yv01p/Umbraco-CMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
93df2edec2c247ef6615496ed75195580f7b71da
Umbraco-CMS/src/Umbraco.Core/Security/AuthenticationExtensions.cs

460 lines
20 KiB
C#
Raw Normal View History

Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
using System;
Initial install which now uses Identity middleware to perform the back office auth (no longer done in our module). Created custom data secure classes that use the legacy Forms auth logic for backwards compat. This means that the cookie can still be written the old way and still auth the new way if required. Now need to clean a lot of this up.
2015-02-06 13:47:00 +11:00
using System.Collections;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Linq;
getting csrf stuff coded up, it's pretty much done just need to write a couple tests and add the filter to the necessary controller/actions
2013-12-02 17:20:50 +11:00
using System.Net.Http;
using System.Net.Http.Headers;
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
using System.Security.Principal;
using System.Threading;
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
using System.Web;
using System.Web.Security;
Initial install which now uses Identity middleware to perform the back office auth (no longer done in our module). Created custom data secure classes that use the legacy Forms auth logic for backwards compat. This means that the cookie can still be written the old way and still auth the new way if required. Now need to clean a lot of this up.
2015-02-06 13:47:00 +11:00
using Microsoft.Owin;
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
using Newtonsoft.Json;
using Umbraco.Core.Configuration;
namespace Umbraco.Core.Security
{
/// <summary>
/// Extensions to create and renew and remove authentication tickets for the Umbraco back office
/// </summary>
Fixes: U4-4819 Publicize AuthenticationExtensions
2014-05-06 18:15:38 +10:00
public static class AuthenticationExtensions
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
{
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
/// <summary>
/// This will check the ticket to see if it is valid, if it is it will set the current thread's user and culture
/// </summary>
/// <param name="http"></param>
/// <param name="ticket"></param>
/// <param name="renewTicket">If true will attempt to renew the ticket</param>
public static bool AuthenticateCurrentRequest(this HttpContextBase http, FormsAuthenticationTicket ticket, bool renewTicket)
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
{
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
if (http == null) throw new ArgumentNullException("http");
//if there was a ticket, it's not expired, - it should not be renewed or its renewable
if (ticket != null && ticket.Expired == false && (renewTicket == false || http.RenewUmbracoAuthTicket()))
{
try
{
//create the Umbraco user identity
var identity = new UmbracoBackOfficeIdentity(ticket);
//set the principal object
var principal = new GenericPrincipal(identity, identity.Roles);
//It is actually not good enough to set this on the current app Context and the thread, it also needs
// to be set explicitly on the HttpContext.Current !! This is a strange web api thing that is actually
// an underlying fault of asp.net not propogating the User correctly.
if (HttpContext.Current != null)
{
HttpContext.Current.User = principal;
}
http.User = principal;
Thread.CurrentPrincipal = principal;
//This is a back office request, we will also set the culture/ui culture
Thread.CurrentThread.CurrentCulture =
Thread.CurrentThread.CurrentUICulture =
new System.Globalization.CultureInfo(identity.Culture);
return true;
}
catch (Exception ex)
{
if (ex is FormatException || ex is JsonReaderException)
{
//this will occur if the cookie data is invalid
http.UmbracoLogout();
}
else
{
throw;
}
}
}
return false;
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
}
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
/// <summary>
/// This will return the current back office identity.
/// </summary>
/// <param name="http"></param>
Updates ValidateCurrentUser so that it doesn't re-decrypt the cookie since that is already done, it just needs to check if the current user is authenticated and if it is a back office identity. Added lots of notes for extension points when we start looking at extending how the back office auth works.
2014-12-05 10:29:18 +11:00
/// <param name="authenticateRequestIfNotFound">
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
/// If set to true and a back office identity is not found and not authenticated, this will attempt to authenticate the
Fixes: U4-6093 ContentService.SaveAndPublishDo changes Culture
2015-01-12 21:45:52 +11:00
/// request just as is done in the Umbraco module and then set the current identity if it is valid.
/// Just like in the UmbracoModule, if this is true then the user's culture will be assigned to the request.
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
/// </param>
/// <returns>
/// Returns the current back office identity if an admin is authenticated otherwise null
/// </returns>
public static UmbracoBackOfficeIdentity GetCurrentIdentity(this HttpContextBase http, bool authenticateRequestIfNotFound)
{
if (http == null) throw new ArgumentNullException("http");
Fixes: U4-4856 ApplicationContext.Current.Services.ContentService.Save throw exception
2014-05-12 14:32:34 +10:00
if (http.User == null) return null; //there's no user at all so no identity
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
var identity = http.User.Identity as UmbracoBackOfficeIdentity;
if (identity != null) return identity;
Updates ValidateCurrentUser so that it doesn't re-decrypt the cookie since that is already done, it just needs to check if the current user is authenticated and if it is a back office identity. Added lots of notes for extension points when we start looking at extending how the back office auth works.
2014-12-05 10:29:18 +11:00
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
if (authenticateRequestIfNotFound == false) return null;
Updates ValidateCurrentUser so that it doesn't re-decrypt the cookie since that is already done, it just needs to check if the current user is authenticated and if it is a back office identity. Added lots of notes for extension points when we start looking at extending how the back office auth works.
2014-12-05 10:29:18 +11:00
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
//even if authenticateRequestIfNotFound is true we cannot continue if the request is actually authenticated
// which would mean something strange is going on that it is not an umbraco identity.
if (http.User.Identity.IsAuthenticated) return null;
Updates ValidateCurrentUser so that it doesn't re-decrypt the cookie since that is already done, it just needs to check if the current user is authenticated and if it is a back office identity. Added lots of notes for extension points when we start looking at extending how the back office auth works.
2014-12-05 10:29:18 +11:00
//So the user is not authed but we've been asked to do the auth if authenticateRequestIfNotFound = true,
// which might occur in old webforms style things or for routes that aren't included as a back office request.
// in this case, we are just reverting to authing using the cookie.
// TODO: Even though this is in theory legacy, we have legacy bits laying around and we'd need to do the auth based on
// how the Module will eventually do it (by calling in to any registered authenticators).
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
var ticket = http.GetUmbracoAuthTicket();
if (http.AuthenticateCurrentRequest(ticket, true))
{
//now we 'should have an umbraco identity
return http.User.Identity as UmbracoBackOfficeIdentity;
}
return null;
}
/// <summary>
/// This will return the current back office identity.
/// </summary>
/// <param name="http"></param>
/// <param name="authenticateRequestIfNotFound">
/// If set to true and a back office identity is not found and not authenticated, this will attempt to authenticate the
/// request just as is done in the Umbraco module and then set the current identity if it is valid
/// </param>
/// <returns>
/// Returns the current back office identity if an admin is authenticated otherwise null
/// </returns>
internal static UmbracoBackOfficeIdentity GetCurrentIdentity(this HttpContext http, bool authenticateRequestIfNotFound)
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
{
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
if (http == null) throw new ArgumentNullException("http");
return new HttpContextWrapper(http).GetCurrentIdentity(authenticateRequestIfNotFound);
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
}
/// <summary>
/// This clears the forms authentication cookie
/// </summary>
public static void UmbracoLogout(this HttpContextBase http)
{
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
if (http == null) throw new ArgumentNullException("http");
Fixes merge issues, fixes up some unit tests, removes the For<T> config section stuff and simplifies the singleton, refactors it with methods as per discussion with stephen.
2013-09-25 19:23:41 +10:00
Logout(http, UmbracoConfig.For.UmbracoSettings().Security.AuthCookieName);
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
}
getting csrf stuff coded up, it's pretty much done just need to write a couple tests and add the filter to the necessary controller/actions
2013-12-02 17:20:50 +11:00
/// <summary>
Fixes: U4-4819 Publicize AuthenticationExtensions
2014-05-06 18:15:38 +10:00
/// This clears the forms authentication cookie for webapi since cookies are handled differently
getting csrf stuff coded up, it's pretty much done just need to write a couple tests and add the filter to the necessary controller/actions
2013-12-02 17:20:50 +11:00
/// </summary>
/// <param name="response"></param>
Fixes: U4-4819 Publicize AuthenticationExtensions
2014-05-06 18:15:38 +10:00
public static void UmbracoLogoutWebApi(this HttpResponseMessage response)
getting csrf stuff coded up, it's pretty much done just need to write a couple tests and add the filter to the necessary controller/actions
2013-12-02 17:20:50 +11:00
{
if (response == null) throw new ArgumentNullException("response");
//remove the cookie
ensures preview cookie is gone on logout.
2014-01-16 20:56:34 +11:00
var authCookie = new CookieHeaderValue(UmbracoConfig.For.UmbracoSettings().Security.AuthCookieName, "")
getting csrf stuff coded up, it's pretty much done just need to write a couple tests and add the filter to the necessary controller/actions
2013-12-02 17:20:50 +11:00
{
Expires = DateTime.Now.AddYears(-1),
Path = "/"
};
ensures preview cookie is gone on logout.
2014-01-16 20:56:34 +11:00
//remove the preview cookie too
var prevCookie = new CookieHeaderValue(Constants.Web.PreviewCookieName, "")
{
Expires = DateTime.Now.AddYears(-1),
Path = "/"
};
response.Headers.AddCookies(new[] { authCookie, prevCookie });
getting csrf stuff coded up, it's pretty much done just need to write a couple tests and add the filter to the necessary controller/actions
2013-12-02 17:20:50 +11:00
}
/// <summary>
/// This clears the forms authentication cookie
/// </summary>
/// <param name="http"></param>
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
internal static void UmbracoLogout(this HttpContext http)
{
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
if (http == null) throw new ArgumentNullException("http");
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
new HttpContextWrapper(http).UmbracoLogout();
}
/// <summary>
/// Renews the Umbraco authentication ticket
/// </summary>
/// <param name="http"></param>
/// <returns></returns>
Working on user timeouts - now have the user timeout time being nicely tracked in the back office with a bit of injector magic both on the client side and the server side with filters. Now to wire up the call to get remaining seconds if a request hasn't been made for a specified amount of time, then we can add UI notification about timeout period.
2013-10-15 18:46:44 +11:00
public static bool RenewUmbracoAuthTicket(this HttpContextBase http)
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
{
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
if (http == null) throw new ArgumentNullException("http");
Makes some massive headway with the real config section, have got all code re-delegated to using it and have migrated the baserest config to the core project, all configs will be shared out of the UmbracoConfiguration singleton, now to get the unit tests all wired up and using mocks for the most part.
2013-09-13 18:11:20 +10:00
return RenewAuthTicket(http,
Fixes merge issues, fixes up some unit tests, removes the For<T> config section stuff and simplifies the singleton, refactors it with methods as per discussion with stephen.
2013-09-25 19:23:41 +10:00
UmbracoConfig.For.UmbracoSettings().Security.AuthCookieName,
Fixes issue with authcookie on renew - need to ensure its http only and persited for a day remains, ensures the csrf cookies are set when getting the user since that is called before logging in.
2013-12-03 11:57:41 +11:00
UmbracoConfig.For.UmbracoSettings().Security.AuthCookieDomain,
//Umbraco has always persisted it's original cookie for 1 day so we'll keep it that way
1440);
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
}
Working on user timeouts - now have the user timeout time being nicely tracked in the back office with a bit of injector magic both on the client side and the server side with filters. Now to wire up the call to get remaining seconds if a request hasn't been made for a specified amount of time, then we can add UI notification about timeout period.
2013-10-15 18:46:44 +11:00
internal static bool RenewUmbracoAuthTicket(this HttpContext http)
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
{
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
if (http == null) throw new ArgumentNullException("http");
Working on user timeouts - now have the user timeout time being nicely tracked in the back office with a bit of injector magic both on the client side and the server side with filters. Now to wire up the call to get remaining seconds if a request hasn't been made for a specified amount of time, then we can add UI notification about timeout period.
2013-10-15 18:46:44 +11:00
return new HttpContextWrapper(http).RenewUmbracoAuthTicket();
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
}
/// <summary>
/// Creates the umbraco authentication ticket
/// </summary>
/// <param name="http"></param>
/// <param name="userdata"></param>
More work on user timeouts, have the login dialog showing when it needs to and updating the user's ticket and correct new timeout seconds value - now to get it to not re-load routes when they log back in so their data is still editable.
2013-10-16 12:00:42 +11:00
public static FormsAuthenticationTicket CreateUmbracoAuthTicket(this HttpContextBase http, UserData userdata)
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
{
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
if (http == null) throw new ArgumentNullException("http");
if (userdata == null) throw new ArgumentNullException("userdata");
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
var userDataString = JsonConvert.SerializeObject(userdata);
More work on user timeouts, have the login dialog showing when it needs to and updating the user's ticket and correct new timeout seconds value - now to get it to not re-load routes when they log back in so their data is still editable.
2013-10-16 12:00:42 +11:00
return CreateAuthTicketAndCookie(
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
http,
userdata.Username,
userDataString,
Working on user timeouts - now have the user timeout time being nicely tracked in the back office with a bit of injector magic both on the client side and the server side with filters. Now to wire up the call to get remaining seconds if a request hasn't been made for a specified amount of time, then we can add UI notification about timeout period.
2013-10-15 18:46:44 +11:00
//use the configuration timeout - this is the same timeout that will be used when renewing the ticket.
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
GlobalSettings.TimeOutInMinutes,
//Umbraco has always persisted it's original cookie for 1 day so we'll keep it that way
1440,
Makes some massive headway with the real config section, have got all code re-delegated to using it and have migrated the baserest config to the core project, all configs will be shared out of the UmbracoConfiguration singleton, now to get the unit tests all wired up and using mocks for the most part.
2013-09-13 18:11:20 +10:00
"/",
Fixes merge issues, fixes up some unit tests, removes the For<T> config section stuff and simplifies the singleton, refactors it with methods as per discussion with stephen.
2013-09-25 19:23:41 +10:00
UmbracoConfig.For.UmbracoSettings().Security.AuthCookieName,
UmbracoConfig.For.UmbracoSettings().Security.AuthCookieDomain);
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
}
More work on user timeouts, have the login dialog showing when it needs to and updating the user's ticket and correct new timeout seconds value - now to get it to not re-load routes when they log back in so their data is still editable.
2013-10-16 12:00:42 +11:00
internal static FormsAuthenticationTicket CreateUmbracoAuthTicket(this HttpContext http, UserData userdata)
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
{
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
if (http == null) throw new ArgumentNullException("http");
if (userdata == null) throw new ArgumentNullException("userdata");
More work on user timeouts, have the login dialog showing when it needs to and updating the user's ticket and correct new timeout seconds value - now to get it to not re-load routes when they log back in so their data is still editable.
2013-10-16 12:00:42 +11:00
return new HttpContextWrapper(http).CreateUmbracoAuthTicket(userdata);
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
}
Working on user timeouts - now have the user timeout time being nicely tracked in the back office with a bit of injector magic both on the client side and the server side with filters. Now to wire up the call to get remaining seconds if a request hasn't been made for a specified amount of time, then we can add UI notification about timeout period.
2013-10-15 18:46:44 +11:00
/// <summary>
/// returns the number of seconds the user has until their auth session times out
/// </summary>
/// <param name="http"></param>
/// <returns></returns>
public static double GetRemainingAuthSeconds(this HttpContextBase http)
{
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
if (http == null) throw new ArgumentNullException("http");
Working on user timeouts - now have the user timeout time being nicely tracked in the back office with a bit of injector magic both on the client side and the server side with filters. Now to wire up the call to get remaining seconds if a request hasn't been made for a specified amount of time, then we can add UI notification about timeout period.
2013-10-15 18:46:44 +11:00
var ticket = http.GetUmbracoAuthTicket();
More work on user timeouts, have the login dialog showing when it needs to and updating the user's ticket and correct new timeout seconds value - now to get it to not re-load routes when they log back in so their data is still editable.
2013-10-16 12:00:42 +11:00
return ticket.GetRemainingAuthSeconds();
}
/// <summary>
/// returns the number of seconds the user has until their auth session times out
/// </summary>
/// <param name="ticket"></param>
/// <returns></returns>
public static double GetRemainingAuthSeconds(this FormsAuthenticationTicket ticket)
{
Working on user timeouts - now have the user timeout time being nicely tracked in the back office with a bit of injector magic both on the client side and the server side with filters. Now to wire up the call to get remaining seconds if a request hasn't been made for a specified amount of time, then we can add UI notification about timeout period.
2013-10-15 18:46:44 +11:00
if (ticket == null)
{
return 0;
}
var utcExpired = ticket.Expiration.ToUniversalTime();
var secondsRemaining = utcExpired.Subtract(DateTime.UtcNow).TotalSeconds;
return secondsRemaining;
}
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
/// <summary>
/// Gets the umbraco auth ticket
/// </summary>
/// <param name="http"></param>
/// <returns></returns>
public static FormsAuthenticationTicket GetUmbracoAuthTicket(this HttpContextBase http)
{
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
if (http == null) throw new ArgumentNullException("http");
Fixes merge issues, fixes up some unit tests, removes the For<T> config section stuff and simplifies the singleton, refactors it with methods as per discussion with stephen.
2013-09-25 19:23:41 +10:00
return GetAuthTicket(http, UmbracoConfig.For.UmbracoSettings().Security.AuthCookieName);
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
}
internal static FormsAuthenticationTicket GetUmbracoAuthTicket(this HttpContext http)
{
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
if (http == null) throw new ArgumentNullException("http");
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
return new HttpContextWrapper(http).GetUmbracoAuthTicket();
}
Initial install which now uses Identity middleware to perform the back office auth (no longer done in our module). Created custom data secure classes that use the legacy Forms auth logic for backwards compat. This means that the cookie can still be written the old way and still auth the new way if required. Now need to clean a lot of this up.
2015-02-06 13:47:00 +11:00
internal static FormsAuthenticationTicket GetUmbracoAuthTicket(this IOwinContext ctx)
{
if (ctx == null) throw new ArgumentNullException("ctx");
//get the ticket
try
{
return GetAuthTicket(ctx.Request.Cookies.ToDictionary(x => x.Key, x => x.Value), UmbracoConfig.For.UmbracoSettings().Security.AuthCookieName);
}
catch (Exception)
{
//TODO: Do we need to do more here?? need to make sure that the forms cookie is gone, but is that
// taken care of in our custom middleware somehow?
ctx.Authentication.SignOut();
return null;
}
}
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
/// <summary>
/// This clears the forms authentication cookie
/// </summary>
/// <param name="http"></param>
/// <param name="cookieName"></param>
private static void Logout(this HttpContextBase http, string cookieName)
{
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
if (http == null) throw new ArgumentNullException("http");
Merge remote-tracking branch 'origin/6.2.0' into 7.0.2 Conflicts: src/Umbraco.Core/Configuration/UmbracoSettings.cs src/Umbraco.Core/Security/AuthenticationExtensions.cs src/umbraco.businesslogic/StateHelper.cs
2014-01-16 20:49:19 +11:00
//clear the preview cookie too
var cookies = new[] { cookieName, Constants.Web.PreviewCookieName };
foreach (var c in cookies)
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
{
Merge remote-tracking branch 'origin/6.2.0' into 7.0.2 Conflicts: src/Umbraco.Core/Configuration/UmbracoSettings.cs src/Umbraco.Core/Security/AuthenticationExtensions.cs src/umbraco.businesslogic/StateHelper.cs
2014-01-16 20:49:19 +11:00
//remove from the request
http.Request.Cookies.Remove(c);
//expire from the response
var formsCookie = http.Response.Cookies[c];
if (formsCookie != null)
{
//this will expire immediately and be removed from the browser
formsCookie.Expires = DateTime.Now.AddYears(-1);
}
else
{
//ensure there's def an expired cookie
http.Response.Cookies.Add(new HttpCookie(c) { Expires = DateTime.Now.AddYears(-1) });
}
}
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
}
private static FormsAuthenticationTicket GetAuthTicket(this HttpContextBase http, string cookieName)
{
Initial install which now uses Identity middleware to perform the back office auth (no longer done in our module). Created custom data secure classes that use the legacy Forms auth logic for backwards compat. This means that the cookie can still be written the old way and still auth the new way if required. Now need to clean a lot of this up.
2015-02-06 13:47:00 +11:00
var allKeys = new List<string>();
for (var i = 0; i < http.Request.Cookies.Keys.Count; i++)
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
{
Initial install which now uses Identity middleware to perform the back office auth (no longer done in our module). Created custom data secure classes that use the legacy Forms auth logic for backwards compat. This means that the cookie can still be written the old way and still auth the new way if required. Now need to clean a lot of this up.
2015-02-06 13:47:00 +11:00
allKeys.Add(http.Request.Cookies.Keys.Get(i));
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
}
Initial install which now uses Identity middleware to perform the back office auth (no longer done in our module). Created custom data secure classes that use the legacy Forms auth logic for backwards compat. This means that the cookie can still be written the old way and still auth the new way if required. Now need to clean a lot of this up.
2015-02-06 13:47:00 +11:00
var asDictionary = allKeys.ToDictionary(key => key, key => http.Request.Cookies[key].Value);
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
//get the ticket
try
{
Initial install which now uses Identity middleware to perform the back office auth (no longer done in our module). Created custom data secure classes that use the legacy Forms auth logic for backwards compat. This means that the cookie can still be written the old way and still auth the new way if required. Now need to clean a lot of this up.
2015-02-06 13:47:00 +11:00
return GetAuthTicket(asDictionary, cookieName);
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
}
catch (Exception)
{
//occurs when decryption fails
http.Logout(cookieName);
return null;
}
}
Initial install which now uses Identity middleware to perform the back office auth (no longer done in our module). Created custom data secure classes that use the legacy Forms auth logic for backwards compat. This means that the cookie can still be written the old way and still auth the new way if required. Now need to clean a lot of this up.
2015-02-06 13:47:00 +11:00
private static FormsAuthenticationTicket GetAuthTicket(IDictionary<string, string> cookies, string cookieName)
{
if (cookies == null) throw new ArgumentNullException("cookies");
if (cookies.ContainsKey(cookieName) == false) return null;
var formsCookie = cookies[cookieName];
if (formsCookie == null)
{
return null;
}
//get the ticket
return FormsAuthentication.Decrypt(formsCookie);
}
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
/// <summary>
/// Renews the forms authentication ticket & cookie
/// </summary>
/// <param name="http"></param>
/// <param name="cookieName"></param>
/// <param name="cookieDomain"></param>
Fixes issue with authcookie on renew - need to ensure its http only and persited for a day remains, ensures the csrf cookies are set when getting the user since that is called before logging in.
2013-12-03 11:57:41 +11:00
/// <param name="minutesPersisted"></param>
Working on user timeouts - now have the user timeout time being nicely tracked in the back office with a bit of injector magic both on the client side and the server side with filters. Now to wire up the call to get remaining seconds if a request hasn't been made for a specified amount of time, then we can add UI notification about timeout period.
2013-10-15 18:46:44 +11:00
/// <returns>true if there was a ticket to renew otherwise false if there was no ticket</returns>
Fixes issue with authcookie on renew - need to ensure its http only and persited for a day remains, ensures the csrf cookies are set when getting the user since that is called before logging in.
2013-12-03 11:57:41 +11:00
private static bool RenewAuthTicket(this HttpContextBase http, string cookieName, string cookieDomain, int minutesPersisted)
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
{
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
if (http == null) throw new ArgumentNullException("http");
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
//get the ticket
var ticket = GetAuthTicket(http, cookieName);
//renew the ticket
var renewed = FormsAuthentication.RenewTicketIfOld(ticket);
if (renewed == null)
{
return false;
}
//get the request cookie to get it's expiry date,
//NOTE: this will never be null becaues we already do this
// check in teh GetAuthTicket.
var formsCookie = http.Request.Cookies[cookieName];
//encrypt it
var hash = FormsAuthentication.Encrypt(renewed);
//write it to the response
var cookie = new HttpCookie(cookieName, hash)
Fixes issue with authcookie on renew - need to ensure its http only and persited for a day remains, ensures the csrf cookies are set when getting the user since that is called before logging in.
2013-12-03 11:57:41 +11:00
{
Expires = DateTime.Now.AddMinutes(minutesPersisted),
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
Domain = cookieDomain
};
Fixes issue with authcookie on renew - need to ensure its http only and persited for a day remains, ensures the csrf cookies are set when getting the user since that is called before logging in.
2013-12-03 11:57:41 +11:00
if (GlobalSettings.UseSSL)
cookie.Secure = true;
//ensure http only, this should only be able to be accessed via the server
cookie.HttpOnly = true;
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
//rewrite the cooke
http.Response.Cookies.Set(cookie);
return true;
}
/// <summary>
/// Creates a custom FormsAuthentication ticket with the data specified
/// </summary>
/// <param name="http">The HTTP.</param>
/// <param name="username">The username.</param>
/// <param name="userData">The user data.</param>
/// <param name="loginTimeoutMins">The login timeout mins.</param>
/// <param name="minutesPersisted">The minutes persisted.</param>
/// <param name="cookiePath">The cookie path.</param>
/// <param name="cookieName">Name of the cookie.</param>
/// <param name="cookieDomain">The cookie domain.</param>
More work on user timeouts, have the login dialog showing when it needs to and updating the user's ticket and correct new timeout seconds value - now to get it to not re-load routes when they log back in so their data is still editable.
2013-10-16 12:00:42 +11:00
private static FormsAuthenticationTicket CreateAuthTicketAndCookie(this HttpContextBase http,
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
string username,
string userData,
int loginTimeoutMins,
int minutesPersisted,
string cookiePath,
string cookieName,
string cookieDomain)
{
Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly)
2013-11-01 15:37:59 +11:00
if (http == null) throw new ArgumentNullException("http");
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
// Create a new ticket used for authentication
var ticket = new FormsAuthenticationTicket(
4,
username,
DateTime.Now,
DateTime.Now.AddMinutes(loginTimeoutMins),
true,
userData,
cookiePath
);
// Encrypt the cookie using the machine key for secure transport
var hash = FormsAuthentication.Encrypt(ticket);
var cookie = new HttpCookie(
cookieName,
hash)
{
Expires = DateTime.Now.AddMinutes(minutesPersisted),
Domain = cookieDomain
};
if (GlobalSettings.UseSSL)
cookie.Secure = true;
//ensure http only, this should only be able to be accessed via the server
cookie.HttpOnly = true;
http.Response.Cookies.Set(cookie);
More work on user timeouts, have the login dialog showing when it needs to and updating the user's ticket and correct new timeout seconds value - now to get it to not re-load routes when they log back in so their data is still editable.
2013-10-16 12:00:42 +11:00
return ticket;
Added events.Service and xmlhelper.service
2013-08-12 15:06:12 +02:00
}
}
Implements real FormsAuthentication for back office cookie authentication... finally :)
2013-07-31 17:08:56 +10:00
}
Reference in New Issue Copy Permalink