public async Task <Result> Handle(Command request, CancellationToken cancellationToken)
{
var tokenHandler = new JwtSecurityTokenHandler();
var jwtOptions = new JwtConfigurationData();
configuration.Bind("jwt", jwtOptions);
// Token configurations
var tokenLifetime = TimeSpan.FromDays(jwtOptions.LifetimeDays);
var now = DateTime.Now;
var jwtToken = tokenHandler.CreateJwtSecurityToken(new SecurityTokenDescriptor()
{
Audience = jwtOptions.Audience,
Issuer = jwtOptions.Issuer,
Expires = now + tokenLifetime,
IssuedAt = now,
NotBefore = now,
SigningCredentials =
new SigningCredentials(
JwtSecurity.GetSecurityKey(jwtOptions.SecretKey, jwtOptions.SecurityPhrase),
SecurityAlgorithms.HmacSha256
),
});
return(new Result
{
Token = tokenHandler.WriteToken(jwtToken),
ExpiresAt = jwtToken.ValidTo,
});
}
public static void AddJwtAuthentication(this IServiceCollection services, IConfiguration configuration)
{
var jwtOptions = configuration.GetValue <JwtConfigurationData>("Jwt");
services
.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters()
{
ValidAudience = jwtOptions.Audience,
ValidIssuer = jwtOptions.Issuer,
IssuerSigningKey = JwtSecurity.GetSecurityKey(jwtOptions.SecretKey, jwtOptions.SecurityPhrase),
LifetimeValidator = (notBefore, expires, token, parameters) =>
{
var now = DateTime.UtcNow;
return((now >= notBefore) && (now <= expires));
},
//
ValidateIssuerSigningKey = true,
ValidateLifetime = true,
ValidateIssuer = true,
ValidateAudience = true,
};
//
options.Validate();
});
}
public IActionResult Login([FromBody] User user)
{
ISecurity <User> security = new JwtSecurity(context);
return(Ok(JsonConvert.SerializeObject(new
{
token = security.Login(user)
})));
}
public async Task<IActionResult> IssueToken([FromBody] BearerTokenRequest model)
{
if (!ValidModelState(out var error))
return error;
TUser user;
switch (model.IdentityType)
{
case IdentityType.Username:
user = await _userManager.FindByNameAsync(model.Identity);
break;
case IdentityType.Email:
user = await _userManager.FindByEmailAsync(model.Identity);
if (!user.EmailConfirmed)
return NotFound();
break;
case IdentityType.PhoneNumber:
user = await _userManager.FindByPhoneNumberAsync(model.Identity);
if (!user.PhoneNumberConfirmed)
return NotFound();
break;
default:
throw new ArgumentOutOfRangeException();
}
if (user == null)
return NotFound();
if (user.LockoutEnd.HasValue && user.LockoutEnd > _timestamps.GetCurrentTime())
return Forbid();
if (await _userManager.CheckPasswordAsync(user, model.Password))
{
Debug.Assert(nameof(IUserIdProvider.Id) == nameof(IdentityUser.Id));
var claims = await _userManager.GetClaimsAsync(user);
if (HttpContext.GetTenantContext<TTenant>() is TenantContext<TTenant> tenantContext)
{
if (tenantContext.Tenant != null)
{
claims.Add(new Claim(_securityOptions.Value.Claims.TenantIdClaim, tenantContext.Tenant.Id));
claims.Add(new Claim(_securityOptions.Value.Claims.TenantNameClaim, tenantContext.Tenant.Name));
}
}
var provider = user.ActLike<IUserIdProvider>();
var token = JwtSecurity.CreateToken(provider, claims, _securityOptions.Value, _apiOptions.Value);
return Ok(new
{
AccessToken = token
});
}
return Unauthorized();
}
public GetAuthrizationTokenQueryHandler(IMapper mapper
, IAuthrizationQueryRepository authrizationQueryRepository
, Hashing hashing
, JwtSecurity jwtSecurity)
{
this._mapper = mapper;
this._authrizationQueryRepository = authrizationQueryRepository;
this._hashing = hashing;
this._jwtSecurity = jwtSecurity;
}
private SecurityValidationResult ValidateJwt(HttpActionContext actionContext)
{
try
{
var authenticationHeader = actionContext.Request.Headers.Authorization;
if (authenticationHeader.Scheme.ToUpperInvariant() != "BEARER")
{
return(new SecurityValidationResult(false, "The authorization header scheme is invalid."));
}
if (string.IsNullOrEmpty(authenticationHeader.Parameter))
{
return(new SecurityValidationResult(false, "An authorization header value is required."));
}
var customerId = JwtSecurity.GetClaimValue(authenticationHeader.Parameter,
JwtSecurity.ClaimCustomerId);
if (customerId == null)
{
return(new SecurityValidationResult(false, "The supplied JWT is missing customer id claim."));
}
if (_jwtRequestInfo != null)
{
int parsedCustomerId;
int.TryParse(customerId, out parsedCustomerId);
if (parsedCustomerId > 0)
{
_jwtRequestInfo.JwtInfo.CustomerId = parsedCustomerId;
}
else
{
return(new SecurityValidationResult(false, "The supplied JWT internal id claim has an invalid value."));
}
}
return(new SecurityValidationResult(true, string.Empty));
}
catch (Exception exception)
{
// Logging
if (_logger.IsErrorEnabled)
{
_logger.Error("Failed to decode JWT", exception);
}
return(new SecurityValidationResult(false, "Failed to decode JWT."));
}
}
public string CreateToken(IEnumerable <Claim> claims)
{
var tokenHandler = new JwtSecurityTokenHandler();
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(claims),
Expires = DateTime.UtcNow.AddMinutes(_jwtSettings.JwtTokenSettings.Expires),
SigningCredentials = JwtSecurity.GetPrivateSigningCredential(_jwtSettings),
Audience = _jwtSettings.JwtTokenSettings.ValidateAudience ? _jwtSettings.JwtTokenSettings.ValidAudience : null,
Issuer = _jwtSettings.JwtTokenSettings.ValidateIssuer ? _jwtSettings.JwtTokenSettings.ValidIssuer : null,
};
var token = tokenHandler.CreateToken(tokenDescriptor);
return(tokenHandler.WriteToken(token));
}
public async Task <IActionResult> Authenticate([FromBody] LoginRequest request)
{
try
{
if (request != null)
{
var user = await UserHandler.Authenticate(request);
if (user == null)
{
Logger.LogInformation("User authentication failed: " + request.Email);
return(Unauthorized());
}
if (!user.IsSystemAccount)
{
Logger.LogInformation("User is not a system account: " + request.Email);
return(Unauthorized());
}
Logger.LogInformation("User authenticated");
var jwt = JwtSecurity.GenerateToken(user.UserId, user.Email);
var loginResponse = new
{
User = user,
CSToken = jwt
};
var response = JsonConvert.SerializeObject(loginResponse, new JsonSerializerSettings {
Formatting = Formatting.None
});
return(Ok(loginResponse));
}
return(StatusCode(408, new ErrorResponse()
{
Message = "Bad Login Request"
}));
}
catch (Exception ex)
{
Logger.LogError(ex.ToString());
return(StatusCode(505, ex.Message));
}
}
public async Task <IActionResult> Token(string username, string password)
{
if (string.IsNullOrWhiteSpace(username) || string.IsNullOrEmpty(password))
{
return(Fail("Недопустимый логин или пароль."));
}
var identity = await _accountService.GetIdentityAsync(username, password);
if (identity == null)
{
return(Fail("Неверный логин или пароль."));
}
var jwt = JwtSecurity.CreateToken(identity.Claims);
var accessToken = new JwtSecurityTokenHandler().WriteToken(jwt);
return(Success(new { accessToken, username }));
}
public static void JwtConfiguration(this IServiceCollection services, IConfiguration configuration)
{
var tokenSection = configuration.GetSection("JwtSettings");
var tokenSettings = tokenSection.Get <JwtSettings>();
services.Configure <JwtSettings>(tokenSection);
services.AddScoped <IJwtTokenProvider, JwtTokenProvider>();
services.AddAuthentication(x =>
{
x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(x =>
{
x.Events = new JwtBearerEvents
{
//It is the first event that meets and accepts all requests from the Client, whether token or not.
OnMessageReceived = context =>
{
return(Task.CompletedTask);
},
//If the token sent with the request is valid, it is triggered and verification procedures are performed
OnTokenValidated = context =>
{
return(Task.CompletedTask);
},
//The token that came with the request is invalid, worn or corrupted
OnAuthenticationFailed = context =>
{
return(Task.CompletedTask);
},
OnChallenge = context =>
{
return(Task.CompletedTask);
}
};
x.RequireHttpsMetadata = false;
x.SaveToken = true;
x.TokenValidationParameters = TokenValidation.TokenParameter(tokenSettings, JwtSecurity.GetPublicSigningCredential(tokenSettings));
});
}
public async Task <IActionResult> RefreshToken([FromRoute] Guid userId, [FromHeader] string authorization, [FromBody] Device deviceInfo)
{
try
{
//Null checks
if (authorization == null)
{
return(StatusCode(500, new ErrorResponse()
{
Message = "Authorization token is missing from header"
}));
}
if (deviceInfo.RefreshToken == null)
{
return(StatusCode(500, new ErrorResponse()
{
Message = "Refresh Token is missing from Json body"
}));
}
//Token verification
var updatedAuthorization = authorization.Replace("Bearer ", "");
var verifyToken = UserHandler.ReadToken(updatedAuthorization, userId);
if (!verifyToken)
{
return(StatusCode(500, new ErrorResponse()
{
Message = "UserId does not match Authorized User associated with provided Auth Token"
}));
}
var userInfo = await UserHandler.GetUserById(userId);
if (userInfo != null)
{
var authUser = userInfo;
var verifyRefreshToken = UserHandler.ReadToken(deviceInfo.RefreshToken, userId);
if (verifyRefreshToken)
{
var jwt = JwtSecurity.GenerateToken(authUser.UserId, authUser.Email);
var jwtRefresh = JwtSecurity.GenerateRefreshToken(authUser.UserId, authUser.Email);
var loginResponse = new
{
User = authUser,
CSToken = jwt,
RefreshToken = jwtRefresh
};
var response = JsonConvert.SerializeObject(loginResponse, new JsonSerializerSettings {
Formatting = Formatting.None
});
return(Ok(loginResponse));
}
return(StatusCode(500, new ErrorResponse()
{
Message = "Device Refresh token is invalid"
}));
}
Logger.LogInformation("Unable to retrieve user information with the UserId provided");
return(StatusCode(401, new ErrorResponse()
{
Message = "Unable to retrieve user information with the UserId provided"
}));
}
catch (Exception ex)
{
Logger.LogError(ex.ToString());
return(StatusCode(505, ex.Message));
}
}
public bool ValidateToken(string token)
{
var tokenHandler = new JwtSecurityTokenHandler();
var tokenValidationParameters = TokenValidation.TokenParameter(_jwtSettings, JwtSecurity.GetPublicSigningCredential(_jwtSettings));
try
{
tokenHandler.ValidateToken(token.Replace($"{_jwtSettings.TokenType} ", ""), tokenValidationParameters, out SecurityToken securityToken);
return(true);
}
catch
{
return(false);
}
}
public async Task <IActionResult> IssueToken([FromBody] BearerTokenRequest model)
{
if (!Debugger.IsAttached)
{
return(NotImplemented());
}
#if DEBUG
var superUser = _securityOptions.Value.SuperUser;
if (!superUser.Enabled)
{
return(NotFound());
}
if (!ValidModelState(out var error))
{
return(error);
}
bool isSuperUser;
switch (model.IdentityType)
{
case IdentityType.Username:
isSuperUser = superUser.Username == model.Identity;
if (!isSuperUser)
{
return(NotFound());
}
break;
case IdentityType.Email:
isSuperUser = superUser.Email == model.Identity;
if (!isSuperUser)
{
return(NotFound());
}
break;
case IdentityType.PhoneNumber:
isSuperUser = superUser.PhoneNumber == model.Identity;
if (!isSuperUser)
{
return(NotFound());
}
break;
default:
throw new ArgumentOutOfRangeException();
}
var encoding = Encoding.UTF8;
if (Crypto.ConstantTimeEquals(encoding.GetBytes(model.Password), encoding.GetBytes(_securityOptions.Value.SuperUser.Password)))
{
Debug.Assert(nameof(IUserIdProvider.Id) == nameof(IObject.Id));
var claims = new List <Claim>
{
new Claim(ClaimTypes.Role, nameof(SecurityOptions.SuperUser))
};
var provider = new { Id = "87BA0A16-7253-4A6F-A8D4-82DFA1F723C1" }.ActLike <IUserIdProvider>();
var token = JwtSecurity.CreateToken(provider, claims, _securityOptions.Value, _apiOptions.Value);
return(Ok(new { AccessToken = token }));
}
return(Unauthorized());
#endif
return(NotImplemented());
}
public SegurancaController(JwtSecurity jwt)
{
_jwt = jwt;
}
