Use problem details for login failure

Author: webprofusion-chrisc

src/Certify.Core/Management/Access/AccessControl.cs

@@ -398,7 +398,7 @@ public async Task<bool> AddResourcePolicy(string contextUserId, ResourcePolicy r
             return true;
         }
 
-        public async Task<bool> UpdateSecurityPrinciplePassword(string contextUserId, SecurityPrinciplePasswordUpdate passwordUpdate)
+        public async Task<bool> UpdateSecurityPrinciplePassword(string contextUserId, SecurityPrinciplePasswordUpdate passwordUpdate, bool requirePasswordConfirmation = true)
         {
             if (passwordUpdate.SecurityPrincipleId != contextUserId && !await IsPrincipleInRole(contextUserId, contextUserId, StandardRoles.Administrator.Id))
             {
@@ -410,7 +410,7 @@ public async Task<bool> UpdateSecurityPrinciplePassword(string contextUserId, Se
 
             var principle = await GetSecurityPrinciple(contextUserId, passwordUpdate.SecurityPrincipleId, includePassword: true);
 
-            if (IsPasswordValid(passwordUpdate.Password, principle.Password))
+            if (!requirePasswordConfirmation || (requirePasswordConfirmation && IsPasswordValid(passwordUpdate.Password, principle.Password)))
             {
                 try
                 {
@@ -419,10 +419,10 @@ public async Task<bool> UpdateSecurityPrinciplePassword(string contextUserId, Se
                     await _store.Update<SecurityPrinciple>(nameof(SecurityPrinciple), updateSp);
                     updated = true;
                 }
-                catch
+                catch (Exception exp)
                 {
-                    await AuditWarning("User {contextUserId} attempted to use UpdateSecurityPrinciple password [{principleId}], but was not successful", contextUserId, principle?.Id);
-                    return false;
+                    await AuditError("User {contextUserId} attempted to use UpdateSecurityPrinciple password [{principleId}], but was not successful : {exp}", contextUserId, principle?.Id, exp);
+                    updated = false;
                 }
             }
             else
@@ -453,7 +453,8 @@ public bool IsPasswordValid(string password, string currentHash)
             var components = currentHash.Split('.');
 
             // hash provided password with same salt to compare result
-            return currentHash == HashPassword(password, components[1]);
+            var hashedPassword = HashPassword(password, components[1]);
+            return currentHash == hashedPassword;
         }
 
         /// <summary>

src/Certify.Models/Providers/IAccessControl.cs

@@ -24,7 +24,7 @@ public interface IAccessControl
         Task<RoleStatus> GetSecurityPrincipleRoleStatus(string contextUserId, string id);
         Task<bool> UpdateSecurityPrinciple(string contextUserId, SecurityPrinciple principle);
         Task<bool> UpdateAssignedRoles(string contextUserId, SecurityPrincipleAssignedRoleUpdate update);
-        Task<bool> UpdateSecurityPrinciplePassword(string contextUserId, SecurityPrinciplePasswordUpdate passwordUpdate);
+        Task<bool> UpdateSecurityPrinciplePassword(string contextUserId, SecurityPrinciplePasswordUpdate passwordUpdate, bool requirePasswordConfirmation = true);
         Task<SecurityPrincipleCheckResponse> CheckSecurityPrinciplePassword(string contextUserId, SecurityPrinciplePasswordCheck passwordCheck);
 
         Task<bool> AddRole(string contextUserId, Role role, bool bypassIntegrityCheck = false);

src/Certify.Server/Certify.Server.Hub.Api/Controllers/v1/AuthController.cs

@@ -80,7 +80,13 @@ public async Task<IActionResult> Login(AuthRequest login)
             }
             else
             {
-                return Unauthorized(new ProblemDetails { Status = StatusCodes.Status401Unauthorized, Title = "Invalid username or password" });
+                //return Unauthorized("Invalid username or password");
+                return Problem(
+       type: "https://tools.ietf.org/html/rfc7231#section-6.5.1",
+       title: "Login Failed",
+       detail: "Invalid username or password",
+       statusCode: StatusCodes.Status401Unauthorized);
+
             }
         }
 

src/Certify.Server/Certify.Server.Hub.Api/Startup.cs

@@ -72,6 +72,8 @@ public void ConfigureServices(IServiceCollection services)
                 });
 
             services.AddRouting(r => r.LowercaseUrls = true);
+            services.AddProblemDetails();
+
 
             services
                 .AddSignalR(opt => opt.MaximumReceiveMessageSize = null)
@@ -285,7 +287,14 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
                 endpoints.MapHub<InstanceManagementHub>("/api/internal/managementhub");
             });
 
-#if DEBUG          
+
+            // Converts unhandled exceptions into Problem Details responses
+            app.UseExceptionHandler();
+
+            // Returns the Problem Details response for (empty) non-successful responses
+            app.UseStatusCodePages();
+
+#if DEBUG
             // Enable middleware to serve generated Swagger as a JSON endpoint.
             app.UseSwagger();