From db83eb90ee0d6a8df0ad2b1d87f4d844147ea5fe Mon Sep 17 00:00:00 2001 From: Developer 02 Date: Mon, 8 Apr 2024 12:53:55 +0200 Subject: [PATCH] Sicherheitsverbesserung: VerifyAccessCode implementiert und Verifizierungscode aus DTO entfernt MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Die VerifyAccessCode-Methode wurde zur Validierung von Zugangscodes hinzugefügt und der Verifizierungscode aus Sicherheitsgründen aus dem DTO entfernt. --- .../Contracts/IEnvelopeReceiverService.cs | 1 + .../Contracts/IEnvelopeService.cs | 2 -- .../DTOs/EnvelopeReceiverDto.cs | 1 - .../Services/EnvelopeReceiverService.cs | 8 ++++++++ .../Entities/EnvelopeReceiver.cs | 8 ++++++++ EnvelopeGenerator.Domain/Entities/Receiver.cs | 2 ++ .../Contracts/IEnvelopeReceiverRepository.cs | 1 + EnvelopeGenerator.Infrastructure/EGDbContext.cs | 12 ++++++++---- .../Repositories/EnvlopeReceiverRepository.cs | 11 +++++++++++ EnvelopeGenerator.Web/Controllers/HomeController.cs | 11 ++++++----- 10 files changed, 45 insertions(+), 12 deletions(-) diff --git a/EnvelopeGenerator.Application/Contracts/IEnvelopeReceiverService.cs b/EnvelopeGenerator.Application/Contracts/IEnvelopeReceiverService.cs index 4240969a..348257e0 100644 --- a/EnvelopeGenerator.Application/Contracts/IEnvelopeReceiverService.cs +++ b/EnvelopeGenerator.Application/Contracts/IEnvelopeReceiverService.cs @@ -7,5 +7,6 @@ namespace EnvelopeGenerator.Application.Contracts { public interface IEnvelopeReceiverService : IBasicCRUDService { + Task VerifyAccessCode(string envelopeUuid, string accessCode); } } \ No newline at end of file diff --git a/EnvelopeGenerator.Application/Contracts/IEnvelopeService.cs b/EnvelopeGenerator.Application/Contracts/IEnvelopeService.cs index 6c56b231..fe3881c0 100644 --- a/EnvelopeGenerator.Application/Contracts/IEnvelopeService.cs +++ b/EnvelopeGenerator.Application/Contracts/IEnvelopeService.cs 
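Review bot: `Task VerifyAccessCode(string envelopeUuid, string accessCode);` carries no XML doc, so an implementer cannot tell from the contract whether an unknown `envelopeUuid` is reported as a failed verification or as an error, nor whether the comparison is case-sensitive; add a `<summary>` stating the outcome for an unknown envelope, `<param>` entries for both arguments and a `<returns>` describing the message. The method also lacks the `Async` suffix used by `ReadByUuidAsync` and `ReadAllWithAsync` in the neighbouring `IEnvelopeService` and accepts no `CancellationToken`. The same naming and documentation gap applies to `ReadAccessCodeByEnvelopeUuid` in `IEnvelopeReceiverRepository` later in this patch.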
@@ -10,7 +10,5 @@ namespace EnvelopeGenerator.Application.Contracts Task>> ReadAllWithAsync(bool documents = false, bool receivers = false, bool history = false, bool documentReceiverElement = false); Task> ReadByUuidAsync(string uuid, bool withDocuments = false, bool withReceivers = false, bool withHistory = false, bool withDocumentReceiverElement = false); - - Task> ReadByEnvelopeKeyAsync(string envelopeKey, bool withDocuments = false, bool withReceivers = false, bool withHistory = false, bool withDocumentReceiverElement = false); } } \ No newline at end of file diff --git a/EnvelopeGenerator.Application/DTOs/EnvelopeReceiverDto.cs b/EnvelopeGenerator.Application/DTOs/EnvelopeReceiverDto.cs index 0701a149..3885af9f 100644 --- a/EnvelopeGenerator.Application/DTOs/EnvelopeReceiverDto.cs +++ b/EnvelopeGenerator.Application/DTOs/EnvelopeReceiverDto.cs @@ -8,7 +8,6 @@ string JobTitle, string CompanyName, string PrivateMessage, - string AccessCode, DateTime AddedWhen, DateTime? ChangedWhen); } \ No newline at end of file diff --git a/EnvelopeGenerator.Application/Services/EnvelopeReceiverService.cs b/EnvelopeGenerator.Application/Services/EnvelopeReceiverService.cs index 31921a24..787ed26f 100644 --- a/EnvelopeGenerator.Application/Services/EnvelopeReceiverService.cs +++ b/EnvelopeGenerator.Application/Services/EnvelopeReceiverService.cs @@ -1,10 +1,12 @@ using AutoMapper; using DigitalData.Core.Application; +using DigitalData.Core.Contracts.Application; using DigitalData.Core.Contracts.CultureServices; using EnvelopeGenerator.Application.Contracts; using EnvelopeGenerator.Application.DTOs; using EnvelopeGenerator.Domain.Entities; using EnvelopeGenerator.Infrastructure.Contracts; +using Microsoft.EntityFrameworkCore; namespace EnvelopeGenerator.Application.Services { 
@@ -14,5 +16,11 @@ namespace EnvelopeGenerator.Application.Services : base(repository, translationService, mapper) { } + + public async Task VerifyAccessCode(string envelopeUuid, string accessCode) + { + var envelopeAccessCode = await _repository.ReadAccessCodeByEnvelopeUuid(envelopeUuid); + return CreateMessage(isSuccess: accessCode == envelopeAccessCode) ; + } } } \ No newline at end of file diff --git a/EnvelopeGenerator.Domain/Entities/EnvelopeReceiver.cs b/EnvelopeGenerator.Domain/Entities/EnvelopeReceiver.cs index 8b546084..6c78bfa5 100644 --- a/EnvelopeGenerator.Domain/Entities/EnvelopeReceiver.cs +++ b/EnvelopeGenerator.Domain/Entities/EnvelopeReceiver.cs @@ -6,9 +6,11 @@ namespace EnvelopeGenerator.Domain.Entities [Table("TBSIG_ENVELOPE_RECEIVER", Schema = "dbo")] public class EnvelopeReceiver { + [Key] [Column("ENVELOPE_ID")] public int EnvelopeId { get; set; } + [Key] [Column("RECEIVER_ID")] public int ReceiverId { get; set; } @@ -37,5 +39,11 @@ namespace EnvelopeGenerator.Domain.Entities [Column("CHANGED_WHEN", TypeName = "datetime")] public DateTime? ChangedWhen { get; set; } + + [ForeignKey("EnvelopeId")] + public Envelope? Envelope { get; set; } + + [ForeignKey("ReceiverId")] + public Receiver? Receiver { get; set; } } } \ No newline at end of file diff --git a/EnvelopeGenerator.Domain/Entities/Receiver.cs b/EnvelopeGenerator.Domain/Entities/Receiver.cs index 193ba895..a447e770 100644 --- a/EnvelopeGenerator.Domain/Entities/Receiver.cs +++ b/EnvelopeGenerator.Domain/Entities/Receiver.cs @@ -22,5 +22,7 @@ namespace EnvelopeGenerator.Domain.Entities [Required] [Column("ADDED_WHEN", TypeName = "datetime")] public DateTime AddedWhen { get; set; } + + public IEnumerable? EnvelopeReceivers { get; set; } } } \ No newline at end of file diff --git a/EnvelopeGenerator.Infrastructure/Contracts/IEnvelopeReceiverRepository.cs b/EnvelopeGenerator.Infrastructure/Contracts/IEnvelopeReceiverRepository.cs index c56e1436..816baf10 100644 
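Review bot: `accessCode == envelopeAccessCode` treats a missing envelope as a successful verification when the submitted code is also absent: `ReadAccessCodeByEnvelopeUuid` ends in `FirstOrDefaultAsync()` and so yields null for an unknown UUID, and the controller's `[FromForm] string access_code` can be null when the form field is omitted, so `null == null` produces `isSuccess: true`. Reject empty input first and compare the codes in constant time, e.g. `if (string.IsNullOrEmpty(accessCode) || string.IsNullOrEmpty(envelopeAccessCode)) return CreateMessage(isSuccess: false);` followed by `var ok = CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(accessCode), Encoding.UTF8.GetBytes(envelopeAccessCode));` and `return CreateMessage(isSuccess: ok);`. String `==` exits at the first differing character, which leaks timing information about the stored code. The class declaration lies outside the hunk.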
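Review bot: Placing `[Key]` on both `EnvelopeId` and `ReceiverId` does not define a composite primary key in EF Core — the `Microsoft.EntityFrameworkCore` usings added elsewhere in this commit indicate EF Core, which rejects a composite key declared through data annotations at model build time and requires the fluent API instead. Configure it in `EGDbContext.OnModelCreating`, next to the relationship mappings this commit comments out, with `modelBuilder.Entity<EnvelopeReceiver>().HasKey(er => new { er.EnvelopeId, er.ReceiverId });` (or the `[PrimaryKey(nameof(EnvelopeId), nameof(ReceiverId))]` type-level attribute on EF Core 7 or later). The string-based `[ForeignKey("EnvelopeId")]` and `[ForeignKey("ReceiverId")]` in the second hunk would be refactor-safe as `[ForeignKey(nameof(EnvelopeId))]` and `[ForeignKey(nameof(ReceiverId))]`. The `EnvelopeReceiver` class is cut by both hunk boundaries.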
--- a/EnvelopeGenerator.Infrastructure/Contracts/IEnvelopeReceiverRepository.cs +++ b/EnvelopeGenerator.Infrastructure/Contracts/IEnvelopeReceiverRepository.cs @@ -5,5 +5,6 @@ namespace EnvelopeGenerator.Infrastructure.Contracts { public interface IEnvelopeReceiverRepository : ICRUDRepository { + Task ReadAccessCodeByEnvelopeUuid(string envelopeUuid); } } \ No newline at end of file diff --git a/EnvelopeGenerator.Infrastructure/EGDbContext.cs b/EnvelopeGenerator.Infrastructure/EGDbContext.cs index f4a4f7ef..eb5c053c 100644 --- a/EnvelopeGenerator.Infrastructure/EGDbContext.cs +++ b/EnvelopeGenerator.Infrastructure/EGDbContext.cs @@ -33,10 +33,10 @@ namespace DigitalData.UserManager.Infrastructure.Repositories .WithOne() .HasForeignKey(ed => ed.EnvelopeId); - modelBuilder.Entity() - .HasMany(e => e.Receivers) - .WithOne() - .HasForeignKey(er => er.EnvelopeId); + //modelBuilder.Entity() + // .HasMany(e => e.Receivers) + // .WithOne(er => er.Envelope) + // .HasForeignKey(er => er.EnvelopeId); modelBuilder.Entity() .HasMany(e => e.History) @@ -53,6 +53,10 @@ namespace DigitalData.UserManager.Infrastructure.Repositories .WithMany(ed => ed.Elements) .HasForeignKey(dre => dre.DocumentId); + //modelBuilder.Entity() + // .HasMany(e => e.EnvelopeReceivers) + // .WithOne(er => er.Receiver) + // .HasForeignKey(er => er.ReceiverId); base.OnModelCreating(modelBuilder); } diff --git a/EnvelopeGenerator.Infrastructure/Repositories/EnvlopeReceiverRepository.cs b/EnvelopeGenerator.Infrastructure/Repositories/EnvlopeReceiverRepository.cs index 90b262bb..0f528f41 100644 --- a/EnvelopeGenerator.Infrastructure/Repositories/EnvlopeReceiverRepository.cs +++ b/EnvelopeGenerator.Infrastructure/Repositories/EnvlopeReceiverRepository.cs 
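Review bot: Both EGDbContext hunks leave relationship configuration behind as commented-out code — the `.HasMany(e => e.Receivers)` mapping in the first hunk is disabled rather than removed, and the `.HasMany(e => e.EnvelopeReceivers)` mapping in the second is added already commented out — so the model now pairs the new `EnvelopeReceiver.Envelope` and `EnvelopeReceiver.Receiver` navigations with their inverses by convention and `[ForeignKey]` alone, and a reader cannot tell which variant is intended. Either delete the dead lines or keep them active with the inverse navigations they already name (`.WithOne(er => er.Envelope)`, `.WithOne(er => er.Receiver)`). If the entity in the first hunk is `Envelope`, as the `Receivers` member suggests, a short comment stating that convention discovery is relied on would at least make the choice deliberate. `OnModelCreating` begins before the first hunk and ends inside the second.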
@@ -2,6 +2,7 @@ using DigitalData.UserManager.Infrastructure.Repositories; using EnvelopeGenerator.Domain.Entities; using EnvelopeGenerator.Infrastructure.Contracts; +using Microsoft.EntityFrameworkCore; namespace EnvelopeGenerator.Infrastructure.Repositories { @@ -10,5 +11,15 @@ namespace EnvelopeGenerator.Infrastructure.Repositories public EnvelopeReceiverRepository(EGDbContext dbContext) : base(dbContext) { } + + public async Task ReadAccessCodeByEnvelopeUuid(string envelopeUuid) + { + var accessCode = await _dbSet + .Where(er => er.Envelope != null && er.Envelope.Uuid == envelopeUuid) + .Select(er => er.AccessCode) + .FirstOrDefaultAsync(); + + return accessCode; + } } } \ No newline at end of file diff --git a/EnvelopeGenerator.Web/Controllers/HomeController.cs b/EnvelopeGenerator.Web/Controllers/HomeController.cs index 23cb4a23..fdced414 100644 --- a/EnvelopeGenerator.Web/Controllers/HomeController.cs +++ b/EnvelopeGenerator.Web/Controllers/HomeController.cs @@ -14,12 +14,12 @@ namespace EnvelopeGenerator.Web.Controllers { private readonly EnvelopeOldService envelopeOldService; private readonly IConfiguration _config; - private readonly IEnvelopeService _envelopeService; + private readonly IEnvelopeReceiverService _envRcvService; - public HomeController(DatabaseService databaseService, EnvelopeOldService envelopeOldService, ILogger logger, IConfiguration configuration, IEnvelopeService envelopeService) : base(databaseService, logger) + public HomeController(DatabaseService databaseService, EnvelopeOldService envelopeOldService, ILogger logger, IConfiguration configuration, IEnvelopeReceiverService envelopeReceiverService) : base(databaseService, logger) { this.envelopeOldService = envelopeOldService; - _envelopeService = envelopeService; + _envRcvService = envelopeReceiverService; _config = configuration; } 
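Review bot: `ReadAccessCodeByEnvelopeUuid` filters only on `er.Envelope.Uuid`, yet `EnvelopeReceiver` is the envelope–receiver join entity (this commit keys it on both `EnvelopeId` and `ReceiverId`), so an envelope with several receivers holds several access codes and `FirstOrDefaultAsync()` without an `OrderBy` returns whichever row the database serves first — a code may then be accepted for a different receiver than the one addressed, or rejected for the right one, depending on row order. The lookup needs the receiver identity as well, which the controller's `envelopeReceiverId.DecodeEnvelopeReceiverId()` appears to carry alongside `EnvelopeUuid`; e.g. `Task<string?> ReadAccessCodeAsync(string envelopeUuid, int receiverId, CancellationToken ct = default)` with `.Where(er => er.ReceiverId == receiverId && er.Envelope != null && er.Envelope.Uuid == envelopeUuid)`. The `er.Envelope != null` test is translated into the SQL and adds nothing the join does not already enforce, and the method lacks the `Async` suffix the surrounding services use. The `EnvelopeReceiverRepository` class declaration is outside the hunk.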
@@ -71,7 +71,8 @@ namespace EnvelopeGenerator.Web.Controllers [HttpPost("/EnvelopeKey/{envelopeReceiverId}/Locked")] public async Task ShowEnvelopePost([FromRoute] string envelopeReceiverId, [FromForm] string access_code) { - var envlopeServiceResult = await _envelopeService.ReadByUuidAsync(envelopeUuid, withDocuments: true, withReceivers: true, withHistory: true, withDocumentReceiverElement:true); + var uuid = envelopeReceiverId.DecodeEnvelopeReceiverId().EnvelopeUuid; + var verification = await _envRcvService.VerifyAccessCode(uuid, access_code); EnvelopeResponse response = await envelopeOldService.LoadEnvelope(envelopeReceiverId); string accessCode = response.Receiver.AccessCode; @@ -85,7 +86,7 @@ namespace EnvelopeGenerator.Web.Controllers { database.Services.actionService.EnterCorrectAccessCode(response.Envelope, response.Receiver); //for history ViewData["EnvelopeKey"] = envelopeReceiverId; - return View("ShowEnvelope", envlopeServiceResult); + return View("ShowEnvelope"); } else {
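Review bot: `verification`, the result of `_envRcvService.VerifyAccessCode(uuid, access_code)`, is never read within the hunk; the next lines still load `response.Receiver.AccessCode` through `envelopeOldService.LoadEnvelope` and the branch that calls `EnterCorrectAccessCode` lies between the two hunks, so as far as the visible code shows the new service does not gate access and the stored code is still pulled into the web layer that the commit set out to keep it away from. The decision should come from the new result, e.g. `if (!verification.IsSuccess) { return View("Locked"); }` — the exact member name depends on the `CreateMessage` return type, which is not visible here — and the `response.Receiver.AccessCode` read should then go. `ShowEnvelopePost`'s body continues past the first hunk, and the second hunk's `return View("ShowEnvelope")` now renders the view without a model, which only holds if the view no longer declares one.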