Пример #1
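        /// <summary>
        /// Completes an SSO login. The request is handed to <see cref="LoginManager.SsoLogin"/>;
        /// on success the browser is redirected to the front-end login page with the new session
        /// id in the URL fragment, otherwise the manager's error is mapped to an HTTP status.
        /// </summary>
        /// <param name="request">The signed SSO request posted by the SSO server; null when model binding failed.</param>
        /// <returns>A redirect on success, or an error status carrying the manager's error text.</returns>
        public IHttpActionResult SsoLogin([FromBody, Required] SsoUserRequestDTO request)
        {
            // Model binding yields null for a missing or unparseable body; reject it here rather
            // than letting the manager dereference it (mirrors LogoutUser).
            if (request == null)
            {
                return Content((HttpStatusCode)400, "Request is null.");
            }

            // TODO(review): the redirect target is a hard-coded development host; it should come
            // from configuration so the session id is never sent to an unintended origin.
            const string LoginRedirectBase = "http://localhost:8080/#/login?token=";

            LoginManager loginManager = new LoginManager();
            ResponseDTO<Session> response = loginManager.SsoLogin(request);

            if (response.Data == null)
            {
                ResponseDTO<HttpStatusCode> statusResponse = ResponseManager.ConvertErrorToStatus(response.Error);
                return Content(statusResponse.Data, statusResponse.Error);
            }

            // "D" is the hyphenated Guid format (assumes SessionId is a Guid; confirm against Session).
            return Redirect(LoginRedirectBase + response.Data.SessionId.ToString("D"));
        }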
Пример #2
        /// <summary>
        /// Handles an SSO-initiated logout for the user named in <paramref name="request"/>.
        /// Delegates to <see cref="UserManagementManager.LogoutUser"/> and maps its status to
        /// the HTTP response.
        /// </summary>
        /// <param name="request">The signed SSO request; null when the body could not be bound.</param>
        /// <returns>200 OK when the manager reports success; otherwise the manager's status and error text.</returns>
        public IHttpActionResult LogoutUser([FromBody, Required] SsoUserRequestDTO request)
        {
            if (request == null)
            {
                return Content(HttpStatusCode.BadRequest, "Request is null.");
            }

            UserManagementManager manager = new UserManagementManager();
            ResponseDTO<HttpStatusCode> result = manager.LogoutUser(request);

            if (result.Data == HttpStatusCode.OK)
            {
                return Ok();
            }

            // Any non-200 status is passed through together with the manager's error text.
            return Content(result.Data, result.Error);
        }
Пример #3
        // Log out user from SsoRequest (deletes all of the user's sessions)
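        /// <summary>
        /// Handles an SSO-initiated logout: verifies the request signature and timestamp, resolves
        /// the SSO id to a local account and deletes all of that account's sessions.
        /// </summary>
        /// <param name="request">The signed SSO request identifying the user to log out.</param>
        /// <returns>
        /// A response whose <c>Data</c> is the HTTP status to return: 400 for a null request, an
        /// invalid signature or a malformed SSO id; 425 for a timestamp outside the replay window;
        /// 500 when session deletion fails; 200 on success or when no local account exists.
        /// </returns>
        public ResponseDTO<HttpStatusCode> LogoutUser(SsoUserRequestDTO request)
        {
            ResponseDTO<HttpStatusCode> response = new ResponseDTO<HttpStatusCode>();

            if (request == null)
            {
                response.Data  = (HttpStatusCode)400;
                response.Error = "Request is null.";
                return response;
            }

            ISignatureService signatureService = new SignatureService();
            if (!signatureService.isValidSignature(request.GetStringToSign(), request.Signature))
            {
                response.Data  = (HttpStatusCode)400;
                response.Error = "Signature not valid";
                return response;
            }

            // Protect against replay attacks. The request timestamp must lie within ReplayWindowMs
            // of the server clock in BOTH directions: the previous check only rejected timestamps in
            // the future, so a captured request could be replayed indefinitely. The window reuses the
            // existing 5 s skew allowance; widen it if the SSO server and this host are not clock-synchronised.
            const long ReplayWindowMs = 5000;
            long nowMs = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds();
            if (request.Timestamp < nowMs - ReplayWindowMs || request.Timestamp > nowMs + ReplayWindowMs)
            {
                response.Data  = (HttpStatusCode)425;
                response.Error = ErrorStrings.OLD_SSO_REQUEST;
                return response;
            }

            // The SSO id must be a well-formed Guid; TryParse also covers a null SsoUserId, which
            // the Guid constructor would have thrown on.
            Guid ssoId;
            if (!Guid.TryParse(request.SsoUserId, out ssoId))
            {
                response.Data  = (HttpStatusCode)400;
                response.Error = "SsoId provided was invalid";
                return response;
            }

            ResponseDTO<UserAccountDTO> userAccountResponse = _userManagementService.GetUserBySsoId(ssoId);
            if (userAccountResponse.Data == null)
            {
                // No local account means no sessions to delete; report success so the SSO-side
                // logout is not blocked for users who never opened this app.
                response.Data = (HttpStatusCode)200;
                return response;
            }
            UserAccountDTO userAccount = userAccountResponse.Data;

            ResponseDTO<bool> deleteResponse;
            try
            {
                deleteResponse = _sessionService.DeleteAllUserSessions(userAccount.Id);
            }
            catch (Exception e)
            {
                response.Data  = (HttpStatusCode)500;
                response.Error = "Failed to delete sessions for userID: " + userAccount.Id + "\n" + e.Message;
                return response;
            }

            if (!deleteResponse.Data)
            {
                response.Data  = (HttpStatusCode)500;
                response.Error = deleteResponse.Error;
                return response;
            }

            response.Data = (HttpStatusCode)200;
            return response;
        }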
Пример #4
        // Delete User From SsoRequest
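        /// <summary>
        /// Deletes the local account for the user named in an SSO request: verifies the request
        /// signature and timestamp, resolves the SSO id to a local account and deletes it.
        /// </summary>
        /// <param name="request">The signed SSO request identifying the user to delete.</param>
        /// <returns>
        /// A response whose <c>Data</c> is the HTTP status to return: 400 for a null request, an
        /// invalid signature or a malformed SSO id; 425 for a timestamp outside the replay window;
        /// 404 when no local account matches the SSO id; 500 when deletion fails; 200 on success.
        /// </returns>
        public ResponseDTO<HttpStatusCode> DeleteUser(SsoUserRequestDTO request)
        {
            ResponseDTO<HttpStatusCode> response = new ResponseDTO<HttpStatusCode>();

            if (request == null)
            {
                response.Data  = (HttpStatusCode)400;
                response.Error = "Request is null.";
                return response;
            }

            ISignatureService signatureService = new SignatureService();
            if (!signatureService.isValidSignature(request.GetStringToSign(), request.Signature))
            {
                response.Data  = (HttpStatusCode)400;
                response.Error = "Signature not valid";
                return response;
            }

            // Protect against replay attacks. The request timestamp must lie within ReplayWindowMs
            // of the server clock in BOTH directions: the previous check only rejected timestamps in
            // the future, so a captured request could be replayed indefinitely. The window reuses the
            // existing 5 s skew allowance; widen it if the SSO server and this host are not clock-synchronised.
            const long ReplayWindowMs = 5000;
            long nowMs = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds();
            if (request.Timestamp < nowMs - ReplayWindowMs || request.Timestamp > nowMs + ReplayWindowMs)
            {
                response.Data  = (HttpStatusCode)425;
                response.Error = ErrorStrings.OLD_SSO_REQUEST;
                return response;
            }

            // The SSO id must be a well-formed Guid; TryParse also covers a null SsoUserId, which
            // the Guid constructor would have thrown on.
            Guid ssoId;
            if (!Guid.TryParse(request.SsoUserId, out ssoId))
            {
                response.Data  = (HttpStatusCode)400;
                response.Error = "SsoId provided was invalid";
                return response;
            }

            ResponseDTO<UserAccountDTO> userAccountResponse = _userManagementService.GetUserBySsoId(ssoId);
            if (userAccountResponse.Data == null)
            {
                // TODO: distinguish "user does not exist" from a data-store error; both currently
                // surface as a null Data and are reported as 404.
                response.Data  = (HttpStatusCode)404;
                response.Error = "Unable to find ssoId";
                return response;
            }
            UserAccountDTO userAccount = userAccountResponse.Data;

            ResponseDTO<bool> deleteResponse;
            try
            {
                deleteResponse = _userManagementService.DeleteUser(userAccount.Id);
            }
            catch (Exception e)
            {
                response.Data  = (HttpStatusCode)500;
                response.Error = "Failed to delete userID: " + userAccount.Id + "\n" + e.Message;
                return response;
            }

            if (!deleteResponse.Data)
            {
                response.Data  = (HttpStatusCode)500;
                response.Error = deleteResponse.Error;
                return response;
            }

            response.Data = (HttpStatusCode)200;
            return response;
        }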
Пример #5
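        /// <summary>
        /// Logs a user in from a signed SSO request: verifies the signature and timestamp, looks the
        /// user up by SSO id (registering an unassigned account on first login) and creates a session.
        /// </summary>
        /// <param name="request">The signed SSO request; must carry a valid signature, a fresh timestamp and a Guid SSO id.</param>
        /// <returns>
        /// The session-creation response on success; otherwise a response with null <c>Data</c> and
        /// an <c>Error</c> message. Every failure is also logged under <see cref="LogConstants.FAIL_LOGIN"/>.
        /// </returns>
        public ResponseDTO<Session> SsoLogin(SsoUserRequestDTO request)
        {
            ResponseDTO<Session> response = new ResponseDTO<Session>();

            if (request == null)
            {
                response.Error = "Request is null.";
                _loggerService.LogError(LogConstants.FAIL_LOGIN, "", "", response.Error, "");
                return response;
            }

            // Before anything happens, validate that this request is coming from the known sso server.
            // The expected signature is deliberately NOT echoed back to the caller: returning it would
            // hand out a valid signature for whatever request body the caller chose to send.
            if (!_signatureService.isValidSignature(request.GetStringToSign(), request.Signature))
            {
                response.Error = "Signature not valid";
                _loggerService.LogError(LogConstants.FAIL_LOGIN, request.SsoUserId, "", response.Error, "");
                return response;
            }

            // Protect against replay attacks. The request timestamp must lie within ReplayWindowMs
            // of the server clock in BOTH directions: the previous check only rejected timestamps in
            // the future, so a captured request could be replayed indefinitely. The window reuses the
            // existing 5 s skew allowance; widen it if the SSO server and this host are not clock-synchronised.
            const long ReplayWindowMs = 5000;
            long nowMs = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds();
            if (request.Timestamp < nowMs - ReplayWindowMs || request.Timestamp > nowMs + ReplayWindowMs)
            {
                response.Error = ErrorStrings.OLD_SSO_REQUEST;
                _loggerService.LogError(LogConstants.FAIL_LOGIN, request.SsoUserId, "", response.Error, "");
                return response;
            }

            // Convert request SsoId into Guid. TryParse also covers a null SsoUserId; the Guid
            // constructor used before would have thrown out of this method on bad input.
            Guid ssoId;
            if (!Guid.TryParse(request.SsoUserId, out ssoId))
            {
                response.Error = "SsoId provided was invalid";
                _loggerService.LogError(LogConstants.FAIL_LOGIN, request.SsoUserId, "", response.Error, "");
                return response;
            }

            // Search for user in database
            ResponseDTO<UserAccountDTO> userAccountResponse = _userManagementService.GetUserBySsoId(ssoId);
            UserAccountDTO userDTO = userAccountResponse.Data;

            // If the user does not exist in the data store, register the user as a standard user
            if (userDTO == null)
            {
                // The e-mail becomes the username, so it must be present.
                if (string.IsNullOrWhiteSpace(request.Email))
                {
                    response.Error = "User email may not be null.";
                    _loggerService.LogError(LogConstants.FAIL_LOGIN, request.SsoUserId, "", response.Error, "");
                    return response;
                }

                // Create an unassigned user account
                UserAccount user = new UserAccount()
                {
                    SsoId       = ssoId,
                    Username    = request.Email,
                    IsActive    = true,
                    AcceptedTOS = false,
                    RoleType    = Roles.UNASSIGNED
                };

                // Do not hand a null claim list to CreateUser; surface the claim service's error instead.
                var claimsResponse = _claimService.GetUserClaims(Roles.UNASSIGNED, request.Email);
                if (claimsResponse.Data == null)
                {
                    response.Error = "Unable to build claims for new user: " + claimsResponse.Error;
                    _loggerService.LogError(LogConstants.FAIL_LOGIN, request.SsoUserId, "", response.Error, "");
                    return response;
                }
                List<Claim> newClaims = claimsResponse.Data;

                // Add user to datastore
                ResponseDTO<bool> createUserResponse = _userManagementService.CreateUser(user, newClaims);
                if (!createUserResponse.Data)
                {
                    response.Error = createUserResponse.Error;
                    _loggerService.LogError(LogConstants.FAIL_LOGIN, request.SsoUserId, "", response.Error, "");
                    return response;
                }

                // User now exists in database, proceed with login as normal
                userDTO = new UserAccountDTO(user);
            }

            // Create session for user
            ResponseDTO<Session> sessionResponseDTO = _sessionService.CreateSession(userDTO.Id);
            if (sessionResponseDTO.Data == null)
            {
                // Session creation failed: propagate the service's own error rather than
                // dereferencing a null session in the audit log call below.
                _loggerService.LogError(LogConstants.FAIL_LOGIN, request.SsoUserId, "", sessionResponseDTO.Error, "");
                return sessionResponseDTO;
            }

            _loggerService.LogAction(LogConstants.ACTION_LOGIN, userDTO.SsoId.ToString(), sessionResponseDTO.Data.SessionId.ToString());

            return sessionResponseDTO;
        }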