From 9ad70efb06cc1bae395071e73431b9628b552d46 Mon Sep 17 00:00:00 2001
From: John Cardinal
Date: Mon, 18 Oct 2021 18:09:15 +0000
Subject: [PATCH] license lockout handling code for when db has more active users than license allows for
---
 server/AyaNova/Controllers/AuthController.cs | 40 +++++++++-----------
 1 file changed, 18 insertions(+), 22 deletions(-)
diff --git a/server/AyaNova/Controllers/AuthController.cs b/server/AyaNova/Controllers/AuthController.cs
index 2f155f17..75493c0a 100644
--- a/server/AyaNova/Controllers/AuthController.cs
+++ b/server/AyaNova/Controllers/AuthController.cs
@@ -68,6 +68,9 @@ namespace AyaNova.Api.Controllers
 public async Task PostCreds([FromBody] AuthController.CredentialsParam creds)
 //if was a json body then
 //public JsonResult PostCreds([FromBody] string login, [FromBody] string password)
 {
+ //NOTE: lockout or other login impacting state is processed later in ReturnUserCredsOnSuccessfulAuthentication() because many of those states need to have exceptions once the user is known
+ //or return alternate result of auth etc
+
 #if (DEBUG)
@@ -160,25 +163,6 @@ namespace AyaNova.Api.Controllers
 if (hashed == u.Password)
 {
- //LOCKOUT??
- //done here because we need to know the user in case there is an exception (superuser)
- //a bit different as ops users can still login if the state is opsonly
- //so the only real barrier here would be a completely closed api
-
- //Is the server completely closed?? If so only the Super user can login
- if (serverState.IsClosed && u.Id != 1)
- {
- return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
- }
-
- //not sure if key needs attention is relevant as closed is closed
- // if (u.Id!=1 && serverState.IsClosed && AyaNova.Core.License.ActiveKey.KeyDoesNotNeedAttention)
- // {
- // //can't login as *any* user due to some issue not license key related
- // return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
- // }
-
- //TWO FACTOR ENABLED??
 //if 2fa enabled then need to validate it before sending token, so we're halfway there and need to send a 2fa prompt
@@ -286,9 +270,13 @@ namespace AyaNova.Api.Controllers
 return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
 }
+
+
+ //return creds and or process lockout handling here
 private async Task ReturnUserCredsOnSuccessfulAuthentication(User u)
 {
+ bool licenseLockout = false;
 //check if server available to SuperUser account only (closed or migrate mode)
 //if it is it means we got here either because there is no license
 //and only *the* SuperUser account can login now or we're in migrate mode
@@ -300,12 +288,19 @@ namespace AyaNova.Api.Controllers
 {
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
 }
+ else
+ {
+ if (serverState.Reason.Contains("E1020"))
+ {
+ licenseLockout = true;//this could be an expired license or user count exceeded capacity so flag to client on login so superuser can fix it
+ }
+ }
 }
 //Restrict auth due to server state?
- //If we're here the server state is not closed, but it might be ops only
+ //If we're here it's the superuser or the server state is not closed, but it might be ops only
 //If the server is ops only then this user needs to be ops or else they are not allowed in
- if (serverState.IsOpsOnly &&
+ if ((u.Id != 1) && serverState.IsOpsOnly &&
 !u.Roles.HasFlag(Biz.AuthorizationRoles.OpsAdmin) &&
 !u.Roles.HasFlag(Biz.AuthorizationRoles.OpsAdminRestricted))
 {
@@ -392,7 +387,8 @@ namespace AyaNova.Api.Controllers
 usertype = u.UserType,
 roles = ((int)u.Roles).ToString(),
 dlt = DownloadToken,
- tfa = u.TwoFactorEnabled
+ tfa = u.TwoFactorEnabled,
+ l = licenseLockout
 }));
 }
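Review bot: `serverState.Reason.Contains("E1020")` in the new `else` branch dereferences `Reason` without a null check, and that branch runs on every login that does not take the 503 return above it — if `Reason` is null whenever the server is not in a restricted state, every successful authentication would throw a NullReferenceException and the login endpoint would 500 for everyone; `if (serverState.Reason?.Contains("E1020", StringComparison.Ordinal) == true)` avoids that. Detecting a license condition by substring match on a human-readable reason string is also fragile: the wording can change, and any reason that happens to contain "E1020" sets the flag, while the 503 line in this same hunk already carries a typed `serverState.ApiErrorCode`, so a typed license-error code or a boolean on the server state would be a sturdier signal. The `if` this `else` belongs to begins outside the hunk, so the exact condition guarding the branch is not visible here and the null-path claim is inferred. The hard-coded `u.Id != 1` superuser exemption is now repeated in the ops-only check; a named constant or an `IsSuperUser(u)` helper would make the exemption easier to audit.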
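Review bot: The new `l` property enters the login response with no explanation of what a client should do with it, and a one-letter key is hard to match against the API contract later. Add a comment on that line, `l = licenseLockout // server reported a license problem (E1020); informational, so a superuser client can prompt to fix it`. Because the flag is advisory and the client can ignore it, any actual lockout must keep being enforced by the server-side state checks earlier in `ReturnUserCredsOnSuccessfulAuthentication`, not by the client honoring `l`. The enclosing method starts outside this hunk.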