@@ -158,7 +158,7 @@ namespace AyaNova.Api.Controllers
|
||||
|
||||
//Multiple users are allowed the same password and login
|
||||
//Salt will differentiate them so get all users that match login, then try to match pw
|
||||
var users = await ct.User.AsNoTracking().Where(m => m.Login == creds.Login).ToListAsync();
|
||||
var users = await ct.User.Where(m => m.Login == creds.Login && m.Active == true).ToListAsync();
|
||||
|
||||
foreach (User u in users)
|
||||
{
|
||||
@@ -177,13 +177,15 @@ namespace AyaNova.Api.Controllers
|
||||
}
|
||||
|
||||
|
||||
//If the user is inactive they may not login
|
||||
if (!u.Active)
|
||||
{
|
||||
//This is leaking information, instead just act like bad creds
|
||||
//return StatusCode(401, new ApiErrorResponse(ApiErrorCode.NOT_AUTHORIZED, null, "User deactivated"));
|
||||
return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
|
||||
}
|
||||
// //If the user is inactive they may not login
|
||||
// if (!u.Active)
|
||||
// {
|
||||
// //This is leaking information, instead just act like bad creds
|
||||
// //return StatusCode(401, new ApiErrorResponse(ApiErrorCode.NOT_AUTHORIZED, null, "User deactivated"));
|
||||
// return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
|
||||
// }
|
||||
|
||||
|
||||
|
||||
//build the key (JWT set in startup.cs)
|
||||
byte[] secretKey = System.Text.Encoding.ASCII.GetBytes(ServerBootConfig.AYANOVA_JWT_SECRET);
|
||||
@@ -192,6 +194,18 @@ namespace AyaNova.Api.Controllers
|
||||
var iat = new DateTimeOffset(DateTime.Now.ToUniversalTime(), TimeSpan.Zero);//timespan zero means zero time off utc / specifying this is a UTC datetime
|
||||
var exp = new DateTimeOffset(DateTime.Now.AddDays(JWT_LIFETIME_DAYS).ToUniversalTime(), TimeSpan.Zero);
|
||||
|
||||
|
||||
//=============== download token ===================
|
||||
//Generate a download token and store it with the user account
|
||||
//string DownloadToken = Convert.ToBase64String(Guid.NewGuid().ToByteArray());
|
||||
string DownloadToken = Hasher.GenerateSalt();
|
||||
DownloadToken = DownloadToken.Replace("=", "");
|
||||
DownloadToken = DownloadToken.Replace("+", "");
|
||||
u.DlKey = DownloadToken;
|
||||
u.DlKeyExpire = exp.DateTime;
|
||||
await ct.SaveChangesAsync();
|
||||
//=======================================================
|
||||
|
||||
var payload = new Dictionary<string, object>()
|
||||
{
|
||||
{ "iat", iat.ToUnixTimeSeconds().ToString() },
|
||||
@@ -200,7 +214,8 @@ namespace AyaNova.Api.Controllers
|
||||
{ "id", u.Id.ToString() },
|
||||
{ "name", u.Name},
|
||||
{ "usertype", u.UserType},
|
||||
{ "ayanova/roles", ((int)u.Roles).ToString() }
|
||||
{ "ayanova/roles", ((int)u.Roles).ToString()},
|
||||
{ "dlt", DownloadToken }
|
||||
};
|
||||
|
||||
|
||||
|
||||
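Review bot: The download-token post-processing in the third hunk, `DownloadToken = DownloadToken.Replace("=", ""); DownloadToken = DownloadToken.Replace("+", "");`, deletes characters instead of substituting them, so a token that happened to contain several `+` loses length and entropy in a value-dependent way, while `/` (equally unsafe in URLs and file paths) is left in. If `Hasher.GenerateSalt()` returns standard base64, which the stripping of `=` and `+` suggests, the URL-safe alphabet keeps every bit: `DownloadToken = Hasher.GenerateSalt().Replace('+', '-').Replace('/', '_').TrimEnd('=');`. The token is persisted in clear text through `u.DlKey` and also travels inside the JWT payload as `dlt`, so it should be treated as a credential; whether `GenerateSalt()` draws from a cryptographic RNG is not visible here and is worth confirming. `u.DlKeyExpire = exp.DateTime` drops the offset and yields a DateTime of Kind Unspecified, so whatever later checks expiry must compare against UTC as well. The login method starts and ends outside these hunks; the commented-out inactive-user block in the second hunk is now dead code and can simply be deleted.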