
Problem in authenticating using external DB/table #1764


wcvlogin created

Hi,

I am a new user of ASPNetZero. I have read the documentation on how to extend the login mechanism to check against another table. I am extending the DefaultExternalAuthenticationSource class. Basically, here is my code:

```csharp
public override async Task<bool> TryAuthenticateAsync(string userNameOrEmailAddress, string plainPassword, Tenant tenant)
{
    if (tenant != null)
    {
        if (tenant.Id == i1holidayConsts.TravelAgentTenantId) // TravelAgent
        {
            // Authenticate against WcvCredentials table
            var agentcredential = await _agentCredentialRepo.FirstOrDefaultAsync(cr => cr.EmailAddress == userNameOrEmailAddress.Trim());
            if (agentcredential == null) return false; // unknown email: nothing to verify against

            var result = new PasswordHasher().VerifyHashedPassword(agentcredential.Password, plainPassword);
            if (result == PasswordVerificationResult.Success)
            {
                // check if company is approved
                var agent = await _travelAgentRepo.FirstOrDefaultAsync(a => a.Id == agentcredential.TravelAgentId);
                if (agent == null) return false;
                if (agent.IsApproved == true) return true;
            }
            return false;
        }
    }
    return false;
}
```

What I noticed is that, after the first successful login, users will be inserted into the AbpUsers table, which is fine...

If I change the password in my own WcvCredentials table, when I unsuccessfully authenticate using my WcvCredentials table and return false, the system still checks and compares the password in the AbpUsers table. Since the AbpUsers table still uses the old password, the login will go through successfully.

I assumed the basis of external login is that if you return false, it will not check against the AbpUsers table at all. Am I doing it correctly?


1 Answer(s)
    hikalkan created
    Support Team

    Hi,

    Yes, it should be improved, I created an issue for it: https://github.com/aspnetboilerplate/module-zero/issues/259.

    You have an option: override the UpdateUserAsync method and set a new password for the user.

    But, I did not understand why it works like that. Because it sets a random password when you first authenticate externally (https://github.com/aspnetboilerplate/module-zero/blob/dev/src/Abp.Zero/Authorization/AbpLoginManager.cs#L295). It does not store the real password in the database. So, it should not be possible to log in with the old password since the AbpUsers table does not have the old password. Can you debug it carefully to understand what's happening?

    Have a nice day.
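Putting the two posts together, here is an added example of a complete external authentication source (it is not the poster's code and not ASP.NET Zero's own source). It covers the null-safe lookup from the question and the UpdateUserAsync override the answer suggests, so that the local AbpUsers row never carries a usable copy of the external password. Assumed names: an AgentCredential entity mapped to the WcvCredentials table (EmailAddress, Password as a hash, TravelAgentId), a TravelAgent entity with IsApproved, the i1holidayConsts.TravelAgentTenantId constant from the question, and the Microsoft.AspNet.Identity PasswordHasher the question already uses.

```csharp
// Added example, not the original poster's code and not part of ASP.NET Zero.
// Assumed types: AgentCredential (WcvCredentials table), TravelAgent, i1holidayConsts.
using System;
using System.Threading.Tasks;
using Abp.Authorization.Users;
using Abp.Dependency;
using Abp.Domain.Repositories;
using Microsoft.AspNet.Identity;

public class WcvAuthenticationSource : DefaultExternalAuthenticationSource<Tenant, User>, ITransientDependency
{
    private readonly IRepository<AgentCredential> _agentCredentialRepo; // hypothetical entity
    private readonly IRepository<TravelAgent> _travelAgentRepo;         // hypothetical entity
    private readonly PasswordHasher _hasher = new PasswordHasher();

    public WcvAuthenticationSource(
        IRepository<AgentCredential> agentCredentialRepo,
        IRepository<TravelAgent> travelAgentRepo)
    {
        _agentCredentialRepo = agentCredentialRepo;
        _travelAgentRepo = travelAgentRepo;
    }

    // Stored on the AbpUsers row (AuthenticationSource), so accounts created through
    // this source can be told apart from locally registered ones.
    public override string Name => "WCV";

    public override async Task<bool> TryAuthenticateAsync(string userNameOrEmailAddress, string plainPassword, Tenant tenant)
    {
        // Only the travel-agent tenant is backed by the external table. Returning false
        // here hands the attempt back to AbpLoginManager, which then checks AbpUsers.
        if (tenant == null || tenant.Id != i1holidayConsts.TravelAgentTenantId)
            return false;

        if (string.IsNullOrWhiteSpace(userNameOrEmailAddress) || string.IsNullOrEmpty(plainPassword))
            return false;

        var email = userNameOrEmailAddress.Trim();
        var credential = await _agentCredentialRepo.FirstOrDefaultAsync(cr => cr.EmailAddress == email);
        if (credential == null)
            return false; // unknown email: no row to verify, so fail closed

        // Compare against the stored hash; never compare plaintext yourself.
        if (_hasher.VerifyHashedPassword(credential.Password, plainPassword) != PasswordVerificationResult.Success)
            return false;

        // An authenticated credential is still not enough: the owning company must be approved.
        var agent = await _travelAgentRepo.FirstOrDefaultAsync(a => a.Id == credential.TravelAgentId);
        return agent != null && agent.IsApproved;
    }

    // Called by AbpLoginManager after each successful external authentication.
    // Replace the local hash with one for a random secret nobody knows, so a stale
    // password copy in AbpUsers can never be used once the WcvCredentials row changes.
    public override Task UpdateUserAsync(User user, Tenant tenant)
    {
        user.Password = _hasher.HashPassword(Guid.NewGuid().ToString("N"));
        return Task.FromResult(0);
    }
}
```

The source still has to be registered in the module's PreInitialize with `Configuration.Modules.Zero().UserManagement.ExternalAuthenticationSources.Add<WcvAuthenticationSource>();`. Note that the fallback the question describes happens inside AbpLoginManager, not in the source: when every source returns false the manager tries the AbpUsers password, so the only thing the source can control is that the local hash is never something a user could type.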