using IdentityManagementSample;
using IdentityManagementSample.Helpers;
using IdentityManagementSample.Model;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Identity;
// Application bootstrap: register services, build the app, wire the middleware pipeline.
var builder = WebApplication.CreateBuilder(args);

// The user store and the password hasher are both registered as singletons.
builder.Services.AddSingleton<Filestore>();
builder.Services.AddSingleton<IPasswordHasher<User>, PasswordHasher<User>>();

// Cookie authentication is added without any options, so the cookie settings are the framework defaults.
// NOTE(review): confirm the cookie's Secure/SameSite policy and lifetime before using this outside a demo.
builder.Services.AddAuthentication().AddCookie();

// Data protection backs the password-reset tokens issued further down in this file.
// NOTE(review): no key storage or application name is configured here; confirm where keys are
// persisted on the deployment target, since tokens stop validating when the keys are lost.
builder.Services.AddDataProtection();

// "manager" policy: the caller must be authenticated through the cookie scheme and must
// carry the claim role=manager.
builder.Services.AddAuthorization(options =>
    options.AddPolicy("manager", policy => policy
        .RequireAuthenticatedUser()
        .AddAuthenticationSchemes(CookieAuthenticationDefaults.AuthenticationScheme)
        .RequireClaim("role", "manager")));

var app = builder.Build();

// UseAuthentication is registered before UseAuthorization so policies see the authenticated user.
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", () => "Hello World!");
// GET /register: creates a user from the query-string username and password, stores it,
// signs the new user in with the cookie scheme and returns the stored user object.
// NOTE(review): the password travels in the URL of a GET request, where it can end up in
// server/proxy logs and browser history; a POST with the credentials in the body avoids that.
// NOTE(review): the returned User has just had PasswordHash assigned; unless the model excludes
// that property from serialization, the hash is sent back to the client - confirm.
// NOTE(review): no check for an existing account is visible here; whether PutAsync overwrites
// a user that already has this name depends on Filestore - confirm.
app.MapGet("/register", async (string username, string password, IPasswordHasher<User> hasher, Filestore db, HttpContext ctx) =>
{
    var account = new User { Name = username };
    account.PasswordHash = hasher.HashPassword(account, password);

    await db.PutAsync(account);

    // Sign the freshly stored user in straight away.
    var principal = UserHelper.Convert(account);
    await ctx.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal);

    return account;
});
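// GET /login: verifies the supplied password against the stored hash and, on success,
// signs the user in with the cookie scheme. Returns "ok" or "bad credentials".
// NOTE(review): the password is passed in the query string of a GET request, so it can be
// recorded in server/proxy logs and browser history; prefer a POST body.
// NOTE(review): no throttling or lockout is visible on this route - confirm it is handled elsewhere.
app.MapGet("/login", async (string username, string password, IPasswordHasher<User> hasher, Filestore db, HttpContext ctx) =>
{
    var user = await db.GetUserAsync(username);

    // GetUserAsync's behaviour for an unknown name is not visible from here. If it returns null,
    // dereferencing it would fail with an unhandled exception, which also tells a caller the
    // account does not exist. Answer exactly as for a wrong password instead.
    // NOTE(review): this path skips the hash verification, so it responds faster than a
    // wrong-password attempt; consider equalising the work if user enumeration matters.
    if (user is null)
    {
        return "bad credentials";
    }

    var result = hasher.VerifyHashedPassword(user, user.PasswordHash, password);
    if (result == PasswordVerificationResult.Failed)
    {
        return "bad credentials";
    }

    // Any result other than Failed (including SuccessRehashNeeded) is treated as a valid login.
    await ctx.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, UserHelper.Convert(user));
    return "ok";
});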
// GET /promote: adds the claim role=manager to the named user and saves the user.
// NOTE(review): this route carries no RequireAuthorization call, so as written any caller,
// signed in or not, can grant the "manager" role to any username. That is the same role the
// "manager" policy checks. Restrict who may call it before reusing this code.
// NOTE(review): this is a state-changing operation exposed over GET; a POST is the safer verb.
app.MapGet("/promote", async (string username, Filestore db) =>
{
    var account = await db.GetUserAsync(username);

    var managerRole = new UserClaim { Type = "role", Value = "manager" };
    account.Claims.Add(managerRole);

    await db.PutAsync(account);
    return "promoted!";
});
// GET /start-password-reset: produces the reset token for a user. The token is the user's
// name protected under the "PasswordReset" purpose; the intended flow is to e-mail it to the
// account owner so that presenting it later proves ownership.
// NOTE(review): here the token is returned in the HTTP response to whoever asked, without
// authentication, so the caller rather than the mailbox owner receives it. Deliver it only
// through the out-of-band channel before reusing this code.
// NOTE(review): the payload is only the username, so nothing in it limits the token's lifetime
// or makes it single-use.
app.MapGet("/start-password-reset", async (string username, Filestore db, IDataProtectionProvider provider) =>
{
    var resetProtector = provider.CreateProtector("PasswordReset");
    var account = await db.GetUserAsync(username);

    // Author's note: protect more than the username, for example a GUID saved in the db
    // together with the username, because the username is something an attacker can learn.
    var token = resetProtector.Protect(account.Name);
    return token;
});
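// GET /end-password-reset: completes a reset. The caller supplies the token issued by
// /start-password-reset (parameter "hash"), the username and the new password. The token is
// unprotected under the "PasswordReset" purpose and must contain exactly that username.
// Returns "password reset" on success and "bad hash" for any rejected request.
// NOTE(review): the new password and the token arrive in the query string of a GET request,
// where they can be recorded in logs and browser history; prefer a POST body.
// NOTE(review): the token payload is only the username, so a token stays usable for repeated
// resets for as long as the data-protection keys can unprotect it.
app.MapGet("/end-password-reset", async (string username, string password, string hash, Filestore db, IDataProtectionProvider provider, IPasswordHasher<User> hasher) =>
{
    var protector = provider.CreateProtector("PasswordReset");

    // Unprotect throws CryptographicException for a malformed, tampered or foreign token.
    // Treat that as a rejected token instead of letting it surface as an unhandled error.
    string tokenUserName;
    try
    {
        tokenUserName = protector.Unprotect(hash);
    }
    catch (System.Security.Cryptography.CryptographicException)
    {
        return "bad hash";
    }

    if (tokenUserName != username)
    {
        return "bad hash";
    }

    var user = await db.GetUserAsync(username);

    // GetUserAsync's behaviour for a missing user is not visible from here; guard the
    // dereference below in case it returns null (for example the account was removed).
    if (user is null)
    {
        return "bad hash";
    }

    user.PasswordHash = hasher.HashPassword(user, password);
    await db.PutAsync(user);
    return "password reset";
});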
// GET /protected: reachable only by callers that satisfy the "manager" authorization policy.
app.MapGet("/protected", () => "user has the role: manager")
    .RequireAuthorization("manager");
// GET /loginSetCookie: sets a cookie by writing the raw Set-Cookie response header.
// NOTE(review): the value is a fixed placeholder with no attributes (HttpOnly, Secure,
// SameSite) and no signature or encryption, so the client can read and alter it freely.
// It must not be treated as proof of identity; the cookie authentication scheme used by
// /login issues a protected cookie instead.
app.MapGet("/loginSetCookie", (HttpContext ctx) =>
{
    const string rawCookie = "auth=usr:xxx";
    ctx.Response.Headers["set-cookie"] = rawCookie;
    return "ok";
});
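// GET /usernameReadFromCookie: echoes the "auth" cookie back as "auth=<value>", or returns
// null when the request carries no such cookie.
// The previous version searched the Cookie header *lines* for one starting with "auth=".
// A client normally sends all its cookies in a single header line, so that matched only when
// "auth" happened to be the first cookie, and then returned every other cookie on the line too.
// Looking the cookie up by name through the parsed collection avoids both problems.
// NOTE(review): Request.Cookies hands back the decoded cookie value.
// NOTE(review): this cookie is supplied by the client and is not signed, so whatever it
// contains is untrusted input and cannot establish who the caller is.
app.MapGet("/usernameReadFromCookie", (HttpContext ctx) =>
{
    return ctx.Request.Cookies.TryGetValue("auth", out var value)
        ? $"auth={value}"
        : null;
});

// Start the web host; this call blocks until the application shuts down.
app.Run();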