/// <summary>
/// Login for Account route.
/// </summary>
/// <param name="loginDto"></param>
/// <param name="account"></param>
/// <returns></returns>
private HttpResponseMessage AccountLoginHelper(SsoLoginRequestDTO loginDto, Account account)
{
var saltModel = _saltLogic.GetSalt(loginDto.Username);
if (saltModel == null)
{
return(new HttpResponseMessage(HttpStatusCode.InternalServerError));
}
// Make sure you append the salt, not prepend (group decision).
var hashedPassword = HashService.Instance.HashPasswordWithSalt(saltModel.PasswordSalt, loginDto.Password, true);
if (!account.Password.Equals(hashedPassword))
{
return(new HttpResponseMessage(HttpStatusCode.Unauthorized));
}
var token = JwtManager.Instance.GenerateToken(loginDto.Username);
// Grab the previous access token associated with the account.
var accountAccessToken = _jAccessTokenLogic.GetJAccessToken(loginDto.Username);
if (accountAccessToken != null)
{
// Set current account token to expired list.
var expiredToken = new ExpiredAccessToken(accountAccessToken.Value, false);
_expiredAccessTokenLogic.Create(expiredToken);
// Updated new access token.
accountAccessToken.Value = token;
_jAccessTokenLogic.Update(accountAccessToken);
}
// Redirect them to our Home page with their credentials logged.
return(new HttpResponseMessage
{
Content = new StringContent(UrlConstants.BaseAppClient + "home?jwt=" + token),
StatusCode = HttpStatusCode.OK
});
}
public IHttpActionResult RenewToken()
{
string accessTokenFromRequest = "";
// Check authorization header
if (Request.Headers.Authorization.ToString() != null)
{
var authHeader = Request.Headers.Authorization;
// Retrieve JWT from authorization header
if (authHeader != null)
{
var authHeaderVal = AuthenticationHeaderValue.Parse(authHeader.ToString());
// RFC 2617 sec 1.2, "scheme" name is case-insensitive
if (authHeaderVal.Scheme.Equals("bearer",
StringComparison.OrdinalIgnoreCase) &&
authHeaderVal.Parameter != null)
{
accessTokenFromRequest = authHeaderVal.Parameter;
}
}
string username = "";
// Obtain username from JWT if it is valid
if (JwtManager.Instance.ValidateToken(accessTokenFromRequest, out username))
{
JAccessToken accessToken = _jAccessTokenLogic.GetJAccessToken(username);
// Make sure the given username has an existing JWT token
if (accessToken != null)
{
string accessTokenStored = accessToken.Value;
// Compare the stored JWT to the given JWT to ensure they are the same
if (accessTokenFromRequest == accessTokenStored)
{
accessToken.DateTimeIssued = DateTime.UtcNow;
string token = JwtManager.Instance.GenerateToken(username);
accessToken.Value = token;
// Update store with new JWT value
_jAccessTokenLogic.Update(accessToken);
return(Json(new { AuthToken = token }));
}
else
{
return(Unauthorized());
}
}
// An existing JWT token was not found for the given username
else
{
return(Unauthorized());
}
}
// JWT was not valid
else
{
return(Unauthorized());
}
}
// Authorization header is empty
else
{
return(Unauthorized());
}
}