bitwarden · jrmccannon · Jun 27, 2024 · Mar 26, 2024 · Mar 27, 2024 · Apr 1, 2024
@@ -0,0 +1,50 @@
+using System;
+using System.Globalization;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Passwordless.AspNetIdentity.Example.Authorization;
+
+public interface IStepUpAuthorizationRequirement : IAuthorizationRequirement
+{
+    public string Name { get; }
+}
+
+public class StepUpAuthorizationHandler(StepUpPurpose stepUpPurpose, TimeProvider timeProvider) : AuthorizationHandler<IStepUpAuthorizationRequirement>
+{
+    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, IStepUpAuthorizationRequirement requirement)
+    {
+        if (context.User.Identity is not { IsAuthenticated: true })
+        {
+            return Task.CompletedTask;
+        }
+
+        if (context.User.HasClaim(MatchesClaim(requirement))
+            && IsExpired(GetExpiration(context.User.FindFirst(MatchesClaim(requirement))!)))
+        {
+            context.Succeed(requirement);
+        }
+        else
+        {
+            stepUpPurpose.Purpose = requirement.Name;
+            context.Fail();
+        }
+
+        return Task.CompletedTask;
+    }
+
+    private static Predicate<Claim> MatchesClaim(IStepUpAuthorizationRequirement requirement) => claim => claim.Type == requirement.Name;
+
+    private bool IsExpired(DateTime expiration)
+    {
+        return expiration > timeProvider.GetUtcNow().DateTime;
+    }
+
+    private static DateTime GetExpiration(Claim claim)
+    {
+        var expiration = DateTime.Parse(claim.Value, null, DateTimeStyles.RoundtripKind);
+
+        return expiration;
+    }
+}
@@ -0,0 +1,6 @@
+namespace Passwordless.AspNetIdentity.Example.Authorization;
+
+public class StepUpPurpose
+{
+    public string Purpose { get; set; } = string.Empty;
+}
@@ -0,0 +1,6 @@
+namespace Passwordless.AspNetIdentity.Example.Authorization;
+
+public static class StepUpPurposes
+{
+    public const string StepUp = "step-up";
+}
@@ -0,0 +1,6 @@
+namespace Passwordless.AspNetIdentity.Example.Authorization;
+
+public class StepUpRequirement(string policyName) : IStepUpAuthorizationRequirement
+{
+    public string Name => policyName;
+}
@@ -26,18 +26,19 @@
                 <button type="submit" class="btn-primary">Login</button>
             </div>
         </form>
-        
+
         <a asp-page="/Account/Recovery">If you have lost your passkey, please click here.</a>
     </div>
 </div>
 
 @if (canLogin)
 {
-    <script src="https://cdn.passwordless.dev/dist/1.1.0/umd/passwordless.umd.js"></script>
-    <script>
-    async function login() {
+    <script type="module">
+        import { Client } from "https://cdn.passwordless.dev/dist/1.2.0-beta1/esm/passwordless.mjs";
+
+        async function login() {
         const alias = document.getElementById("email").value;
-        const p = new Passwordless.Client(
+        const p = new Client(
             {
                 apiKey: "@PasswordlessOptions.Value.ApiKey",
                 apiUrl: "@PasswordlessOptions.Value.ApiUrl"
@@ -62,5 +63,7 @@
             window.location.href = '/Authorized/HelloWorld';        }
     }
     login();
+
+
     </script>
 }
@@ -1,4 +1,6 @@
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
@@ -10,6 +12,11 @@ public class Logout(SignInManager<IdentityUser> userSignInManager, ILogger<Logou
 {
     public async Task<IActionResult> OnGet()
     {
+        var userManager = userSignInManager.UserManager;
+
+        var user = await userManager.GetUserAsync(User);
+        if (user is not null) await userManager.RemoveClaimsAsync(user, await userManager.GetClaimsAsync(user));
+
         await userSignInManager.SignOutAsync();
         logger.LogInformation("User has signed out.");
 

@@ -1,4 +1,7 @@
-using System.Threading;
+using System;
+using System.Globalization;
+using System.Linq;
+using System.Security.Claims;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
@@ -20,6 +23,8 @@ public Magic(PasswordlessClient passwordlessClient,
 
     public bool Success { get; set; }
 
+    private static readonly string[] GeneratedTokenTypes = ["magic_link", "generated_signin"];
+
     public async Task<ActionResult> OnGet(string token)
     {
         if (User.Identity is { IsAuthenticated: true }) return RedirectToPage("/Authorized/HelloWorld");
@@ -47,6 +52,13 @@ public async Task<ActionResult> OnGet(string token)
         }
 
         await _signInManager.SignInAsync(user, true);
+
+
+        if (GeneratedTokenTypes.Contains(response.Type))
+        {
+            await _signInManager.UserManager.AddClaimAsync(user, new Claim(response.Type, DateTime.UtcNow.ToString(CultureInfo.InvariantCulture)));
+        }
+
         Success = true;
         return LocalRedirect("/Authorized/HelloWorld");
     }

@@ -2,6 +2,12 @@
 @using Microsoft.AspNetCore.Mvc.TagHelpers
 @model Passwordless.AspNetIdentity.Example.Pages.Account.Recovery
 
+<style lang="css">
+    .block-element {
+        display: block;
+    }
+</style>
+
 @{
     ViewData["Title"] = "Account Recovery";
 }
@@ -17,7 +23,10 @@ and a "magic link" will be used to authenticate the intended user.
     <label asp-for="Form.Email">Email: </label>
     <input asp-for="Form.Email" type="email" id="email" placeholder="janedoe@example.org"/>
     <span class="text-danger" asp-validation-for="Form.Email"></span>
-    <button type="submit" class="btn-primary">Send</button>
+    <p>Recovery Method:</p>
+    <label class="block-element"><input type="radio" asp-for="Form.RecoveryMethod" value="@Recovery.GeneratedSignIn"/>Generated Sign In Token</label>
+    <label class="block-element"><input type="radio" asp-for="Form.RecoveryMethod" value="@Recovery.MagicLink"/>Magic Link</label>
+    <button type="submit" class="btn-primary block-element">Send</button>
 </form>
 
 @if (!string.IsNullOrWhiteSpace(Model.RecoveryMessage))

@@ -1,5 +1,4 @@
 using System;
-using System.Collections.Specialized;
 using System.ComponentModel.DataAnnotations;
 using System.Threading;
 using System.Threading.Tasks;
@@ -22,6 +21,9 @@ public class Recovery : PageModel
     private readonly IUrlHelperFactory _urlHelperFactory;
     private readonly IActionContextAccessor _actionContextAccessor;
 
+    public const string MagicLink = "magic_link";
+    public const string GeneratedSignIn = "generated_signin";
+
     public RecoveryForm Form { get; } = new();
 
     public string RecoveryMessage { get; set; } = string.Empty;
@@ -60,32 +62,50 @@ public async Task<IActionResult> OnPostAsync(RecoveryForm form, CancellationToke
             throw new InvalidOperationException("ActionContext is null");
         }
 
-        var token = await _passwordlessClient.GenerateAuthenticationTokenAsync(new AuthenticationOptions(user.Id), cancellationToken);
         var urlBuilder = _urlHelperFactory.GetUrlHelper(_actionContextAccessor.ActionContext);
         var url = urlBuilder.PageLink("/Account/Magic") ?? urlBuilder.Content("~/");
 
         var uriBuilder = new UriBuilder(url);
         var query = HttpUtility.ParseQueryString(uriBuilder.Query);
-        query["token"] = token.Token;
+        query["token"] = string.Empty;
         uriBuilder.Query = query.ToString();
+        var successMessage = string.Empty;
+
+        if (string.Equals(form.RecoveryMethod, MagicLink, StringComparison.OrdinalIgnoreCase))
+        {
+            await _passwordlessClient.SendMagicLinkAsync(new SendMagicLinkRequest(form.Email!, uriBuilder.Uri + "$TOKEN", user.Id, null), cancellationToken);
+
+            successMessage = "Check your API magic link destination (mail.md if running local, email if using cloud.";
+        }
+        else if (string.Equals(form.RecoveryMethod, GeneratedSignIn, StringComparison.OrdinalIgnoreCase))
+        {
+            var token = await _passwordlessClient.GenerateAuthenticationTokenAsync(new AuthenticationOptions(user.Id), cancellationToken);
+            query["token"] = token.Token;
+            uriBuilder.Query = query.ToString();
 
-        var message = $"""
-                       New message:
-
-                       Click the link to recover your account
-                       <a href="{uriBuilder}">Link<a>
-                       {Environment.NewLine}
-                       """;
+            var message = $"""
+                           New message:
 
-        await System.IO.File.AppendAllTextAsync("mail.md", message, cancellationToken);
+                           This was generated with manually generated authentication token.
+                           <a href="{uriBuilder}">Link<a>
+                           {Environment.NewLine}
+                           """;
 
-        return RedirectToPage("Recovery", "SuccessfulRecovery", new { message });
+            await System.IO.File.AppendAllTextAsync("mail.md", message, cancellationToken);
+
+            successMessage = message;
+        }
+
+        return RedirectToPage("Recovery", "SuccessfulRecovery", new { message = successMessage });
     }
 }
 
 public class RecoveryForm
 {
     [EmailAddress]
     [Required]
-    public string? Email { get; set; }
+    public string Email { get; set; } = string.Empty;
+
+    [Required]
+    public string RecoveryMethod { get; set; } = string.Empty;
 }
@@ -36,8 +36,9 @@
 
 @if (canAddPasskeys)
 {
-    <script src="https://cdn.passwordless.dev/dist/1.1.0/umd/passwordless.umd.js"></script>
     <script>
+    import { Client } from "https://cdn.passwordless.dev/dist/1.2.0-beta1/esm/passwordless.mjs";
+
     async function register() {
         const username = document.getElementById("username").value;
         const email = document.getElementById("email").value;
@@ -60,8 +61,8 @@
            const registrationResponseJson = await registrationResponse.json();
            const token = registrationResponseJson.token;
 
-                    // we need to use Client from https://cdn.passwordless.dev/dist/1.1.0/umd/passwordless.umd.js which is imported above.
-                    const p = new Passwordless.Client(
+                    // we need to use Client from https://cdn.passwordless.dev/dist/1.2.0-beta1/esm/passwordless.mjs which is imported above.
+                    const p = new Client(
                         {
                             apiKey: "@PasswordlessOptions.Value.ApiKey",
                             apiUrl: "@PasswordlessOptions.Value.ApiUrl"
@@ -70,5 +71,6 @@
                 }
     }
     register();
+
     </script>
 }
@@ -0,0 +1,9 @@
+@page
+@model Passwordless.AspNetIdentity.Example.Pages.Authorized.ElevatedAuthentication
+
+@{
+    ViewData["Title"] = "Elevated Auth";
+}
+<h1>@ViewData["Title"]</h1>
+
+<p>Step up authentication successful.</p>
@@ -0,0 +1,13 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using Passwordless.AspNetIdentity.Example.Authorization;
+
+namespace Passwordless.AspNetIdentity.Example.Pages.Authorized;
+
+[Authorize(Policy = StepUpPurposes.StepUp)]
+public class ElevatedAuthentication : PageModel
+{
+    public void OnGet()
+    {
+    }
+}
@@ -42,12 +42,27 @@
             <button type="submit" class="btn-primary">Add Passkey</button>
         </div>
     </form>
+    <div>
+        <h3>Current Claims:</h3>
+        <ul>
+            @foreach (var claim in Model.Claims)
+            {
+                <li>@claim.ClaimName : @claim.ClaimValue</li>
+            }
+        </ul>
+    </div>
 
+    <a asp-page="ElevatedAuthentication">To Elevated Area</a>
 
     @if (Model.CanAddPassKeys)
     {
-        <script src="https://cdn.passwordless.dev/dist/1.1.0/umd/passwordless.umd.js"></script>
         <script>
+            import { Client } from "https://cdn.passwordless.dev/dist/1.2.0-beta1/esm/passwordless.mjs";
+
+            const p = new Client({
+               apiKey: "@PasswordlessOptions.Value.ApiKey",
+               apiUrl: "@PasswordlessOptions.Value.ApiUrl"
+           });
             async function addPasskey() {
                 const addCredentialResponse = await fetch('/passwordless-add-credential', {
                     method: 'POST',
@@ -62,11 +77,6 @@
                     const registrationResponseJson = await addCredentialResponse.json();
                     const token = registrationResponseJson.token;
 
-                    // we need to use Client from https://cdn.passwordless.dev/dist/1.1.0/umd/passwordless.umd.js which is imported above.
-                    const p = new Passwordless.Client({
-                        apiKey: "@PasswordlessOptions.Value.ApiKey",
-                        apiUrl: "@PasswordlessOptions.Value.ApiUrl"
-                    });
                     await p.register(token, '@Model.Nickname');
                 }
             }