public async Task <IActionResult> GenerateToken([FromBody] LoginViewModel model)
{
if (ModelState.IsValid)
{
var config = new ConfigurationBuilder()
.SetBasePath(Directory.GetCurrentDirectory())
.AddJsonFile("appsettings.json")
.Build();
var user = await _userManager.FindByEmailAsync(model.Email);
if (user != null)
{
var result = await _signInManager.CheckPasswordSignInAsync(user, model.Password, false);
if (result.Succeeded)
{
var userRoles = new List <string>();
var userClaims = new List <Claim>();
if (_userManager.SupportsUserRole)
{
var roles = await _userManager.GetRolesAsync(user);
foreach (var roleName in roles)
{
if (_roleManager.SupportsRoleClaims)
{
userRoles.Add(roleName);
var role = await _roleManager.FindByNameAsync(roleName);
if (role != null)
{
userClaims.AddRange(await _roleManager.GetClaimsAsync(role));
}
}
}
}
var claims = new[]
{
new Claim(JwtRegisteredClaimNames.Sub, user.Email),
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
};
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(config["Jwt:Secret"]));
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var token = new JwtSecurityToken(config["Jwt:Iss"],
config["Jwt:Aud"],
claims.Union(userClaims),
expires: DateTime.Now.AddMinutes(30),
signingCredentials: creds);
token.Payload.Add("roles", userRoles);
return(Ok(new { token = new JwtSecurityTokenHandler().WriteToken(token) }));
}
}
}
return(BadRequest("Could not create token"));
}
public async Task <SignInResult> ValidatePasswordAsync(User user, string Password)
{
return(await _signInManager.CheckPasswordSignInAsync(user, Password, false));
}
public IActionResult Login(
[FromBody] User usuario,
[FromServices] UserManager <ApplicationUser> userManager,
[FromServices] SignInManager <ApplicationUser> signInManager,
[FromServices] SigningConfigurations signingConfigurations,
[FromServices] TokenConfigurations tokenConfigurations)
{
bool credenciaisValidas = false;
if (usuario != null && !string.IsNullOrEmpty(usuario.UserName))
{
// Verifica a existência do usuário nas tabelas do
// ASP.NET Core Identity
var userIdentity = userManager.FindByNameAsync(usuario.UserName).Result;
if (userIdentity != null)
{
// Efetua o login com base no Id do usuário e sua senha
var resultadoLogin = signInManager.CheckPasswordSignInAsync(userIdentity, usuario.Password, false).Result;
if (resultadoLogin.Succeeded)
{
// Verifica se o usuário em questão possui
// a role Acesso-API
credenciaisValidas = userManager.IsInRoleAsync(
userIdentity, Roles.ROLE_API).Result;
}
}
}
if (credenciaisValidas)
{
// Usado para gerar Token de login
var identity = new ClaimsIdentity(
new GenericIdentity(usuario.UserName, "Login"),
new[] {
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")),
new Claim(JwtRegisteredClaimNames.UniqueName, usuario.UserName)
}
);
DateTime dataCriacao = DateTime.Now;
DateTime dataExpiracao = dataCriacao + TimeSpan.FromSeconds(tokenConfigurations.Seconds);
var handler = new JwtSecurityTokenHandler();
var securityToken = handler.CreateToken(new SecurityTokenDescriptor
{
Issuer = tokenConfigurations.Issuer,
Audience = tokenConfigurations.Audience,
SigningCredentials = signingConfigurations.SigningCredentials,
Subject = identity,
NotBefore = dataCriacao,
Expires = dataExpiracao
});
var token = handler.WriteToken(securityToken);
object obj = new
{
authenticated = true,
created = dataCriacao.ToString("yyyy-MM-dd HH:mm:ss"),
expiration = dataExpiracao.ToString("yyyy-MM-dd HH:mm:ss"),
accessToken = token,
message = "OK"
};
return(new ObjectResult(obj));
}
else
{
return(new ObjectResult(new
{
authenticated = false,
message = "Falha ao autenticar"
}));
}
}
public async Task <ActionResult <LoginAccountOutputDto> > Login(LoginAccountInputDto loginDto)
{
var user = await _userManager.FindByEmailAsync(loginDto.UserName);
if (user == null)
{
return(Unauthorized(new ApiResponse(401)));
}
var result = await _signInManager.CheckPasswordSignInAsync(user, loginDto.Password, false);
// Ensure the user is not already locked out.
if (result.IsLockedOut)
{
return(BadRequest(new ApiResponse(400, "The specified user account has been suspended.")));
}
// Reject the token request if two-factor authentication has been enabled by the user.
if (result.RequiresTwoFactor)
{
return(BadRequest(new ApiResponse(400, "Invalid login procedure.")));
}
if (!result.Succeeded)
{
return(Unauthorized(new ApiResponse(401)));
}
var tokenResponse = await _tokenService.CreateToken(user, loginDto.TimeZone);
var timezone = await _accountService.GetUserTimezoneById(user.Id);
var hasChangePassword = user.HasChangePassword.HasValue ? user.HasChangePassword.Value : false;
var role = 1;
var roleName = (await _userManager.GetRolesAsync(user)).FirstOrDefault();
if (roleName == "admin")
{
role = (int)UserRole.admin;
}
else if (roleName == "manager")
{
role = (int)UserRole.manager;
}
else
{
role = (int)UserRole.sdr;
}
return(new LoginAccountOutputDto
{
Id = user.Id,
Username = user.Email,
Token = tokenResponse.Token,
RefreshToken = tokenResponse.RefreshToken,
TimeZone = timezone,
HasChangePassword = hasChangePassword,
Role = role
});
}
public async Task <IActionResult> Exchange(OpenIdConnectRequest request)
{
Debug.Assert(request.IsTokenRequest(),
"The OpenIddict binder for ASP.NET Core MVC is not registered. " +
"Make sure services.AddOpenIddict().AddMvcBinders() is correctly called.");
if (request.IsPasswordGrantType())
{
var user = await _userManager.FindByNameAsync(request.Username);
if (user == null)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The username/password couple is invalid."
}));
}
// Validate the username/password parameters and ensure the account is not locked out.
var result = await _signInManager.CheckPasswordSignInAsync(user, request.Password, lockoutOnFailure : true);
if (!result.Succeeded)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The username/password couple is invalid."
}));
}
// Create a new authentication ticket.
var ticket = await CreateTicketAsync(request, user);
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
else if (request.IsRefreshTokenGrantType())
{
// Retrieve the claims principal stored in the refresh token.
var info = await HttpContext.AuthenticateAsync(OpenIdConnectServerDefaults.AuthenticationScheme);
// Retrieve the user profile corresponding to the refresh token.
// Note: if you want to automatically invalidate the refresh token
// when the user password/roles change, use the following line instead:
// var user = _signInManager.ValidateSecurityStampAsync(info.Principal);
var user = await _userManager.GetUserAsync(info.Principal);
if (user == null)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The refresh token is no longer valid."
}));
}
// Ensure the user is still allowed to sign in.
if (!await _signInManager.CanSignInAsync(user))
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The user is no longer allowed to sign in."
}));
}
// Create a new authentication ticket, but reuse the properties stored
// in the refresh token, including the scopes originally granted.
var ticket = await CreateTicketAsync(request, user, info.Properties);
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.UnsupportedGrantType,
ErrorDescription = "The specified grant type is not supported."
}));
}
public async Task <User> Post([FromBody] User User)
{
User user = null;
if (ModelState.IsValid)
{
int hostroleid = -1;
if (!Users.GetUsers().Any())
{
hostroleid = Roles.GetRoles(User.SiteId, true).Where(item => item.Name == Constants.HostRole).FirstOrDefault().RoleId;
}
IdentityUser identityuser = await IdentityUserManager.FindByNameAsync(User.Username);
if (identityuser == null)
{
identityuser = new IdentityUser();
identityuser.UserName = User.Username;
identityuser.Email = User.Email;
var result = await IdentityUserManager.CreateAsync(identityuser, User.Password);
if (result.Succeeded)
{
user = Users.AddUser(User);
// assign to host role if this is the initial installation
if (hostroleid != -1)
{
UserRole userrole = new UserRole();
userrole.UserId = user.UserId;
userrole.RoleId = hostroleid;
userrole.EffectiveDate = null;
userrole.ExpiryDate = null;
UserRoles.AddUserRole(userrole);
}
}
}
else
{
var result = await IdentitySignInManager.CheckPasswordSignInAsync(identityuser, User.Password, false);
if (result.Succeeded)
{
user = Users.GetUser(User.Username);
}
}
if (user != null && hostroleid == -1)
{
// add auto assigned roles to user for site
List <Role> roles = Roles.GetRoles(User.SiteId).Where(item => item.IsAutoAssigned == true).ToList();
foreach (Role role in roles)
{
UserRole userrole = new UserRole();
userrole.UserId = user.UserId;
userrole.RoleId = role.RoleId;
userrole.EffectiveDate = null;
userrole.ExpiryDate = null;
UserRoles.AddUserRole(userrole);
}
}
}
return(user);
}
public virtual async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
{
var clientId = context.Request?.Client?.ClientId;
using var scope = ServiceScopeFactory.CreateScope();
await ReplaceEmailToUsernameOfInputIfNeeds(context);
IdentityUser user = null;
async Task SetSuccessResultAsync()
{
var sub = await UserManager.GetUserIdAsync(user);
Logger.LogInformation("Credentials validated for username: {username}", context.UserName);
var additionalClaims = new List <Claim>();
await AddCustomClaimsAsync(additionalClaims, user, context);
context.Result = new GrantValidationResult(
sub,
OidcConstants.AuthenticationMethods.Password,
additionalClaims.ToArray()
);
await IdentitySecurityLogManager.SaveAsync(
new IdentitySecurityLogContext
{
Identity = IdentityServerSecurityLogIdentityConsts.IdentityServer,
Action = IdentityServerSecurityLogActionConsts.LoginSucceeded,
UserName = context.UserName,
ClientId = clientId
}
);
}
if (AbpIdentityOptions.ExternalLoginProviders.Any())
{
foreach (var externalLoginProviderInfo in AbpIdentityOptions.ExternalLoginProviders.Values)
{
var externalLoginProvider = (IExternalLoginProvider)scope.ServiceProvider
.GetRequiredService(externalLoginProviderInfo.Type);
if (await externalLoginProvider.TryAuthenticateAsync(context.UserName, context.Password))
{
user = await UserManager.FindByNameAsync(context.UserName);
if (user == null)
{
user = await externalLoginProvider.CreateUserAsync(context.UserName, externalLoginProviderInfo.Name);
}
else
{
await externalLoginProvider.UpdateUserAsync(user, externalLoginProviderInfo.Name);
}
await SetSuccessResultAsync();
return;
}
}
}
user = await UserManager.FindByNameAsync(context.UserName);
string errorDescription;
if (user != null)
{
var result = await SignInManager.CheckPasswordSignInAsync(user, context.Password, true);
if (result.Succeeded)
{
await SetSuccessResultAsync();
return;
}
else if (result.IsLockedOut)
{
Logger.LogInformation("Authentication failed for username: {username}, reason: locked out", context.UserName);
errorDescription = Localizer["UserLockedOut"];
}
else if (result.IsNotAllowed)
{
Logger.LogInformation("Authentication failed for username: {username}, reason: not allowed", context.UserName);
errorDescription = Localizer["LoginIsNotAllowed"];
}
else
{
Logger.LogInformation("Authentication failed for username: {username}, reason: invalid credentials", context.UserName);
errorDescription = Localizer["InvalidUserNameOrPassword"];
}
await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext
{
Identity = IdentityServerSecurityLogIdentityConsts.IdentityServer,
Action = result.ToIdentitySecurityLogAction(),
UserName = context.UserName,
ClientId = clientId
});
}
else
{
Logger.LogInformation("No user found matching username: {username}", context.UserName);
errorDescription = Localizer["InvalidUsername"];
await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext()
{
Identity = IdentityServerSecurityLogIdentityConsts.IdentityServer,
Action = IdentityServerSecurityLogActionConsts.LoginInvalidUserName,
UserName = context.UserName,
ClientId = clientId
});
}
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, errorDescription);
}
public async Task <OperationDataResult <EformAuthorizeResult> > AuthenticateUser(LoginModel model)
{
Log.LogEvent("AuthService.AuthenticateUser: called");
if (string.IsNullOrEmpty(model.Username) || string.IsNullOrEmpty(model.Password))
{
return(new OperationDataResult <EformAuthorizeResult>(false, "Empty username or password"));
}
var user = await _userService.GetByUsernameAsync(model.Username);
if (user == null)
{
return(new OperationDataResult <EformAuthorizeResult>(false,
$"User with username {model.Username} not found"));
}
var signInResult =
await _signInManager.CheckPasswordSignInAsync(user, model.Password, true);
if (!signInResult.Succeeded && !signInResult.RequiresTwoFactor)
{
if (signInResult.IsLockedOut)
{
return(new OperationDataResult <EformAuthorizeResult>(false,
"Locked Out. Please, try again after 10 min"));
}
// Credentials are invalid, or account doesn't exist
return(new OperationDataResult <EformAuthorizeResult>(false, "Incorrect password."));
}
// Confirmed email check
if (!user.EmailConfirmed)
{
return(new OperationDataResult <EformAuthorizeResult>(false, $"Email {user.Email} not confirmed"));
}
// TwoFactor check
var psk = user.GoogleAuthenticatorSecretKey;
var code = model.Code;
var isTwoFactorAuthForced = _appSettings.Value.IsTwoFactorForced;
if (user.TwoFactorEnabled || isTwoFactorAuthForced)
{
// check input params
if (string.IsNullOrEmpty(psk) || string.IsNullOrEmpty(code))
{
return(new OperationDataResult <EformAuthorizeResult>(false, "PSK or code is empty"));
}
if (psk != user.GoogleAuthenticatorSecretKey)
{
return(new OperationDataResult <EformAuthorizeResult>(false, "PSK is invalid"));
}
// check code
var otp = new Totp(Base32.FromBase32String(user.GoogleAuthenticatorSecretKey));
var isCodeValid = otp.VerifyTotp(code, out _, new VerificationWindow(300, 300));
if (!isCodeValid)
{
return(new OperationDataResult <EformAuthorizeResult>(false, "Invalid code"));
}
// update user entity
if (!user.IsGoogleAuthenticatorEnabled)
{
user.IsGoogleAuthenticatorEnabled = true;
var updateResult = _userManager.UpdateAsync(user).Result;
if (!updateResult.Succeeded)
{
return(new OperationDataResult <EformAuthorizeResult>(false, "PSK or code is empty"));
}
}
}
var token = await GenerateToken(user);
var roleList = _userManager.GetRolesAsync(user).Result;
if (!roleList.Any())
{
return(new OperationDataResult <EformAuthorizeResult>(false,
$"Role for user {model.Username} not found"));
}
return(new OperationDataResult <EformAuthorizeResult>(true, new EformAuthorizeResult
{
Id = user.Id,
access_token = token,
userName = user.UserName,
role = roleList.FirstOrDefault(),
FirstName = user.FirstName,
LastName = user.LastName,
}));
}
public virtual async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
{
await ReplaceEmailToUsernameOfInputIfNeeds(context);
var user = await _userManager.FindByNameAsync(context.UserName);
string errorDescription;
if (user != null)
{
var result = await _signInManager.CheckPasswordSignInAsync(user, context.Password, true);
if (result.Succeeded)
{
var sub = await _userManager.GetUserIdAsync(user);
_logger.LogInformation("Credentials validated for username: {username}", context.UserName);
await _events.RaiseAsync(new UserLoginSuccessEvent(context.UserName, sub, context.UserName, interactive : false));
var additionalClaims = new List <Claim>();
await AddCustomClaimsAsync(additionalClaims, user, context);
context.Result = new GrantValidationResult(
sub,
OidcConstants.AuthenticationMethods.Password,
additionalClaims.ToArray()
);
return;
}
else if (result.IsLockedOut)
{
_logger.LogInformation("Authentication failed for username: {username}, reason: locked out", context.UserName);
await _events.RaiseAsync(new UserLoginFailureEvent(context.UserName, "locked out", interactive : false));
errorDescription = _localizer["UserLockedOut"];
}
else if (result.IsNotAllowed)
{
_logger.LogInformation("Authentication failed for username: {username}, reason: not allowed", context.UserName);
await _events.RaiseAsync(new UserLoginFailureEvent(context.UserName, "not allowed", interactive : false));
errorDescription = _localizer["LoginIsNotAllowed"];
}
else
{
_logger.LogInformation("Authentication failed for username: {username}, reason: invalid credentials", context.UserName);
await _events.RaiseAsync(new UserLoginFailureEvent(context.UserName, "invalid credentials", interactive : false));
errorDescription = _localizer["InvalidUserNameOrPassword"];
}
}
else
{
_logger.LogInformation("No user found matching username: {username}", context.UserName);
await _events.RaiseAsync(new UserLoginFailureEvent(context.UserName, "invalid username", interactive : false));
errorDescription = _localizer["InvalidUsername"];
}
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, errorDescription);
}
public async Task <IActionResult> Login(LoginViewModel model, string returnUrl = null)
{
ViewData["ReturnUrl"] = returnUrl;
if (model == null)
{
throw new ArgumentNullException(nameof(model));
}
if (TryValidateModel(model) && ModelState.IsValid)
{
var disableLocalLogin = (await _siteService.GetSiteSettingsAsync()).As <LoginSettings>().DisableLocalLogin;
if (disableLocalLogin)
{
ModelState.AddModelError("", S["Local login is disabled."]);
}
else
{
await _accountEvents.InvokeAsync((e, model, modelState) => e.LoggingInAsync(model.UserName, (key, message) => modelState.AddModelError(key, message)), model, ModelState, _logger);
if (ModelState.IsValid)
{
var user = await _userManager.FindByNameAsync(model.UserName) ?? await _userManager.FindByEmailAsync(model.UserName);
if (user != null)
{
var result = await _signInManager.CheckPasswordSignInAsync(user, model.Password, lockoutOnFailure : true);
if (result.Succeeded)
{
if (!await AddConfirmEmailError(user) && !AddUserEnabledError(user))
{
result = await _signInManager.PasswordSignInAsync(user, model.Password, model.RememberMe, lockoutOnFailure : true);
if (result.Succeeded)
{
_logger.LogInformation(1, "User logged in.");
await _accountEvents.InvokeAsync((e, user) => e.LoggedInAsync(user), user, _logger);
return(await LoggedInActionResult(user, returnUrl));
}
}
}
if (result.IsLockedOut)
{
ModelState.AddModelError(string.Empty, S["The account is locked out"]);
await _accountEvents.InvokeAsync((e, user) => e.IsLockedOutAsync(user), user, _logger);
return(View());
}
// Login failed with a known user.
await _accountEvents.InvokeAsync((e, user) => e.LoggingInFailedAsync(user), user, _logger);
}
ModelState.AddModelError(string.Empty, S["Invalid login attempt."]);
}
// Login failed unknown user.
await _accountEvents.InvokeAsync((e, model) => e.LoggingInFailedAsync(model.UserName), model, _logger);
}
}
// If we got this far, something failed, redisplay form
return(View(model));
}
public async Task <SignInResult> CheckPasswordAsync(User user, string password)
{
return(await _signinManager.CheckPasswordSignInAsync(user, password, false));
}
public async Task <IActionResult> Exchange()
{
var request = HttpContext.GetOpenIddictServerRequest();
if (request.IsPasswordGrantType())
{
var user = await _userManager.FindByNameAsync(request.Username);
if (user == null)
{
var properties = new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidGrant,
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] =
"The username/password couple is invalid."
});
return(Forbid(properties, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme));
}
// Validate the username/password parameters and ensure the account is not locked out.
var result = await _signInManager.CheckPasswordSignInAsync(user, request.Password, lockoutOnFailure : true);
if (!result.Succeeded)
{
var properties = new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidGrant,
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] =
"The username/password couple is invalid."
});
return(Forbid(properties, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme));
}
// Create a new ClaimsPrincipal containing the claims that
// will be used to create an id_token, a token or a code.
var principal = await _signInManager.CreateUserPrincipalAsync(user);
// Set the list of scopes granted to the client application.
// Note: the offline_access scope must be granted
// to allow OpenIddict to return a refresh token.
principal.SetScopes(new[]
{
Scopes.OpenId,
Scopes.Email,
Scopes.Profile,
Scopes.OfflineAccess,
Scopes.Roles
}.Intersect(request.GetScopes()));
foreach (var claim in principal.Claims)
{
claim.SetDestinations(GetDestinations(claim, principal));
}
return(SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme));
}
else if (request.IsRefreshTokenGrantType())
{
// Retrieve the claims principal stored in the refresh token.
var info = await HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
// Retrieve the user profile corresponding to the refresh token.
// Note: if you want to automatically invalidate the refresh token
// when the user password/roles change, use the following line instead:
// var user = _signInManager.ValidateSecurityStampAsync(info.Principal);
var user = await _userManager.GetUserAsync(info.Principal);
if (user == null)
{
var properties = new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidGrant,
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "The refresh token is no longer valid."
});
return(Forbid(properties, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme));
}
// Ensure the user is still allowed to sign in.
if (!await _signInManager.CanSignInAsync(user))
{
var properties = new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidGrant,
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "The user is no longer allowed to sign in."
});
return(Forbid(properties, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme));
}
// Create a new ClaimsPrincipal containing the claims that
// will be used to create an id_token, a token or a code.
var principal = await _signInManager.CreateUserPrincipalAsync(user);
foreach (var claim in principal.Claims)
{
claim.SetDestinations(GetDestinations(claim, principal));
}
return(SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme));
}
throw new NotImplementedException("The specified grant type is not implemented.");
}
public async Task <IActionResult> OnPostAsync()
{
if (!Input.TermAccount)
{
ModelState.ClearValidationState("Input.CreditLimit");
ModelState.ClearValidationState("Input.RegistrationNumber");
ModelState.ClearValidationState("Input.CompanyVAT");
ModelState.MarkFieldValid("Input.CreditLimit");
ModelState.MarkFieldValid("Input.RegistrationNumber");
ModelState.MarkFieldValid("Input.CompanyVAT");
for (int i = 0; i < 3; i++)
{
ModelState.ClearValidationState($"Input.References[{i}].Email");
ModelState.ClearValidationState($"Input.References[{i}].SureName");
ModelState.ClearValidationState($"Input.References[{i}].FirstName");
ModelState.ClearValidationState($"Input.References[{i}].Telephone");
ModelState.ClearValidationState($"Input.References[{i}].CompanyName");
ModelState.MarkFieldValid($"Input.References[{i}].Email");
ModelState.MarkFieldValid($"Input.References[{i}].SureName");
ModelState.MarkFieldValid($"Input.References[{i}].FirstName");
ModelState.MarkFieldValid($"Input.References[{i}].Telephone");
ModelState.MarkFieldValid($"Input.References[{i}].CompanyName");
}
}
else
{
if (string.IsNullOrEmpty(Input.References[2].CompanyName))
{
ModelState.ClearValidationState("Input.References[2].Email");
ModelState.ClearValidationState("Input.References[2].SureName");
ModelState.ClearValidationState("Input.References[2].FirstName");
ModelState.ClearValidationState("Input.References[2].Telephone");
ModelState.ClearValidationState("Input.References[2].CompanyName");
ModelState.MarkFieldValid("Input.References[2].Email");
ModelState.MarkFieldValid("Input.References[2].SureName");
ModelState.MarkFieldValid("Input.References[2].FirstName");
ModelState.MarkFieldValid("Input.References[2].Telephone");
ModelState.MarkFieldValid("Input.References[2].CompanyName");
}
}
var user = new ApplicationUser
{
FirstName = Input.FirstName,
LastName = Input.LastName,
UserName = Input.Email,
Email = Input.Email,
PhoneNumber = Input.PhoneNumber,
Type = Domain.Enums.UserType.SuperUser
};
foreach (var item in _userManager.PasswordValidators)
{
var password = await item.ValidateAsync(_userManager, user, Input.Password);
if (!password.Succeeded)
{
foreach (var error in password.Errors)
{
ModelState.AddModelError("Input.Password", string.Format("[{0}] - {1}", error.Code, error.Description));
}
}
}
if (!ModelState.IsValid)
{
return(Page());
}
//Input.ContractNumber = ContractNumber;
//Input.ContractNumber = Input.PhoneNumber;
var existingUser = _ctx.Users
.Include(x => x.Accounts)
.FirstOrDefault(x => x.Email == Input.Email);
if (existingUser != null)
{
var canSignIn = await _signInManager.CheckPasswordSignInAsync(existingUser, Input.Password, false);
if (canSignIn.Succeeded)
{
await _signInManager.SignInAsync(existingUser, false);
await new CreateAccount(_ctx, _emailSender)
.Do(new CreateAccount.Request {
UserId = existingUser.Id, Input = Input
});
_cookiesHelper.Set("PreviouslyLoggedInUser", "true", 365);
if (Input.TermAccount)
{
return(RedirectToPage("/Accounts/BusinessRegistered"));
}
else
{
return(RedirectToPage("/BusinessProfile/Index"));
}
}
return(Page());
}
var result = await _userManager.CreateAsync(user, Input.Password);
if (result.Succeeded)
{
await _userManager.AddClaimAsync(user, new Claim("type", "superuser"));
await _signInManager.SignInAsync(user, false);
await new CreateAccount(_ctx, _emailSender)
.Do(new CreateAccount.Request
{
UserId = user.Id,
Input = Input
});
_cookiesHelper.Set("PreviouslyLoggedInUser", "true", 365);
if (Input.TermAccount)
{
return(RedirectToPage("/Accounts/BusinessRegistered"));
}
else
{
return(RedirectToPage("/BusinessProfile/Index"));
}
}
return(Page());
}
public async Task <IActionResult> Login([FromBody] LoginViewModel loginViewModel)
{
try
{
var user = await _userManager.FindByEmailAsync(loginViewModel.UserName);
if (user is null)
{
_logger.LogError(LoggingEvents.GetItemNotFound, "Login failed: User not found");
return(StatusCode(500, new AuthenticationResultDto()
{
FailureReason = AuthenticationFailureReason.Other
}));
}
if (user.EmailConfirmed == false)
{
_logger.LogInformation("EmailNotConfirmed", "You cannot login until you confirm your email.");
return(StatusCode(500, new AuthenticationResultDto()
{
FailureReason = AuthenticationFailureReason.EmailConfirmationRequired
}));
}
var result = await _signInManager.CheckPasswordSignInAsync(user, loginViewModel.Password, false);
if (result.IsLockedOut)
{
_logger.LogWarning("User account locked out.");
return(StatusCode(500, new AuthenticationResultDto()
{
FailureReason = AuthenticationFailureReason.LockedOut
}));
}
//ToDo: move to separate Service?
if (result.Succeeded)
{
var claims = new List <Claim>
{
new Claim(JwtRegisteredClaimNames.Email, user.Email),
new Claim(JwtRegisteredClaimNames.UniqueName, user.UserName),
new Claim("ImageUrl", user.Avatar),
new Claim("DefaultLatitude", user.DefaultLocationLatitude.ToString()),
new Claim("DefaultLongitude", user.DefaultLocationLongitude.ToString()),
new Claim("FlickrKey", _configuration["FlickrApiKey"]),
new Claim("MapKey", _configuration["MapApiKey"]),
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
};
var secretKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["TokenKey"]));
var signinCredentials = new SigningCredentials(secretKey, SecurityAlgorithms.HmacSha256);
var baseUrl = string.Concat(_configuration["Scheme"], _configuration["Domain"]);
var tokenOptions = new JwtSecurityToken(
issuer: baseUrl,
audience: baseUrl,
claims: claims,
expires: _systemClock.GetNow.AddDays(2),
signingCredentials: signinCredentials);
var viewModel = new AuthenticationResultDto()
{
FailureReason = AuthenticationFailureReason.None,
AuthenticationToken = new JwtSecurityTokenHandler().WriteToken(tokenOptions)
};
return(Ok(viewModel));
}
_logger.LogWarning(LoggingEvents.GenerateItems, "Other authentication failure");
return(StatusCode(500, new AuthenticationResultDto()
{
FailureReason = AuthenticationFailureReason.Other
}));
}
catch (Exception ex)
{
_logger.LogError(LoggingEvents.Exception, ex, "An unexpeceted error occurred");
return(StatusCode(500, new AuthenticationResultDto()
{
FailureReason = AuthenticationFailureReason.Other
}));
}
}
public async Task <IActionResult> Post([FromBody] Login model)
{
if (ModelState.IsValid)
{
var user = await _userManager.FindByNameAsync(model.Email);
if (user != null)
{
if (user.IsLocked)
{
return(BadRequest("User is currently locked, ask administrator to unlock you!"));
}
if (user.IsDeleted)
{
return(BadRequest("User is deleted, ask administrator for reinstatement!"));
}
var result = await _signInManager.CheckPasswordSignInAsync(user, model.Password, false);
if (result.Succeeded)
{
var claims = new[]
{
new Claim(JwtRegisteredClaimNames.Sub, user.Id),
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
new Claim(JwtRegisteredClaimNames.UniqueName, user.Email),
new Claim(JwtRegisteredClaimNames.Email, user.UserName)
};
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("mysupersedkjhulfgyuerfw344cret"));
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var token = new JwtSecurityToken(
issuer: "http://binmakdev.dedicated.co.za:81",
audience: "http://binmakdev.dedicated.co.za:80",
claims: claims,
expires: DateTime.UtcNow.AddDays(29),
signingCredentials: creds);
var results = new
{
token = new JwtSecurityTokenHandler().WriteToken(token),
expiration = token.ValidTo,
userId = token.Subject,
username = user.UserName,
firstName = user.FirstName,
lastName = user.LastName,
isSuperAdmin = user.IsSuperAdmin,
isBinmak = user.IsBinmak,
isUser = user.IsUser,
isGuest = user.IsGuest,
isAdmin = user.IsAdmin,
role = user.RoleId,
binmakModules = GetBinmakModulesByUser(user.Id),
assignedAssetNodes = GetAssetNodesByUser(user.Id),
topAssetNode = GetTopAssetNodesByUser(user.Id),
};
return(Created("", results));
}
else
{
return(BadRequest("Login Failed, Wrong Username/Password"));
}
}
else
{
return(BadRequest("Account Does Not Exist, Please Register First"));
}
}
return(BadRequest("Login Failed"));
}
//TODO shoud be moved to another layer
private async Task <User> CreateUser(User user)
{
User newUser = null;
// users created by non-administrators must be verified
bool verified = !(!User.IsInRole(Constants.AdminRole) && user.Username != Constants.HostUser);
IdentityUser identityuser = await _identityUserManager.FindByNameAsync(user.Username);
if (identityuser == null)
{
identityuser = new IdentityUser();
identityuser.UserName = user.Username;
identityuser.Email = user.Email;
identityuser.EmailConfirmed = verified;
var result = await _identityUserManager.CreateAsync(identityuser, user.Password);
if (result.Succeeded)
{
user.LastLoginOn = null;
user.LastIPAddress = "";
newUser = _users.AddUser(user);
if (!verified)
{
Notification notification = new Notification();
notification.SiteId = user.SiteId;
notification.FromUserId = null;
notification.ToUserId = newUser.UserId;
notification.ToEmail = "";
notification.Subject = "User Account Verification";
string token = await _identityUserManager.GenerateEmailConfirmationTokenAsync(identityuser);
string url = HttpContext.Request.Scheme + "://" + _tenants.GetAlias().Name + "/login?name=" + user.Username + "&token=" + WebUtility.UrlEncode(token);
notification.Body = "Dear " + user.DisplayName + ",\n\nIn Order To Complete The Registration Of Your User Account Please Click The Link Displayed Below:\n\n" + url + "\n\nThank You!";
notification.ParentId = null;
notification.CreatedOn = DateTime.UtcNow;
notification.IsDelivered = false;
notification.DeliveredOn = null;
_notifications.AddNotification(notification);
}
// assign to host role if this is the host user ( initial installation )
if (user.Username == Constants.HostUser)
{
int hostroleid = _roles.GetRoles(user.SiteId, true).Where(item => item.Name == Constants.HostRole).FirstOrDefault().RoleId;
UserRole userrole = new UserRole();
userrole.UserId = newUser.UserId;
userrole.RoleId = hostroleid;
userrole.EffectiveDate = null;
userrole.ExpiryDate = null;
_userRoles.AddUserRole(userrole);
}
// add folder for user
Folder folder = _folders.GetFolder(user.SiteId, "Users\\");
if (folder != null)
{
_folders.AddFolder(new Folder
{
SiteId = folder.SiteId, ParentId = folder.FolderId, Name = "My Folder", Path = folder.Path + newUser.UserId.ToString() + "\\", Order = 1, IsSystem = true,
Permissions = "[{\"PermissionName\":\"Browse\",\"Permissions\":\"[" + newUser.UserId.ToString() + "]\"},{\"PermissionName\":\"View\",\"Permissions\":\"All Users\"},{\"PermissionName\":\"Edit\",\"Permissions\":\"[" +
newUser.UserId.ToString() + "]\"}]"
});
}
}
}
else
{
var result = await _identitySignInManager.CheckPasswordSignInAsync(identityuser, user.Password, false);
if (result.Succeeded)
{
newUser = _users.GetUser(user.Username);
}
}
if (newUser != null && user.Username != Constants.HostUser)
{
// add auto assigned roles to user for site
List <Role> roles = _roles.GetRoles(user.SiteId).Where(item => item.IsAutoAssigned).ToList();
foreach (Role role in roles)
{
UserRole userrole = new UserRole();
userrole.UserId = newUser.UserId;
userrole.RoleId = role.RoleId;
userrole.EffectiveDate = null;
userrole.ExpiryDate = null;
_userRoles.AddUserRole(userrole);
}
}
if (newUser != null)
{
newUser.Password = ""; // remove sensitive information
_logger.Log(user.SiteId, LogLevel.Information, this, LogFunction.Create, "User Added {User}", newUser);
}
return(newUser);
}
public async Task <IActionResult> OnPostAsync()
{
if (String.IsNullOrEmpty(Input.References[2].CompanyName))
{
ModelState.ClearValidationState("Input.References[2].Email");
ModelState.ClearValidationState("Input.References[2].SureName");
ModelState.ClearValidationState("Input.References[2].FirstName");
ModelState.ClearValidationState("Input.References[2].Telephone");
ModelState.ClearValidationState("Input.References[2].CompanyName");
ModelState.MarkFieldValid("Input.References[2].Email");
ModelState.MarkFieldValid("Input.References[2].SureName");
ModelState.MarkFieldValid("Input.References[2].FirstName");
ModelState.MarkFieldValid("Input.References[2].Telephone");
ModelState.MarkFieldValid("Input.References[2].CompanyName");
}
var user = new ApplicationUser
{
FirstName = Input.FirstName,
LastName = Input.LastName,
UserName = Input.Email,
Email = Input.Email,
Type = Domain.Enums.UserType.SuperUser
};
foreach (var item in _userManager.PasswordValidators)
{
var password = await item.ValidateAsync(_userManager, user, Input.Password);
if (!password.Succeeded)
{
foreach (var error in password.Errors)
{
ModelState.AddModelError("Input.Password", string.Format("[{0}] - {1}", error.Code, error.Description));
}
}
}
if (!ModelState.IsValid)
{
return(Page());
}
Input.TradingName = TermInput.TradingName;
Input.AvgMonthly = TermInput.AvgMonthly;
Input.AgreeTOC = TermInput.AgreeTOC;
var existingUser = _ctx.Users
.Include(x => x.Accounts)
.FirstOrDefault(x => x.Email == Input.Email);
if (existingUser != null)
{
var canSignIn = await _signInManager.CheckPasswordSignInAsync(existingUser, Input.Password, false);
if (canSignIn.Succeeded)
{
await _signInManager.SignInAsync(existingUser, false);
var accountId = await new CreateAccount(_ctx, _emailSender)
.Do(new CreateAccount.Request
{
UserId = existingUser.Id,
Input = Input
});
await SetCartAddress(accountId);
await PlaceOrder(accountId, existingUser.Id);
return(RedirectToPage("/Index"));
}
return(Page());
}
var result = await _userManager.CreateAsync(user, Input.Password);
if (result.Succeeded)
{
await _userManager.AddClaimAsync(user, new Claim("type", "superuser"));
await _signInManager.SignInAsync(user, false);
var accountId = await new CreateAccount(_ctx, _emailSender)
.Do(new CreateAccount.Request
{
UserId = user.Id,
Input = Input
});
await SetCartAddress(accountId);
await PlaceOrder(accountId, user.Id);
}
return(RedirectToPage("/Accounts/GuestBusinessTermProfile"));
}
public async Task <bool> ValidateUser(User user, string password)
{
var result = await _signInManager.CheckPasswordSignInAsync(user, password, false);
return(result.Succeeded);
}
public async Task <SignInResult> SignInUser(User user, string password)
{
var result = await _signInManager.CheckPasswordSignInAsync(user, password, false);
return(result);
}
/// <inheritdoc cref="ILoginService{TEntity}.ValidateCredentialsAsync" />
public async Task <SignInResult> ValidateCredentialsAsync(Customer user, string password)
{
var result = await signInManager.CheckPasswordSignInAsync(user, password, false);
return(result);
}
public async Task <SignInResult> CheckPasswordSignInAsync(User user, string password, bool lockoutOnFailure)
{
return(await _signInManager.CheckPasswordSignInAsync(user, password, lockoutOnFailure));
}
private async Task <User> CreateUser(User user)
{
User newUser = null;
bool verified;
bool allowregistration;
if (user.Username == UserNames.Host || User.IsInRole(RoleNames.Admin))
{
verified = true;
allowregistration = true;
}
else
{
verified = false;
allowregistration = _sites.GetSite(user.SiteId).AllowRegistration;
}
if (allowregistration)
{
IdentityUser identityuser = await _identityUserManager.FindByNameAsync(user.Username);
if (identityuser == null)
{
identityuser = new IdentityUser();
identityuser.UserName = user.Username;
identityuser.Email = user.Email;
identityuser.EmailConfirmed = verified;
var result = await _identityUserManager.CreateAsync(identityuser, user.Password);
if (result.Succeeded)
{
user.LastLoginOn = null;
user.LastIPAddress = "";
newUser = _users.AddUser(user);
if (!verified)
{
string token = await _identityUserManager.GenerateEmailConfirmationTokenAsync(identityuser);
string url = HttpContext.Request.Scheme + "://" + _alias.Name + "/login?name=" + user.Username + "&token=" + WebUtility.UrlEncode(token);
string body = "Dear " + user.DisplayName + ",\n\nIn Order To Complete The Registration Of Your User Account Please Click The Link Displayed Below:\n\n" + url + "\n\nThank You!";
var notification = new Notification(user.SiteId, null, newUser, "User Account Verification", body, null);
_notifications.AddNotification(notification);
}
// assign to host role if this is the host user ( initial installation )
if (user.Username == UserNames.Host)
{
int hostroleid = _roles.GetRoles(user.SiteId, true).Where(item => item.Name == RoleNames.Host).FirstOrDefault().RoleId;
UserRole userrole = new UserRole();
userrole.UserId = newUser.UserId;
userrole.RoleId = hostroleid;
userrole.EffectiveDate = null;
userrole.ExpiryDate = null;
_userRoles.AddUserRole(userrole);
}
// add folder for user
Folder folder = _folders.GetFolder(user.SiteId, Utilities.PathCombine("Users", Path.DirectorySeparatorChar.ToString()));
if (folder != null)
{
_folders.AddFolder(new Folder
{
SiteId = folder.SiteId,
ParentId = folder.FolderId,
Name = "My Folder",
Type = FolderTypes.Private,
Path = Utilities.PathCombine(folder.Path, newUser.UserId.ToString(), Path.DirectorySeparatorChar.ToString()),
Order = 1,
IsSystem = true,
Permissions = new List <Permission>
{
new Permission(PermissionNames.Browse, newUser.UserId, true),
new Permission(PermissionNames.View, RoleNames.Everyone, true),
new Permission(PermissionNames.Edit, newUser.UserId, true)
}.EncodePermissions()
});
}
}
}
else
{
var result = await _identitySignInManager.CheckPasswordSignInAsync(identityuser, user.Password, false);
if (result.Succeeded)
{
newUser = _users.GetUser(user.Username);
}
}
if (newUser != null && user.Username != UserNames.Host)
{
// add auto assigned roles to user for site
List <Role> roles = _roles.GetRoles(user.SiteId).Where(item => item.IsAutoAssigned).ToList();
foreach (Role role in roles)
{
UserRole userrole = new UserRole();
userrole.UserId = newUser.UserId;
userrole.RoleId = role.RoleId;
userrole.EffectiveDate = null;
userrole.ExpiryDate = null;
_userRoles.AddUserRole(userrole);
}
}
if (newUser != null)
{
newUser.Password = ""; // remove sensitive information
_logger.Log(user.SiteId, LogLevel.Information, this, LogFunction.Create, "User Added {User}", newUser);
}
}
else
{
_logger.Log(user.SiteId, LogLevel.Error, this, LogFunction.Create, "User Registration Is Not Enabled For Site. User Was Not Added {User}", user);
}
return(newUser);
}
public async Task <IActionResult> Exchange(OpenIdConnectRequest request)
{
if (request.IsPasswordGrantType())
{
var user = await _userManager.FindByEmailAsync(request.Username) ?? await _userManager.FindByNameAsync(request.Username);
if (user == null)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Please check that your email and password is correct"
}));
}
// Ensure the user is enabled.
if (!user.IsEnabled)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The specified user account is disabled"
}));
}
// Validate the username/password parameters and ensure the account is not locked out.
var result = await _signInManager.CheckPasswordSignInAsync(user, request.Password, true);
// Ensure the user is not already locked out.
if (result.IsLockedOut)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The specified user account has been suspended"
}));
}
// Reject the token request if two-factor authentication has been enabled by the user.
if (result.RequiresTwoFactor)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Invalid login procedure"
}));
}
// Ensure the user is allowed to sign in.
if (result.IsNotAllowed)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The specified user is not allowed to sign in"
}));
}
if (!result.Succeeded)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "Please check that your email and password is correct"
}));
}
// Create a new authentication ticket.
var ticket = await CreateTicketAsync(request, user);
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
else if (request.IsRefreshTokenGrantType())
{
// Retrieve the claims principal stored in the refresh token.
var info = await HttpContext.AuthenticateAsync(OpenIddictServerDefaults.AuthenticationScheme);
// Retrieve the user profile corresponding to the refresh token.
// Note: if you want to automatically invalidate the refresh token
// when the user password/roles change, use the following line instead:
// var user = _signInManager.ValidateSecurityStampAsync(info.Principal);
var user = await _userManager.GetUserAsync(info.Principal);
if (user == null)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The refresh token is no longer valid"
}));
}
// Ensure the user is still allowed to sign in.
if (!await _signInManager.CanSignInAsync(user))
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = "The user is no longer allowed to sign in"
}));
}
// Create a new authentication ticket, but reuse the properties stored
// in the refresh token, including the scopes originally granted.
var ticket = await CreateTicketAsync(request, user);
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.UnsupportedGrantType,
ErrorDescription = "The specified grant type is not supported"
}));
}
public async Task <IActionResult> Exchange(OpenIdConnectRequest request)
{
if (request.IsPasswordGrantType())
{
var user = await _userManager.FindByNameAsync(request.Username);
if (user == null)
{
return(BadRequest(Constants.Errors.UsernamePasswordInvalid));
}
if (user.LockoutEnd.HasValue && user.LockoutEnd.Value >= DateTimeOffset.Now)
{
return(BadRequest(user.LockoutEnd.Value == DateTimeOffset.MaxValue ? Constants.Errors.UserBlockedError : Constants.Errors.LoginAttemptsExceededError));
}
// Validate the username/password parameters and ensure the account is not locked out.
var result = await _signInManager.CheckPasswordSignInAsync(user, request.Password, lockoutOnFailure : true);
if (!result.Succeeded)
{
return(BadRequest(Constants.Errors.UsernamePasswordInvalid));
}
// Create a new authentication ticket.
var ticket = await CreateTicketAsync(request, user);
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
else if (request.IsRefreshTokenGrantType())
{
// Retrieve the claims principal stored in the refresh token.
var info = await HttpContext.AuthenticateAsync(OpenIdConnectServerDefaults.AuthenticationScheme);
// Retrieve the user profile corresponding to the refresh token.
// Note: if you don't want to automatically invalidate the refresh token
// when the user password/roles change, use the following line instead:
// var user = await _userManager.GetUserAsync(info.Principal);
var user = await _signInManager.ValidateSecurityStampAsync(info.Principal);
if (user == null)
{
return(BadRequest(Constants.Errors.RefreshTokenExpired));
}
// Ensure the user is still allowed to sign in.
if (!await _signInManager.CanSignInAsync(user))
{
return(BadRequest(Constants.Errors.LoginRequired));
}
// Create a new authentication ticket, but reuse the properties stored
// in the refresh token, including the scopes originally granted.
var ticket = await CreateTicketAsync(request, user, info.Properties);
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}
return(BadRequest(Constants.Errors.UnsupportedGrantType));
}
public async Task <IActionResult> Login(LoginInputModel model, string button)
{
// check if we are in the context of an authorization request
var context = await _interaction.GetAuthorizationContextAsync(model.ReturnUrl);
// the user clicked the "cancel" button
if (button != "login")
{
if (context != null)
{
// if the user cancels, send a result back into IdentityServer as if they
// denied the consent (even if this client does not require consent).
// this will send back an access denied OIDC error response to the client.
await _interaction.DenyAuthorizationAsync(context, AuthorizationError.AccessDenied);
// we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null
if (context.IsNativeClient())
{
// The client is native, so this change in how to
// return the response is for better UX for the end user.
return(this.LoadingPage("Redirect", model.ReturnUrl));
}
return(Redirect(model.ReturnUrl));
}
else
{
// since we don't have a valid context, then we just go back to the home page
return(Redirect("~/"));
}
}
if (ModelState.IsValid)
{
// validate username/password against in-memory store
/*if (_users.ValidateCredentials(model.Username, model.Password))
* {
* var user = _users.FindByUsername(model.Username);
* await _events.RaiseAsync(new UserLoginSuccessEvent(user.Username, user.SubjectId, user.Username, clientId: context?.Client.ClientId));
*
* // only set explicit expiration here if user chooses "remember me".
* // otherwise we rely upon expiration configured in cookie middleware.
* AuthenticationProperties props = null;
* if (AccountOptions.AllowRememberLogin && model.RememberLogin)
* {
* props = new AuthenticationProperties
* {
* IsPersistent = true,
* ExpiresUtc = DateTimeOffset.UtcNow.Add(AccountOptions.RememberMeLoginDuration)
* };
* };
*
* // issue authentication cookie with subject ID and username
* var isuser = new IdentityServerUser(user.SubjectId)
* {
* DisplayName = user.Username
* };
*
* await HttpContext.SignInAsync(isuser, props);
*
* if (context != null)
* {
* if (context.IsNativeClient())
* {
* // The client is native, so this change in how to
* // return the response is for better UX for the end user.
* return this.LoadingPage("Redirect", model.ReturnUrl);
* }
*
* // we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null
* return Redirect(model.ReturnUrl);
* }
*
* // request for a local page
* if (Url.IsLocalUrl(model.ReturnUrl))
* {
* return Redirect(model.ReturnUrl);
* }
* else if (string.IsNullOrEmpty(model.ReturnUrl))
* {
* return Redirect("~/");
* }
* else
* {
* // user might have clicked on a malicious link - should be logged
* throw new Exception("invalid return URL");
* }
* }*/
var user = await _signInManager.UserManager.FindByNameAsync(model.Username);
// validate username/password using ASP.NET Identity
if (user != null && (await _signInManager.CheckPasswordSignInAsync(user, model.Password, true)) == SignInResult.Success)
{
await _events.RaiseAsync(new UserLoginSuccessEvent(user.UserName, user.Id, user.UserName, clientId : context?.Client.ClientId));
// only set explicit expiration here if user chooses "remember me".
// otherwise we rely upon expiration configured in cookie middleware.
AuthenticationProperties props = null;
if (AccountOptions.AllowRememberLogin && model.RememberLogin)
{
props = new AuthenticationProperties
{
IsPersistent = true,
ExpiresUtc = DateTimeOffset.UtcNow.Add(AccountOptions.RememberMeLoginDuration)
};
}
;
// issue authentication cookie with subject ID and username
var isuser = new IdentityServerUser(user.Id)
{
DisplayName = user.UserName
};
await HttpContext.SignInAsync(isuser, props);
if (context != null)
{
if (context.IsNativeClient())
{
// The client is native, so this change in how to
// return the response is for better UX for the end user.
return(this.LoadingPage("Redirect", model.ReturnUrl));
}
// we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null
return(Redirect(model.ReturnUrl));
}
// request for a local page
if (Url.IsLocalUrl(model.ReturnUrl))
{
return(Redirect(model.ReturnUrl));
}
else if (string.IsNullOrEmpty(model.ReturnUrl))
{
return(Redirect("~/"));
}
else
{
// user might have clicked on a malicious link - should be logged
throw new Exception("invalid return URL");
}
}
await _events.RaiseAsync(new UserLoginFailureEvent(model.Username, "invalid credentials", clientId : context?.Client.ClientId));
ModelState.AddModelError(string.Empty, AccountOptions.InvalidCredentialsErrorMessage);
}
// something went wrong, show form with error
var vm = await BuildLoginViewModelAsync(model);
return(View(vm));
}
public Task <SignInResult> ValidateCredentials(User user, string password)
{
return(_signInManager.CheckPasswordSignInAsync(user, password, true));
}
public async Task <IActionResult> Login(UserForLoginDto userForLoginDto)
{
var user = await _userManager.FindByNameAsync(userForLoginDto.Username);
if (user != null)
{
//var code = await _userManager.GenerateEmailConfirmationTokenAsync(user);
//var callbackUrl = Url.Page(
// "/Account/ConfirmEmail",
// pageHandler: null,
// values: new { userId = user.Id, code = code },
// protocol: Request.Scheme);
//await _emailSender.SendEmailAsync(Input.Email, "Confirm your email",
// $"Please confirm your account by <a href='{HtmlEncoder.Default.Encode(callbackUrl)}'>clicking here</a>.");
////await _signInManager.SignInAsync(user, isPersistent: false);
//return LocalRedirect(returnUrl);
var result = await _signInManager
.CheckPasswordSignInAsync(user, userForLoginDto.Password, true);
var UserLockoutDate = await _userManager.GetLockoutEndDateAsync(user);
if (UserLockoutDate == null || UserLockoutDate < DateTime.Now)
{
user.PenaltEnable = false;
}
if (result.Succeeded)
{
user.NumberOfLockouts = 0;
await _userManager.SetLockoutEndDateAsync(user, null);
await _userManager.UpdateAsync(user);
var appUser = await _userManager.Users.Include(p => p.Photos)
.FirstOrDefaultAsync(u => u.NormalizedUserName == userForLoginDto.Username.ToUpper());
var userToReturn = _mapper.Map <UserForListDto>(appUser);
return(Ok(new
{
token = GenerateJwtToken(appUser).Result,
user = userToReturn
}));
}
else if (result.IsLockedOut)
{
if (!user.PenaltEnable)
{
user.PenaltEnable = true;
DateTimeOffset Penalt = DateTimeOffset.Now.AddMinutes(5 * user.NumberOfLockouts);
await _userManager.SetLockoutEndDateAsync(user, Penalt);
}
var LockoutTime = await _userManager.GetLockoutEndDateAsync(user);
var RemainingTime = LockoutTime.Value.Subtract(DateTime.Now).Minutes;
return(new CustomUnauthorizedResult(string.Format(Mensagens.LoginBloqueado,
user.NumberOfLockouts,
RemainingTime)));
}
}
user.NumberOfLockouts++;
await _userManager.UpdateAsync(user);
return(Unauthorized());
}
public async Task <IActionResult> Exchange()
{
var request = HttpContext.GetOpenIddictServerRequest() ??
throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");
if (request.IsPasswordGrantType())
{
var user = await _userManager.FindByNameAsync(request.Username);
if (user == null)
{
return(Forbid(
authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
properties: new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidGrant,
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "The username/password couple is invalid."
})));
}
// Validate the username/password parameters and ensure the account is not locked out.
var result = await _signInManager.CheckPasswordSignInAsync(user, request.Password, lockoutOnFailure : true);
if (!result.Succeeded)
{
return(Forbid(
authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
properties: new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidGrant,
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "The username/password couple is invalid."
})));
}
var principal = await _signInManager.CreateUserPrincipalAsync(user);
// Note: in this sample, the granted scopes match the requested scope
// but you may want to allow the user to uncheck specific scopes.
// For that, simply restrict the list of scopes before calling SetScopes.
principal.SetScopes(request.GetScopes());
principal.SetResources(await _scopeManager.ListResourcesAsync(principal.GetScopes()).ToListAsync());
foreach (var claim in principal.Claims)
{
claim.SetDestinations(GetDestinations(claim, principal));
}
// Returning a SignInResult will ask OpenIddict to issue the appropriate access/identity tokens.
return(SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme));
}
else if (request.IsAuthorizationCodeGrantType() || request.IsDeviceCodeGrantType() || request.IsRefreshTokenGrantType())
{
// Retrieve the claims principal stored in the authorization code/device code/refresh token.
var principal = (await HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme)).Principal;
// Retrieve the user profile corresponding to the authorization code/refresh token.
// Note: if you want to automatically invalidate the authorization code/refresh token
// when the user password/roles change, use the following line instead:
// var user = _signInManager.ValidateSecurityStampAsync(info.Principal);
var user = await _userManager.GetUserAsync(principal);
if (user == null)
{
return(Forbid(
authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
properties: new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidGrant,
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "The token is no longer valid."
})));
}
// Ensure the user is still allowed to sign in.
if (!await _signInManager.CanSignInAsync(user))
{
return(Forbid(
authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
properties: new AuthenticationProperties(new Dictionary <string, string>
{
[OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidGrant,
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "The user is no longer allowed to sign in."
})));
}
foreach (var claim in principal.Claims)
{
claim.SetDestinations(GetDestinations(claim, principal));
}
// Returning a SignInResult will ask OpenIddict to issue the appropriate access/identity tokens.
return(SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme));
}
throw new InvalidOperationException("The specified grant type is not supported.");
}
public async Task <IActionResult> LogIn([FromBody] UserLogin userLogin)
{
var user = await _userManager.FindByEmailAsync(userLogin.UserName) ?? await _userManager.FindByNameAsync(userLogin.UserName);
if (user == null)
{
ModelState.AddModelError("username", "用户不存在");
return(BadRequest(ModelState));
}
// Ensure the user is enabled.
if (user.IsDisabled)
{
ModelState.AddModelError("username", "用户不存在");
return(BadRequest(ModelState));
}
// Validate the username/password parameters and ensure the account is not locked out.
var result = await _signInManager.CheckPasswordSignInAsync(user, userLogin.Password, true);
// Ensure the user is not already locked out.
if (result.IsLockedOut)
{
ModelState.AddModelError("username", "用户已被锁定");
return(BadRequest(ModelState));
}
// Reject the token request if two-factor authentication has been enabled by the user.
if (result.RequiresTwoFactor)
{
ModelState.AddModelError(string.Empty, "双因素验证失败");
return(BadRequest(ModelState));
}
// Ensure the user is allowed to sign in.
if (result.IsNotAllowed)
{
ModelState.AddModelError(string.Empty, "指定用户不允许登录");
return(BadRequest(ModelState));
}
if (!result.Succeeded)
{
ModelState.AddModelError(string.Empty, "请检查用户名或密码是否正确");
return(BadRequest(ModelState));
}
// var principal = await _signInManager.CreateUserPrincipalAsync(user);
var tokenHandler = new JwtSecurityTokenHandler();
//var key = Encoding.ASCII.GetBytes(Consts.Secret);
var authTime = DateTime.UtcNow;
var expiresAt = authTime.AddMinutes(30);
var key = new SymmetricSecurityKey(System.Text.Encoding.UTF8.GetBytes(Configuration["SigningKey"]));
var roles = _roleManager.Roles.Include(x => x.Users).Where(c => (c.Users.Select(x => x.UserId)).Contains(user.Id)).ToList();
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new Claim[]
{
//new Claim(JwtClaimTypes.Audience,"api"),
//new Claim(JwtClaimTypes.Issuer,"http://localhost:5000"),
new Claim(JwtClaimTypes.Id, user.Id.ToString()),
new Claim(JwtClaimTypes.Name, user.Name),
new Claim(JwtClaimTypes.Email, user.Email),
new Claim(JwtClaimTypes.PhoneNumber, user.PhoneNumber),
new Claim(JwtClaimTypes.Role, string.Join(",", user.Roles))
}),
Expires = expiresAt,
SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256Signature)
};
var token = tokenHandler.CreateToken(tokenDescriptor);
var tokenString = tokenHandler.WriteToken(token);
return(Ok(new
{
access_token = tokenString,
token_type = "Bearer",
id_token = user.Id.ToString(),
profile = new
{
roles = roles?.Select(x => x.Name).ToArray(),
auth_time = new DateTimeOffset(authTime).ToUnixTimeSeconds(),
expires_at = new DateTimeOffset(expiresAt).ToUnixTimeSeconds()
}
}));
}
private async Task <IActionResult> ExchangePasswordGrantType(OpenIdConnectRequest request)
{
var application = await _applicationManager.FindByClientIdAsync(request.ClientId);
if (application == null)
{
return(View("Error", new ErrorViewModel
{
Error = OpenIdConnectConstants.Errors.InvalidClient,
ErrorDescription = T["The specified 'client_id' parameter is invalid."]
}));
}
var user = await _userManager.FindByNameAsync(request.Username);
if (user == null)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = T["The username/password couple is invalid."]
}));
}
var authorizations = await _authorizationManager.FindAsync(
subject : await _userManager.GetUserIdAsync(user),
client : await _applicationManager.GetIdAsync(application),
status : OpenIddictConstants.Statuses.Valid,
type : OpenIddictConstants.AuthorizationTypes.Permanent,
scopes : ImmutableArray.CreateRange(request.GetScopes()));
// If the application is configured to use external consent,
// reject the request if no existing authorization can be found.
switch (await _applicationManager.GetConsentTypeAsync(application))
{
case OpenIddictConstants.ConsentTypes.External when authorizations.IsEmpty:
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.ConsentRequired,
ErrorDescription = T["The logged in user is not allowed to access this client application."]
}));
}
var result = await _signInManager.CheckPasswordSignInAsync(user, request.Password, lockoutOnFailure : true);
if (result.IsNotAllowed)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = T["The specified user is not allowed to sign in."]
}));
}
else if (result.RequiresTwoFactor)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = T["The specified user is not allowed to sign in using the password method."]
}));
}
else if (!result.Succeeded)
{
return(BadRequest(new OpenIdConnectResponse
{
Error = OpenIdConnectConstants.Errors.InvalidGrant,
ErrorDescription = T["The username/password couple is invalid."]
}));
}
var ticket = await CreateTicketAsync(user, application, authorizations.LastOrDefault(), request);
return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme));
}