15 changed files with 100 additions and 52 deletions
+ 2
- 0
Configuration/IdentityServerConfig.cs
View File
| @@ -12,6 +12,7 @@ namespace Teknik.Configuration | |||
| public string ClientSecret { get; set; } | |||
| public List<string> RedirectUris { get; set; } | |||
| public List<string> PostLogoutRedirectUris { get; set; } | |||
| public List<string> AllowedCorsOrigins { get; set; } | |||
| public string APIName { get; set; } | |||
| public string APISecret { get; set; } | |||
| @@ -23,6 +24,7 @@ namespace Teknik.Configuration | |||
| ClientSecret = "mysecret"; | |||
| RedirectUris = new List<string>(); | |||
| PostLogoutRedirectUris = new List<string>(); | |||
| AllowedCorsOrigins = new List<string>(); | |||
| APIName = "api"; | |||
| APISecret = "secret"; | |||
| } | |||
+ 12
- 1
IdentityServer/Controllers/AccountController.cs
View File
| @@ -295,7 +295,18 @@ namespace Teknik.IdentityServer.Controllers | |||
| } | |||
| return View("LoggedOut", vm); | |||
| return RedirectToLocal(model.ReturnURL); | |||
| } | |||
| [HttpOptions] | |||
| public async Task Logout() | |||
| { | |||
| if (User?.Identity.IsAuthenticated == true) | |||
| { | |||
| await _signInManager.SignOutAsync(); | |||
| // raise the logout event | |||
| await _events.RaiseAsync(new UserLogoutSuccessEvent(User.GetSubjectId(), User.GetDisplayName())); | |||
| } | |||
| } | |||
| private IActionResult RedirectToLocal(string returnUrl) | |||
+ 38
- 1
IdentityServer/Controllers/ManageController.cs
View File
| @@ -69,7 +69,7 @@ namespace Teknik.IdentityServer.Controllers | |||
| } | |||
| [HttpPost] | |||
| public async Task<IActionResult> DeleteUser(DeleteUserModel model) | |||
| public async Task<IActionResult> DeleteUser(DeleteUserModel model, [FromServices] ConfigurationDbContext configContext) | |||
| { | |||
| if (string.IsNullOrEmpty(model.Username)) | |||
| return new JsonResult(new { success = false, message = "Username is required" }); | |||
| @@ -77,6 +77,18 @@ namespace Teknik.IdentityServer.Controllers | |||
| var foundUser = await _userManager.FindByNameAsync(model.Username); | |||
| if (foundUser != null) | |||
| { | |||
| // Find this user's clients | |||
| var foundClients = configContext.Clients.Where(c => | |||
| c.Properties.Exists(p => | |||
| p.Key == "username" && | |||
| p.Value.ToLower() == model.Username.ToLower()) | |||
| ).ToList(); | |||
| if (foundClients != null) | |||
| { | |||
| configContext.Clients.RemoveRange(foundClients); | |||
| configContext.SaveChanges(); | |||
| } | |||
| var result = await _userManager.DeleteAsync(foundUser); | |||
| if (result.Succeeded) | |||
| return new JsonResult(new { success = true }); | |||
| @@ -467,6 +479,10 @@ namespace Teknik.IdentityServer.Controllers | |||
| var clientSecret = StringHelper.RandomString(40, "abcdefghjkmnpqrstuvwxyz1234567890"); | |||
| // Generate the origin for the callback | |||
| Uri redirect = new Uri(model.CallbackUrl); | |||
| string origin = redirect.Scheme + "://" + redirect.Host; | |||
| var client = new IdentityServer4.Models.Client | |||
| { | |||
| Properties = new Dictionary<string, string>() | |||
| @@ -495,6 +511,11 @@ namespace Teknik.IdentityServer.Controllers | |||
| model.CallbackUrl | |||
| }, | |||
| AllowedCorsOrigins = | |||
| { | |||
| origin | |||
| }, | |||
| AllowedScopes = model.AllowedScopes, | |||
| AllowOfflineAccess = true | |||
| @@ -530,6 +551,22 @@ namespace Teknik.IdentityServer.Controllers | |||
| newUri.RedirectUri = model.CallbackUrl; | |||
| configContext.Add(newUri); | |||
| // Generate the origin for the callback | |||
| Uri redirect = new Uri(model.CallbackUrl); | |||
| string origin = redirect.Scheme + "://" + redirect.Host; | |||
| // Update the allowed origin for this client | |||
| var corsOrigins = configContext.Set<ClientCorsOrigin>().Where(c => c.ClientId == foundClient.Id).ToList(); | |||
| if (corsOrigins != null) | |||
| { | |||
| configContext.RemoveRange(corsOrigins); | |||
| } | |||
| var newOrigin = new ClientCorsOrigin(); | |||
| newOrigin.Client = foundClient; | |||
| newOrigin.ClientId = foundClient.Id; | |||
| newOrigin.Origin = origin; | |||
| configContext.Add(newUri); | |||
| // Save all the changed | |||
| configContext.SaveChanges(); | |||
+ 7
- 0
IdentityServer/IdentityServer.csproj
View File
| @@ -32,6 +32,13 @@ | |||
| <ProjectReference Include="..\Logging\Logging.csproj" /> | |||
| </ItemGroup> | |||
| <ItemGroup> | |||
| <Content Update="App_Data\Config.json"> | |||
| <CopyToPublishDirectory>Never</CopyToPublishDirectory> | |||
| <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory> | |||
| </Content> | |||
| </ItemGroup> | |||
| <ItemGroup> | |||
| <None Update="Images\favicon.ico"> | |||
| <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory> | |||
+ 8
- 7
IdentityServer/Middleware/CSPMiddleware.cs
View File
| @@ -31,23 +31,24 @@ namespace Teknik.IdentityServer.Middleware | |||
| if (!string.IsNullOrEmpty(host)) | |||
| { | |||
| allowedDomain = host; | |||
| } | |||
| string domain = host.GetDomain(); | |||
| allowedDomain = string.Format("*.{0} {0}", domain); | |||
| } | |||
| var csp = string.Format( | |||
| "default-src 'none'; " + | |||
| "script-src blob: 'unsafe-eval' 'nonce-{1}' {0}; " + | |||
| "default-src 'self'; " + | |||
| "script-src blob: 'unsafe-eval' 'unsafe-inline' {0}; " + | |||
| "style-src 'unsafe-inline' {0}; " + | |||
| "img-src data: *; " + | |||
| "font-src data: {0}; " + | |||
| "connect-src wss: blob: data: {0}; " + | |||
| "media-src *; " + | |||
| "worker-src blob: mediastream: {0}; " + | |||
| "form-action {0}; " + | |||
| "form-action *; " + | |||
| "base-uri {0}; " + | |||
| "frame-ancestors {0};", | |||
| allowedDomain, | |||
| httpContext.Items[Constants.NONCE_KEY]); | |||
| allowedDomain); | |||
| if (!httpContext.Response.Headers.ContainsKey("Content-Security-Policy")) | |||
| { | |||
+ 0
- 8
IdentityServer/Middleware/SecurityHeadersMiddleware.cs
View File
| @@ -35,14 +35,6 @@ namespace Teknik.IdentityServer.Middleware | |||
| // Content Type Options | |||
| headers.Append("X-Content-Type-Options", "nosniff"); | |||
| // Public Key Pinning | |||
| string keys = string.Empty; | |||
| foreach (string key in config.PublicKeys) | |||
| { | |||
| keys += $"pin-sha256=\"{key}\";"; | |||
| } | |||
| headers.Append("Public-Key-Pins", $"max-age=300; includeSubDomains; {keys}"); | |||
| // Referrer Policy | |||
| headers.Append("Referrer-Policy", "no-referrer, strict-origin-when-cross-origin"); | |||
+ 1
- 1
IdentityServer/Properties/PublishProfiles/Teknik Identity Development.pubxml
View File
| @@ -10,7 +10,7 @@ by editing this MSBuild file. In order to learn more about this please visit htt | |||
| <LastUsedPlatform>Any CPU</LastUsedPlatform> | |||
| <SiteUrlToLaunchAfterPublish>https://authdev.teknik.io</SiteUrlToLaunchAfterPublish> | |||
| <LaunchSiteAfterPublish>True</LaunchSiteAfterPublish> | |||
| <ExcludeApp_Data>False</ExcludeApp_Data> | |||
| <ExcludeApp_Data>True</ExcludeApp_Data> | |||
| <TargetFramework>netcoreapp2.1</TargetFramework> | |||
| <ProjectGuid>05842e03-223a-4f43-9e81-d968a9475a97</ProjectGuid> | |||
| <SelfContained>false</SelfContained> | |||
+ 5
- 0
IdentityServer/Startup.cs
View File
| @@ -23,6 +23,7 @@ using Teknik.Logging; | |||
| using Microsoft.AspNetCore.Authorization; | |||
| using Teknik.IdentityServer.Models; | |||
| using IdentityServer4.Services; | |||
| using System.Collections.Generic; | |||
| namespace Teknik.IdentityServer | |||
| { | |||
| @@ -108,6 +109,10 @@ namespace Teknik.IdentityServer | |||
| options.Events.RaiseSuccessEvents = true; | |||
| options.UserInteraction.ErrorUrl = "/Error/IdentityError"; | |||
| options.UserInteraction.ErrorIdParameter = "errorId"; | |||
| options.Cors.CorsPaths.Add(new PathString("/connect/authorize")); | |||
| options.Cors.CorsPaths.Add(new PathString("/connect/endsession")); | |||
| options.Cors.CorsPaths.Add(new PathString("/connect/checksession")); | |||
| options.Cors.CorsPaths.Add(new PathString("/connect/introspect")); | |||
| }) | |||
| .AddOperationalStore(options => | |||
| options.ConfigureDbContext = builder => | |||
+ 4
- 0
Teknik/Areas/User/Controllers/UserController.cs
View File
| @@ -1208,6 +1208,8 @@ namespace Teknik.Areas.Users.Controllers | |||
| return Json(new { error = "You must enter a client name" }); | |||
| if (string.IsNullOrEmpty(callbackUrl)) | |||
| return Json(new { error = "You must enter an authorization callback URL" }); | |||
| if (!callbackUrl.IsValidUrl()) | |||
| return Json(new { error = "Invalid callback URL" }); | |||
| // Validate the code with the identity server | |||
| var result = await IdentityHelper.CreateClient(_config, User.Identity.Name, name, homepageUrl, logoUrl, callbackUrl, "openid", "role", "account-info", "security-info", "teknik-api.read", "teknik-api.write"); | |||
| @@ -1267,6 +1269,8 @@ namespace Teknik.Areas.Users.Controllers | |||
| return Json(new { error = "You must enter a client name" }); | |||
| if (string.IsNullOrEmpty(callbackUrl)) | |||
| return Json(new { error = "You must enter an authorization callback URL" }); | |||
| if (!callbackUrl.IsValidUrl()) | |||
| return Json(new { error = "Invalid callback URL" }); | |||
| Client foundClient = await IdentityHelper.GetClient(_config, User.Identity.Name, clientId); | |||
+ 1
- 3
Teknik/Areas/User/Views/User/Settings/Settings.cshtml
View File
| @@ -42,6 +42,4 @@ | |||
| </div> | |||
| </div> | |||
| } | |||
| </div> | |||
| <bundle src="js/user.settings.min.js" append-version="true"></bundle> | |||
| </div> | |||
+ 0
- 8
Teknik/Middleware/SecurityHeadersMiddleware.cs
View File
| @@ -35,14 +35,6 @@ namespace Teknik.Middleware | |||
| // Content Type Options | |||
| headers.Append("X-Content-Type-Options", "nosniff"); | |||
| // Public Key Pinning | |||
| string keys = string.Empty; | |||
| foreach (string key in config.PublicKeys) | |||
| { | |||
| keys += $"pin-sha256=\"{key}\";"; | |||
| } | |||
| headers.Append("Public-Key-Pins", $"max-age=300; includeSubDomains; {keys}"); | |||
| // Referrer Policy | |||
| headers.Append("Referrer-Policy", "no-referrer, strict-origin-when-cross-origin"); | |||
+ 3
- 3
Teknik/Properties/launchSettings.json
View File
| @@ -3,7 +3,7 @@ | |||
| "windowsAuthentication": false, | |||
| "anonymousAuthentication": true, | |||
| "iisExpress": { | |||
| "applicationUrl": "http://localhost:23818", | |||
| "applicationUrl": "https://localhost:23818", | |||
| "sslPort": 44362 | |||
| } | |||
| }, | |||
| @@ -21,7 +21,7 @@ | |||
| "launchBrowser": true, | |||
| "launchUrl": "?sub=www", | |||
| "environmentVariables": { | |||
| "ASPNETCORE_URLS": "http://localhost:5050", | |||
| "ASPNETCORE_URLS": "https://localhost:5050", | |||
| "ASPNETCORE_ENVIRONMENT": "Development" | |||
| } | |||
| }, | |||
| @@ -30,7 +30,7 @@ | |||
| "launchBrowser": true, | |||
| "launchUrl": "?sub=www", | |||
| "environmentVariables": { | |||
| "ASPNETCORE_URLS": "http://localhost:5050", | |||
| "ASPNETCORE_URLS": "https://localhost:5050", | |||
| "ASPNETCORE_ENVIRONMENT": "Production" | |||
| } | |||
| } | |||
+ 2
- 8
Teknik/Scripts/User/AccountSettings.js
View File
| @@ -44,14 +44,8 @@ $(document).ready(function () { | |||
| type: "POST", | |||
| url: deleteUserURL, | |||
| data: AddAntiForgeryToken({}), | |||
| success: function (response) { | |||
| if (response.result) { | |||
| window.location.replace(homeUrl); | |||
| } | |||
| else { | |||
| $("#top_msg").css('display', 'inline', 'important'); | |||
| $("#top_msg").html('<div class="alert alert-danger alert-dismissable"><button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button>' + parseErrorMessage(response) + '</div>'); | |||
| } | |||
| success: function () { | |||
| window.location.replace(homeUrl); | |||
| }, | |||
| error: function (response) { | |||
| $("#top_msg").css('display', 'inline', 'important'); | |||
+ 5
- 7
Teknik/Startup.cs
View File
| @@ -77,6 +77,11 @@ namespace Teknik | |||
| // Resolve the services from the service provider | |||
| var config = sp.GetService<Config>(); | |||
| if (config.DevEnvironment) | |||
| { | |||
| Environment.EnvironmentName = EnvironmentName.Development; | |||
| } | |||
| // Add Tracking Filter scopes | |||
| //services.AddScoped<TrackDownload>(); | |||
| //services.AddScoped<TrackLink>(); | |||
| @@ -264,13 +269,6 @@ namespace Teknik | |||
| // Use Exception Handling | |||
| app.UseErrorHandler(config); | |||
| if (env.IsDevelopment()) | |||
| { | |||
| app.UseBrowserLink(); | |||
| //app.UseDeveloperExceptionPage(); | |||
| app.UseDatabaseErrorPage(); | |||
| } | |||
| // Performance Monitor the entire request | |||
| app.UsePerformanceMonitor(); | |||
+ 12
- 5
Utilities/UrlExtensions.cs
View File
| @@ -49,12 +49,19 @@ namespace Teknik.Utilities | |||
| // If the param is not being used, we will use the curSub | |||
| if (string.IsNullOrEmpty(subParam)) | |||
| { | |||
| // If we are on dev and no subparam, we need to set the subparam to the specified sub | |||
| subParam = (curSub == "dev") ? sub : string.Empty; | |||
| string firstSub = (curSub == "dev") ? "dev" : sub; | |||
| if (!string.IsNullOrEmpty(firstSub)) | |||
| if (url.ActionContext.HttpContext.Request.IsLocal()) | |||
| { | |||
| domain = firstSub + "." + domain; | |||
| subParam = sub; | |||
| } | |||
| else | |||
| { | |||
| // If we are on dev and no subparam, we need to set the subparam to the specified sub | |||
| subParam = (curSub == "dev") ? sub : string.Empty; | |||
| string firstSub = (curSub == "dev") ? "dev" : sub; | |||
| if (!string.IsNullOrEmpty(firstSub)) | |||
| { | |||
| domain = firstSub + "." + domain; | |||
| } | |||
| } | |||
| } | |||
| else | |||
Loading…