mirror/aliasvault
1
0
Fork 0
mirror of https://github.com/aliasvault/aliasvault.git synced 2026-03-22 16:43:24 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #176 from lanedirt/174-make-emailusername-on-login-case-insensitive

Browse Source 
Change email to username for main user authentication
This commit is contained in:
Leendert de Borst
2024-08-19 14:41:41 -07:00
committed by GitHub
parent 18978b94be 65342a2a8d
commit 75b22cfddf
12 changed files with 78 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/AliasVault.Admin/AliasVault.Admin.csproj
View File

@@ -6,6 +6,7 @@
<ImplicitUsings>enable</ImplicitUsings>
<UserSecretsId>aspnet-AliasVault.Admin-1DAADE35-C01B-43BB-B440-AA5E1E0B672D</UserSecretsId>
<DockerDefaultTargetOS>Linux</DockerDefaultTargetOS>
<NoWarn>1701;1702;NU1900</NoWarn>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)' == 'Debug' ">

5
src/AliasVault.Admin/Main/Pages/Users/Users.razor
View File

@@ -105,8 +105,7 @@ else
if (SearchTerm.Length > 0)
{
query = query.Where(x => EF.Functions.Like(x.UserName!.ToLower(), "%" + SearchTerm.ToLower() + "%") ||
EF.Functions.Like(x.Email!.ToLower(), "%" + SearchTerm.ToLower() + "%"));
query = query.Where(x => EF.Functions.Like(x.UserName!.ToLower(), "%" + SearchTerm.ToLower() + "%"));
}
TotalRecords = await query.CountAsync();
@@ -140,7 +139,7 @@ else
VaultCount = user.Vaults.Count(),
EmailClaimCount = user.EmailClaims.Count(),
VaultStorageInKb = user.Vaults.Sum(x => x.FileSize),
LastVaultUpdate = user.Vaults.Max(x => x.CreatedAt),
LastVaultUpdate = user.Vaults.Any() ? user.Vaults.Max(x => x.CreatedAt) : user.CreatedAt,
}).ToList();
IsLoading = false;

33
src/AliasVault.Api/Controllers/AuthController.cs
View File

@@ -39,9 +39,9 @@ using Microsoft.IdentityModel.Tokens;
public class AuthController(IDbContextFactory<AliasServerDbContext> dbContextFactory, UserManager<AliasVaultUser> userManager, SignInManager<AliasVaultUser> signInManager, IConfiguration configuration, IMemoryCache cache, ITimeProvider timeProvider) : ControllerBase
{
/// <summary>
/// Error message for invalid email or password.
/// Error message for invalid username or password.
/// </summary>
public static readonly string[] InvalidEmailOrPasswordError = ["Invalid email or password. Please try again."];
public static readonly string[] InvalidUsernameOrPasswordError = ["Invalid username or password. Please try again."];
/// <summary>
/// Login endpoint used to process login attempt using credentials.
@@ -51,17 +51,17 @@ public class AuthController(IDbContextFactory<AliasServerDbContext> dbContextFac
[HttpPost("login")]
public async Task<IActionResult> Login([FromBody] LoginRequest model)
{
var user = await userManager.FindByEmailAsync(model.Email);
var user = await userManager.FindByNameAsync(model.Username);
if (user == null)
{
return BadRequest(ServerValidationErrorResponse.Create(InvalidEmailOrPasswordError, 400));
return BadRequest(ServerValidationErrorResponse.Create(InvalidUsernameOrPasswordError, 400));
}
// Server creates ephemeral and sends to client
var ephemeral = Cryptography.Srp.GenerateEphemeralServer(user.Verifier);
// Store the server ephemeral in memory cache for Validate() endpoint to use.
cache.Set(model.Email, ephemeral.Secret, TimeSpan.FromMinutes(5));
cache.Set(model.Username, ephemeral.Secret, TimeSpan.FromMinutes(5));
return Ok(new LoginResponse(user.Salt, ephemeral.Public));
}
@@ -74,15 +74,15 @@ public class AuthController(IDbContextFactory<AliasServerDbContext> dbContextFac
[HttpPost("validate")]
public async Task<IActionResult> Validate([FromBody] ValidateLoginRequest model)
{
var user = await userManager.FindByEmailAsync(model.Email);
var user = await userManager.FindByNameAsync(model.Username);
if (user == null)
{
return BadRequest(ServerValidationErrorResponse.Create(InvalidEmailOrPasswordError, 400));
return BadRequest(ServerValidationErrorResponse.Create(InvalidUsernameOrPasswordError, 400));
}
if (!cache.TryGetValue(model.Email, out var serverSecretEphemeral) || serverSecretEphemeral is not string)
if (!cache.TryGetValue(model.Username, out var serverSecretEphemeral) || serverSecretEphemeral is not string)
{
return BadRequest(ServerValidationErrorResponse.Create(InvalidEmailOrPasswordError, 400));
return BadRequest(ServerValidationErrorResponse.Create(InvalidUsernameOrPasswordError, 400));
}
try
@@ -91,7 +91,7 @@ public class AuthController(IDbContextFactory<AliasServerDbContext> dbContextFac
serverSecretEphemeral.ToString() ?? string.Empty,
model.ClientPublicEphemeral,
user.Salt,
model.Email,
model.Username,
user.Verifier,
model.ClientSessionProof);
@@ -103,7 +103,7 @@ public class AuthController(IDbContextFactory<AliasServerDbContext> dbContextFac
}
catch
{
return BadRequest(ServerValidationErrorResponse.Create(InvalidEmailOrPasswordError, 400));
return BadRequest(ServerValidationErrorResponse.Create(InvalidUsernameOrPasswordError, 400));
}
}
@@ -120,13 +120,13 @@ public class AuthController(IDbContextFactory<AliasServerDbContext> dbContextFac
var principal = GetPrincipalFromExpiredToken(tokenModel.Token);
if (principal.FindFirst(ClaimTypes.NameIdentifier)?.Value == null)
{
return Unauthorized("User not found (email-1)");
return Unauthorized("User not found (name-1)");
}
var user = await userManager.FindByIdAsync(principal.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? string.Empty);
if (user == null)
{
return Unauthorized("User not found (email-2)");
return Unauthorized("User not found (name-2)");
}
// Check if the refresh token is valid.
@@ -172,13 +172,13 @@ public class AuthController(IDbContextFactory<AliasServerDbContext> dbContextFac
var principal = GetPrincipalFromExpiredToken(model.Token);
if (principal.FindFirst(ClaimTypes.NameIdentifier)?.Value == null)
{
return Unauthorized("User not found (email-1)");
return Unauthorized("User not found (name-1)");
}
var user = await userManager.FindByIdAsync(principal.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? string.Empty);
if (user == null)
{
return Unauthorized("User not found (email-2)");
return Unauthorized("User not found (name-2)");
}
// Check if the refresh token is valid.
@@ -204,7 +204,7 @@ public class AuthController(IDbContextFactory<AliasServerDbContext> dbContextFac
[HttpPost("register")]
public async Task<IActionResult> Register([FromBody] SrpSignup model)
{
var user = new AliasVaultUser { UserName = model.Email, Email = model.Email, Salt = model.Salt, Verifier = model.Verifier, CreatedAt = DateTime.UtcNow, UpdatedAt = DateTime.UtcNow };
var user = new AliasVaultUser { UserName = model.Username, Salt = model.Salt, Verifier = model.Verifier, CreatedAt = DateTime.UtcNow, UpdatedAt = DateTime.UtcNow };
var result = await userManager.CreateAsync(user);
if (result.Succeeded)
@@ -310,7 +310,6 @@ public class AuthController(IDbContextFactory<AliasServerDbContext> dbContextFac
{
new(ClaimTypes.NameIdentifier, user.Id),
new(ClaimTypes.Name, user.UserName ?? string.Empty),
new(ClaimTypes.Email, user.Email ?? string.Empty),
new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
};

15
src/AliasVault.Client/Auth/Pages/Base/LoginBase.cs
View File

@@ -97,13 +97,16 @@ public class LoginBase : OwningComponentBase
/// <summary>
/// Gets the username from the authentication state asynchronously.
/// </summary>
/// <param name="email">Email address.</param>
/// <param name="username">Username.</param>
/// <param name="password">Password.</param>
/// <returns>List of errors if something went wrong.</returns>
protected async Task<List<string>> ProcessLoginAsync(string email, string password)
protected async Task<List<string>> ProcessLoginAsync(string username, string password)
{
// Sanitize username
username = username.ToLowerInvariant().Trim();
// Send request to server with email to get server ephemeral public key.
var result = await Http.PostAsJsonAsync("api/v1/Auth/login", new LoginRequest(email));
var result = await Http.PostAsJsonAsync("api/v1/Auth/login", new LoginRequest(username));
var responseContent = await result.Content.ReadAsStringAsync();
if (!result.IsSuccessStatusCode)
@@ -125,16 +128,16 @@ public class LoginBase : OwningComponentBase
var passwordHashString = BitConverter.ToString(passwordHash).Replace("-", string.Empty);
var clientEphemeral = Srp.GenerateEphemeralClient();
var privateKey = Srp.DerivePrivateKey(loginResponse.Salt, email, passwordHashString);
var privateKey = Srp.DerivePrivateKey(loginResponse.Salt, username, passwordHashString);
var clientSession = Srp.DeriveSessionClient(
privateKey,
clientEphemeral.Secret,
loginResponse.ServerEphemeral,
loginResponse.Salt,
email);
username);
// 4. Client sends proof of session key to server.
result = await Http.PostAsJsonAsync("api/v1/Auth/validate", new ValidateLoginRequest(email, clientEphemeral.Public, clientSession.Proof));
result = await Http.PostAsJsonAsync("api/v1/Auth/validate", new ValidateLoginRequest(username, clientEphemeral.Public, clientSession.Proof));
responseContent = await result.Content.ReadAsStringAsync();
if (!result.IsSuccessStatusCode)

8
src/AliasVault.Client/Auth/Pages/Login.razor
View File

@@ -15,9 +15,9 @@
<EditForm Model="LoginModel" OnValidSubmit="HandleLogin" class="mt-8 space-y-6">
<DataAnnotationsValidator/>
<div>
<label asp-for="Input.Email" class="block mb-2 text-sm font-medium text-gray-900 dark:text-white">Your email</label>
<InputTextField id="email" @bind-Value="LoginModel.Email" placeholder="name@company.com" />
<ValidationMessage For="() => LoginModel.Email"/>
<label asp-for="Input.Email" class="block mb-2 text-sm font-medium text-gray-900 dark:text-white">Your username or email</label>
<InputTextField id="email" @bind-Value="LoginModel.Username" placeholder="name / name@company.com" />
<ValidationMessage For="() => LoginModel.Username"/>
</div>
<div>
<label asp-for="Input.Password" class="block mb-2 text-sm font-medium text-gray-900 dark:text-white">Your password</label>
@@ -64,7 +64,7 @@
try
{
var errors = await ProcessLoginAsync(LoginModel.Email, LoginModel.Password);
var errors = await ProcessLoginAsync(LoginModel.Username, LoginModel.Password);
foreach (var error in errors)
{
ServerValidationErrors.AddError(error);

8
src/AliasVault.Client/Auth/Pages/Register.razor
View File

@@ -22,9 +22,9 @@
<EditForm Model="RegisterModel" OnValidSubmit="HandleRegister" class="mt-8 space-y-6">
<DataAnnotationsValidator/>
<div>
<label asp-for="Input.Email" class="block mb-2 text-sm font-medium text-gray-900 dark:text-white">Your email</label>
<InputTextField id="email" @bind-Value="RegisterModel.Email" placeholder="name@company.com" />
<ValidationMessage For="() => RegisterModel.Email"/>
<label asp-for="Input.Email" class="block mb-2 text-sm font-medium text-gray-900 dark:text-white">Your username or email</label>
<InputTextField id="email" @bind-Value="RegisterModel.Username" placeholder="name / name@company.com" />
<ValidationMessage For="() => RegisterModel.Username"/>
</div>
<div>
<label asp-for="Input.Password" class="block mb-2 text-sm font-medium text-gray-900 dark:text-white">Your password</label>
@@ -71,7 +71,7 @@
byte[] passwordHash = await Encryption.DeriveKeyFromPasswordAsync(RegisterModel.Password, salt);
var passwordHashString = BitConverter.ToString(passwordHash).Replace("-", string.Empty);
var srpSignup = Cryptography.Srp.SignupPrepareAsync(client, salt, RegisterModel.Email, passwordHashString);
var srpSignup = Cryptography.Srp.SignupPrepareAsync(client, salt, RegisterModel.Username, passwordHashString);
var result = await Http.PostAsJsonAsync("api/v1/Auth/register", srpSignup);
var responseContent = await result.Content.ReadAsStringAsync();

5
src/AliasVault.Shared/Models/LoginModel.cs
View File

@@ -15,11 +15,10 @@ using System.ComponentModel.DataAnnotations;
public class LoginModel
{
/// <summary>
/// Gets or sets the email.
/// Gets or sets the username.
/// </summary>
[Required]
[EmailAddress]
public string Email { get; set; } = null!;
public string Username { get; set; } = null!;
/// <summary>
/// Gets or sets the password.

5
src/AliasVault.Shared/Models/RegisterModel.cs
View File

@@ -16,11 +16,10 @@ using AliasVault.Shared.Models.Validation;
public class RegisterModel
{
/// <summary>
/// Gets or sets the email.
/// Gets or sets the username.
/// </summary>
[Required]
[EmailAddress]
public string Email { get; set; } = null!;
public string Username { get; set; } = null!;
/// <summary>
/// Gets or sets the password.

10
src/AliasVault.Shared/Models/WebApi/Auth/LoginRequest.cs
View File

@@ -15,14 +15,14 @@ public class LoginRequest
/// <summary>
/// Initializes a new instance of the <see cref="LoginRequest"/> class.
/// </summary>
/// <param name="email">Email.</param>
public LoginRequest(string email)
/// <param name="username">Username.</param>
public LoginRequest(string username)
{
Email = email;
Username = username.ToLowerInvariant().Trim();
}
/// <summary>
/// Gets or sets the email address.
/// Gets the username.
/// </summary>
public string Email { get; set; }
public string Username { get; }
}

18
src/AliasVault.Shared/Models/WebApi/Auth/ValidateLoginRequest.cs
View File

@@ -15,29 +15,29 @@ namespace AliasVault.Shared.Models.WebApi.Auth
/// <summary>
/// Initializes a new instance of the <see cref="ValidateLoginRequest"/> class.
/// </summary>
/// <param name="email">Email.</param>
/// <param name="username">Username.</param>
/// <param name="clientPublicEphemeral">Client public ephemeral.</param>
/// <param name="clientSessionProof">Client session proof.</param>
public ValidateLoginRequest(string email, string clientPublicEphemeral, string clientSessionProof)
public ValidateLoginRequest(string username, string clientPublicEphemeral, string clientSessionProof)
{
Email = email;
Username = username.ToLowerInvariant().Trim();
ClientPublicEphemeral = clientPublicEphemeral;
ClientSessionProof = clientSessionProof;
}
/// <summary>
/// Gets or sets the email.
/// Gets the username.
/// </summary>
public string Email { get; set; }
public string Username { get; }
/// <summary>
/// Gets or sets the client's public ephemeral value.
/// Gets the client's public ephemeral value.
/// </summary>
public string ClientPublicEphemeral { get; set; }
public string ClientPublicEphemeral { get; }
/// <summary>
/// Gets or sets the client's session proof.
/// Gets the client's session proof.
/// </summary>
public string ClientSessionProof { get; set; }
public string ClientSessionProof { get; }
}
}

22
src/Utilities/Cryptography/Models/SrpSignup.cs
View File

@@ -15,35 +15,35 @@ public class SrpSignup
/// <summary>
/// Initializes a new instance of the <see cref="SrpSignup"/> class with the specified salt, private key, and verifier.
/// </summary>
/// <param name="email">The email address.</param>
/// <param name="username">The username.</param>
/// <param name="salt">The salt value.</param>
/// <param name="privateKey">The private key value.</param>
/// <param name="verifier">The verifier value.</param>
public SrpSignup(string email, string salt, string privateKey, string verifier)
public SrpSignup(string username, string salt, string privateKey, string verifier)
{
Email = email;
Username = username.ToLowerInvariant().Trim();
Salt = salt;
PrivateKey = privateKey;
Verifier = verifier;
}
/// <summary>
/// Gets or sets the email value.
/// Gets the username value.
/// </summary>
public string Email { get; set; }
public string Username { get; }
/// <summary>
/// Gets or sets the salt value.
/// Gets the salt value.
/// </summary>
public string Salt { get; set; }
public string Salt { get; }
/// <summary>
/// Gets or sets the private key value.
/// Gets the private key value.
/// </summary>
public string PrivateKey { get; set; }
public string PrivateKey { get; }
/// <summary>
/// Gets or sets the verifier value.
/// Gets the verifier value.
/// </summary>
public string Verifier { get; set; }
public string Verifier { get; }
}

26
src/Utilities/Cryptography/Srp.cs
View File

@@ -21,31 +21,31 @@ public static class Srp
/// </summary>
/// <param name="client">SrpClient.</param>
/// <param name="salt">Salt.</param>
/// <param name="email">Email.</param>
/// <param name="username">Username.</param>
/// <param name="passwordHashString">Hashed password string.</param>
/// <returns>SrpSignup model.</returns>
public static SrpSignup SignupPrepareAsync(SrpClient client, string salt, string email, string passwordHashString)
public static SrpSignup SignupPrepareAsync(SrpClient client, string salt, string username, string passwordHashString)
{
// Derive a key from the password using Argon2id
// Signup: client generates a salt and verifier.
var privateKey = DerivePrivateKey(salt, email, passwordHashString);
var privateKey = DerivePrivateKey(salt, username, passwordHashString);
var verifier = client.DeriveVerifier(privateKey);
return new SrpSignup(email, salt, privateKey, verifier);
return new SrpSignup(username, salt, privateKey, verifier);
}
/// <summary>
/// Derive a private key for a user.
/// </summary>
/// <param name="salt">Salt.</param>
/// <param name="email">Email.</param>
/// <param name="username">Username.</param>
/// <param name="passwordHashString">Hashed password string.</param>
/// <returns>Private key as string.</returns>
public static string DerivePrivateKey(string salt, string email, string passwordHashString)
public static string DerivePrivateKey(string salt, string username, string passwordHashString)
{
var client = new SrpClient();
return client.DerivePrivateKey(salt, email, passwordHashString);
return client.DerivePrivateKey(salt, username, passwordHashString);
}
/// <summary>
@@ -76,16 +76,16 @@ public static class Srp
/// <param name="clientSecretEphemeral">Client ephemeral secret.</param>
/// <param name="serverEphemeralPublic">Server public ephemeral.</param>
/// <param name="salt">Salt.</param>
/// <param name="email">Email.</param>
/// <param name="username">Username.</param>
/// <returns>session.</returns>
public static SrpSession DeriveSessionClient(string privateKey, string clientSecretEphemeral, string serverEphemeralPublic, string salt, string email)
public static SrpSession DeriveSessionClient(string privateKey, string clientSecretEphemeral, string serverEphemeralPublic, string salt, string username)
{
var client = new SrpClient();
return client.DeriveSession(
clientSecretEphemeral,
serverEphemeralPublic,
salt,
email,
username,
privateKey);
}
@@ -95,18 +95,18 @@ public static class Srp
/// <param name="serverEphemeralSecret">serverEphemeralSecret.</param>
/// <param name="clientEphemeralPublic">clientEphemeralPublic.</param>
/// <param name="salt">Salt.</param>
/// <param name="email">Email.</param>
/// <param name="username">Username.</param>
/// <param name="verifier">Verifier.</param>
/// <param name="clientSessionProof">Client session proof.</param>
/// <returns>SrpSession.</returns>
public static SrpSession DeriveSessionServer(string serverEphemeralSecret, string clientEphemeralPublic, string salt, string email, string verifier, string clientSessionProof)
public static SrpSession DeriveSessionServer(string serverEphemeralSecret, string clientEphemeralPublic, string salt, string username, string verifier, string clientSessionProof)
{
var server = new SrpServer();
return server.DeriveSession(
serverEphemeralSecret,
clientEphemeralPublic,
salt,
email,
username,
verifier,
clientSessionProof);
}