87 lines
3.9 KiB
C#
87 lines
3.9 KiB
C#
// Copyright (c) .NET Foundation. All rights reserved.
|
|
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
|
|
|
|
using System;
|
|
using System.Security.Claims;
|
|
using System.Threading.Tasks;
|
|
using Microsoft.AspNet.Authentication.Cookies;
|
|
using Microsoft.AspNet.Builder;
|
|
using Microsoft.Extensions.DependencyInjection;
|
|
using Microsoft.Extensions.Options;
|
|
|
|
namespace Microsoft.AspNet.Identity
|
|
{
|
|
/// <summary>
|
|
/// Provides default implementation of validation functions for security stamps.
|
|
/// </summary>
|
|
/// <typeparam name="TUser">The type encapsulating a user.</typeparam>
|
|
public class SecurityStampValidator<TUser> : ISecurityStampValidator where TUser : class
|
|
{
|
|
/// <summary>
|
|
/// Validates a security stamp of an identity as an asynchronous operation, and rebuilds the identity if the validation succeeds, otherwise rejects
|
|
/// the identity.
|
|
/// </summary>
|
|
/// <param name="context">The context containing the <see cref="ClaimsPrincipal"/>and <see cref="AuthenticationProperties"/> to validate.</param>
|
|
/// <returns>The <see cref="Task"/> that represents the asynchronous validation operation.</returns>
|
|
public virtual async Task ValidateAsync(CookieValidatePrincipalContext context)
|
|
{
|
|
var manager = context.HttpContext.RequestServices.GetRequiredService<SignInManager<TUser>>();
|
|
var userId = context.Principal.GetUserId();
|
|
var user = await manager.ValidateSecurityStampAsync(context.Principal, userId);
|
|
if (user != null)
|
|
{
|
|
// REVIEW: note we lost login authenticaiton method
|
|
context.ReplacePrincipal(await manager.CreateUserPrincipalAsync(user));
|
|
context.ShouldRenew = true;
|
|
}
|
|
else
|
|
{
|
|
context.RejectPrincipal();
|
|
await manager.SignOutAsync();
|
|
}
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Static helper class used to configure a CookieAuthenticationNotifications to validate a cookie against a user's security
|
|
/// stamp.
|
|
/// </summary>
|
|
public static class SecurityStampValidator
|
|
{
|
|
/// <summary>
|
|
/// Validates a principal against a user's stored security stamp.
|
|
/// the identity.
|
|
/// </summary>
|
|
/// <param name="context">The context containing the <see cref="ClaimsPrincipal"/>and <see cref="AuthenticationProperties"/> to validate.</param>
|
|
/// <returns>The <see cref="Task"/> that represents the asynchronous validation operation.</returns>
|
|
public static Task ValidatePrincipalAsync(CookieValidatePrincipalContext context)
|
|
{
|
|
var currentUtc = DateTimeOffset.UtcNow;
|
|
if (context.Options != null && context.Options.SystemClock != null)
|
|
{
|
|
currentUtc = context.Options.SystemClock.UtcNow;
|
|
}
|
|
var issuedUtc = context.Properties.IssuedUtc;
|
|
|
|
if (context.HttpContext.RequestServices == null)
|
|
{
|
|
throw new InvalidOperationException("TODO: RequestServices is null, missing Use[Request]Services?");
|
|
}
|
|
|
|
// Only validate if enough time has elapsed
|
|
var validate = (issuedUtc == null);
|
|
if (issuedUtc != null)
|
|
{
|
|
var timeElapsed = currentUtc.Subtract(issuedUtc.Value);
|
|
var accessor = context.HttpContext.RequestServices.GetRequiredService<IOptions<IdentityOptions>>();
|
|
validate = timeElapsed > accessor.Value.SecurityStampValidationInterval;
|
|
}
|
|
if (validate)
|
|
{
|
|
var validator = context.HttpContext.RequestServices.GetRequiredService<ISecurityStampValidator>();
|
|
return validator.ValidateAsync(context);
|
|
}
|
|
return Task.FromResult(0);
|
|
}
|
|
}
|
|
} |