Asp.net-Mvc
防止沒有確認電子郵件的使用者登錄 ASP.NET MVC Web API 身份(OWIN 安全)
我有一個 MVC 和一個 Web API 項目,使用 ASP.NET MVC Web API Identity (OWIN Security) 進行身份驗證。
我在正常工作的功能中添加了一封電子郵件確認,
Register但我不確定如何emailConfirmed = true在登錄之前檢查是否,因為 Web API 標識上沒有顯式登錄功能,它是隱式的。我知道微軟有充分的理由深度封裝授權功能,但沒有辦法實現嗎?
請指教。
這是我的註冊功能:
[AllowAnonymous] [Route("Register")] public async Task<IHttpActionResult> Register(RegisterBindingModel model) { if (!ModelState.IsValid) { return BadRequest(ModelState); } var user = new ApplicationUser() { UserName = model.Email, Email = model.Email }; IdentityResult result = await UserManager.CreateAsync(user, model.Password); if (!result.Succeeded) { return GetErrorResult(result); } try { var code = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id); var callbackUrl = new Uri(Url.Link("ConfirmEmailRoute", new { userId = user.Id, code = code })); var email = new Email(); email.To = user.Email; email.From = "info@mycompany.com"; email.Subject = "Please confirm your account"; email.Body = "Please confirm your account by clicking this link: <a href=\"" + callbackUrl + "\">link</a>"; JsonSerializerSettings settings = new JsonSerializerSettings(); settings.ContractResolver = new CamelCasePropertyNamesContractResolver(); var data = JsonConvert.SerializeObject(email); WebClient client = new WebClient(); client.Headers.Add(HttpRequestHeader.ContentType, "application/json"); var resp = client.UploadString(@"http:...", data); } catch (Exception ex) { throw new Exception(ex.ToString()); } return Ok(); }
經過大量研究,我找到了答案。
我添加了以下程式碼來檢查是否
emailconfirmed = true:var userid = userManager.FindByEmail(context.UserName).Id; if (!userManager.IsEmailConfirmed(userid)) { context.SetError("invalid_grant", "Email registration wasn't confirmed."); return; }到類中的
GrantResourceOwnerCredentials函式ApplicationOAuthProvider.cs(在 Provider 文件夾下)。這是整個函式:
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) { var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>(); ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password); if (user == null) { context.SetError("invalid_grant", "The user name or password is incorrect."); return; } ////Added code here var userid = userManager.FindByEmail(context.UserName).Id; if (!userManager.IsEmailConfirmed(userid)) { context.SetError("invalid_grant", "Email registration wasn't confirmed."); return; } //// ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager, OAuthDefaults.AuthenticationType); ClaimsIdentity cookiesIdentity = await user.GenerateUserIdentityAsync(userManager, CookieAuthenticationDefaults.AuthenticationType); AuthenticationProperties properties = CreateProperties(user.UserName); AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties); context.Validated(ticket); context.Request.Context.Authentication.SignIn(cookiesIdentity); }這非常有效,可以防止使用者在確認註冊電子郵件之前登錄。