diff --git a/EnvelopeGenerator.Application/DTOs/EnvelopeReceiver/EnvelopeReceiverSecretDto.cs b/EnvelopeGenerator.Application/DTOs/EnvelopeReceiver/EnvelopeReceiverSecretDto.cs index ebc529e7..9470766e 100644 --- a/EnvelopeGenerator.Application/DTOs/EnvelopeReceiver/EnvelopeReceiverSecretDto.cs +++ b/EnvelopeGenerator.Application/DTOs/EnvelopeReceiver/EnvelopeReceiverSecretDto.cs @@ -5,7 +5,5 @@ public string? AccessCode { get; init; } public string? PhoneNumber { get; init; } - - public EnvelopeReceiverDto WithoutSecrets => this; } } \ No newline at end of file diff --git a/EnvelopeGenerator.Application/Extensions/MappingExtensions.cs b/EnvelopeGenerator.Application/Extensions/MappingExtensions.cs index 0d7f19c8..d2ebb946 100644 --- a/EnvelopeGenerator.Application/Extensions/MappingExtensions.cs +++ b/EnvelopeGenerator.Application/Extensions/MappingExtensions.cs @@ -1,4 +1,5 @@ -using EnvelopeGenerator.Domain.HttpResponse; +using EnvelopeGenerator.Application.DTOs.EnvelopeReceiver; +using EnvelopeGenerator.Domain.HttpResponse; namespace EnvelopeGenerator.Application.Extensions { diff --git a/EnvelopeGenerator.Web/Controllers/HomeController.cs b/EnvelopeGenerator.Web/Controllers/HomeController.cs index d221bad0..202229c3 100644 --- a/EnvelopeGenerator.Web/Controllers/HomeController.cs +++ b/EnvelopeGenerator.Web/Controllers/HomeController.cs @@ -19,6 +19,7 @@ using Ganss.Xss; using Newtonsoft.Json; using EnvelopeGenerator.Application.DTOs; using DigitalData.Core.Client; +using DevExpress.Utils.About; namespace EnvelopeGenerator.Web.Controllers { 
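Review bot: `using DevExpress.Utils.About;` in HomeController.cs looks like an accidental IDE auto-import: nothing in the visible hunks references that namespace, and the only new type the controller needs is `IEnvelopeReceiverCache`, which presumably lives in an application namespace already imported. Unless a later part of the file uses a type from it, remove the line `using DevExpress.Utils.About;`, since it ties the web controller to a DevExpress assembly for no reason. The rest of the file's using block is outside this hunk, so this is inferred from what is visible here.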
@@ -35,7 +36,9 @@ namespace EnvelopeGenerator.Web.Controllers
 private readonly IEnvelopeMailService _mailService;
 private readonly IEnvelopeReceiverReadOnlyService _readOnlyService;
 private readonly IMessagingService _msgService;
- public HomeController(EnvelopeOldService envelopeOldService, ILogger logger, IEnvelopeReceiverService envelopeReceiverService, IEnvelopeHistoryService historyService, IStringLocalizer localizer, IConfiguration configuration, HtmlSanitizer sanitizer, Cultures cultures, IEnvelopeMailService envelopeMailService, IEnvelopeReceiverReadOnlyService readOnlyService, IMessagingService messagingService)
+ private readonly IEnvelopeReceiverCache _erCache;
+
+ public HomeController(EnvelopeOldService envelopeOldService, ILogger logger, IEnvelopeReceiverService envelopeReceiverService, IEnvelopeHistoryService historyService, IStringLocalizer localizer, IConfiguration configuration, HtmlSanitizer sanitizer, Cultures cultures, IEnvelopeMailService envelopeMailService, IEnvelopeReceiverReadOnlyService readOnlyService, IMessagingService messagingService, IEnvelopeReceiverCache envelopeReceiverCache)
 {
 this.envelopeOldService = envelopeOldService;
 _envRcvService = envelopeReceiverService;
@@ -48,6 +51,7 @@ namespace EnvelopeGenerator.Web.Controllers
 _logger = logger;
 _readOnlyService = readOnlyService;
 _msgService = messagingService;
+ _erCache = envelopeReceiverCache;
 }
 [HttpGet("/")]
@@ -175,20 +179,7 @@ namespace EnvelopeGenerator.Web.Controllers
 return await _envRcvService.ReadWithSecretByUuidSignatureAsync(uuid: uuid, signature: signature).ThenAsync(
 SuccessAsync: async er_secret =>
 {
- //check the access code verification
- if (er_secret.AccessCode != auth.AccessCode)
- {
- //Constants.EnvelopeStatus.AccessCodeIncorrect
- await _historyService.RecordAsync(er_secret.EnvelopeId, er_secret.Receiver!.EmailAddress, Constants.EnvelopeStatus.AccessCodeIncorrect);
- Response.StatusCode = StatusCodes.Status401Unauthorized;
- return View("EnvelopeLocked")
- .WithData("ErrorMessage", _localizer[WebKey.WrongAccessCode].Value);
- }
-
- await _historyService.RecordAsync(er_secret.EnvelopeId, er_secret.Receiver!.EmailAddress, Constants.EnvelopeStatus.AccessCodeCorrect);
-
- //check if the user has phone is added
- if (er_secret.HasPhoneNumber)
+ async Task SendSmsView()
 {
 var res = await _msgService.SendSmsCodeAsync(er_secret.PhoneNumber!, envelopeReceiverId: envelopeReceiverId);
 if (res.Ok)
@@ -203,8 +194,54 @@ namespace EnvelopeGenerator.Web.Controllers
 }
 }
+ if (auth.HasMulti)
+ {
+ Response.StatusCode = StatusCodes.Status401Unauthorized;
+ return View("EnvelopeLocked")
+ .WithData("ErrorMessage", _localizer[WebKey.WrongAccessCode].Value);
+ }
+ else if (auth.HasAccessCode)
+ {
+ //check the access code verification
+ if (er_secret.AccessCode != auth.AccessCode)
+ {
+ //Constants.EnvelopeStatus.AccessCodeIncorrect
+ await _historyService.RecordAsync(er_secret.EnvelopeId, er_secret.Receiver!.EmailAddress, Constants.EnvelopeStatus.AccessCodeIncorrect);
+ Response.StatusCode = StatusCodes.Status401Unauthorized;
+ return View("EnvelopeLocked")
+ .WithData("ErrorMessage", _localizer[WebKey.WrongAccessCode].Value);
+ }
+
+ await _historyService.RecordAsync(er_secret.EnvelopeId, er_secret.Receiver!.EmailAddress, Constants.EnvelopeStatus.AccessCodeCorrect);
+
+ //check if the user has phone is added
+ if (er_secret.HasPhoneNumber)
+ {
+ return await SendSmsView();
+ }
+ }
+ else if (auth.HasSmsCode)
+ {
+ var smsCode = await _erCache.GetSmsCodeAsync(envelopeReceiverId);
+ if (smsCode is null)
+ return RedirectToAction("EnvelopeLocked", new { envelopeReceiverId });
+
+ if(auth.SmsCode != smsCode)
+ {
+ Response.StatusCode = StatusCodes.Status401Unauthorized;
+ ViewData["ErrorMessage"] = _localizer[WebKey.WrongAccessCode].Value;
+ return await SendSmsView();
+ }
+ }
+ else
+ {
+ Response.StatusCode = StatusCodes.Status401Unauthorized;
+ return View("EnvelopeLocked")
+ .WithData("ErrorMessage", _localizer[WebKey.WrongAccessCode].Value);
+ }
+
 //continue the process without important data to minimize security errors.
- var er = er_secret.WithoutSecrets;
+ EnvelopeReceiverDto er = er_secret;
 ViewData["EnvelopeKey"] = envelopeReceiverId;
 //check rejection
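Review bot: `EnvelopeReceiverDto er = er_secret;` at the end of the hunk is only a compile-time upcast, so `er` still refers to the same object that carries `AccessCode` and `PhoneNumber`, and the comment above it ("continue the process without important data") is not true of this line any more than it was of the removed `WithoutSecrets => this`. If anything downstream renders or serializes `er` by its runtime type (Newtonsoft.Json, which this file imports, does so by default), the secrets go with it, so build a fresh `EnvelopeReceiverDto` from `er_secret` that copies only the non-secret members (a mapping in MappingExtensions, which this commit already touches, would be the natural home) and correct or drop the comment. In the `auth.HasSmsCode` branch every wrong code calls `SendSmsView()`, which sends another SMS through `_msgService.SendSmsCodeAsync` and presumably caches a new code, and unlike the access-code branch nothing is recorded through `_historyService`; a wrong SMS code should re-render the locked view without sending again, record an `EnvelopeStatus` entry as the access-code path does, and the cached code should be removed from `_erCache` once it has been accepted so it cannot be reused. Both `er_secret.AccessCode != auth.AccessCode` and `auth.SmsCode != smsCode` are ordinary string comparisons; for verifier-held secrets prefer `CryptographicOperations.FixedTimeEquals` over the UTF-8 bytes of the two values. The enclosing lambda continues past the hunk, and `SendSmsView` is declared in the previous hunk.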