Neca
/
HRCenter
关注 1
点赞 0
派生 0
代码 工单 0 合并请求 1 版本发布 0 百科 动态
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
79 提交
45 分支
目录树: 3307716c3f
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 '3307716c3f'
${ noResults }
HRCenter/Diligent.WebAPI.Business/Services/AuthenticationService.cs

AuthenticationService.cs 15KB
原始文件 Blame 文件历史

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410 
  1. using Microsoft.AspNetCore.WebUtilities;

  2. using Microsoft.Extensions.Logging;

  3. using System.Net;

  4. using System.Web;

  5. 

  6. namespace Diligent.WebAPI.Business.Services

  7. {

  8.     public class AuthenticationService : IAuthenticationService

  9.     {

  10.         private readonly AuthorizationSettings _authSettings;

  11.         private readonly FrontEndSettings _frontEndSettings;

  12.         private readonly UserManager<User> _userManager;

  13.         private readonly DatabaseContext _databaseContext;

  14.         private readonly IEmailer _emailer;

  15.         private readonly ILogger<AuthenticationService> _logger;

  16.         private readonly IHttpClientService _httpClient;

  17.        

  18.         public AuthenticationService(IOptions<AuthorizationSettings> authSettings, 

  19.             IOptions<FrontEndSettings> frontEndSettings, 

  20.             UserManager<User> userManager, 

  21.             DatabaseContext databaseContext, 

  22.             IEmailer emailer, 

  23.             ILogger<AuthenticationService> logger,

  24.             IHttpClientService httpClient)

  25.         {

  26.             _authSettings = authSettings.Value;

  27.             _frontEndSettings = frontEndSettings.Value;

  28.             _userManager = userManager;

  29.             _databaseContext = databaseContext;

  30.             _httpClient = httpClient;

  31.             _emailer = emailer;

  32.             _logger = logger;

  33.         }

  34.       

  35.         public async Task<ServiceResponseDTO<AuthenticateResponseDto>> Authenticate(AuthenticateRequestDto model)

  36.         {

  37.             var user = await _userManager.FindByNameAsync(model.Username);

  38. 

  39.             // return null if user not found

  40.             if (user == null)

  41.             {

  42.                 return new ServiceResponseDTO<AuthenticateResponseDto>

  43.                 {

  44.                     IsError = true,

  45.                     ErrorMessage = "Username is not valid"

  46.                 };

  47.             }

  48. 

  49.             var result = await _userManager.CheckPasswordAsync(user, model.Password);

  50. 

  51.             // return null if user is disabled

  52.             if (user.IsEnabled == false)

  53.             {

  54.                 return new ServiceResponseDTO<AuthenticateResponseDto>

  55.                 {

  56.                     IsError = true,

  57.                     ErrorMessage = $"User with email {model.Username} has no permission to log in."

  58.                 };

  59.             }

  60.             // password is not correct

  61.             if (!result)

  62.             {

  63.                 await _userManager.AccessFailedAsync(user);

  64. 

  65.                 return new ServiceResponseDTO<AuthenticateResponseDto>

  66.                 {

  67.                     IsError = true,

  68.                     ErrorMessage = "Password is not correct"

  69.                 };

  70.             }

  71. 

  72.             return await GenerateToken(user);

  73.         }

  74. 

  75.         public async Task<ServiceResponseDTO<AuthenticateResponseDto>> Authenticate(GoogleApiModel model)

  76.         {

  77. 

  78.             if (!(await _httpClient.IsTokenValid(model.Token)))

  79.             {

  80.                 return new ServiceResponseDTO<AuthenticateResponseDto>

  81.                 {

  82.                     IsError = true,

  83.                     ErrorMessage = "Invalid Google Api Token"

  84.                 };

  85.             }

  86.             var user = await _userManager.FindByEmailAsync(model.User.email);

  87. 

  88.             // return null if user not found

  89.             if (user == null)

  90.             {

  91.                 return new ServiceResponseDTO<AuthenticateResponseDto>

  92.                 {

  93.                     IsError = true,

  94.                     ErrorMessage = $"User with email {model.User.email} does not exist in database"

  95.                 };

  96.             }

  97. 

  98.             if (user.IsEnabled == false)

  99.             {

  100.                 return new ServiceResponseDTO<AuthenticateResponseDto>

  101.                 {

  102.                     IsError = true,

  103.                     ErrorMessage = $"User with email {model.User.email} has no permission to log in."

  104.                 };

  105.             }

  106.             return await GenerateToken(user);

  107.         }

  108. 

  109.         private async Task<ServiceResponseDTO<AuthenticateResponseDto>> GenerateToken(User user)

  110.         {

  111.             var isLocked = await _userManager.IsLockedOutAsync(user);

  112. 

  113.             if (isLocked)

  114.                 return new ServiceResponseDTO<AuthenticateResponseDto>

  115.                 {

  116.                     IsError = true,

  117.                     ErrorMessage = "The account is locked out"

  118.                 };

  119. 

  120. 

  121. 

  122.             // authentication successful so generate jwt token

  123.             var token = await GenerateJwtToken(user, true);

  124. 

  125.             var data = new AuthenticateResponseDto

  126.             {

  127.                 Id = user.Id,

  128.                 Username = user.UserName,

  129.                 FirstName = user.FirstName,

  130.                 LastName = user.LastName,

  131.                 Token = token,

  132.                 RefreshToken = token

  133.             };

  134. 

  135.             return new ServiceResponseDTO<AuthenticateResponseDto>

  136.             {

  137.                 Data = data

  138.             };

  139.         }

  140. 

  141.         private async Task<string> GenerateJwtToken(User user, bool authenticate = false)

  142.         {

  143.             // generate token that is valid for 7 days

  144.             var tokenHandler = new JwtSecurityTokenHandler();

  145.             var key = Encoding.ASCII.GetBytes(_authSettings.Secret);

  146.             var tokenDescriptor = new SecurityTokenDescriptor

  147.             {

  148.                 Subject = new ClaimsIdentity(new[] {

  149.                     new Claim(JwtRegisteredClaimNames.Jti, user.Id.ToString()),

  150.                     new Claim("id", user.Id.ToString())

  151.                 }),

  152.                 Expires = DateTime.UtcNow.AddMinutes(_authSettings.JwtExpiredTime),

  153.                 SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)

  154.             };

  155.             var token = tokenHandler.CreateToken(tokenDescriptor);

  156. 

  157.             var writedToken = tokenHandler.WriteToken(token);

  158. 

  159.             var refreshToken = new RefreshToken

  160.             {

  161.                 Token = writedToken,

  162.                 JwtId = user.Id.ToString(),

  163.                 UserId = user.Id,

  164.                 User = user,

  165.                 CreationDate = DateTime.UtcNow,

  166.                 ExpiryDate = DateTime.UtcNow.AddMinutes(_authSettings.JwtRefreshExpiredTime)

  167.             };

  168. 

  169.             var existRefreshToken = await _databaseContext.RefreshTokens.Where(x => x.UserId == user.Id).FirstOrDefaultAsync();

  170. 

  171.             if (existRefreshToken != null)

  172.             {

  173.                 existRefreshToken.Token = writedToken;

  174.                 existRefreshToken.JwtId = token.Id;

  175.                 existRefreshToken.CreationDate = DateTime.UtcNow;

  176.                 existRefreshToken.ExpiryDate = DateTime.UtcNow.AddMinutes(_authSettings.JwtRefreshExpiredTime);

  177. 

  178.                 if (authenticate)

  179.                 {

  180.                     existRefreshToken.Used = false;

  181.                     existRefreshToken.Invalidated = false;

  182.                 }

  183. 

  184.                 _databaseContext.RefreshTokens.Update(existRefreshToken);

  185.                 await UpdateRefreshToken(existRefreshToken);

  186.             }

  187.             else

  188.             {

  189.                 await _databaseContext.RefreshTokens.AddAsync(refreshToken);

  190.             }

  191. 

  192.             await _databaseContext.SaveChangesAsync();

  193. 

  194.             return writedToken;

  195.         }

  196. 

  197.         public async Task<RefreshTokenResultDto> RefreshTokenAsync(RefreshTokenRequestDto model)

  198.         {

  199.             var validatedToken = GetPrincipalFromToken(model.Token, false);

  200. 

  201.             if (validatedToken == null)

  202.             {

  203.                 return new RefreshTokenResultDto { Error = "Invalid token" };

  204.             }

  205. 

  206.             var jti = validatedToken.Claims.Single(x => x.Type == JwtRegisteredClaimNames.Jti).Value;

  207. 

  208.             var storedRefreshToken = await _databaseContext.RefreshTokens.SingleOrDefaultAsync(x => x.JwtId == jti);

  209. 

  210.             if (storedRefreshToken == null)

  211.             {

  212.                 return new RefreshTokenResultDto { Error = "This refresh token does not exist" };

  213.             }

  214. 

  215.             var userk = await _databaseContext.Users.Where(u => u.Id == storedRefreshToken.UserId).FirstOrDefaultAsync();

  216. 

  217.             if (userk == null)

  218.             {

  219.                 return new RefreshTokenResultDto { Error = "There is no user which is associated with refresh token" };

  220.             }

  221. 

  222.             var expiryDateUnix = long.Parse(validatedToken.Claims.Single(x => x.Type == JwtRegisteredClaimNames.Exp).Value);

  223. 

  224.             var expiryDateTimeUtc = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)

  225.                 .AddMinutes(expiryDateUnix);

  226. 

  227.             if (expiryDateTimeUtc < DateTime.UtcNow)

  228.             {

  229.                 return new RefreshTokenResultDto

  230.                 {

  231.                     Data = new AuthenticateResponseDto

  232.                     {

  233.                         Id = userk.Id,

  234.                         FirstName = userk.FirstName,

  235.                         LastName = userk.LastName,

  236.                         Username = userk.UserName,

  237.                         Token = model.Token,

  238.                         RefreshToken = model.RefreshToken

  239.                     }

  240.                 };

  241.             }

  242. 

  243.             if (DateTime.UtcNow > storedRefreshToken.ExpiryDate)

  244.             {

  245.                 return new RefreshTokenResultDto { Error = "This refresh token has expired" };

  246.             }

  247. 

  248.             if (storedRefreshToken.Invalidated)

  249.             {

  250.                 return new RefreshTokenResultDto { Error = "This refresh token has been invalidated" };

  251.             }

  252. 

  253.             if (storedRefreshToken.JwtId != jti)

  254.             {

  255.                 return new RefreshTokenResultDto { Error = "This refresh token does not match this JWT" };

  256.             }

  257. 

  258.             storedRefreshToken.ExpiryDate = DateTime.UtcNow.AddMinutes(_authSettings.JwtRefreshExpiredTime);

  259. 

  260.             await _databaseContext.SaveChangesAsync();

  261. 

  262.             var user = await _userManager.FindByIdAsync(validatedToken.Claims.Single(x => x.Type == "id").Value);

  263. 

  264.             var token = await GenerateJwtToken(user);

  265. 

  266.             return new RefreshTokenResultDto

  267.             {

  268.                 Data = new AuthenticateResponseDto

  269.                 {

  270.                     Id = userk.Id,

  271.                     FirstName = userk.FirstName,

  272.                     LastName = userk.LastName,

  273.                     Username = userk.UserName,

  274.                     Token = model.Token,

  275.                     RefreshToken = model.RefreshToken

  276.                 }

  277.             };

  278.         }

  279. 

  280.         public async Task<ServiceResponseDTO<string>> DeleteRefreshToken(int userId)

  281.         {

  282.             var refreshToken = await _databaseContext.RefreshTokens.Where(r => r.UserId == userId).FirstOrDefaultAsync();

  283. 

  284.             if (refreshToken is null)

  285.                 return new ServiceResponseDTO<string>

  286.                 {

  287.                     IsError = true,

  288.                     ErrorMessage = "There is no refresh token for user"

  289.                 };

  290. 

  291.             _databaseContext.RefreshTokens.Remove(refreshToken);

  292. 

  293.             var result = await _databaseContext.SaveChangesAsync() > 0;

  294. 

  295.             if (!result)

  296.                 return new ServiceResponseDTO<string>

  297.                 {

  298.                     IsError = true,

  299.                     ErrorMessage = "Problem with saving changes into database"

  300.                 };

  301. 

  302.             return new ServiceResponseDTO<string>

  303.             {

  304.                 Data = null

  305.             };

  306.         }

  307. 

  308.         private ClaimsPrincipal? GetPrincipalFromToken(string token, bool validateLifetime)

  309.         {

  310.             var tokenHandler = new JwtSecurityTokenHandler();

  311. 

  312.             var key = Encoding.ASCII.GetBytes(_authSettings.Secret);

  313.             var tokenValidationParameters = new TokenValidationParameters

  314.             {

  315.                 ValidateIssuerSigningKey = true,

  316.                 IssuerSigningKey = new SymmetricSecurityKey(key),

  317.                 ValidateIssuer = false,

  318.                 ValidateAudience = false,

  319.                 RequireExpirationTime = false,

  320.                 ValidateLifetime = validateLifetime,

  321.                 // set clockskew to zero so tokens expire exactly at token expiration time (instead of 5 minutes later)

  322.                 //ClockSkew = TimeSpan.Zero

  323.             };

  324. 

  325.             try

  326.             {

  327.                 var principal = tokenHandler.ValidateToken(token, tokenValidationParameters, out var validatedToken);

  328.                 if (!IsJwtWithValidSecurityAlgorithm(validatedToken))

  329.                 {

  330.                     return null;

  331.                 }

  332. 

  333.                 return principal;

  334.             }

  335.             catch (Exception)

  336.             {

  337.                 return null;

  338.             }

  339.         }

  340. 

  341.         private static bool IsJwtWithValidSecurityAlgorithm(SecurityToken validatedToken)

  342.         {

  343.             return (validatedToken is JwtSecurityToken jwtSecurityToken) &&

  344.                 jwtSecurityToken.Header.Alg.Equals(SecurityAlgorithms.HmacSha256,

  345.             StringComparison.InvariantCultureIgnoreCase);

  346.         }

  347. 

  348.         public async Task<RefreshToken?> GetRefreshTokenByUserId(int userId)

  349.         {

  350.             return await _databaseContext.RefreshTokens.Where(x => x.UserId == userId).FirstOrDefaultAsync();

  351.         }

  352. 

  353.         public async Task UpdateRefreshToken(RefreshToken refreshToken)

  354.         {

  355.             _databaseContext.RefreshTokens.Update(refreshToken);

  356. 

  357.             await _databaseContext.SaveChangesAsync();

  358.         }

  359. 

  360.         public async Task<ServiceResponseDTO<object>> GetForgotPasswordUrlAsync(string email)

  361.         {

  362.             var user = await _userManager.FindByEmailAsync(email);

  363.             if (user == null)

  364.             {

  365.                 return new ServiceResponseDTO<object>

  366.                 {

  367.                     IsError = true,

  368.                     ErrorMessage = "Email did not find."

  369.                 };

  370.             }

  371. 

  372.             var token = await _userManager.GeneratePasswordResetTokenAsync(user);

  373.             token = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(token));

  374. 

  375.             await _emailer.SendEmailAndWriteToDbAsync(email, "Reset password", HTMLHelper.RenderForgotPasswordPage($"{_frontEndSettings.BaseUrl}/reset-password?token={token}&email={email}"), isHtml: true);

  376. 

  377.             return new ServiceResponseDTO<object>

  378.             {

  379.                 Data = new { code = token, email = email }

  380.             };

  381.         }

  382. 

  383.         public async Task<ServiceResponseDTO<object>> PasswordResetAsync(string email, string code, string password)

  384.         {

  385.             var user = await _userManager.FindByEmailAsync(email);

  386.             if (user == null)

  387.             {

  388.                 return new ServiceResponseDTO<object>

  389.                 {

  390.                     IsError = true,

  391.                     ErrorMessage = "Email did not find."

  392.                 };

  393.             }

  394.             var passwordResetToken = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(code));

  395. 

  396.             IdentityResult resetResult = await _userManager.ResetPasswordAsync(user, passwordResetToken, password);

  397.             if (resetResult.Succeeded)

  398.             {

  399.                 return new ServiceResponseDTO<object> { Data = true };

  400.             }

  401. 

  402.             var errors = resetResult.Errors.Select(x => x.Description);

  403.             return new ServiceResponseDTO<object>

  404.             {

  405.                 IsError = true,

  406.                 ErrorMessage = errors.First()

  407.             };

  408.         }

  409.     }

  410. }