refactor(HomeController): LogInEnvelope aktualisiert, um SMS-Code als TOTP zu verifizieren
This commit is contained in:
Developer 02
@@ -36,11 +36,10 @@ namespace EnvelopeGenerator.Web.Controllers
|
||||
private readonly IEnvelopeMailService _mailService;
|
||||
private readonly IEnvelopeReceiverReadOnlyService _readOnlyService;
|
||||
private readonly IMessagingService _msgService;
|
||||
private readonly IEnvelopeReceiverCache _erCache;
|
||||
private readonly ICodeGenerator _codeGenerator;
|
||||
private readonly IReceiverService _rcvService;
|
||||
|
||||
public HomeController(EnvelopeOldService envelopeOldService, ILogger<HomeController> logger, IEnvelopeReceiverService envelopeReceiverService, IEnvelopeHistoryService historyService, IStringLocalizer<Resource> localizer, IConfiguration configuration, HtmlSanitizer sanitizer, Cultures cultures, IEnvelopeMailService envelopeMailService, IEnvelopeReceiverReadOnlyService readOnlyService, IMessagingService messagingService, IEnvelopeReceiverCache envelopeReceiverCache, ICodeGenerator codeGenerator, IReceiverService receiverService)
|
||||
public HomeController(EnvelopeOldService envelopeOldService, ILogger<HomeController> logger, IEnvelopeReceiverService envelopeReceiverService, IEnvelopeHistoryService historyService, IStringLocalizer<Resource> localizer, IConfiguration configuration, HtmlSanitizer sanitizer, Cultures cultures, IEnvelopeMailService envelopeMailService, IEnvelopeReceiverReadOnlyService readOnlyService, IMessagingService messagingService, ICodeGenerator codeGenerator, IReceiverService receiverService)
|
||||
{
|
||||
this.envelopeOldService = envelopeOldService;
|
||||
_envRcvService = envelopeReceiverService;
|
||||
@@ -53,7 +52,6 @@ namespace EnvelopeGenerator.Web.Controllers
|
||||
_logger = logger;
|
||||
_readOnlyService = readOnlyService;
|
||||
_msgService = messagingService;
|
||||
_erCache = envelopeReceiverCache;
|
||||
_codeGenerator = codeGenerator;
|
||||
_rcvService = receiverService;
|
||||
}
|
||||
@@ -183,153 +181,152 @@ namespace EnvelopeGenerator.Web.Controllers
|
||||
//check access code
|
||||
EnvelopeResponse response = await envelopeOldService.LoadEnvelope(envelopeReceiverId);
|
||||
|
||||
return await _envRcvService.ReadWithSecretByUuidSignatureAsync(uuid: uuid, signature: signature).ThenAsync(
|
||||
SuccessAsync: async er_secret =>
|
||||
var er_secret_res = await _envRcvService.ReadWithSecretByUuidSignatureAsync(uuid: uuid, signature: signature);
|
||||
|
||||
if (er_secret_res.IsFailed)
|
||||
{
|
||||
_logger.LogNotice(er_secret_res.Notices);
|
||||
return this.ViewEnvelopeNotFound();
|
||||
}
|
||||
var er_secret = er_secret_res.Data;
|
||||
|
||||
async Task<IActionResult> TFAView(bool viaSms)
|
||||
{
|
||||
if (viaSms)
|
||||
{
|
||||
//add date time cache
|
||||
var res = await _msgService.SendSmsCodeAsync(er_secret.PhoneNumber!, er_secret.Receiver.TotpSecretkey);
|
||||
if (res.Ok)
|
||||
return View("EnvelopeLocked").WithData("CodeType", "smsCode").WithData("SmsExpiration", res.Expiration);
|
||||
else if (!res.Allowed)
|
||||
return View("EnvelopeLocked").WithData("CodeType", "smsCode").WithData("SmsExpiration", res.AllowedAt);
|
||||
else
|
||||
{
|
||||
async Task<IActionResult> TFAView(bool viaSms)
|
||||
{
|
||||
if (viaSms)
|
||||
{
|
||||
var res = await _msgService.SendSmsCodeAsync(er_secret.PhoneNumber!, envelopeReceiverId: envelopeReceiverId);
|
||||
if (res.Ok)
|
||||
return View("EnvelopeLocked").WithData("CodeType", "smsCode").WithData("SmsExpiration", res.Expiration);
|
||||
else if (!res.Allowed)
|
||||
return View("EnvelopeLocked").WithData("CodeType", "smsCode").WithData("SmsExpiration", res.AllowedAt);
|
||||
else
|
||||
{
|
||||
var res_json = JsonConvert.SerializeObject(res);
|
||||
_logger.LogEnvelopeError(envelopeReceiverId: envelopeReceiverId, message: $"An unexpected error occurred while sending an SMS code. Response: ${res_json}");
|
||||
return this.ViewInnerServiceError();
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
return View("EnvelopeLocked").WithData("CodeType", "authenticatorCode").WithData("QRCodeExpiration", er_secret.Receiver?.TotpExpiration);
|
||||
}
|
||||
}
|
||||
|
||||
if (auth.HasMulti)
|
||||
{
|
||||
Response.StatusCode = StatusCodes.Status401Unauthorized;
|
||||
return View("EnvelopeLocked")
|
||||
.WithData("ErrorMessage", _localizer[WebKey.WrongAccessCode].Value);
|
||||
}
|
||||
else if (auth.HasAccessCode)
|
||||
{
|
||||
//check the access code verification
|
||||
if (er_secret.AccessCode != auth.AccessCode)
|
||||
{
|
||||
//Constants.EnvelopeStatus.AccessCodeIncorrect
|
||||
await _historyService.RecordAsync(er_secret.EnvelopeId, er_secret.Receiver!.EmailAddress, EnvelopeStatus.AccessCodeIncorrect);
|
||||
Response.StatusCode = StatusCodes.Status401Unauthorized;
|
||||
return View("EnvelopeLocked")
|
||||
.WithData("ErrorMessage", _localizer[WebKey.WrongAccessCode].Value);
|
||||
}
|
||||
|
||||
await _historyService.RecordAsync(er_secret.EnvelopeId, er_secret.Receiver!.EmailAddress, EnvelopeStatus.AccessCodeCorrect);
|
||||
|
||||
//check if the user has phone is added
|
||||
if (er_secret.Envelope!.TFAEnabled)
|
||||
{
|
||||
var rcv = er_secret.Receiver;
|
||||
if (rcv.IsTotpSecretInvalid())
|
||||
{
|
||||
rcv.TotpSecretkey = _codeGenerator.GenerateTotpSecretKey();
|
||||
rcv.TotpExpiration = DateTime.Now.AddMonths(1);
|
||||
await _rcvService.UpdateAsync(rcv);
|
||||
await _mailService.SendTFAQrCodeAsync(er_secret);
|
||||
}
|
||||
return await TFAView(auth.UserSelectSMS);
|
||||
}
|
||||
|
||||
}
|
||||
else if (auth.HasSmsCode)
|
||||
{
|
||||
var smsCode = await _erCache.GetSmsCodeAsync(envelopeReceiverId);
|
||||
if (smsCode is null)
|
||||
return RedirectToAction("EnvelopeLocked", new { envelopeReceiverId });
|
||||
|
||||
if(auth.SmsCode != smsCode)
|
||||
{
|
||||
Response.StatusCode = StatusCodes.Status401Unauthorized;
|
||||
ViewData["ErrorMessage"] = _localizer[WebKey.WrongAccessCode].Value;
|
||||
return await TFAView(viaSms: true);
|
||||
}
|
||||
}
|
||||
else if (auth.HasAuthenticatorCode)
|
||||
{
|
||||
if (er_secret.Receiver!.IsTotpInvalid(totp: auth.AuthenticatorCode!))
|
||||
{
|
||||
Response.StatusCode = StatusCodes.Status401Unauthorized;
|
||||
ViewData["ErrorMessage"] = _localizer[WebKey.WrongAccessCode].Value;
|
||||
return await TFAView(viaSms: false);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
Response.StatusCode = StatusCodes.Status401Unauthorized;
|
||||
return View("EnvelopeLocked")
|
||||
.WithData("ErrorMessage", _localizer[WebKey.WrongAccessCode].Value);
|
||||
}
|
||||
|
||||
//continue the process without important data to minimize security errors.
|
||||
EnvelopeReceiverDto er = er_secret;
|
||||
|
||||
ViewData["EnvelopeKey"] = envelopeReceiverId;
|
||||
//check rejection
|
||||
var rejRcvrs = await _historyService.ReadRejectingReceivers(er.Envelope!.Id);
|
||||
if(rejRcvrs.Any())
|
||||
{
|
||||
ViewBag.IsExt = !rejRcvrs.Contains(er.Receiver); //external if the current user is not rejected
|
||||
return View("EnvelopeRejected", er);
|
||||
}
|
||||
|
||||
//check if it has already signed
|
||||
if (await _historyService.IsSigned(envelopeId: er.Envelope!.Id, userReference: er.Receiver!.EmailAddress))
|
||||
return View("EnvelopeSigned");
|
||||
|
||||
if (er.Envelope.Documents?.FirstOrDefault() is EnvelopeDocumentDto doc && doc.ByteData is not null)
|
||||
{
|
||||
ViewData["DocumentBytes"] = doc.ByteData;
|
||||
}
|
||||
else
|
||||
{
|
||||
_logger.LogEnvelopeError(envelopeReceiverId: envelopeReceiverId, message: "No document byte-data was found in ENVELOPE_DOCUMENT table.");
|
||||
return this.ViewDocumentNotFound();
|
||||
}
|
||||
|
||||
var claims = new List<Claim> {
|
||||
new(ClaimTypes.NameIdentifier, uuid),
|
||||
new(ClaimTypes.Hash, signature),
|
||||
new(ClaimTypes.Name, er.Name ?? string.Empty),
|
||||
new(ClaimTypes.Email, er.Receiver.EmailAddress),
|
||||
new(EnvelopeClaimTypes.Title, er.Envelope.Title),
|
||||
new(EnvelopeClaimTypes.Id, er.Envelope.Id.ToString())
|
||||
};
|
||||
|
||||
var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
|
||||
var authProperties = new AuthenticationProperties
|
||||
{
|
||||
AllowRefresh = false,
|
||||
IsPersistent = false
|
||||
};
|
||||
|
||||
await HttpContext.SignInAsync(
|
||||
CookieAuthenticationDefaults.AuthenticationScheme,
|
||||
new ClaimsPrincipal(claimsIdentity),
|
||||
authProperties);
|
||||
|
||||
//add PSPDFKit licence key
|
||||
ViewData["PSPDFKitLicenseKey"] = _configuration["PSPDFKitLicenseKey"];
|
||||
|
||||
return View("ShowEnvelope", er);
|
||||
},
|
||||
Fail: (messages, notices) =>
|
||||
{
|
||||
_logger.LogNotice(notices);
|
||||
return this.ViewEnvelopeNotFound();
|
||||
var res_json = JsonConvert.SerializeObject(res);
|
||||
_logger.LogEnvelopeError(envelopeReceiverId: envelopeReceiverId, message: $"An unexpected error occurred while sending an SMS code. Response: ${res_json}");
|
||||
return this.ViewInnerServiceError();
|
||||
}
|
||||
);
|
||||
}
|
||||
else
|
||||
{
|
||||
return View("EnvelopeLocked").WithData("CodeType", "authenticatorCode").WithData("QRCodeExpiration", er_secret.Receiver?.TotpExpiration);
|
||||
}
|
||||
}
|
||||
|
||||
if (auth.HasMulti)
|
||||
{
|
||||
Response.StatusCode = StatusCodes.Status401Unauthorized;
|
||||
return View("EnvelopeLocked")
|
||||
.WithData("ErrorMessage", _localizer[WebKey.WrongAccessCode].Value);
|
||||
}
|
||||
else if (auth.HasAccessCode)
|
||||
{
|
||||
//check the access code verification
|
||||
if (er_secret.AccessCode != auth.AccessCode)
|
||||
{
|
||||
//Constants.EnvelopeStatus.AccessCodeIncorrect
|
||||
await _historyService.RecordAsync(er_secret.EnvelopeId, er_secret.Receiver!.EmailAddress, EnvelopeStatus.AccessCodeIncorrect);
|
||||
Response.StatusCode = StatusCodes.Status401Unauthorized;
|
||||
return View("EnvelopeLocked")
|
||||
.WithData("ErrorMessage", _localizer[WebKey.WrongAccessCode].Value);
|
||||
}
|
||||
|
||||
await _historyService.RecordAsync(er_secret.EnvelopeId, er_secret.Receiver!.EmailAddress, EnvelopeStatus.AccessCodeCorrect);
|
||||
|
||||
//check if the user has phone is added
|
||||
if (er_secret.Envelope!.TFAEnabled)
|
||||
{
|
||||
var rcv = er_secret.Receiver;
|
||||
if (rcv.IsTotpSecretInvalid())
|
||||
{
|
||||
rcv.TotpSecretkey = _codeGenerator.GenerateTotpSecretKey();
|
||||
rcv.TotpExpiration = DateTime.Now.AddMonths(1);
|
||||
await _rcvService.UpdateAsync(rcv);
|
||||
await _mailService.SendTFAQrCodeAsync(er_secret);
|
||||
}
|
||||
return await TFAView(auth.UserSelectSMS);
|
||||
}
|
||||
|
||||
}
|
||||
else if (auth.HasSmsCode)
|
||||
{
|
||||
if (er_secret.Receiver!.TotpSecretkey is null)
|
||||
throw new InvalidOperationException($"TotpSecretkey of DTO cannot validate without TotpSecretkey. Dto: {JsonConvert.SerializeObject(er_secret)}");
|
||||
|
||||
if (_codeGenerator.VerifyTotp(auth.SmsCode!, er_secret.Receiver.TotpSecretkey, step: 60 * 5))
|
||||
{
|
||||
Response.StatusCode = StatusCodes.Status401Unauthorized;
|
||||
ViewData["ErrorMessage"] = _localizer[WebKey.WrongAccessCode].Value;
|
||||
return await TFAView(viaSms: true);
|
||||
}
|
||||
}
|
||||
else if (auth.HasAuthenticatorCode)
|
||||
{
|
||||
if (er_secret.Receiver!.IsTotpInvalid(totp: auth.AuthenticatorCode!))
|
||||
{
|
||||
Response.StatusCode = StatusCodes.Status401Unauthorized;
|
||||
ViewData["ErrorMessage"] = _localizer[WebKey.WrongAccessCode].Value;
|
||||
return await TFAView(viaSms: false);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
Response.StatusCode = StatusCodes.Status401Unauthorized;
|
||||
return View("EnvelopeLocked")
|
||||
.WithData("ErrorMessage", _localizer[WebKey.WrongAccessCode].Value);
|
||||
}
|
||||
|
||||
//continue the process without important data to minimize security errors.
|
||||
EnvelopeReceiverDto er = er_secret;
|
||||
|
||||
ViewData["EnvelopeKey"] = envelopeReceiverId;
|
||||
//check rejection
|
||||
var rejRcvrs = await _historyService.ReadRejectingReceivers(er.Envelope!.Id);
|
||||
if(rejRcvrs.Any())
|
||||
{
|
||||
ViewBag.IsExt = !rejRcvrs.Contains(er.Receiver); //external if the current user is not rejected
|
||||
return View("EnvelopeRejected", er);
|
||||
}
|
||||
|
||||
//check if it has already signed
|
||||
if (await _historyService.IsSigned(envelopeId: er.Envelope!.Id, userReference: er.Receiver!.EmailAddress))
|
||||
return View("EnvelopeSigned");
|
||||
|
||||
if (er.Envelope.Documents?.FirstOrDefault() is EnvelopeDocumentDto doc && doc.ByteData is not null)
|
||||
{
|
||||
ViewData["DocumentBytes"] = doc.ByteData;
|
||||
}
|
||||
else
|
||||
{
|
||||
_logger.LogEnvelopeError(envelopeReceiverId: envelopeReceiverId, message: "No document byte-data was found in ENVELOPE_DOCUMENT table.");
|
||||
return this.ViewDocumentNotFound();
|
||||
}
|
||||
|
||||
var claims = new List<Claim> {
|
||||
new(ClaimTypes.NameIdentifier, uuid),
|
||||
new(ClaimTypes.Hash, signature),
|
||||
new(ClaimTypes.Name, er.Name ?? string.Empty),
|
||||
new(ClaimTypes.Email, er.Receiver.EmailAddress),
|
||||
new(EnvelopeClaimTypes.Title, er.Envelope.Title),
|
||||
new(EnvelopeClaimTypes.Id, er.Envelope.Id.ToString())
|
||||
};
|
||||
|
||||
var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
|
||||
var authProperties = new AuthenticationProperties
|
||||
{
|
||||
AllowRefresh = false,
|
||||
IsPersistent = false
|
||||
};
|
||||
|
||||
await HttpContext.SignInAsync(
|
||||
CookieAuthenticationDefaults.AuthenticationScheme,
|
||||
new ClaimsPrincipal(claimsIdentity),
|
||||
authProperties);
|
||||
|
||||
//add PSPDFKit licence key
|
||||
ViewData["PSPDFKitLicenseKey"] = _configuration["PSPDFKitLicenseKey"];
|
||||
|
||||
return View("ShowEnvelope", er);
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user