Add support for CredentialsAuthValidator.SkipPasswordVerificationForPrivateRequests to allow private requests to auth without a password

mythz · mythz · commit 35c721e244ae · 2015-05-28T16:57:08.000+08:00
diff --git a/src/ServiceStack/Auth/CredentialsAuthProvider.cs b/src/ServiceStack/Auth/CredentialsAuthProvider.cs
@@ -18,9 +18,19 @@ public CredentialsAuthValidator()
             }
         }
 
+        private class PrivateAuthValidator : AbstractValidator<Authenticate>
+        {
+            public PrivateAuthValidator()
+            {
+                RuleFor(x => x.UserName).NotEmpty();
+            }
+        }
+
         public static string Name = AuthenticateService.CredentialsProvider;
         public static string Realm = "/auth/" + AuthenticateService.CredentialsProvider;
 
+        public bool SkipPasswordVerificationForPrivateRequests { get; set; }
+
         public CredentialsAuthProvider()
         {
             Provider = Name;
@@ -44,20 +54,25 @@ public virtual bool TryAuthenticate(IServiceBase authService, string userName, s
                 if (IsAccountLocked(authRepo, userAuth))
                     throw new AuthenticationException("This account has been locked");
 
-                var holdSessionId = session.Id;
-                session.PopulateWith(userAuth); //overwrites session.Id
-                session.Id = holdSessionId;
-                session.IsAuthenticated = true;
-                session.UserAuthId = userAuth.Id.ToString(CultureInfo.InvariantCulture);
-                session.ProviderOAuthAccess = authRepo.GetUserAuthDetails(session.UserAuthId)
-                    .ConvertAll(x => (IAuthTokens)x);
+                PopulateSession(authRepo, userAuth, session);
 
                 return true;
             }
 
             return false;
         }
 
+        private static void PopulateSession(IUserAuthRepository authRepo, IUserAuth userAuth, IAuthSession session)
+        {
+            var holdSessionId = session.Id;
+            session.PopulateWith(userAuth); //overwrites session.Id
+            session.Id = holdSessionId;
+            session.IsAuthenticated = true;
+            session.UserAuthId = userAuth.Id.ToString(CultureInfo.InvariantCulture);
+            session.ProviderOAuthAccess = authRepo.GetUserAuthDetails(session.UserAuthId)
+                .ConvertAll(x => (IAuthTokens) x);
+        }
+
         public override bool IsAuthorized(IAuthSession session, IAuthTokens tokens, Authenticate request = null)
         {
             if (request != null)
@@ -73,6 +88,12 @@ public override bool IsAuthorized(IAuthSession session, IAuthTokens tokens, Auth
 
         public override object Authenticate(IServiceBase authService, IAuthSession session, Authenticate request)
         {
+            if (SkipPasswordVerificationForPrivateRequests && authService.Request.IsPrivateRequest())
+            {
+                new PrivateAuthValidator().ValidateAndThrow(request);
+                return AuthenticatePrivateRequest(authService, session, request.UserName, request.Password, request.Continue);
+            }
+            
             new CredentialsAuthValidator().ValidateAndThrow(request);
             return Authenticate(authService, session, request.UserName, request.Password, request.Continue);
         }
@@ -115,6 +136,38 @@ protected object Authenticate(IServiceBase authService, IAuthSession session, st
             throw HttpError.Unauthorized(ErrorMessages.InvalidUsernameOrPassword);
         }
 
+        protected object AuthenticatePrivateRequest(
+            IServiceBase authService, IAuthSession session, string userName, string password, string referrerUrl)
+        {
+            var authRepo = authService.TryResolve<IAuthRepository>().AsUserAuthRepository(authService.GetResolver());
+
+            var userAuth = authRepo.GetUserAuthByUserName(userName);
+            if (userAuth == null)
+                throw HttpError.Unauthorized(ErrorMessages.InvalidUsernameOrPassword);
+
+            if (IsAccountLocked(authRepo, userAuth))
+                throw new AuthenticationException("This account has been locked");
+
+            PopulateSession(authRepo, userAuth, session);
+
+            session.IsAuthenticated = true;
+
+            if (session.UserAuthName == null)
+                session.UserAuthName = userName;
+
+            var response = OnAuthenticated(authService, session, null, null);
+            if (response != null)
+                return response;
+
+            return new AuthenticateResponse
+            {
+                UserId = session.UserAuthId,
+                UserName = userName,
+                SessionId = session.Id,
+                ReferrerUrl = referrerUrl
+            };
+        }
+
         public override IHttpResult OnAuthenticated(IServiceBase authService, IAuthSession session, IAuthTokens tokens, Dictionary<string, string> authInfo)
         {
             var userSession = session as AuthUserSession;
diff --git a/src/ServiceStack/HostContext.cs b/src/ServiceStack/HostContext.cs
@@ -335,31 +335,34 @@ public static void RaiseUncaughtException(IRequest httpReq, IResponse httpRes, s
         /// </summary>
         public static T ResolveService<T>(HttpContextBase httpCtx=null) where T : class, IRequiresRequest
         {
-            var service = AssertAppHost().Container.Resolve<T>();
-            if (service == null) return null;
-            service.Request = httpCtx != null ? httpCtx.ToRequest() : GetCurrentRequest();
-            return service;
+            var httpReq = httpCtx != null ? httpCtx.ToRequest() : GetCurrentRequest();
+            return ResolveService(httpReq, AssertAppHost().Container.Resolve<T>());
         }
 
         /// <summary>
         /// Resolves and auto-wires a ServiceStack Service from a HttpListenerContext.
         /// </summary>
         public static T ResolveService<T>(HttpListenerContext httpCtx) where T : class, IRequiresRequest
         {
-            var service = AssertAppHost().Container.Resolve<T>();
-            if (service == null) return null;
-            service.Request = httpCtx.ToRequest();
-            return service;
+            return ResolveService(httpCtx.ToRequest(), AssertAppHost().Container.Resolve<T>());
         }
 
         /// <summary>
         /// Resolves and auto-wires a ServiceStack Service.
         /// </summary>
         public static T ResolveService<T>(IHttpRequest httpReq) where T : class, IRequiresRequest
         {
-            var service = AssertAppHost().Container.Resolve<T>();
-            if (service == null) return null;
-            service.Request = httpReq;
+            return ResolveService(httpReq, AssertAppHost().Container.Resolve<T>());
+        }
+
+        public static T ResolveService<T>(IRequest httpReq, T service)
+        {
+            var hasRequest = service as IRequiresRequest;
+            if (hasRequest != null)
+            {
+                httpReq.SetPrivateRequest();
+                hasRequest.Request = httpReq;
+            }
             return service;
         }
 
diff --git a/src/ServiceStack/Service.cs b/src/ServiceStack/Service.cs
@@ -39,12 +39,7 @@ public virtual T TryResolve<T>()
         public virtual T ResolveService<T>()
         {
             var service = TryResolve<T>();
-            var requiresContext = service as IRequiresRequest;
-            if (requiresContext != null)
-            {
-                requiresContext.Request = this.Request;
-            }
-            return service;
+            return HostContext.ResolveService(this.Request, service);
         }
 
         public object ExecuteRequest(object requestDto)
@@ -166,6 +161,8 @@ public virtual void Dispose()
                 messageProducer.Dispose();
 
             RequestContext.Instance.ReleaseDisposables();
+
+            Request.ReleaseIfPrivateRequest();
         }
     }
 
diff --git a/src/ServiceStack/ServiceStackProvider.cs b/src/ServiceStack/ServiceStackProvider.cs
@@ -137,12 +137,7 @@ public virtual T TryResolve<T>()
         public virtual T ResolveService<T>()
         {
             var service = TryResolve<T>();
-            var requiresContext = service as IRequiresRequest;
-            if (requiresContext != null)
-            {
-                requiresContext.Request = Request;
-            }
-            return service;
+            return HostContext.ResolveService(Request, service);
         }
 
         public object Execute(object requestDto)
diff --git a/tests/ServiceStack.AuthWeb.Tests/AppHost.cs b/tests/ServiceStack.AuthWeb.Tests/AppHost.cs
@@ -108,7 +108,9 @@ private void ConfigureAuth(Container container)
                     //    LoadUserAuthFilter = LoadUserAuthInfo,
                     //    AllowAllWindowsAuthUsers = true
                     //}, 
-                    new CredentialsAuthProvider(),        //HTML Form post of UserName/Password credentials
+                    new CredentialsAuthProvider {  //HTML Form post of UserName/Password credentials
+                        SkipPasswordVerificationForPrivateRequests = true,
+                    },        
                     new TwitterAuthProvider(appSettings),       //Sign-in with Twitter
                     new FacebookAuthProvider(appSettings),      //Sign-in with Facebook
                     new DigestAuthProvider(appSettings),        //Sign-in with Digest Auth
@@ -287,6 +289,26 @@ public override object Authenticate(IServiceBase authService, IAuthSession sessi
         }
     }
 
+    [Route("/privateauth")]
+    public class PrivateAuth
+    {
+        public string UserName { get; set; }
+    }
+
+    public class PrivateAuthService : Service
+    {
+        public object Any(PrivateAuth request)
+        {
+            using (var service = base.ResolveService<AuthenticateService>())
+            {
+                return service.Post(new Authenticate {
+                    provider = AuthenticateService.CredentialsProvider,
+                    UserName = request.UserName,
+                });
+            }
+        }
+    }
+
     //Provide extra validation for the registration process
     public class CustomRegisterPlugin : IPlugin
     {
diff --git a/tests/ServiceStack.AuthWeb.Tests/default.cshtml b/tests/ServiceStack.AuthWeb.Tests/default.cshtml
@@ -117,6 +117,12 @@
         <input type="submit"/>
     </form>
     
+    <h3>Private Auth</h3>
+    <form action="/privateauth">
+        <input type="text" name="Username" value="demis.bellot@gmail.com"/>
+        <input type="submit"/>
+    </form>
+    
     <h3>Register New User</h3>
     <form action="/register" method="POST">
         <input type="text" name="Username"  placeholder="UserName"  value="NewUser"/>

Original file line number	Diff line number	Diff line change
`@@ -39,12 +39,7 @@ public virtual T TryResolve<T>()`
`39`	`39`	`public virtual T ResolveService<T>()`
`40`	`40`	`{`
`41`	`41`	`var service = TryResolve<T>();`
`42`		`- var requiresContext = service as IRequiresRequest;`
`43`		`- if (requiresContext != null)`
`44`		`- {`
`45`		`- requiresContext.Request = this.Request;`
`46`		`- }`
`47`		`- return service;`
	`42`	`+ return HostContext.ResolveService(this.Request, service);`
`48`	`43`	`}`
`49`	`44`
`50`	`45`	`public object ExecuteRequest(object requestDto)`
`@@ -166,6 +161,8 @@ public virtual void Dispose()`
`166`	`161`	`messageProducer.Dispose();`
`167`	`162`
`168`	`163`	`RequestContext.Instance.ReleaseDisposables();`
	`164`	`+`
	`165`	`+ Request.ReleaseIfPrivateRequest();`
`169`	`166`	`}`
`170`	`167`	`}`
`171`	`168`
Original file line number	Diff line number	Diff line change
`@@ -137,12 +137,7 @@ public virtual T TryResolve<T>()`
`137`	`137`	`public virtual T ResolveService<T>()`
`138`	`138`	`{`
`139`	`139`	`var service = TryResolve<T>();`
`140`		`- var requiresContext = service as IRequiresRequest;`
`141`		`- if (requiresContext != null)`
`142`		`- {`
`143`		`- requiresContext.Request = Request;`
`144`		`- }`
`145`		`- return service;`
	`140`	`+ return HostContext.ResolveService(Request, service);`
`146`	`141`	`}`
`147`	`142`
`148`	`143`	`public object Execute(object requestDto)`