/// <summary>
/// Try and auth the user from the HTTP headers on the request to the API
/// Look for bearer token aka JWT token & try to verify & deserialise it
/// </summary>
/// <param name="request"></param>
/// <returns>If success auth'd return the associated Umbraco backoffice user</returns>
private static IUser Authenticate(HttpRequestMessage request)
{
//Try to get the Authorization header in the request
var ah = request.Headers.Authorization;
//If no Auth header sent or the scheme is not bearer aka TOKEN
if (ah == null || ah.Scheme.ToLower() != "bearer")
{
//Return null (by returning null, base method above will return it as HTTP 401)
return(null);
}
//Get the JWT token from auth HTTP header param param (Base64 encoded - username:password)
var jwtToken = ah.Parameter;
try
{
//Decode & verify token was signed with our secret
var decodeJwt = UmbracoAuthTokenFactory.DecodeUserAuthToken(jwtToken);
//Ensure our token is not null (was decoded & valid)
if (decodeJwt != null)
{
//Just the presence of the token & being deserialised with correct SECRET key is a good sign
//Get the user from userService from it's username
var user = ApplicationContext.Current.Services.UserService.GetUserById(decodeJwt.IdentityId);
//var user = ApplicationContext.Current.Services.UserService.GetByProviderKey(decodeJwt.IdentityId);
//If user is NOT Approved OR the user is Locked Out
if (!user.IsApproved || user.IsLockedOut)
{
//Return null (by returning null, base method above will return it as HTTP 401)
return(null);
}
//Verify token is what we have on the user
var isTokenValid = UserAuthTokenDbHelper.IsTokenValid(decodeJwt);
//Token matches what we have in DB
if (isTokenValid)
{
//Lets return the backoffice user from Umbraco
//Can we use this user & pass down to API controller that is [Auth'd]
return(user);
}
//Token does not match in DB
return(null);
}
//JWT token could not be serialised to AuthToken object
return(null);
}
catch (SignatureVerificationException ex)
{
//Bubble exception up
throw ex;
}
}
public string Authorise(AuthCredentials auth)
{
//Verify user is valid credentials
var isValidAuth = Security.ValidateBackOfficeCredentials(auth.Username, auth.Password);
//Are credentials correct?
if (isValidAuth)
{
//Get the backoffice user from username
var user = ApplicationContext.Services.UserService.GetByUsername(auth.Username);
//Generate AuthToken DB object
var newToken = new UmbracoAuthToken();
newToken.IdentityId = user.Id;
newToken.IdentityType = IdentityAuthType.User.ToString();
//Generate a new token for the user
var authToken = UmbracoAuthTokenFactory.GenerateUserAuthToken(newToken);
//Store in DB (inserts or updates existing)
UserAuthTokenDbHelper.InsertAuthToken(authToken);
//Return the JWT token as the response
//This means valid login & client in our case mobile app stores token in local storage
return(authToken.AuthToken);
}
//Throw unauthorised HTTP error
var httpUnauthorised = new HttpResponseMessage(HttpStatusCode.Unauthorized);
throw new HttpResponseException(httpUnauthorised);
}
/// <summary>
/// Try and auth the user from the HTTP headers on the request to the API
/// Look for bearer token aka JWT token & try to verify & deserialise it
/// </summary>
/// <param name="request"></param>
/// <returns>If success auth'd return the associated Umbraco backoffice user</returns>
private static IMember Authenticate(HttpRequestMessage request)
{
// Try to get the JWT token from the request
string jwtToken = GetTokenFromRequest(request);
// Return null if we didn't find a token (by returning null, base method above will return it as HTTP 401)
if (string.IsNullOrEmpty(jwtToken))
{
return(null);
}
try
{
// Decode & verify token was signed with our secret
var decodeJwt = UmbracoAuthTokenFactory.DecodeUserAuthToken(jwtToken);
// Ensure our token is not null (was decoded & valid)
if (decodeJwt != null)
{
// Just the presence of the token & being deserialised with correct SECRET key is a good sign
// Get the member from userService from it's id
var member = ApplicationContext.Current.Services.MemberService.GetById(decodeJwt.IdentityId);
// If user is NOT Approved OR the user is Locked Out
if (!member.IsApproved || member.IsLockedOut)
{
// Return null (by returning null, base method above will return it as HTTP 401)
return(null);
}
// Verify token is what we have on the user
var isTokenValid = UserAuthTokenDbHelper.IsTokenValid(decodeJwt);
// Token matches what we have in DB
if (isTokenValid)
{
// Lets return the member
return(member);
}
// Token does not match in DB
return(null);
}
// JWT token could not be serialised to AuthToken object
return(null);
}
catch (SignatureVerificationException ex)
{
// Bubble exception up
throw ex;
}
}
public string AuthoriseMember(AuthCredentials auth)
{
//Verify user is valid credentials - using current membership provider
//Should be native Umbraco one
var isValidAuth = Membership.ValidateUser(auth.Username, auth.Password);
//Are credentials correct?
if (isValidAuth)
{
//Get the member from username
var member = ApplicationContext.Services.MemberService.GetByUsername(auth.Username);
//Check if we have an Auth Token for user
var hasAuthToken = UserAuthTokenDbHelper.GetAuthToken(member.Id);
//If the token already exists
if (hasAuthToken != null)
{
//Lets just return it in the request
return(hasAuthToken.AuthToken);
}
//Else user has no token yet - so let's create one
//Generate AuthToken DB object
var newToken = new UmbracoAuthToken();
newToken.IdentityId = member.Id;
newToken.IdentityType = IdentityAuthType.Member.ToString();
//Generate a new token for the user
var authToken = UmbracoAuthTokenFactory.GenerateAuthToken(newToken);
//We insert authToken as opposed to newToken
//As authToken now has DateTime & JWT token string on it now
//Store in DB (inserts or updates existing)
UserAuthTokenDbHelper.InsertAuthToken(authToken);
//Return the JWT token as the response
//This means valid login & client in our case mobile app stores token in local storage
return(authToken.AuthToken);
}
//Throw unauthorised HTTP error
var httpUnauthorised = new HttpResponseMessage(HttpStatusCode.Unauthorized);
throw new HttpResponseException(httpUnauthorised);
}
/// <summary>
///
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
void MemberService_Saving(IMemberService sender, SaveEventArgs <IMember> e)
{
//Saved entites (Could be more than one member saved. Very unlikely?)
var member = e.SavedEntities.FirstOrDefault();
//Found a member that has been saved
if (member != null)
{
//Check if the password property (RawPasswordValue) is dirty aka has beeen changed
var passIsDirty = member.IsPropertyDirty("RawPasswordValue");
//Password has been changed
if (passIsDirty)
{
//Check if user already has token in DB (token created on first login/auth to API)
var hasAuthToken = UserAuthTokenDbHelper.GetAuthToken(member.Id);
//invalidate token (Only if token exists in DB)
//We have found an existing token
if (hasAuthToken != null)
{
//Generate AuthToken DB object
var newToken = new UmbracoAuthToken();
newToken.IdentityId = member.Id;
newToken.IdentityType = IdentityAuthType.Member.ToString();
//Generate a new token for the user
var authToken = UmbracoAuthTokenFactory.GenerateUserAuthToken(newToken);
//NOTE: We insert authToken as opposed to newToken
//As authToken now has DateTime & JWT token string on it now
//Store in DB (inserts or updates existing)
UserAuthTokenDbHelper.InsertAuthToken(authToken);
}
}
}
}
