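using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Rendering;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using UnicornStore.Models;

namespace UnicornStore.Controllers
{
    /// <summary>
    /// Account flows for the store: local and external sign-in, registration,
    /// e-mail confirmation, password reset, two-factor code delivery and sign-out.
    /// Every action requires an authenticated user unless it is explicitly
    /// marked <c>[AllowAnonymous]</c>.
    /// </summary>
    [Authorize]
    public class AccountController : Controller
    {
        private readonly ILogger _logger;

        /// <summary>Wires the Identity managers and the logger supplied by DI.</summary>
        /// <param name="userManager">Identity user store facade.</param>
        /// <param name="signInManager">Identity sign-in facade.</param>
        /// <param name="logger">Logger for this controller.</param>
        public AccountController(
            UserManager<ApplicationUser> userManager,
            SignInManager<ApplicationUser> signInManager,
            ILogger<AccountController> logger)
        {
            UserManager = userManager;
            SignInManager = signInManager;
            _logger = logger;
        }

        /// <summary>Identity user manager injected at construction.</summary>
        public UserManager<ApplicationUser> UserManager { get; }

        /// <summary>Identity sign-in manager injected at construction.</summary>
        public SignInManager<ApplicationUser> SignInManager { get; }

        /// <summary>GET: /Account/Login — renders the login form.</summary>
        /// <param name="returnUrl">Where to go after a successful login; only local URLs are honoured by <see cref="RedirectToLocal"/>.</param>
        [AllowAnonymous]
        public IActionResult Login(string returnUrl = null)
        {
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }

        /// <summary>POST: /Account/Login — validates the credentials and signs the user in.</summary>
        /// <param name="model">Posted e-mail, password and remember-me flag.</param>
        /// <param name="returnUrl">Post-login destination, validated by <see cref="RedirectToLocal"/>.</param>
        /// <returns>A local redirect on success, the two-factor flow when required, the lockout page, or the form with errors.</returns>
        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public async Task<IActionResult> Login(LoginViewModel model, string returnUrl = null)
        {
            if (!ModelState.IsValid)
            {
                return View(model);
            }

            // lockoutOnFailure: false means wrong passwords do NOT count towards account lockout,
            // so only the two-factor step below is protected against online guessing.
            // Switch to lockoutOnFailure: true to make password failures trigger lockout.
            var result = await SignInManager.PasswordSignInAsync(
                model.Email, model.Password, model.RememberMe, lockoutOnFailure: false);

            if (result.Succeeded)
            {
                _logger.LogInformation("Logged in {userName}.", model.Email);
                return RedirectToLocal(returnUrl);
            }

            if (result.RequiresTwoFactor)
            {
                return RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = model.RememberMe });
            }

            if (result.IsLockedOut)
            {
                return View("Lockout");
            }

            // Same generic message for unknown user and wrong password: do not reveal which one failed.
            _logger.LogWarning("Failed to log in {userName}.", model.Email);
            ModelState.AddModelError("", "Invalid login attempt.");
            return View(model);
        }

        /// <summary>GET: /Account/VerifyCode — renders the two-factor code entry form.</summary>
        /// <param name="provider">Two-factor provider chosen on the SendCode page.</param>
        /// <param name="rememberMe">Persist the resulting sign-in cookie.</param>
        /// <param name="returnUrl">Destination after the code is accepted.</param>
        [AllowAnonymous]
        public async Task<IActionResult> VerifyCode(string provider, bool rememberMe, string returnUrl = null)
        {
            // Only reachable for a user who has passed the first factor in this session.
            var user = await SignInManager.GetTwoFactorAuthenticationUserAsync();
            if (user == null)
            {
                return View("Error");
            }

#if DEMO
            // Remove before production: the freshly generated 2FA code is shown in the page
            // itself, which defeats the second factor. DEMO builds only.
            ViewBag.Code = await UserManager.GenerateTwoFactorTokenAsync(user, provider);
#endif

            return View(new VerifyCodeViewModel { Provider = provider, ReturnUrl = returnUrl, RememberMe = rememberMe });
        }

        /// <summary>POST: /Account/VerifyCode — completes sign-in with the submitted two-factor code.</summary>
        /// <param name="model">Provider, code, remember-me and remember-browser flags.</param>
        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public async Task<IActionResult> VerifyCode(VerifyCodeViewModel model)
        {
            if (!ModelState.IsValid)
            {
                return View(model);
            }

            // Brute-force protection for the two-factor code: repeated wrong codes lock the
            // account out for the period configured in the Identity lockout options.
            var result = await SignInManager.TwoFactorSignInAsync(
                model.Provider, model.Code, model.RememberMe, model.RememberBrowser);

            if (result.Succeeded)
            {
                return RedirectToLocal(model.ReturnUrl);
            }

            if (result.IsLockedOut)
            {
                return View("Lockout");
            }

            ModelState.AddModelError("", "Invalid code.");
            return View(model);
        }

        /// <summary>GET: /Account/Register — renders the registration form.</summary>
        [AllowAnonymous]
        public IActionResult Register()
        {
            return View();
        }

        /// <summary>
        /// POST: /Account/Register — creates a local account and sends the e-mail
        /// confirmation link. The user is not signed in until the e-mail is confirmed.
        /// </summary>
        /// <param name="model">Posted e-mail and password.</param>
        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public async Task<IActionResult> Register(RegisterViewModel model)
        {
            if (ModelState.IsValid)
            {
                var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
                var result = await UserManager.CreateAsync(user, model.Password);
                if (result.Succeeded)
                {
                    _logger.LogInformation("User {userName} was created.", model.Email);

                    // Bug: Remember browser option missing?
                    // Uncomment this and comment the later part if account verification is not needed.
                    //await SignInManager.SignInAsync(user, isPersistent: false);

                    // For more information on how to enable account confirmation and password reset
                    // please visit http://go.microsoft.com/fwlink/?LinkID=320771
                    // Send an email with this link. The scheme comes from the current request so the
                    // confirmation link is https whenever the site is served over https.
                    string code = await UserManager.GenerateEmailConfirmationTokenAsync(user);
                    var callbackUrl = Url.Action("ConfirmEmail", "Account",
                        new { userId = user.Id, code = code }, protocol: HttpContext.Request.Scheme);
                    await MessageServices.SendEmailAsync(model.Email, "Confirm your account",
                        "Please confirm your account by clicking this link: " + callbackUrl);
#if !DEMO
                    return RedirectToAction("Index", "Home");
#else
                    // To display the email link in a friendly page instead of sending email
                    ViewBag.Link = callbackUrl;
                    return View("DemoLinkDisplay");
#endif
                }

                AddErrors(result);
            }

            // If we got this far, something failed, redisplay form
            return View(model);
        }

        /// <summary>GET: /Account/ConfirmEmail — consumes the confirmation token from the e-mail link.</summary>
        /// <param name="userId">Id of the user being confirmed.</param>
        /// <param name="code">Confirmation token generated at registration.</param>
        [AllowAnonymous]
        public async Task<IActionResult> ConfirmEmail(string userId, string code)
        {
            if (userId == null || code == null)
            {
                return View("Error");
            }

            var user = await UserManager.FindByIdAsync(userId);
            if (user == null)
            {
                return View("Error");
            }

            var result = await UserManager.ConfirmEmailAsync(user, code);
            return View(result.Succeeded ? "ConfirmEmail" : "Error");
        }

        /// <summary>GET: /Account/ForgotPassword — renders the forgot-password form.</summary>
        [AllowAnonymous]
        public ActionResult ForgotPassword()
        {
            return View();
        }

        /// <summary>
        /// POST: /Account/ForgotPassword — e-mails a password reset link. Unknown or
        /// unconfirmed addresses get the same confirmation page as known ones so the
        /// endpoint cannot be used to enumerate accounts.
        /// </summary>
        /// <param name="model">Posted e-mail address.</param>
        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public async Task<IActionResult> ForgotPassword(ForgotPasswordViewModel model)
        {
            if (ModelState.IsValid)
            {
                var user = await UserManager.FindByNameAsync(model.Email);
                if (user == null || !(await UserManager.IsEmailConfirmedAsync(user)))
                {
                    // Don't reveal that the user does not exist or is not confirmed
                    return View("ForgotPasswordConfirmation");
                }

                // For more information on how to enable account confirmation and password reset
                // please visit http://go.microsoft.com/fwlink/?LinkID=320771
                // Send an email with this link
                string code = await UserManager.GeneratePasswordResetTokenAsync(user);
                var callbackUrl = Url.Action("ResetPassword", "Account",
                    new { code = code }, protocol: HttpContext.Request.Scheme);
                await MessageServices.SendEmailAsync(model.Email, "Reset Password",
                    "Please reset your password by clicking here: " + callbackUrl);
#if !DEMO
                return RedirectToAction("ForgotPasswordConfirmation");
#else
                // To display the email link in a friendly page instead of sending email
                ViewBag.Link = callbackUrl;
                return View("DemoLinkDisplay");
#endif
            }

            // Only reached when model validation failed; the message text is kept as-is.
            ModelState.AddModelError("", string.Format("We could not locate an account with email : {0}", model.Email));

            // If we got this far, something failed, redisplay form
            return View(model);
        }

        /// <summary>GET: /Account/ForgotPasswordConfirmation — static confirmation page.</summary>
        [AllowAnonymous]
        public ActionResult ForgotPasswordConfirmation()
        {
            return View();
        }

        /// <summary>GET: /Account/ResetPassword — renders the reset form carrying the token from the e-mail link.</summary>
        /// <param name="code">Password reset token; a missing token shows the error page.</param>
        [AllowAnonymous]
        public ActionResult ResetPassword(string code)
        {
            // TODO: Fix this?
            if (code == null)
            {
                return View("Error");
            }

            var resetPasswordViewModel = new ResetPasswordViewModel() { Code = code };
            return View(resetPasswordViewModel);
        }

        /// <summary>
        /// POST: /Account/ResetPassword — applies the new password. An unknown e-mail is
        /// redirected to the same confirmation page as a successful reset.
        /// </summary>
        /// <param name="model">E-mail, reset token and new password.</param>
        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public async Task<IActionResult> ResetPassword(ResetPasswordViewModel model)
        {
            if (!ModelState.IsValid)
            {
                return View(model);
            }

            var user = await UserManager.FindByNameAsync(model.Email);
            if (user == null)
            {
                // Don't reveal that the user does not exist
                return RedirectToAction("ResetPasswordConfirmation", "Account");
            }

            var result = await UserManager.ResetPasswordAsync(user, model.Code, model.Password);
            if (result.Succeeded)
            {
                return RedirectToAction("ResetPasswordConfirmation", "Account");
            }

            AddErrors(result);
            // Re-render with the model so the reset token survives the round trip;
            // a model-less View() here would drop the code the form needs to resubmit.
            return View(model);
        }

        /// <summary>GET: /Account/ResetPasswordConfirmation — static confirmation page.</summary>
        [AllowAnonymous]
        public ActionResult ResetPasswordConfirmation()
        {
            return View();
        }

        /// <summary>POST: /Account/ExternalLogin — challenges the chosen external provider.</summary>
        /// <param name="provider">Authentication scheme name of the external provider.</param>
        /// <param name="returnUrl">Destination after the external round trip.</param>
        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public ActionResult ExternalLogin(string provider, string returnUrl = null)
        {
            // Request a redirect to the external login provider
            var redirectUrl = Url.Action("ExternalLoginCallback", "Account", new { ReturnUrl = returnUrl });
            var properties = SignInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
            return new ChallengeResult(provider, properties);
        }

        /// <summary>GET: /Account/SendCode — lets the user pick which two-factor provider to receive a code from.</summary>
        /// <param name="rememberMe">Persist the resulting sign-in cookie.</param>
        /// <param name="returnUrl">Destination after the code is accepted.</param>
        [AllowAnonymous]
        public async Task<IActionResult> SendCode(bool rememberMe, string returnUrl = null)
        {
            // TODO : Default rememberMe as well?
            var user = await SignInManager.GetTwoFactorAuthenticationUserAsync();
            if (user == null)
            {
                return View("Error");
            }

            var userFactors = await UserManager.GetValidTwoFactorProvidersAsync(user);
            var factorOptions = userFactors
                .Select(purpose => new SelectListItem { Text = purpose, Value = purpose })
                .ToList();

            return View(new SendCodeViewModel { Providers = factorOptions, ReturnUrl = returnUrl, RememberMe = rememberMe });
        }

        /// <summary>POST: /Account/SendCode — generates a two-factor code and sends it via the selected provider.</summary>
        /// <param name="model">Selected provider plus the flow's return URL and remember-me flag.</param>
        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public async Task<IActionResult> SendCode(SendCodeViewModel model)
        {
            if (!ModelState.IsValid)
            {
                return View();
            }

            var user = await SignInManager.GetTwoFactorAuthenticationUserAsync();
            if (user == null)
            {
                return View("Error");
            }

            // Generate the token and send it
            var code = await UserManager.GenerateTwoFactorTokenAsync(user, model.SelectedProvider);
            if (string.IsNullOrWhiteSpace(code))
            {
                return View("Error");
            }

            var message = "Your security code is: " + code;
            if (model.SelectedProvider == "Email")
            {
                await MessageServices.SendEmailAsync(await UserManager.GetEmailAsync(user), "Security Code", message);
            }
            else if (model.SelectedProvider == "Phone")
            {
                await MessageServices.SendSmsAsync(await UserManager.GetPhoneNumberAsync(user), message);
            }

            return RedirectToAction("VerifyCode",
                new { Provider = model.SelectedProvider, ReturnUrl = model.ReturnUrl, RememberMe = model.RememberMe });
        }

        /// <summary>
        /// GET: /Account/ExternalLoginCallback — return leg of the external challenge.
        /// Signs in an existing linked account, or asks a new user to confirm their e-mail.
        /// </summary>
        /// <param name="returnUrl">Destination after sign-in, validated by <see cref="RedirectToLocal"/>.</param>
        [AllowAnonymous]
        public async Task<IActionResult> ExternalLoginCallback(string returnUrl = null)
        {
            var loginInfo = await SignInManager.GetExternalLoginInfoAsync();
            if (loginInfo == null)
            {
                return RedirectToAction("Login");
            }

            // Sign in the user with this external login provider if the user already has a login
            var result = await SignInManager.ExternalLoginSignInAsync(
                loginInfo.LoginProvider, loginInfo.ProviderKey, isPersistent: false);

            if (result.Succeeded)
            {
                return RedirectToLocal(returnUrl);
            }

            if (result.RequiresTwoFactor)
            {
                return RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = false });
            }

            if (result.IsLockedOut)
            {
                return View("Lockout");
            }

            // If the user does not have an account, then prompt the user to create an account
            ViewBag.ReturnUrl = returnUrl;
            ViewBag.LoginProvider = loginInfo.LoginProvider;

            // REVIEW: handle case where email not in claims? FindFirstValue returns null then,
            // and the confirmation form is shown with an empty e-mail field.
            var email = loginInfo.Principal.FindFirstValue(ClaimTypes.Email);
            return View("ExternalLoginConfirmation", new ExternalLoginConfirmationViewModel { Email = email });
        }

        /// <summary>
        /// POST: /Account/ExternalLoginConfirmation — creates the local account for a
        /// first-time external login, links the external login to it and signs in.
        /// </summary>
        /// <param name="model">E-mail confirmed by the user.</param>
        /// <param name="returnUrl">Destination after sign-in, validated by <see cref="RedirectToLocal"/>.</param>
        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public async Task<IActionResult> ExternalLoginConfirmation(ExternalLoginConfirmationViewModel model, string returnUrl = null)
        {
            if (SignInManager.IsSignedIn(User))
            {
                return RedirectToAction("Index", "Manage");
            }

            if (ModelState.IsValid)
            {
                // Get the information about the user from the external login provider
                var info = await SignInManager.GetExternalLoginInfoAsync();
                if (info == null)
                {
                    return View("ExternalLoginFailure");
                }

                var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
                var result = await UserManager.CreateAsync(user);
                if (result.Succeeded)
                {
                    // NOTE: Used for end to end testing only.
                    // Just for automated testing adding a claim named 'ManageStore' - Not required for production.
                    // This copies an authorization claim straight from whatever the external provider
                    // asserted, so any provider able to issue 'ManageStore' would grant store-management
                    // rights to the new account; keep it out of production builds.
                    // The claim is only persisted once the user row exists, otherwise AddClaimAsync
                    // targets a user that was never created.
                    var manageClaim = info.Principal.Claims.FirstOrDefault(c => c.Type == "ManageStore");
                    if (manageClaim != null)
                    {
                        await UserManager.AddClaimAsync(user, manageClaim);
                    }

                    result = await UserManager.AddLoginAsync(user, info);
                    if (result.Succeeded)
                    {
                        await SignInManager.SignInAsync(user, isPersistent: false);
                        return RedirectToLocal(returnUrl);
                    }
                }

                AddErrors(result);
            }

            ViewBag.ReturnUrl = returnUrl;
            return View(model);
        }

        /// <summary>
        /// POST: /Account/LogOff — clears the session (including the cart) and signs out.
        /// In an "OpenIdConnect*" environment the sign-out is also propagated to the
        /// OpenID Connect scheme.
        /// </summary>
        [HttpPost]
        [ValidateAntiForgeryToken]
        public async Task<IActionResult> LogOff()
        {
            var userName = HttpContext.User.Identity.Name;

            // clear all items from the cart
            HttpContext.Session.Clear();
            await SignInManager.SignOutAsync();

            // TODO: Currently SignInManager.SignOut does not sign out OpenIdc and does not have
            // a way to pass in a specific AuthType to sign out.
            // Null-safe: if no hosting environment is registered we fall through to the local sign-out.
            var appEnv = HttpContext.RequestServices.GetService<IHostingEnvironment>();
            if (appEnv != null && appEnv.EnvironmentName.StartsWith("OpenIdConnect", StringComparison.Ordinal))
            {
                return new SignOutResult("OpenIdConnect",
                    new AuthenticationProperties { RedirectUri = Url.Action("Index", "Home") });
            }

            _logger.LogInformation("{userName} logged out.", userName);
            return RedirectToAction("Index", "Home");
        }

        /// <summary>GET: /Account/ExternalLoginFailure — static failure page.</summary>
        [AllowAnonymous]
        public ActionResult ExternalLoginFailure()
        {
            return View();
        }

        #region Helpers

        /// <summary>Copies every Identity error into ModelState (and the log) so the form can show them.</summary>
        /// <param name="result">Result of a failed Identity operation.</param>
        private void AddErrors(IdentityResult result)
        {
            foreach (var error in result.Errors)
            {
                ModelState.AddModelError("", error.Description);
                _logger.LogWarning("Error in creating user: {error}", error.Description);
            }
        }

        /// <summary>Resolves the currently signed-in <see cref="ApplicationUser"/> from the request principal.</summary>
        private Task<ApplicationUser> GetCurrentUserAsync()
        {
            return UserManager.GetUserAsync(HttpContext.User);
        }

        /// <summary>
        /// Redirects to <paramref name="returnUrl"/> only if it is local to this site
        /// (open-redirect protection); anything else goes to the home page.
        /// </summary>
        /// <param name="returnUrl">Caller-supplied return URL, possibly null or external.</param>
        private ActionResult RedirectToLocal(string returnUrl)
        {
            if (!Url.IsLocalUrl(returnUrl))
            {
                return RedirectToAction("Index", "Home");
            }

            return Redirect(returnUrl);
        }

        #endregion
    }
}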