fire up events for identityserver validation scheme

2024-11-25 12:45:18 +01:00 · 2017-01-16 22:02:12 -05:00 · 2017-01-16 22:02:12 -05:00 · d2b97bb3e8
commit d2b97bb3e8
parent 49f7857d2e
4 changed files with 50 additions and 16 deletions
--- a/src/Api/Controllers/AccountsController.cs
+++ b/src/Api/Controllers/AccountsController.cs
@ -9,7 +9,6 @@ using Microsoft.AspNetCore.Identity;
 using Bit.Core.Domains;
 using Bit.Core.Enums;
 using Bit.Core;
-using System.Security.Claims;
 using System.Linq;

 namespace Bit.Api.Controllers
@ -64,7 +63,6 @@ namespace Bit.Api.Controllers
        [HttpPost("email-token")]
        public async Task PostEmailToken([FromBody]EmailTokenRequestModel model)
        {
-            _currentContext.User = await _userService.GetUserByIdAsync(_userManager.GetUserId(User));
            if(!await _userManager.CheckPasswordAsync(_currentContext.User, model.MasterPasswordHash))
            {
                await Task.Delay(2000);
@ -152,9 +150,8 @@ namespace Bit.Api.Controllers
        }

        [HttpGet("profile")]
-        public async Task<ProfileResponseModel> GetProfile()
+        public ProfileResponseModel GetProfile()
        {
-            _currentContext.User = await _userService.GetUserByIdAsync(_userManager.GetUserId(User));
            var response = new ProfileResponseModel(_currentContext.User);
            return response;
        }
@ -170,17 +167,17 @@ namespace Bit.Api.Controllers
        }

        [HttpGet("revision-date")]
-        public async Task<long?> GetAccountRevisionDate()
+        public long? GetAccountRevisionDate()
        {
-            var userId = _userService.GetProperUserId(User);
-            long? revisionDate = null;
-            if(userId.HasValue)
-            {
-                var date = await _userService.GetAccountRevisionDateByIdAsync(userId.Value);
-                revisionDate = Core.Utilities.CoreHelpers.EpocMilliseconds(date);
-            }
+            //var userId = _userService.GetProperUserId(User);
+            //long? revisionDate = null;
+            //if(userId.HasValue)
+            //{
+            //    var date = await _userService.GetAccountRevisionDateByIdAsync(userId.Value);
+            //    revisionDate = Core.Utilities.CoreHelpers.EpocMilliseconds(date);
+            //}

-            return revisionDate;
+            return Core.Utilities.CoreHelpers.EpocMilliseconds(_currentContext.User.AccountRevisionDate);
        }

        [HttpGet("two-factor")]
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@ -25,7 +25,6 @@ using AspNetCoreRateLimit;
 using Bit.Api.Middleware;
 using IdentityServer4.Validation;
 using IdentityServer4.Services;
-using IdentityModel.AspNetCore.OAuth2Introspection;
 using IdentityServer4.Stores;
 using Bit.Core.Utilities;
 using Serilog;
@ -254,8 +253,15 @@ namespace Bit.Api
                Authority = env.IsProduction() ? "https://api.bitwarden.com" : "http://localhost:4000",
                RequireHttpsMetadata = env.IsProduction(),
                ApiName = "Vault API",
+                NameClaimType = ClaimTypes.Email,
+                // Version "2" until we retire the old jwt scheme and replace it with this one.
                AuthenticationScheme = "Bearer2",
-                TokenRetriever = TokenRetrieval.FromAuthorizationHeader("Bearer2")
+                TokenRetriever = TokenRetrieval.FromAuthorizationHeaderOrQueryString("Bearer2", "access_token2"),
+                JwtBearerEvents = new JwtBearerEvents
+                {
+                    OnTokenValidated = JwtBearerEventImplementations.ValidatedTokenAsync,
+                    OnAuthenticationFailed = JwtBearerEventImplementations.AuthenticationFailedAsync
+                }
            });

            // Add Jwt authentication to the request pipeline.
--- a/src/Core/Identity/JwtBearerEventImplementations.cs
+++ b/src/Core/Identity/JwtBearerEventImplementations.cs
@ -47,7 +47,8 @@ namespace Bit.Core.Identity
            if(!context.HttpContext.User.Identity.IsAuthenticated)
            {
                context.State = EventResultState.HandledResponse;
-                context.Ticket = new AuthenticationTicket(context.HttpContext.User, new AuthenticationProperties(), context.Options.AuthenticationScheme);
+                context.Ticket = new AuthenticationTicket(context.HttpContext.User, new AuthenticationProperties(), 
+                    context.Options.AuthenticationScheme);
            }

            return Task.FromResult(0);
--- a/src/Core/Identity/TokenRetrieval.cs
+++ b/src/Core/Identity/TokenRetrieval.cs
@ -0,0 +1,30 @@
+using Microsoft.AspNetCore.Http;
+using System;
+using System.Linq;
+
+namespace Bit.Core.Identity
+{
+    public static class TokenRetrieval
+    {
+        public static Func<HttpRequest, string> FromAuthorizationHeaderOrQueryString(string headerScheme = "Bearer",
+            string qsName = "account_token")
+        {
+            return (request) =>
+            {
+                string authorization = request.Headers["Authorization"].FirstOrDefault();
+
+                if(string.IsNullOrWhiteSpace(authorization))
+                {
+                    return request.Query[qsName].FirstOrDefault();
+                }
+
+                if(authorization.StartsWith(headerScheme + " ", StringComparison.OrdinalIgnoreCase))
+                {
+                    return authorization.Substring(headerScheme.Length + 1).Trim();
+                }
+
+                return null;
+            };
+        }
+    }
+}