admin/raven
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Browse Source
This commit is contained in:
John Cardinal
2020-11-19 00:55:47 +00:00
parent f21e66de08
commit a255aab73c
6 changed files with 88 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
server/AyaNova/Controllers/AuthController.cs
View File

@@ -71,10 +71,10 @@ namespace AyaNova.Api.Controllers
return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason)); return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
} }
#if (DEBUG) #if (DEBUG)
#region TESTING #region TESTING
@@ -330,6 +330,53 @@ namespace AyaNova.Api.Controllers
//return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED)); //return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
} }
/// <summary>
/// Change Password via reset token
/// </summary>
/// <param name="resetcreds"></param>
/// <returns></returns>
[HttpPost("resetpassword")]
public async Task<IActionResult> ResetPassword([FromBody] AuthController.ResetPasswordParam resetcreds)
{
if (!serverState.IsOpen)
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
if (!ModelState.IsValid)
{
return BadRequest(new ApiErrorResponse(ModelState));
}
int nFailDelay = 3000;
if (string.IsNullOrWhiteSpace(resetcreds.PasswordResetCode) || string.IsNullOrWhiteSpace(resetcreds.Password))
{
//Make a fail wait
await Task.Delay(nFailDelay);
return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
}
//look for user with this reset code
var user = await ct.User.AsNoTracking().Where(z => z.PasswordResetCode == resetcreds.PasswordResetCode).FirstOrDefaultAsync();
if (user == null)
{
//Make a fail wait
await Task.Delay(nFailDelay);
return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
}
//vet the expiry
var utcNow = new DateTimeOffset(DateTime.Now.ToUniversalTime(), TimeSpan.Zero);
if (user.PasswordResetCodeExpire < utcNow.DateTime)
{//if reset code expired before now
//Make a fail wait
await Task.Delay(nFailDelay);
return StatusCode(401, new ApiErrorResponse(ApiErrorCode.NOT_AUTHORIZED, "PasswordResetCodeExpire", "Reset code has expired"));
}
//Ok, were in, it's all good, accept the new password and update the user record
UserBiz biz = UserBiz.GetBiz(ct, HttpContext);
await biz.ChangePasswordAsync(user.Id, resetcreds.Password);
return NoContent();
}
//------------------------------------------------------ //------------------------------------------------------
public class CredentialsParam public class CredentialsParam
@@ -356,5 +403,14 @@ namespace AyaNova.Api.Controllers
} }
public class ResetPasswordParam
{
[System.ComponentModel.DataAnnotations.Required]
public string PasswordResetCode { get; set; }
[System.ComponentModel.DataAnnotations.Required]
public string Password { get; set; }
}
}//eoc }//eoc
}//eons }//eons

71
server/AyaNova/Controllers/UserController.cs
View File

@@ -111,65 +111,6 @@ namespace AyaNova.Api.Controllers
} }
// /// <summary>
// /// Put (update) User
// /// (Login and / or Password are not changed if set to null / omitted)
// /// </summary>
// /// <param name="id"></param>
// /// <param name="inObj"></param>
// /// <returns></returns>
// [HttpPut("{id}")]
// public async Task<IActionResult> PutUser([FromRoute] long id, [FromBody] User inObj)
// {
// if (!serverState.IsOpen)
// return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
// if (!ModelState.IsValid)
// {
// return BadRequest(new ApiErrorResponse(ModelState));
// }
// var o = await ct.User.SingleOrDefaultAsync(z => z.Id == id);
// if (o == null)
// {
// return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
// }
// //Instantiate the business object handler
// UserBiz biz = UserBiz.GetBiz(ct, HttpContext);
// if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
// {
// return StatusCode(403, new ApiNotAuthorizedResponse());
// }
// try
// {
// if (!await biz.PutAsync(o, inObj))
// return BadRequest(new ApiErrorResponse(biz.Errors));
// }
// catch (DbUpdateConcurrencyException)
// {
// if (!UserExists(id))
// {
// return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
// }
// else
// {
// //exists but was changed by another user
// //I considered returning new and old record, but where would it end?
// //Better to let the client decide what to do than to send extra data that is not required
// return StatusCode(409, new ApiErrorResponse(ApiErrorCode.CONCURRENCY_CONFLICT));
// }
// }
// return Ok(ApiOkResponse.Response(new { Concurrency = o.Concurrency }));
// }
/// <summary> /// <summary>
/// Create User /// Create User
/// </summary> /// </summary>
@@ -376,16 +317,16 @@ namespace AyaNova.Api.Controllers
return Ok(ApiOkResponse.Response(u.UserType != UserType.Customer && u.UserType != UserType.HeadOffice)); return Ok(ApiOkResponse.Response(u.UserType != UserType.Customer && u.UserType != UserType.HeadOffice));
} }
/// <summary> /// <summary>
/// Generate new random credentials for User /// Generate time limited password reset code for User
/// and email them to the user /// and email to them
/// ///
/// </summary> /// </summary>
/// <param name="id">User id</param> /// <param name="id">User id</param>
/// <param name="apiVersion">From route path</param> /// <param name="apiVersion">From route path</param>
/// <returns>NoContent</returns> /// <returns>NoContent</returns>
[HttpPost("generate-creds-email/{id}")] [HttpPost("send-reset-code/{id}")]
public async Task<IActionResult> GenerateCredsAndEmailUser([FromRoute] long id, ApiVersion apiVersion) public async Task<IActionResult> SendPasswordResetCode([FromRoute] long id, ApiVersion apiVersion)
{ {
if (!serverState.IsOpen) if (!serverState.IsOpen)
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason)); return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
@@ -394,7 +335,7 @@ namespace AyaNova.Api.Controllers
return StatusCode(403, new ApiNotAuthorizedResponse()); return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid) if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState)); return BadRequest(new ApiErrorResponse(ModelState));
bool successfulOperation=await biz.GenerateCredsAndEmailUser(id); bool successfulOperation = await biz.SendPasswordResetCode(id);
if (successfulOperation == false) if (successfulOperation == false)
return BadRequest(new ApiErrorResponse(biz.Errors)); return BadRequest(new ApiErrorResponse(biz.Errors));
else else

31
server/AyaNova/biz/UserBiz.cs
View File

@@ -311,9 +311,9 @@ namespace AyaNova.Biz
///////////////////////////////////////////// /////////////////////////////////////////////
// GENERATE AND EMAIL CREDS // GENERATE AND EMAIL Password reset code
// //
internal async Task<bool> GenerateCredsAndEmailUser(long userId) internal async Task<bool> SendPasswordResetCode(long userId)
{ {
User dbObject = await ct.User.Include(o => o.UserOptions).FirstOrDefaultAsync(z => z.Id == userId); User dbObject = await ct.User.Include(o => o.UserOptions).FirstOrDefaultAsync(z => z.Id == userId);
if (dbObject == null) if (dbObject == null)
@@ -329,40 +329,35 @@ namespace AyaNova.Biz
var ServerUrl = ServerGlobalOpsSettingsCache.Notify.AyaNovaServerURL; var ServerUrl = ServerGlobalOpsSettingsCache.Notify.AyaNovaServerURL;
if (string.IsNullOrWhiteSpace(ServerUrl)) if (string.IsNullOrWhiteSpace(ServerUrl))
{ {
await NotifyEventProcessor.AddOpsProblemEvent("User::GenerateCredsAndEmailUser - The OPS Notification setting is empty for AyaNova Server URL. This prevents Notification system from linking events to openable objects."); await NotifyEventProcessor.AddOpsProblemEvent("User::SendPasswordResetCode - The OPS Notification setting is empty for AyaNova Server URL. This prevents Notification system from linking events to openable objects.");
AddError(ApiErrorCode.VALIDATION_REQUIRED, "ServerUrl", "Error: no server url configured in notification settings. Can't direct user to server for login. Set server URL and try again."); AddError(ApiErrorCode.VALIDATION_REQUIRED, "ServerUrl", "Error: no server url configured in notification settings. Can't direct user to server for login. Set server URL and try again.");
return false; return false;
} }
var ResetCode = Hasher.GetRandomAlphanumericString(32);
var newPassword = Hasher.GetRandomAlphanumericString(32); dbObject.PasswordResetCode = ResetCode;
var newLogin = Hasher.GetRandomAlphanumericString(32); dbObject.PasswordResetCodeExpire = DateTime.UtcNow.AddHours(67);//This is enough time to issue a reset code on a friday at 5pm and use it Monday before noon
dbObject.Password = Hasher.hash(dbObject.Salt, newPassword);
dbObject.Login = newLogin;
await ct.SaveChangesAsync(); await ct.SaveChangesAsync();
//send message //send message
ServerUrl = ServerUrl.Trim().TrimEnd('/'); ServerUrl = ServerUrl.Trim().TrimEnd('/');
//Translations //Translations
List<string> TransKeysRequired = new List<string>(); List<string> TransKeysRequired = new List<string>();
TransKeysRequired.Add("UserLogin"); TransKeysRequired.Add("PasswordResetMessageBody");
TransKeysRequired.Add("UserPassword"); TransKeysRequired.Add("PasswordResetMessageTitle");
TransKeysRequired.Add("NewCredsMessageBody");
TransKeysRequired.Add("NewCredsMessageTitle");
long EffectiveTranslationId = dbObject.UserOptions.TranslationId; long EffectiveTranslationId = dbObject.UserOptions.TranslationId;
if (EffectiveTranslationId == 0) EffectiveTranslationId = ServerBootConfig.AYANOVA_DEFAULT_TRANSLATION_ID; if (EffectiveTranslationId == 0) EffectiveTranslationId = ServerBootConfig.AYANOVA_DEFAULT_TRANSLATION_ID;
var TransDict = await TranslationBiz.GetSubsetStaticAsync(TransKeysRequired, EffectiveTranslationId); var TransDict = await TranslationBiz.GetSubsetStaticAsync(TransKeysRequired, EffectiveTranslationId);
var Title = TransDict["NewCredsMessageTitle"]; var Title = TransDict["PasswordResetMessageTitle"];
var NewCredsMessage = TransDict["NewCredsMessageBody"]; var MessageBody = TransDict["PasswordResetMessageBody"];
var Creds = $"{TransDict["UserLogin"]}:\n{newLogin}\n{TransDict["UserPassword"]}:\n{newPassword}\n";
IMailer m = AyaNova.Util.ServiceProviderProvider.Mailer; IMailer m = AyaNova.Util.ServiceProviderProvider.Mailer;
await m.SendEmailAsync(dbObject.UserOptions.EmailAddress, Title, $"{NewCredsMessage}{Creds}{ServerUrl}/home-user-settings", ServerGlobalOpsSettingsCache.Notify); await m.SendEmailAsync(dbObject.UserOptions.EmailAddress, Title, $"{MessageBody}{ServerUrl}/reset?{ResetCode}", ServerGlobalOpsSettingsCache.Notify);
//Log modification and save context //Log modification and save context
await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, dbObject.Id, BizType, AyaEvent.Modified, "GeneratedNewCredentialsAndEmailedToUser"), ct); await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, dbObject.Id, BizType, AyaEvent.Modified, "SendPasswordResetCode"), ct);
return true; return true;
} }

5
server/AyaNova/models/User.cs
View File

@@ -60,6 +60,11 @@ namespace AyaNova.Models
[JsonIgnore] [JsonIgnore]
public DateTime? DlKeyExpire { get; set; } public DateTime? DlKeyExpire { get; set; }
[JsonIgnore]
public string PasswordResetCode { get; set; }
[JsonIgnore]
public DateTime? PasswordResetCodeExpire { get; set; }
[Required] [Required]
public AuthorizationRoles Roles { get; set; } public AuthorizationRoles Roles { get; set; }
[Required] [Required]

5
server/AyaNova/resource/en.json
View File

@@ -1951,5 +1951,8 @@
"GeoCapture": "Set to current location", "GeoCapture": "Set to current location",
"GeoView": "View on map", "GeoView": "View on map",
"MapUrlTemplate": "Map URL template", "MapUrlTemplate": "Map URL template",
"Contacts": "Contacts" "Contacts": "Contacts",
"PasswordResetMessageTitle": "PasswordResetMessageTitle",
"PasswordResetMessageBody":"PasswordResetMessageBody"
} }

4
server/AyaNova/util/AySchema.cs
View File

@@ -22,7 +22,7 @@ namespace AyaNova.Util
//!!!!WARNING: BE SURE TO UPDATE THE DbUtil::EmptyBizDataFromDatabaseForSeedingOrImporting WHEN NEW TABLES ADDED!!!! //!!!!WARNING: BE SURE TO UPDATE THE DbUtil::EmptyBizDataFromDatabaseForSeedingOrImporting WHEN NEW TABLES ADDED!!!!
private const int DESIRED_SCHEMA_LEVEL = 15; private const int DESIRED_SCHEMA_LEVEL = 15;
internal const long EXPECTED_COLUMN_COUNT = 448; internal const long EXPECTED_COLUMN_COUNT = 450;
internal const long EXPECTED_INDEX_COUNT = 144; internal const long EXPECTED_INDEX_COUNT = 144;
//!!!!WARNING: BE SURE TO UPDATE THE DbUtil::EmptyBizDataFromDatabaseForSeedingOrImporting WHEN NEW TABLES ADDED!!!! //!!!!WARNING: BE SURE TO UPDATE THE DbUtil::EmptyBizDataFromDatabaseForSeedingOrImporting WHEN NEW TABLES ADDED!!!!
@@ -329,7 +329,7 @@ $BODY$;
//Add user table //Add user table
await ExecQueryAsync("CREATE TABLE auser (id BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY, active bool not null, name text not null unique, " + await ExecQueryAsync("CREATE TABLE auser (id BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY, active bool not null, name text not null unique, " +
"lastlogin timestamp, login text not null unique, password text not null, salt text not null, roles integer not null, currentauthtoken text, " + "lastlogin timestamp, login text not null unique, password text not null, salt text not null, roles integer not null, currentauthtoken text, " +
"dlkey text, dlkeyexpire timestamp, usertype integer not null, employeenumber text, notes text, customerid bigint, " + "dlkey text, dlkeyexpire timestamp, passwordresetcode text, passwordresetcodeexpire timestamp, usertype integer not null, employeenumber text, notes text, customerid bigint, " +
"headofficeid bigint, vendorid bigint, wiki text, customfields text, tags varchar(255) ARRAY)"); "headofficeid bigint, vendorid bigint, wiki text, customfields text, tags varchar(255) ARRAY)");
//Index for name fetching //Index for name fetching