From d155e13399f68e2f8032664f29adf546f0775fef Mon Sep 17 00:00:00 2001
From: sbwalker
Date: Wed, 13 Sep 2023 10:02:11 -0400
Subject: [PATCH] fix #3253 - login needs to validate User.IsDeleted property
---
 Oqtane.Client/Modules/Admin/Login/Index.razor | 3 +-
 Oqtane.Server/Managers/UserManager.cs | 73 ++++++++++---------
 Oqtane.Server/Pages/Login.cshtml.cs | 16 +++-
 3 files changed, 54 insertions(+), 38 deletions(-)
diff --git a/Oqtane.Client/Modules/Admin/Login/Index.razor b/Oqtane.Client/Modules/Admin/Login/Index.razor
index 850072f1..4c1219d2 100644
--- a/Oqtane.Client/Modules/Admin/Login/Index.razor
+++ b/Oqtane.Client/Modules/Admin/Login/Index.razor
@@ -206,8 +206,7 @@
 if (hybrid)
 {
 // hybrid apps utilize an interactive login
- var authstateprovider = (IdentityAuthenticationStateProvider)ServiceProvider
- .GetService(typeof(IdentityAuthenticationStateProvider));
+ var authstateprovider = (IdentityAuthenticationStateProvider)ServiceProvider.GetService(typeof(IdentityAuthenticationStateProvider));
 authstateprovider.NotifyAuthenticationChanged();
 NavigationManager.NavigateTo(NavigateUrl(WebUtility.UrlDecode(_returnUrl), true));
 }
diff --git a/Oqtane.Server/Managers/UserManager.cs b/Oqtane.Server/Managers/UserManager.cs
index 07304679..28e5b751 100644
--- a/Oqtane.Server/Managers/UserManager.cs
+++ b/Oqtane.Server/Managers/UserManager.cs
@@ -257,45 +257,52 @@ namespace Oqtane.Managers
 var LastIPAddress = user.LastIPAddress ?? "";
 user = _users.GetUser(user.Username);
- if (user.TwoFactorRequired)
+ if (!user.IsDeleted)
 {
- var token = await _identityUserManager.GenerateTwoFactorTokenAsync(identityuser, "Email");
- user.TwoFactorCode = token;
- user.TwoFactorExpiry = DateTime.UtcNow.AddMinutes(10);
- _users.UpdateUser(user);
+ if (user.TwoFactorRequired)
+ {
+ var token = await _identityUserManager.GenerateTwoFactorTokenAsync(identityuser, "Email");
+ user.TwoFactorCode = token;
+ user.TwoFactorExpiry = DateTime.UtcNow.AddMinutes(10);
+ _users.UpdateUser(user);

- string body = "Dear " + user.DisplayName + ",\n\nYou requested a secure verification code to log in to your account. Please enter the secure verification code on the site:\n\n" + token +
- "\n\nPlease note that the code is only valid for 10 minutes so if you are unable to take action within that time period, you should initiate a new login on the site." +
- "\n\nThank You!";
- var notification = new Notification(user.SiteId, user, "User Verification Code", body);
- _notifications.AddNotification(notification);
+ string body = "Dear " + user.DisplayName + ",\n\nYou requested a secure verification code to log in to your account. Please enter the secure verification code on the site:\n\n" + token +
+ "\n\nPlease note that the code is only valid for 10 minutes so if you are unable to take action within that time period, you should initiate a new login on the site." +
+ "\n\nThank You!";
+ var notification = new Notification(user.SiteId, user, "User Verification Code", body);
+ _notifications.AddNotification(notification);

- _logger.Log(LogLevel.Information, this, LogFunction.Security, "User Verification Notification Sent For {Username}", user.Username);
- user.TwoFactorRequired = true;
+ _logger.Log(LogLevel.Information, this, LogFunction.Security, "User Verification Notification Sent For {Username}", user.Username);
+ user.TwoFactorRequired = true;
+ }
+ else
+ {
+ user = _users.GetUser(identityuser.UserName);
+ if (user != null)
+ {
+ if (identityuser.EmailConfirmed)
+ {
+ user.IsAuthenticated = true;
+ user.LastLoginOn = DateTime.UtcNow;
+ user.LastIPAddress = LastIPAddress;
+ _users.UpdateUser(user);
+ _logger.Log(LogLevel.Information, this, LogFunction.Security, "User Login Successful {Username}", user.Username);
+
+ if (setCookie)
+ {
+ await _identitySignInManager.SignInAsync(identityuser, isPersistent);
+ }
+ }
+ else
+ {
+ _logger.Log(LogLevel.Information, this, LogFunction.Security, "User Not Verified {Username}", user.Username);
+ }
+ }
+ }
 }
 else
 {
- user = _users.GetUser(identityuser.UserName);
- if (user != null)
- {
- if (identityuser.EmailConfirmed)
- {
- user.IsAuthenticated = true;
- user.LastLoginOn = DateTime.UtcNow;
- user.LastIPAddress = LastIPAddress;
- _users.UpdateUser(user);
- _logger.Log(LogLevel.Information, this, LogFunction.Security, "User Login Successful {Username}", user.Username);
-
- if (setCookie)
- {
- await _identitySignInManager.SignInAsync(identityuser, isPersistent);
- }
- }
- else
- {
- _logger.Log(LogLevel.Information, this, LogFunction.Security, "User Not Verified {Username}", user.Username);
- }
- }
+ _logger.Log(LogLevel.Information, this, LogFunction.Security, "User Login Failed - Account Deleted {Username}", user.Username);
 }
 }
 else
diff --git a/Oqtane.Server/Pages/Login.cshtml.cs b/Oqtane.Server/Pages/Login.cshtml.cs
index 7fa4bb87..faf1989c 100644
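Review bot: The new guard `if (!user.IsDeleted)` dereferences the result of `user = _users.GetUser(user.Username);` on the preceding line without a null check, while the moved block beneath it still re-fetches the same user and tests `if (user != null)` — a lookup miss now throws a NullReferenceException before either the two-factor or the deleted-account branch is reached. Fold the null test into the guard, `if (user != null && !user.IsDeleted)`, and log the failure from `identityuser.UserName` in the else branch, since `user.Username` would itself be null there; the redundant inner `user = _users.GetUser(identityuser.UserName);` can then be dropped. The deleted-account rejection also appears to sit after the password has already been accepted (the branch condition is above the hunk), so a soft-deleted account still exercises password verification, and the rejection is logged at Information level although it is a refused login — Warning seems the more appropriate level for that security event. The enclosing method starts before and continues after this hunk.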
--- a/Oqtane.Server/Pages/Login.cshtml.cs
+++ b/Oqtane.Server/Pages/Login.cshtml.cs
@@ -4,6 +4,9 @@ using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
+using Oqtane.Extensions;
+using Oqtane.Managers;
+using Oqtane.Shared;

 namespace Oqtane.Pages
 {
@@ -12,14 +15,16 @@ namespace Oqtane.Pages
 {
 private readonly UserManager _identityUserManager;
 private readonly SignInManager _identitySignInManager;
+ private readonly IUserManager _userManager;

- public LoginModel(UserManager identityUserManager, SignInManager identitySignInManager)
+ public LoginModel(UserManager identityUserManager, SignInManager identitySignInManager, IUserManager userManager)
 {
 _identityUserManager = identityUserManager;
 _identitySignInManager = identitySignInManager;
+ _userManager = userManager;
 }

- public async Task OnPostAsync(string username, string password, bool remember, string returnurl)
+ public async Task OnPostAsync(string username, string password, bool remember, string returnurl)
 {
 if (!User.Identity.IsAuthenticated && !string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password))
 {
@@ -30,7 +35,12 @@ namespace Oqtane.Pages
 var result = await _identitySignInManager.CheckPasswordSignInAsync(identityuser, password, true);
 if (result.Succeeded)
 {
- validuser = true;
+ var alias = HttpContext.GetAlias();
+ var user = _userManager.GetUser(identityuser.UserName, alias.SiteId);
+ if (user != null && !user.IsDeleted)
+ {
+ validuser = true;
+ }
 }
 }