| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449 |
- using Diligent.WebAPI.Business.Services.Interfaces;
- using Diligent.WebAPI.Data.Entities;
- using Microsoft.AspNetCore.Mvc;
- using Microsoft.AspNetCore.WebUtilities;
- using Microsoft.Extensions.Logging;
- using Newtonsoft.Json;
- using System;
- using System.Net;
- using System.Security.Policy;
-
- namespace Diligent.WebAPI.Business.Services
- {
-
- public class UserService : IUserService
- {
- private readonly AuthorizationSettings _authSettings;
- private readonly UserManager<User> _userManager;
- private readonly IMapper _mapper;
- private readonly DatabaseContext _databaseContext;
- private readonly IEmailer _emailer;
- private readonly ILogger<UserService> _logger;
- private const string GoogleApiTokenInfoUrl = "https://www.googleapis.com/oauth2/v3/tokeninfo?id_token={0}";
- private string[] SupportedClientsIds = { "" };
-
- public UserService(IOptions<AuthorizationSettings> authSettings, UserManager<User> userManager, IMapper mapper, DatabaseContext databaseContext, IEmailer emailer, ILogger<UserService> logger)
- {
- _authSettings = authSettings.Value;
- _userManager = userManager;
- _mapper = mapper;
- _databaseContext = databaseContext;
- _emailer = emailer;
- _logger = logger;
- }
-
- public async Task<IEnumerable<User?>> GetAll() =>
- await _userManager.Users.ToListAsync();
-
- public async Task<User?> GetById(int id) =>
- await _userManager.FindByIdAsync(id.ToString());
-
- public async Task CreateUser(CreateUserRequestDto model)
- {
- var user = _mapper.Map<User>(model);
-
- await _userManager.CreateAsync(user, model.Password);
- }
-
- private bool IsTokenValid(string providerToken)
- {
- var httpClient = new HttpClient();
- var requestUri = new Uri(string.Format(GoogleApiTokenInfoUrl, providerToken));
-
- HttpResponseMessage httpResponseMessage;
- try
- {
- httpResponseMessage = httpClient.GetAsync(requestUri).Result;
- }
- catch (Exception ex)
- {
- return false;
- }
-
- if (httpResponseMessage.StatusCode != HttpStatusCode.OK)
- {
- return false;
- }
-
- var response = httpResponseMessage.Content.ReadAsStringAsync().Result;
- var googleApiTokenInfo = JsonConvert.DeserializeObject<GoogleApiTokenInfo>(response);
-
- //if (!SupportedClientsIds.Contains(googleApiTokenInfo.aud))
- if(googleApiTokenInfo.aud != _authSettings.GoogleClientId)
- {
- return false;
- }
-
- return true;
- }
-
- public async Task<ServiceResponseDTO<AuthenticateResponseDto>> Authenticate(AuthenticateRequestDto model)
- {
- var user = await _userManager.FindByNameAsync(model.Username);
-
- // return null if user not found
- if (user == null)
- {
- return new ServiceResponseDTO<AuthenticateResponseDto>
- {
- IsError = true,
- ErrorMessage = "Username is not valid"
- };
- }
-
- var result = await _userManager.CheckPasswordAsync(user, model.Password);
-
- // password is not correct
- if (!result)
- {
- await _userManager.AccessFailedAsync(user);
-
- return new ServiceResponseDTO<AuthenticateResponseDto>
- {
- IsError = true,
- ErrorMessage = "Password is not correct"
- };
- }
-
- return await GenerateToken(user);
- }
-
- public async Task<ServiceResponseDTO<AuthenticateResponseDto>> Authenticate(GoogleApiModel model)
- {
-
- if (!IsTokenValid(model.Token))
- {
- return new ServiceResponseDTO<AuthenticateResponseDto>
- {
- IsError = true,
- ErrorMessage = "Invalid Google Api Token"
- };
- }
- var user = await _userManager.FindByEmailAsync(model.User.email);
-
- // return null if user not found
- if (user == null)
- {
- return new ServiceResponseDTO<AuthenticateResponseDto>
- {
- IsError = true,
- ErrorMessage = $"User with email {model.User.email} does not exist in database"
- };
- }
-
- return await GenerateToken(user);
- }
-
- private async Task<ServiceResponseDTO<AuthenticateResponseDto>> GenerateToken(User user)
- {
- var isLocked = await _userManager.IsLockedOutAsync(user);
-
- if (isLocked)
- return new ServiceResponseDTO<AuthenticateResponseDto>
- {
- IsError = true,
- ErrorMessage = "The account is locked out"
- };
-
-
-
- // authentication successful so generate jwt token
- var token = await GenerateJwtToken(user, true);
-
- var data = new AuthenticateResponseDto
- {
- Id = user.Id,
- Username = user.UserName,
- FirstName = user.FirstName,
- LastName = user.LastName,
- Token = token,
- RefreshToken = token
- };
-
- return new ServiceResponseDTO<AuthenticateResponseDto>
- {
- Data = data
- };
- }
-
- private async Task<string> GenerateJwtToken(User user, bool authenticate = false)
- {
- // generate token that is valid for 7 days
- var tokenHandler = new JwtSecurityTokenHandler();
- var key = Encoding.ASCII.GetBytes(_authSettings.Secret);
- var tokenDescriptor = new SecurityTokenDescriptor
- {
- Subject = new ClaimsIdentity(new[] {
- new Claim(JwtRegisteredClaimNames.Jti, user.Id.ToString()),
- new Claim("id", user.Id.ToString())
- }),
- Expires = DateTime.UtcNow.AddMinutes(_authSettings.JwtExpiredTime),
- SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
- };
- var token = tokenHandler.CreateToken(tokenDescriptor);
-
- var writedToken = tokenHandler.WriteToken(token);
-
- var refreshToken = new RefreshToken
- {
- Token = writedToken,
- JwtId = user.Id.ToString(),
- UserId = user.Id,
- User = user,
- CreationDate = DateTime.UtcNow,
- ExpiryDate = DateTime.UtcNow.AddMinutes(_authSettings.JwtRefreshExpiredTime)
- };
-
- var existRefreshToken = await _databaseContext.RefreshTokens.Where(x => x.UserId == user.Id).FirstOrDefaultAsync();
-
- if (existRefreshToken != null)
- {
- existRefreshToken.Token = writedToken;
- existRefreshToken.JwtId = token.Id;
- existRefreshToken.CreationDate = DateTime.UtcNow;
- existRefreshToken.ExpiryDate = DateTime.UtcNow.AddMinutes(_authSettings.JwtRefreshExpiredTime);
-
- if (authenticate)
- {
- existRefreshToken.Used = false;
- existRefreshToken.Invalidated = false;
- }
-
- _databaseContext.RefreshTokens.Update(existRefreshToken);
- await UpdateRefreshToken(existRefreshToken);
- }
- else
- {
- await _databaseContext.RefreshTokens.AddAsync(refreshToken);
- }
-
- await _databaseContext.SaveChangesAsync();
-
- return writedToken;
- }
-
- public async Task<RefreshTokenResultDto> RefreshTokenAsync(RefreshTokenRequestDto model)
- {
- var validatedToken = GetPrincipalFromToken(model.Token);
-
- if (validatedToken == null)
- {
- return new RefreshTokenResultDto { Error = "Invalid token" };
- }
-
- var jti = validatedToken.Claims.Single(x => x.Type == JwtRegisteredClaimNames.Jti).Value;
-
- var storedRefreshToken = await _databaseContext.RefreshTokens.SingleOrDefaultAsync(x => x.JwtId == jti);
-
- if (storedRefreshToken == null)
- {
- return new RefreshTokenResultDto { Error = "This refresh token does not exist" };
- }
-
- var userk = await _databaseContext.Users.Where(u => u.Id == storedRefreshToken.UserId).FirstOrDefaultAsync();
-
- if (userk == null)
- {
- return new RefreshTokenResultDto { Error = "There is no user which is associated with refresh token" };
- }
-
- var expiryDateUnix = long.Parse(validatedToken.Claims.Single(x => x.Type == JwtRegisteredClaimNames.Exp).Value);
-
- var expiryDateTimeUtc = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)
- .AddMinutes(expiryDateUnix);
-
- if (expiryDateTimeUtc < DateTime.UtcNow)
- {
- return new RefreshTokenResultDto
- {
- Data = new AuthenticateResponseDto
- {
- Id = userk.Id,
- FirstName = userk.FirstName,
- LastName = userk.LastName,
- Username = userk.UserName,
- Token = model.Token,
- RefreshToken = model.RefreshToken
- }
- };
- }
-
- if (DateTime.UtcNow > storedRefreshToken.ExpiryDate)
- {
- return new RefreshTokenResultDto { Error = "This refresh token has expired" };
- }
-
- if (storedRefreshToken.Invalidated)
- {
- return new RefreshTokenResultDto { Error = "This refresh token has been invalidated" };
- }
-
- if (storedRefreshToken.JwtId != jti)
- {
- return new RefreshTokenResultDto { Error = "This refresh token does not match this JWT" };
- }
-
- storedRefreshToken.ExpiryDate = DateTime.UtcNow.AddMinutes(_authSettings.JwtRefreshExpiredTime);
-
- await _databaseContext.SaveChangesAsync();
-
- var user = await _userManager.FindByIdAsync(validatedToken.Claims.Single(x => x.Type == "id").Value);
-
- var token = await GenerateJwtToken(user);
-
- return new RefreshTokenResultDto
- {
- Data = new AuthenticateResponseDto
- {
- Id = userk.Id,
- FirstName = userk.FirstName,
- LastName = userk.LastName,
- Username = userk.UserName,
- Token = model.Token,
- RefreshToken = model.RefreshToken
- }
- };
- }
-
- public async Task<ServiceResponseDTO<string>> DeleteRefreshToken(int userId)
- {
- var refreshToken = await _databaseContext.RefreshTokens.Where(r => r.UserId == userId).FirstOrDefaultAsync();
-
- if (refreshToken is null)
- return new ServiceResponseDTO<string>
- {
- IsError = true,
- ErrorMessage = "There is no refresh token for user"
- };
-
- _databaseContext.RefreshTokens.Remove(refreshToken);
-
- var result = await _databaseContext.SaveChangesAsync() > 0;
-
- if (!result)
- return new ServiceResponseDTO<string>
- {
- IsError = true,
- ErrorMessage = "Problem with saving changes into database"
- };
-
- return new ServiceResponseDTO<string>
- {
- Data = null
- };
- }
-
- private ClaimsPrincipal? GetPrincipalFromToken(string token)
- {
- var tokenHandler = new JwtSecurityTokenHandler();
-
- var key = Encoding.ASCII.GetBytes(_authSettings.Secret);
- var tokenValidationParameters = new TokenValidationParameters
- {
- ValidateIssuerSigningKey = true,
- IssuerSigningKey = new SymmetricSecurityKey(key),
- ValidateIssuer = false,
- ValidateAudience = false,
- RequireExpirationTime = false,
- ValidateLifetime = true,
- // set clockskew to zero so tokens expire exactly at token expiration time (instead of 5 minutes later)
- //ClockSkew = TimeSpan.Zero
- };
-
- try
- {
- var principal = tokenHandler.ValidateToken(token, tokenValidationParameters, out var validatedToken);
- if (!IsJwtWithValidSecurityAlgorithm(validatedToken))
- {
- return null;
- }
-
- return principal;
- }
- catch (Exception)
- {
- return null;
- }
- }
-
- private static bool IsJwtWithValidSecurityAlgorithm(SecurityToken validatedToken)
- {
- return (validatedToken is JwtSecurityToken jwtSecurityToken) &&
- jwtSecurityToken.Header.Alg.Equals(SecurityAlgorithms.HmacSha256,
- StringComparison.InvariantCultureIgnoreCase);
- }
-
- public async Task<RefreshToken?> GetRefreshTokenByUserId(int userId)
- {
- return await _databaseContext.RefreshTokens.Where(x => x.UserId == userId).FirstOrDefaultAsync();
- }
-
- public async Task UpdateRefreshToken(RefreshToken refreshToken)
- {
- _databaseContext.RefreshTokens.Update(refreshToken);
-
- await _databaseContext.SaveChangesAsync();
- }
-
- public async Task<ServiceResponseDTO<object>> GetEmailConfirmationUrlAsync(string email)
- {
- var user = await _userManager.FindByEmailAsync(email);
- if (user == null)
- {
- return new ServiceResponseDTO<object>
- {
- IsError = true,
- ErrorMessage = "Email did not find."
- };
- }
-
- var token = await _userManager.GenerateEmailConfirmationTokenAsync(user);
-
- token = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(token));
-
- await _emailer.SendEmailAndWriteToDbAsync(email, "Reset password", $"<a href='http://localhost:3000/reset-password?token={token}&email={email}'>RESET PASSWORD LINK</a>", isHtml: true);
-
- user.PasswordResetToken = token;
- await _databaseContext.SaveChangesAsync();
- return new ServiceResponseDTO<object>
- {
- Data = new { code = token, email = email }
- };
- }
-
- public async Task<ServiceResponseDTO<object>> PasswordResetAsync(string email, string code, string password)
- {
- var user = await _userManager.FindByEmailAsync(email);
- if (user == null)
- {
- return new ServiceResponseDTO<object>
- {
- IsError = true,
- ErrorMessage = "Email did not find."
- };
- }
- // FOR SOME REASON USERMANAGER.RESETPASSWORDASYNC returns InvalidToken. In future change this
- //var passwordResetToken = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(code));
-
- //IdentityResult resetResult = await _userManager.ResetPasswordAsync(user, passwordResetToken, password);
- //if (resetResult.Succeeded)
- await _userManager.RemovePasswordAsync(user);
- await _userManager.AddPasswordAsync(user, password);
- if(user.PasswordResetToken == code)
- {
- if (await _userManager.IsLockedOutAsync(user))
- {
- await _userManager.SetLockoutEndDateAsync(user, DateTimeOffset.UtcNow);
- }
- return new ServiceResponseDTO<object> { Data = true };
- }
-
- //var errors = resetResult.Errors.Select(x => x.Description);
- return new ServiceResponseDTO<object>
- {
- IsError = true,
- ErrorMessage = "Invalid reset password token"
- };
- }
- }
- }
|
