync();
}
if (userContext != null && currentSite.SingleBrowserSessions && !string.IsNullOrWhiteSpace(userContext.BrowserKey))
{
var browserKeyClaim = context.User.Claims.Where(x => x.Type == "browser-key").FirstOrDefault();
if (browserKeyClaim == null || browserKeyClaim.Value != userContext.BrowserKey)
{
var logMessage = $"user {userContext.Email} BrowserKey doesn't match claim so signing user out";
_logger.LogWarning(logMessage);
await accountService.SignOutAsync();
}
}
// handle site closed
if (currentSite.SiteIsClosed &&
!context.User.IsInRole("Administrators") &&
!context.User.IsInRole("Content Administrators")
)
{
var closedUrl = folderSegment + "/closed";
// not redirecting for account urls because admin needs to be able to login to unclose the site
if (
(!context.Request.Path.StartsWithSegments(closedUrl)) &&
(!context.Request.Path.StartsWithSegments(folderSegment + "/account"))
)
{
var logMessage = $"site closed so redirecting to closed for requested path {context.Request.Path}";
_logger.LogWarning(logMessage);
context.Response.Redirect(closedUrl);
}
}
else if (userContext != null && string.IsNullOrWhiteSpace(userContext.Email))
{
var setEmailUrl = folderSegment + "/manage/emailrequired";
if (!context.Request.Path.StartsWithSegments(setEmailUrl))
{
var logMessage = $"user {userContext.UserName} has must provide an email adddress so redirecting to email required page from requested path {context.Request.Path}";
_logger.LogWarning(logMessage);
context.Response.Redirect(setEmailUrl);
}
}
//handle must change password
else if (userContext != null && userContext.MustChangePwd)
{
var changePasswordUrl = folderSegment + "/manage/changepassword";
if (!context.Request.Path.StartsWithSegments(changePasswordUrl))
{
var logMessage = $"user {userContext.Email} has must change password so redirecting to change password page from requested path {context.Request.Path}";
_logger.LogWarning(logMessage);
context.Response.Redirect(changePasswordUrl);
}
}
else if (userContext != null && currentSite.Require2FA && !userContext.TwoFactorEnabled && !context.User.IsInRole("Administrators"))
{
var twoFactorUrl1 = folderSegment + "/manage/twofactorauthentication";
var twoFactorUrl2 = folderSegment + "/manage/enableauthenticator";
if (!context.Request.Path.StartsWithSegments(twoFactorUrl1) && !context.Request.Path.StartsWithSegments(twoFactorUrl2))
{
var logMessage = $"user {userContext.Email} has must setup 2fa so redirecting to 2fa path from requested path {context.Request.Path}";
_logger.LogWarning(logMessage);
context.Response.Redirect(twoFactorUrl1);
}
}
// handle must agree to terms
else if (userContext != null &&
(!string.IsNullOrWhiteSpace(currentSite.RegistrationAgreement)) &&
(userContext.AgreementAcceptedUtc == null || userContext.AgreementAcceptedUtc < currentSite.TermsUpdatedUtc) &&
!context.User.IsInRole("Administrators") &&
!context.User.IsInRole("Content Administrators")
)
{
var agreementUrl = folderSegment + "/account/termsofuse";
if (
(!context.Request.Path.StartsWithSegments(agreementUrl)) &&
(!context.Request.Path.StartsWithSegments("/oops/error")) &&
(!context.Request.Path.StartsWithSegments("/account/logoff")) &&
(!context.Request.Path.Value.EndsWith("css.map")) //css.map
)
{
var logMessage = $"user {userContext.Email} has not accepted terms of use so redirecting to terms of use acceptance page from requested path {context.Request.Path}";
_logger.LogWarning(logMessage);
context.Response.Redirect(agreementUrl);
}
}
await _next(context);
}
public FormPrepopulator(IUserContextResolver userResolver)
{
_userResolver = userResolver;
}
