Merge pull request #3922 from sbwalker/dev

add IdentityRevalidatingAuthenticationStateProvider

Oqtane.Server/Extensions/ClaimsPrincipalExtensions.cs

@@ -50,5 +50,25 @@ namespace Oqtane.Extensions
                 return "";
             }
         }
+
+        public static int TenantId(this ClaimsPrincipal claimsPrincipal)
+        {
+            var sitekey = SiteKey(claimsPrincipal);
+            if (!string.IsNullOrEmpty(sitekey) && sitekey.Contains(":"))
+            {
+                return int.Parse(sitekey.Split(':')[0]);
+            }
+            return -1;
+        }
+
+        public static int SiteId(this ClaimsPrincipal claimsPrincipal)
+        {
+            var sitekey = SiteKey(claimsPrincipal);
+            if (!string.IsNullOrEmpty(sitekey) && sitekey.Contains(":"))
+            {
+                return int.Parse(sitekey.Split(':')[1]);
+            }
+            return -1;
+        }
     }
 }

Oqtane.Server/Providers/IdentityRevalidatingAuthenticationStateProvider.cs

@@ -0,0 +1,53 @@
+using Microsoft.AspNetCore.Components.Authorization;
+using Microsoft.AspNetCore.Components.Server;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using System.Threading;
+using System;
+using Oqtane.Infrastructure;
+using Oqtane.Extensions;
+
+namespace Oqtane.Providers
+{
+    internal sealed class IdentityRevalidatingAuthenticationStateProvider(
+             ILoggerFactory loggerFactory,
+             IServiceScopeFactory scopeFactory,
+             IOptions<IdentityOptions> options)
+         : RevalidatingServerAuthenticationStateProvider(loggerFactory)
+    {
+        protected override TimeSpan RevalidationInterval => TimeSpan.FromSeconds(20);
+
+        protected override async Task<bool> ValidateAuthenticationStateAsync(AuthenticationState authenticationState, CancellationToken cancellationToken)
+        {
+            await using var scope = scopeFactory.CreateAsyncScope();
+            var tenantManager = scope.ServiceProvider.GetRequiredService<ITenantManager>();
+            tenantManager.SetTenant(authenticationState.User.TenantId());
+            var userManager = scope.ServiceProvider.GetRequiredService<UserManager<IdentityUser>>();
+            return await ValidateSecurityStampAsync(userManager, authenticationState.User);
+        }
+
+        private async Task<bool> ValidateSecurityStampAsync(UserManager<IdentityUser> userManager, ClaimsPrincipal principal)
+        {
+            var user = await userManager.FindByNameAsync(principal.Identity.Name);
+            if (user is null)
+            {
+                return false;
+            }
+            else if (!userManager.SupportsUserSecurityStamp)
+            {
+                return true;
+            }
+            else
+            {
+                var principalStamp = principal.FindFirstValue(options.Value.ClaimsIdentity.SecurityStampClaimType);
+                var userStamp = await userManager.GetSecurityStampAsync(user);
+                //return principalStamp == userStamp; // security stamps need to be persisted in principal - they are stored in AspNetUsers
+                return true; 
+            }
+        }
+    }
+}

Oqtane.Server/Startup.cs

@@ -20,6 +20,8 @@ using Microsoft.Extensions.Logging;
 using Oqtane.Components;
 using Oqtane.UI;
 using OqtaneSSR.Extensions;
+using Microsoft.AspNetCore.Components.Authorization;
+using Oqtane.Providers;
 
 namespace Oqtane
 {
@@ -108,6 +110,7 @@ namespace Oqtane
             services.ConfigureOqtaneIdentityOptions(Configuration);
 
             services.AddCascadingAuthenticationState();
+            services.AddScoped<AuthenticationStateProvider, IdentityRevalidatingAuthenticationStateProvider>();
             services.AddAuthorization();
 
             services.AddAuthentication(options =>