fix #3253 - login needs to validate User.IsDeleted property

2023-09-13 10:02:11 -04:00 · 2023-09-13 10:02:11 -04:00 · d155e13399
commit d155e13399
parent 9267efce01
3 changed files with 54 additions and 38 deletions
--- a/Oqtane.Client/Modules/Admin/Login/Index.razor
+++ b/Oqtane.Client/Modules/Admin/Login/Index.razor
@ -206,8 +206,7 @@
                    if (hybrid)
                    {
                        // hybrid apps utilize an interactive login
-                        var authstateprovider = (IdentityAuthenticationStateProvider)ServiceProvider
-                            .GetService(typeof(IdentityAuthenticationStateProvider));
+                        var authstateprovider = (IdentityAuthenticationStateProvider)ServiceProvider.GetService(typeof(IdentityAuthenticationStateProvider));
                        authstateprovider.NotifyAuthenticationChanged();
                        NavigationManager.NavigateTo(NavigateUrl(WebUtility.UrlDecode(_returnUrl), true));
                    }
--- a/Oqtane.Server/Managers/UserManager.cs
+++ b/Oqtane.Server/Managers/UserManager.cs
@ -257,6 +257,8 @@ namespace Oqtane.Managers
                    var LastIPAddress = user.LastIPAddress ?? "";

                    user = _users.GetUser(user.Username);
+                    if (!user.IsDeleted)
+                    {
                        if (user.TwoFactorRequired)
                        {
                            var token = await _identityUserManager.GenerateTwoFactorTokenAsync(identityuser, "Email");
@ -299,6 +301,11 @@ namespace Oqtane.Managers
                        }
                    }
                    else
+                    {
+                        _logger.Log(LogLevel.Information, this, LogFunction.Security, "User Login Failed - Account Deleted {Username}", user.Username);
+                    }
+                }
+                else
                {
                    if (result.IsLockedOut)
                    {
--- a/Oqtane.Server/Pages/Login.cshtml.cs
+++ b/Oqtane.Server/Pages/Login.cshtml.cs
@ -4,6 +4,9 @@ using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
+using Oqtane.Extensions;
+using Oqtane.Managers;
+using Oqtane.Shared;

 namespace Oqtane.Pages
 {
@ -12,11 +15,13 @@ namespace Oqtane.Pages
    {
        private readonly UserManager<IdentityUser> _identityUserManager;
        private readonly SignInManager<IdentityUser> _identitySignInManager;
+        private readonly IUserManager _userManager;

-        public LoginModel(UserManager<IdentityUser> identityUserManager, SignInManager<IdentityUser> identitySignInManager)
+        public LoginModel(UserManager<IdentityUser> identityUserManager, SignInManager<IdentityUser> identitySignInManager, IUserManager userManager)
        {
            _identityUserManager = identityUserManager;
            _identitySignInManager = identitySignInManager;
+            _userManager = userManager;
        }

        public async Task<IActionResult> OnPostAsync(string username, string password, bool remember, string returnurl)
@ -29,10 +34,15 @@ namespace Oqtane.Pages
                {
                    var result = await _identitySignInManager.CheckPasswordSignInAsync(identityuser, password, true);
                    if (result.Succeeded)
+                    {
+                        var alias = HttpContext.GetAlias();
+                        var user = _userManager.GetUser(identityuser.UserName, alias.SiteId);
+                        if (user != null && !user.IsDeleted)
                        {
                            validuser = true;
                        }
                    }
+                }

                if (validuser)
                {