completed antiforgery implementation, improved external login claim mapping, principal construction, and user experience

2022-04-22 17:54:20 -04:00
parent 391713b84d
commit e4c648ee92
38 changed files with 645 additions and 525 deletions
--- a/Oqtane.Server/Pages/External.cshtml.cs
+++ b/Oqtane.Server/Pages/External.cshtml.cs
@ -1,11 +1,14 @@
 using System.Net;
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using Oqtane.Extensions;

 namespace Oqtane.Pages
 {
+    [AllowAnonymous]
+    [IgnoreAntiforgeryToken]
    public class ExternalModel : PageModel
    {
        public IActionResult OnGetAsync(string returnurl)
@ -16,7 +19,7 @@ namespace Oqtane.Pages
            var providertype = HttpContext.GetSiteSettings().GetValue("ExternalLogin:ProviderType", "");
            if (providertype != "")
            {
-                    return new ChallengeResult(providertype, new AuthenticationProperties { RedirectUri = returnurl });
+                    return new ChallengeResult(providertype, new AuthenticationProperties { RedirectUri = returnurl + (returnurl.Contains("?") ? "&" : "?") + "reload=post" });
            }
            else
            {
@ -24,5 +27,22 @@ namespace Oqtane.Pages
                return new EmptyResult();
            }
        }
+
+        public IActionResult OnPostAsync(string returnurl)
+        {
+            if (returnurl == null)
+            {
+                returnurl = "";
+            }
+            if (!returnurl.StartsWith("/"))
+            {
+                returnurl = "/" + returnurl;
+            }
+
+            // remove reload parameter
+            returnurl = returnurl.ReplaceMultiple(new string[] { "?reload=post", "&reload=post" }, "");
+
+            return LocalRedirect(Url.Content("~" + returnurl));
+        }
    }
 }
--- a/Oqtane.Server/Pages/Login.cshtml.cs
+++ b/Oqtane.Server/Pages/Login.cshtml.cs
@ -18,9 +18,9 @@ namespace Oqtane.Pages
            _identitySignInManager = identitySignInManager;
        }

-        public async Task<IActionResult> OnPostAsync(string username, string password, bool remember, string returnurl)
+         public async Task<IActionResult> OnPostAsync(string username, string password, bool remember, string returnurl)
        {
-            if (!string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password))
+            if (!User.Identity.IsAuthenticated && !string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password))
            {
                bool validuser = false;
                IdentityUser identityuser = await _identityUserManager.FindByNameAsync(username);
--- a/Oqtane.Server/Pages/Logout.cshtml.cs
+++ b/Oqtane.Server/Pages/Logout.cshtml.cs
@ -1,11 +1,8 @@
-using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
-using Oqtane.Extensions;
 using Oqtane.Shared;

 namespace Oqtane.Pages
@ -13,7 +10,7 @@ namespace Oqtane.Pages
    [Authorize]
    public class LogoutModel : PageModel
    {
-        public async Task<IActionResult> OnGetAsync(string returnurl)
+        public async Task<IActionResult> OnPostAsync(string returnurl)
        {
            await HttpContext.SignOutAsync(Constants.AuthenticationScheme);