I have some people who login through standard ServiceStack authentication and some people whose passwords need to be compared to Active Directory. They use the same CredentialsAuthProvider and I want to be able to make use of the stuff happening in OrmLiteAuthRepository.TryAuthenticateAsync (recording of invalid login attempts etc.).
My solution thus far:
public class MyOrmLiteAuthRepository : OrmLiteAuthRepository
{
public override async Task<IUserAuth?> TryAuthenticateAsync(string userName, string password,
CancellationToken token = new CancellationToken())
{
if (!IsActiveDirectoryLogin)
{
return await base.TryAuthenticateAsync(userName, password, token);
}
var userAuth = await GetUserAuthByUserNameAsync(userName, token).ConfigAwait();
if (userAuth == null)
{
return null;
}
if (IsValidActiveDirectoryCredentials())
{
await this.RecordSuccessfulLoginAsync(userAuth, false, password, token).ConfigAwait();
return userAuth;
}
await this.RecordInvalidLoginAttemptAsync(userAuth, token).ConfigAwait();
}
}
So I have to repeat all the calls in the base leaving room for problems if ServiceStack changes. If IUserAuth.VerifyPassword wasn't an extension method and virtual I would've overridden it and placed the same conditional logic in there.
Is there a more straight forward way to override the password checking?
The standard way is to create a Custom CredentialsAuthProvider, e.g:
public class CustomCredentialsAuthProvider : CredentialsAuthProvider
{
public override async Task<bool> TryAuthenticateAsync(IServiceBase authService,
string userName, string password, CancellationToken token=default)
{
//Add here your custom auth logic (database calls etc)
//Return true if credentials are valid, otherwise false
}
}
That you would register in your AuthFeature plugin instead.
Related
I am attempting to implement a login step with a REST API using the Serenity Screenplay Pattern. For this to work I need to be able to grab a JWT token that was returned from one Task, and use it to authenticate other tasks. I know how to do this in theory. Please consider the following Groovy code.
class ActorInTheSpotlight {
String actor
String token
#Step("{0} is an actor using the system under test")
ActorInTheSpotlight whoIsNamed(String actor) {
this.actor = actor
theActorCalled(actor)
return this
}
#Step("#actor who can authenticate with credentials")
ActorInTheSpotlight whoCanAuthenticateWith(String email, String password) {
theActor().whoCan(Authenticate.withCredentials(email, password))
return this
}
#Step("#actor who can call the admin API")
ActorInTheSpotlight whoCanCallTheAdminApi() {
theActor().whoCan(CallAnApi.at("http://localhost:3000"))
return this
}
#Step("#actor was able to login to API with credentials")
ActorInTheSpotlight wasAbleToLoginToApi() {
return wasAbleTo(LoginWithApi.usingCredentials())
}
ActorInTheSpotlight wasAbleTo(Performable... todos) {
theActor().wasAbleTo(todos)
return this
}
}
class LoginWithApi implements Task {
#Shared
ActorInTheSpotlight theActor
static LoginWithApi usingCredentials() {
return instrumented(LoginWithApi.class);
}
#Step("{0} logs into api using credentials")
<T extends Actor> void performAs(T actor) {
def auth = Authenticate.asPrincipal(actor)
actor.attemptsTo(
// NOTE: PostToApi is an alias for Post, renaming `with` to `withRequest`
// so that Groovy does not attempt to match it to the default `with(Closure closure)`
PostToApi.at("/login").withRequest({ RequestSpecification req ->
req.header("Content-Type", "application/json")
.body([email: auth.email, password: auth.password])
})
)
}
}
class AdminApiStepDefinitions {
#Shared
ActorInTheSpotlight theActor
#Before
void set_the_stage(){
OnStage.setTheStage(new OnlineCast())
}
#Given(/^that "([^"]*)" is an Admin who may call the rest api$/)
void is_an_admin_who_may_call_the_rest_api(String actor) {
theActor.whoIsNamed(actor)
.whoCanCallTheAdminApi()
}
#Given(/^s?he was able to login to the api with the credentials$/)
void was_able_to_login_to_the_api_with_the_credentials(Map<String, String> credentials) {
def email = credentials.get('email')
def password = credentials.get('password')
theActor
.whoCanAuthenticateWith(email, password)
.wasAbleToLoginToApi()
}
}
So, in theory, I should be able to share the ActorInTheSpotlight steps between tasks, using it to store/retrieve my JWT token. I also see that I can grab the token value like so:
String token = SerenityRest.lastResponse()
.jsonPath()
.getObject("token", String.class);
The problem is that I'm not exactly sure where to put this code within the context of the step definitions. Should I implement the retrieving of this token as its own step, or is there a way to hide this implementation detail within the LoginToApi task itself?
Thanks for your time!
Update
Here is the Authenticate ability class, which would probably be a good place to implement this functionality, but the same timing issues as above still apply. IE, how would I update an ability "mid-flight" so that it's available at the correct time for consuption in other tasks.
class Authenticate implements Ability {
String email
String password
// instantiates the Ability and enables fluent DSL
static Authenticate withCredentials(String email, String password) {
return new Authenticate(email, password)
}
// NOTE: custom exception class not shown
static Authenticate asPrincipal(Actor actor) throws CannotAuthenticateException {
// complain if someone's asking the impossible
if(!actor.abilityTo(Authenticate.class)){
throw new CannotAuthenticateException(actor.getName())
}
return actor.abilityTo(Authenticate.class)
}
Authenticate(String email, String password) {
this.email = email
this.password = password
}
}
Update 2
I was able to implement this as its own step, but I really dislike my implementation details leaking into the step definitions like this. I would except any answer that allows me to implement this without the was_able_to_get_a_valid_jwt_token step shown below.
note: only showing additions to original code
class ActorInTheSpotlight {
#Step("#actor has a valid JWT token")
ActorInTheSpotlight whoHasTheToken(String token) {
this.token = token
theActor().whoCan(AuthenticateApi.withToken(token))
return this
}
}
class AuthenticateApi implements Ability {
String token
static AuthenticateApi withToken(String token) {
return new AuthenticateApi(token)
}
static AuthenticateApi asPrincipal(Actor actor) throws CannotAuthenticateException {
// complain if someone's asking the impossible
if(!actor.abilityTo(AuthenticateApi.class)){
throw new CannotAuthenticateException(actor.getName())
}
return actor.abilityTo(AuthenticateApi.class)
}
static <T extends Actor> void attempt(final T actor, final RequestSpecification req) {
AuthenticateApi auth = null
try {
auth = AuthenticateApi.asPrincipal(actor)
}
catch(CannotAuthenticateException e) {
// swallow error
}
if(auth) {
req.header("Authorization", "Bearer ${auth.token}")
}
}
AuthenticateApi(String token) {
this.token = token
}
}
class AdminApiStepDefinitions {
// This is what I want to get rid of!
#Given(/^s?he was able to get a valid JWT token$/)
void was_able_to_get_a_valid_jwt_token() {
theActor.whoHasTheToken(SerenityRest.lastResponse().jsonPath()
.getObject("token", String.class))
}
}
And here is an example of a Task using the JWT token to authenticate requests:
class ApiGet implements Task {
static ApiGet from(String resource) {
return instrumented(ApiGet.class, resource)
}
String resource
ApiGet(String resource) {
this.resource = resource
}
#Step("{0} attempts to GET #resource")
<T extends Actor> void performAs(T actor) {
actor.attemptsTo(
// NOTE: GetFromApi is an alias for Get, renaming `with` to `withRequest`
// so that Groovy does not attempt to match it to the default `with(Closure closure)`
GetFromApi.at(resource).withRequest({ RequestSpecification req ->
AuthenticateApi.attempt(actor, req)
req.header("Content-Type", "application/json")
})
)
}
}
Well it doesn't seem very thread safe, but none of this really is, so... meh. Here is what I came up with.
class AdminApiStepDefinitions {
#Given(/^s?he was able to login to the api with the credentials$/)
void was_able_to_login_to_the_api_with_the_credentials(Map<String, String> credentials) {
def email = credentials.get('email')
def password = credentials.get('password')
theActor
.whoCanAuthenticateWith(email, password)
.wasAbleToLoginToApi()
theActor.whoHasTheToken(SerenityRest.lastResponse().jsonPath().getString("token"))
}
}
I have tried create the Asp.Net Core MVC app where I want to protect the form model especially Id.
I have found the posibility with DataProtection with method - Protect and Unprotect string.
I've used this implementation:
public class HomeController : Controller
{
readonly IDataProtector _protector;
private readonly IUserRepository _userRepository;
public HomeController(IDataProtectionProvider provider, IUserRepository userRepository)
{
_protector = provider.CreateProtector("DataProtectionDemo.Controllers.HomeController");
_userRepository = userRepository;
}
[HttpGet]
public async Task<IActionResult> Index(int id)
{
var user = await _userRepository.GetUserDetail(id);
user.Id = _protector.Protect(user.Id);
return View(user);
}
[HttpPost]
public async Task<IActionResult> Index(UserViewModel model)
{
try
{
model.Id = _protector.Unprotect(model.Id);
await _userRepository.SaveUser(model);
return RedirectToAction(nameof(Index));
}
catch (Exception e)
{
model.Error = e.Message;
return View(model);
}
}
In this case I want to protect UserId in hidden field with encrypted string, but I don't know if this using of Dataprotection is correct way. I know of posibilities around Authorization Policy and it might be next step check user permission but I am wondering about this additional way as create better protection.
Is it good way how protect the form model?
I have opened this issue on Github in DataProtection topic:
https://github.com/aspnet/DataProtection/issues/278
The answer was that this solution should work fine.
I need to authenticate my users using an external API from the login page. If the authentication from the external API succeed then I store at the session a AuthToken.
To check if the request is valid I have created the following Authorization Handler
public class ExtApiStoreRequirement : IAuthorizationRequirement
{
}
public class ExtApiAuthorizationHandler : AuthorizationHandler<ExtApiStoreRequirement>
{
IHttpContextAccessor _accessor;
public ExtApiAuthorizationHandler(IHttpContextAccessor accessor)
{
_accessor = accessor;
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ExtApiStoreRequirement requirement)
{
var authState = GET_AUTH_FROM_SESSION(_accessor.HttpContext.Session);
if (authState!=null)
{
_accessor.HttpContext.Response.Redirect("/Account/Login");
//context.Fail(); <-- I removed that because it was responding an empty page
context.Succeed(requirement);
}
else
context.Succeed(requirement);
return Task.CompletedTask;
}
}
And I have registered this handler at my startup.cs
services.AddAuthorization(options =>
{
options.AddPolicy("ExtApi",
policy => policy.Requirements.Add(new ExtApiStoreRequirement()));
});
This approach is working but I don't feel confident because I have to call context.Succeed(requirement); for the redirection to work. If I call context.Fail() then no redirection takes place and all I see is an empty page.
Is there any security issue with this approach or I will be safe using it?
Your implementation is for authorization not authentication. I think instead of creating an authorization policy, writing custom authentication middleware would be right way for your case.
First see how to implement custom authentication Simple token based authentication/authorization in asp.net core for Mongodb datastore
To implement above way for your case HandleAuthenticateAsync should be something like below:
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
{
AuthenticateResult result = null;
var principal = GetPrincipalFromSession();
if(principal != null)
{
result = AuthenticateResult.Success(new AuthenticationTicket(principal,
new AuthenticationProperties(), Options.AuthenticationScheme));
}
else
{
result = AuthenticateResult.Skip();
}
return result;
}
Update based on comment:
protected override async Task<bool> HandleUnauthorizedAsync(ChallengeContext context)
{
Response.Redirect(Options.LoginPath);// you need to define LoginPath
return true;
}
Also you should store principal in session when user signs in.
Right now, we're authenticating our users with this:
public class WindowsAuthProvider : CredentialsAuthProvider
{
public override bool TryAuthenticate(IServiceBase authService, string userName, string password)
{
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "OurDomain"))
{
// TODO make sure user record exists in custom DB tables as well
return pc.ValidateCredentials(userName, password);
}
}
public override IHttpResult OnAuthenticated(IServiceBase authService, IAuthSession session, IAuthTokens tokens, Dictionary<string, string> authInfo)
{
return base.OnAuthenticated(authService, session, tokens, authInfo);
}
}
Which works great when using the JsonServiceClient.
We have some legacy code written in Visual FoxPro which wants to call some of the authenticated functions in ServiceStack... to accommodate this, we'd like to also allow Api Keys. We want the API Keys to be stored in SQL Server to avoid issues if the process stops / restarts. So, the client would authenticate with domain credentials, then generate an API key for subsequent calls which would be stored in the database (ideally just using the table servicestack can create (dbo.ApiKey).
If we were to set this per the docs:
container.Register<IAuthRepository>(c => new OrmLiteAuthRepository(dbFactory));
We get an error on the OnAuthenticated function above telling us we should call Init()... like its trying to also create the user tables. So I'm not sure how to allow DB stored API Keys, along with custom authentication that relies on both active directory as well as our custom tables for users and roles.
Instead of inheriting from CredentialsAuthProvider, maybe its better to register a custom IUserAuthRepository and IManageRoles?
The API Key AuthProvider needs to be registered in your AuthFeature, e.g:
Plugins.Add(new AuthFeature(...,
new IAuthProvider[] {
new ApiKeyAuthProvider(AppSettings),
new WindowsAuthProvider(AppSettings),
//...
}));
Which requires a IAuthRepository like you're doing:
container.Register<IAuthRepository>(c =>
new OrmLiteAuthRepository(dbFactory));
Any AuthProvider that requires creating a back-end tables or other schema requires that its schema is initialized on Startup which you can do with:
container.Resolve<IAuthRepository>().InitSchema();
It's safe to always call InitSchema() as it only creates missing tables or is otherwise ignored for AuthRepositories that don't require creating a schema.
An issue you're running into is that you've registered an IAuthRepository and are inheriting a CredentialsAuthProvider which you don't want to use it in so you can't call CredentialsAuthProvider.OnAuthenticated() since it will save the User Auth info to the repository if it exists.
So you'll need to provide a custom implement without calling base.OnAuthenticated(), e.g:
public class WindowsAuthProvider : CredentialsAuthProvider
{
public override bool TryAuthenticate(IServiceBase authService, string userName, string password)
{
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "OurDomain"))
{
// TODO make sure user record exists in custom DB tables as well
return pc.ValidateCredentials(userName, password);
}
}
public override IHttpResult OnAuthenticated(IServiceBase authService, IAuthSession session, IAuthTokens tokens, Dictionary<string, string> authInfo)
{
try
{
session.IsAuthenticated = true;
session.OnAuthenticated(authService, session, tokens, authInfo);
AuthEvents.OnAuthenticated(authService.Request, session, authService, tokens, authInfo);
}
finally
{
this.SaveSession(authService, session, SessionExpiry);
}
return null;
}
}
Using the new ASP.net Identity in MVC 5, How do we disable a user from logging in? I don't want to delete them, maybe just disable their account for a time period.
Does anyone have any ideas on this as I don't see a status column or anything on the ASPNetUsers table.
await userManager.SetLockoutEnabledAsync(applicationUser.Id, true);
await userManager.SetLockoutEndDateAsync(DateTime.Today.AddYears(10));
Update: As CountZero points out, if you're using v2.1+, then you should try and use the lockout functionality they added first, before trying the solution below. See their blog post for a full sample: http://blogs.msdn.com/b/webdev/archive/2014/08/05/announcing-rtm-of-asp-net-identity-2-1-0.aspx
Version 2.0 has the IUserLockoutStore interface that you can use to lockout users, but the downside is that there is no OOB functionality to actually leverage it beyond the pass-through methods exposed by the UserManager class. For instance, it would be nice if it would actually increment the lockout count as a part of the standard username/password verification process. However, it's fairly trivial to implement yourself.
Step #1: Create a custom user store that implements IUserLockoutStore.
// I'm specifying the TKey generic param here since we use int's for our DB keys
// you may need to customize this for your environment
public class MyUserStore : IUserLockoutStore<MyUser, int>
{
// IUserStore implementation here
public Task<DateTimeOffset> GetLockoutEndDateAsync(MyUser user)
{
//..
}
public Task SetLockoutEndDateAsync(MyUser user, DateTimeOffset lockoutEnd)
{
//..
}
public Task<int> IncrementAccessFailedCountAsync(MyUser user)
{
//..
}
public Task ResetAccessFailedCountAsync(MyUser user)
{
//..
}
public Task<int> GetAccessFailedCountAsync(MyUser user)
{
//..
}
public Task<bool> GetLockoutEnabledAsync(MyUser user)
{
//..
}
public Task SetLockoutEnabledAsync(MyUser user, bool enabled)
{
//..
}
}
Step #2: Instead of UserManager, use the following class in your login/logout actions, passing it an instance of your custom user store.
public class LockingUserManager<TUser, TKey> : UserManager<TUser, TKey>
where TUser : class, IUser<TKey>
where TKey : IEquatable<TKey>
{
private readonly IUserLockoutStore<TUser, TKey> _userLockoutStore;
public LockingUserManager(IUserLockoutStore<TUser, TKey> store)
: base(store)
{
if (store == null) throw new ArgumentNullException("store");
_userLockoutStore = store;
}
public override async Task<TUser> FindAsync(string userName, string password)
{
var user = await FindByNameAsync(userName);
if (user == null) return null;
var isUserLockedOut = await GetLockoutEnabled(user);
if (isUserLockedOut) return user;
var isPasswordValid = await CheckPasswordAsync(user, password);
if (isPasswordValid)
{
await _userLockoutStore.ResetAccessFailedCountAsync(user);
}
else
{
await IncrementAccessFailedCount(user);
user = null;
}
return user;
}
private async Task<bool> GetLockoutEnabled(TUser user)
{
var isLockoutEnabled = await _userLockoutStore.GetLockoutEnabledAsync(user);
if (isLockoutEnabled == false) return false;
var shouldRemoveLockout = DateTime.Now >= await _userLockoutStore.GetLockoutEndDateAsync(user);
if (shouldRemoveLockout)
{
await _userLockoutStore.ResetAccessFailedCountAsync(user);
await _userLockoutStore.SetLockoutEnabledAsync(user, false);
return false;
}
return true;
}
private async Task IncrementAccessFailedCount(TUser user)
{
var accessFailedCount = await _userLockoutStore.IncrementAccessFailedCountAsync(user);
var shouldLockoutUser = accessFailedCount > MaxFailedAccessAttemptsBeforeLockout;
if (shouldLockoutUser)
{
await _userLockoutStore.SetLockoutEnabledAsync(user, true);
var lockoutEndDate = new DateTimeOffset(DateTime.Now + DefaultAccountLockoutTimeSpan);
await _userLockoutStore.SetLockoutEndDateAsync(user, lockoutEndDate);
}
}
}
Example:
[AllowAnonymous]
[HttpPost]
public async Task<ActionResult> Login(string userName, string password)
{
var userManager = new LockingUserManager<MyUser, int>(new MyUserStore())
{
DefaultAccountLockoutTimeSpan = /* get from appSettings */,
MaxFailedAccessAttemptsBeforeLockout = /* get from appSettings */
};
var user = await userManager.FindAsync(userName, password);
if (user == null)
{
// bad username or password; take appropriate action
}
if (await _userManager.GetLockoutEnabledAsync(user.Id))
{
// user is locked out; take appropriate action
}
// username and password are good
// mark user as authenticated and redirect to post-login landing page
}
If you want to manually lock someone out, you can set whatever flag you're checking in MyUserStore.GetLockoutEnabledAsync().
You can have a new class, which should be derived from IdentityUser class. YOu can add a boolean property in the new class and can use this new property of take care per check for login process. I also done it pretty well. I might wanna take a look at : blog
UserManager.RemovePasswordAsync("userId") will effectively disable a user. If the user has no password he will not be able to log in. You will need to set a new password to enable the user again.