AuthU not working properly after upgrade to Umbraco 8.8.0
I've upgraded to Umbraco 8.8.0 and now the auth is acting up. It returns "invalid username and/or password" even though the username and password are correct. The only way is to trick AuthU by first posting with the hashed password and then posting with the actual password. Does anyone know how I'd be able to fix this?
I'm even getting a succeeded log when I try to access through AuthU:
I've also tried this with a clean project and had the same issue.
Config:
    using Our.Umbraco.AuthU;
    using Our.Umbraco.AuthU.Data;
    using Our.Umbraco.AuthU.Services;
    using Umbraco.Core.Composing;

    namespace Website.Core.Components.AuthU {
        // Documentation on AuthU: https://github.com/mattbrailsford/umbraco-authu
        public class AuthUConfigComponent : IComponent {
            public void Initialize() {
                OAuth.ConfigureEndpoint("/oauth/usertoken", new OAuthOptions {
                    UserService = new UmbracoUsersOAuthUserService(),
                    SymmetricKey = "cWoPis6f2r3bXSJw2d52L6AWN3EChtyl",
                    AccessTokenLifeTime = 20, // Minutes
                    RefreshTokenStore = new UmbracoDbOAuthRefreshTokenStore(),
                    AllowInsecureHttp = true // During development only
                });
            }

            public void Terminate() {
            }
        }

        public class AuthUConfigComposer : ComponentComposer<AuthUConfigComponent> { }
    }
The problem can be recreated with an apicontroller:
    <Error>
    <Message>An error has occurred.</Message>
    <ExceptionMessage>This method is not implemented or supported for users</ExceptionMessage>
    <ExceptionType>System.NotSupportedException</ExceptionType>
    <StackTrace>
       ved Umbraco.Core.Services.Implement.UserService.Umbraco.Core.Services.IMembershipMemberService<Umbraco.Core.Models.Membership.IUser>.SetLastLogin(String username, DateTime date) i D:\a\1\s\src\Umbraco.Core\Services\Implement\UserService.cs:linje 261
       ved Umbraco.Web.Security.Providers.UmbracoMembershipProvider`2.PerformValidateUser(String username, String password) i D:\a\1\s\src\Umbraco.Web\Security\Providers\UmbracoMembershipProvider.cs:linje 615
       ved Umbraco.Web.Security.Providers.UsersMembershipProvider.PerformValidateUser(String username, String password) i D:\a\1\s\src\Umbraco.Web\Security\Providers\UsersMembershipProvider.cs:linje 143
       ved Umbraco.Web.Security.Providers.UmbracoMembershipProvider`2.ValidateUser(String username, String password) i D:\a\1\s\src\Umbraco.Web\Security\Providers\UmbracoMembershipProvider.cs:linje 632
       ved Website.Core.Controllers.WebAPI.SiteConstructorController.test() i Y:\GitRepo\Foreningssider.dk\Website.Core\Controllers\WebAPI\SiteConstructorController.cs:linje 38
       ved lambda_method(Closure , Object , Object[] )
       ved System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass6_2.<GetExecutor>b__2(Object instance, Object[] methodParameters)
       ved System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken)
    --- Afslutningen på staksporingen fra den tidligere placering, hvor undtagelsen blev udløst ---
       ved System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       ved System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       ved System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__1.MoveNext()
    --- Afslutningen på staksporingen fra den tidligere placering, hvor undtagelsen blev udløst ---
       ved System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       ved System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       ved System.Web.Http.Controllers.ActionFilterResult.<ExecuteAsync>d__5.MoveNext()
    --- Afslutningen på staksporingen fra den tidligere placering, hvor undtagelsen blev udløst ---
       ved System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       ved System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       ved System.Web.Http.Filters.AuthorizationFilterAttribute.<ExecuteAuthorizationFilterAsyncCore>d__3.MoveNext()
    --- Afslutningen på staksporingen fra den tidligere placering, hvor undtagelsen blev udløst ---
       ved System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       ved System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       ved Our.Umbraco.AuthU.Web.WebApi.AddOAuthChallengeResult.<ExecuteAsync>d__3.MoveNext() i C:\projects\umbraco-authu\src\Our.Umbraco.AuthU\Web\WebApi\AddOAuthChallengeResult.cs:linje 24
    --- Afslutningen på staksporingen fra den tidligere placering, hvor undtagelsen blev udløst ---
       ved System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       ved System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       ved System.Web.Http.Controllers.AuthenticationFilterResult.<ExecuteAsync>d__5.MoveNext()
    --- Afslutningen på staksporingen fra den tidligere placering, hvor undtagelsen blev udløst ---
       ved System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       ved System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       ved System.Web.Http.Dispatcher.HttpControllerDispatcher.<SendAsync>d__15.MoveNext()</StackTrace>
    </Error>
Found a validation tactic which includes another function.
    Current.UmbracoContext.Security.ValidateBackOfficeCredentials(username, password)
Source code
Implementation:
BackofficeOAuthUserService.cs
    using System.Collections.Generic;
    using System.Security.Claims;
    using System.Web.Security;
    using Our.Umbraco.AuthU.Interfaces;
    using Umbraco.Web.Composing;

    namespace Website.Core.Components.AuthU.Services {
        public abstract class BackofficeOAuthUserService : IOAuthUserService {
            public abstract string UserType { get; }
            public abstract string MembershipProviderName { get; }

            protected MembershipProvider MemberProvider => Membership.Providers[this.MembershipProviderName];

            // Account state check only (exists, approved, not locked out); no password involved.
            public bool ValidateUser(string username) {
                try {
                    var user = this.MemberProvider.GetUser(username, false);
                    return user != null && user.IsApproved && !user.IsLockedOut;
                }
                catch {
                    return false;
                }
            }

            // Uses the back-office credential check instead of MembershipProvider.ValidateUser,
            // which ends in the NotSupportedException shown in the stack trace above.
            public bool ValidateUser(string username, string password) {
                try {
                    return Current.UmbracoContext.Security.ValidateBackOfficeCredentials(username, password);
                }
                catch {
                    return false;
                }
            }

            // Emits the user's provider key as NameIdentifier plus one Role claim per role.
            public IEnumerable<Claim> GetUserClaims(string username) {
                MembershipUser member = null;
                try {
                    member = this.MemberProvider.GetUser(username, true);
                }
                catch { }

                if (member != null) {
                    yield return new Claim(ClaimTypes.NameIdentifier, member.ProviderUserKey.ToString());
                    var roles = Roles.GetRolesForUser(member.UserName);
                    foreach (var role in roles) {
                        yield return new Claim(ClaimTypes.Role, role);
                    }
                }
            }
        }
    }
UmbracoBackofficeUsersOAuthService.cs
    namespace Website.Core.Components.AuthU.Services {
        public class UmbracoBackofficeUsersOAuthService : BackofficeOAuthUserService {
            public override string UserType => "UmbracoMember";
            public override string MembershipProviderName => "UmbracoMembershipProvider";
        }
    }
AuthUConfigComponent.cs
    using Our.Umbraco.AuthU;
    using Our.Umbraco.AuthU.Data;
    using Umbraco.Core;
    using Umbraco.Core.Composing;
    using Website.Core.Components.AuthU.Services;

    namespace Website.Core.Components.AuthU {
        // Documentation on AuthU: https://github.com/mattbrailsford/umbraco-authu
        [RuntimeLevel(MinLevel = RuntimeLevel.Run)]
        public class AuthUConfigComposer : ComponentComposer<AuthUConfigComponent> {
        }

        public class AuthUConfigComponent : IComponent {
            public void Initialize() {
                OAuth.ConfigureEndpoint("/oauth/usertoken", new OAuthOptions {
                    UserService = new UmbracoBackofficeUsersOAuthService(),
                    SymmetricKey = "cWoPis6f2r3bXSJw2d52L6AWN3EChtyl",
                    AccessTokenLifeTime = 20, // Minutes
                    RefreshTokenStore = new UmbracoDbOAuthRefreshTokenStore(),
                    AllowInsecureHttp = true // During development only
                });
            }

            public void Terminate() {
            }
        }
    }
Video example: https://gyazo.com/5c59c1e1c9d6966c2eeeadf9dc32badb
Stacktrace leads to this file (line 261): https://github.com/umbraco/Umbraco-CMS/blob/v8/contrib/src/Umbraco.Core/Services/Implement/UserService.cs
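Added example, not part of the original post or of the AuthU project: the `AuthUConfigComponent` from the post with the token signing key and the plain-HTTP switch read from appSettings at startup instead of being compiled into the component. The setting names `AuthU:SymmetricKey` and `AuthU:AllowInsecureHttp`, and the 32-character minimum (the length of the key shown in the post), are assumptions of this example; it relies on the `UmbracoBackofficeUsersOAuthService` class from the post.

```csharp
using System.Configuration;
using Our.Umbraco.AuthU;
using Our.Umbraco.AuthU.Data;
using Umbraco.Core;
using Umbraco.Core.Composing;
using Website.Core.Components.AuthU.Services;

namespace Website.Core.Components.AuthU {
    [RuntimeLevel(MinLevel = RuntimeLevel.Run)]
    public class AuthUConfigComposer : ComponentComposer<AuthUConfigComponent> { }

    public class AuthUConfigComponent : IComponent {
        // Hypothetical appSettings keys, chosen for this example.
        private const string KeySetting = "AuthU:SymmetricKey";
        private const string InsecureHttpSetting = "AuthU:AllowInsecureHttp";
        private const int MinKeyLength = 32; // assumption: length of the key in the post

        public void Initialize() {
            OAuth.ConfigureEndpoint("/oauth/usertoken", new OAuthOptions {
                UserService = new UmbracoBackofficeUsersOAuthService(),
                SymmetricKey = LoadSymmetricKey(),
                AccessTokenLifeTime = 20, // Minutes
                RefreshTokenStore = new UmbracoDbOAuthRefreshTokenStore(),
                AllowInsecureHttp = IsInsecureHttpAllowed()
            });
        }

        public void Terminate() { }

        // Fail at startup rather than sign tokens with a missing or short key.
        private static string LoadSymmetricKey() {
            var key = ConfigurationManager.AppSettings[KeySetting];
            if (string.IsNullOrWhiteSpace(key) || key.Length < MinKeyLength) {
                throw new ConfigurationErrorsException(
                    "appSetting '" + KeySetting + "' must hold a key of at least "
                    + MinKeyLength + " characters.");
            }
            return key;
        }

        // Plain HTTP stays off unless the setting is present and parses to "true".
        private static bool IsInsecureHttpAllowed() {
            bool allow;
            return bool.TryParse(ConfigurationManager.AppSettings[InsecureHttpSetting], out allow) && allow;
        }
    }
}
```

With the key in configuration, each environment can use its own value supplied through a config transform or deployment secret, and a key that has appeared in source control or in a public post can be rotated without a rebuild.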