我正在构建一个ASP。. NET Core 5 Web API使用ASP。. NET Core Identity在使用Dapper ORM的自定义数据访问层之上。从根本上说,事情按预期工作,但我意识到Identity框架提供的密码验证规则没有任何作用,我无法理解发生了什么。以下是我的文件:
首先,因为我依赖于自定义数据访问层,所以我提供了Identity的IUserStore接口的自定义实现。
public class UserStore : IUserStore<AppUser>,
IUserPasswordStore<AppUser>,
IUserEmailStore<AppUser>
{
private IRepository<AppUser> _repository;
public UserStore(IConfiguration configuration)
{
_repository = new AppUserRepository(configuration.GetConnectionString("MyConnectionString"));
}
// IUserStore implementation
// IUserPasswordStore implementation
// IUserEmailStore implementation
}
接下来,有一个绑定模型用于提交创建新帐户所需的信息。
public class RegisterBindingModel
{
[Required]
[Display(Name = "UserName")]
public string UserName
{
get;
set;
}
[Required]
[DataType(DataType.Password)]
[Display(Name = "Password")]
public string Password
{
get;
set;
}
[DataType(DataType.Password)]
[Display(Name = "Confirm password")]
[Compare(nameof(Password), ErrorMessage = "The password and confirmation password do not match.")]
public string ConfirmPassword
{
get;
set;
}
// remaining required properties
}
接下来,通过AccountController:
[Authorize]
[ApiController]
[Route("api/Accounts")]
public class AccountController
{
private readonly UserManager<AppUser> _userManager;
private readonly IPasswordHasher<AppUser> _passwordHasher;
public AccountController(UserManager<AppUser> userManager, IPasswordHasher<AppUser> passwordHasher)
{
_userManager = userManager;
_passwordHasher = passwordHasher;
}
[AllowAnonymous]
[HttpPost]
[Route("Register")]
public async Task<ActionResult> Register([FromBody]RegisterBindingModel model)
{
if(model == null)
{
return BadRequest();
}
if(!ModelState.IsValid)
{
return BadRequest(ModelState);
}
var user = new AppUser()
{
UserName = model.UserName,
Firstname = model.Firstname,
Lastname = model.Lastname,
Email = model.Email,
Gender = model.Gender
};
user.PasswordHash = _passwordHasher.HashPassword(user, model.Password);
IdentityResult result = await _userManager.CreateAsync(user);
return GetHttpResponse(result);
}
[AllowAnonymous]
[HttpPost]
[Route("Token")]
public async Task<IActionResult> Login([FromForm]LoginBindingModel model)
{
if(model == null)
{
return BadRequest();
}
if(!ModelState.IsValid)
{
return BadRequest(ModelState);
}
AppUser user = await _userManager.FindByNameAsync(model.UserName);
if(user == null || !await _userManager.CheckPasswordAsync(user, model.Password))
{
return Unauthorized();
}
DateTime currentTime = DateTime.UtcNow;
JwtSecurityTokenHandler jwtTokenHandler = new();
SecurityTokenDescriptor tokenDescriptor = new()
{
Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, user.AppUserId.ToString()) }),
IssuedAt = currentTime,
Expires = currentTime.AddHours(_accessTokenValidityInHours),
SigningCredentials = _signingCredentialsProvider.GetSigningCredentials()
};
return Ok(jwtTokenHandler.WriteToken(jwtTokenHandler.CreateToken(tokenDescriptor)));
}
...
}
最后,事情是这样连接在一起的:
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration
{
get;
}
public void ConfigureServices(IServiceCollection services)
{
services.AddIdentityCore<AppUser>(options => Configuration.GetSection(nameof(IdentityOptions)).Bind(options));
services.AddScoped<IPasswordHasher<AppUser>, Identity.PasswordHasher<AppUser>>();
services.AddTransient<IUserStore<AppUser>, UserStore>();
...
}
}
相应的设置保存在appsettings.json文件中:
{
"IdentityOptions": {
"Password": {
"RequiredLength": 6,
"RequiredUniqueChars": 6,
"RequireNonAlphanumeric": true,
"RequireUppercase": true,
"RequireLowercase": true,
"RequireDigit": true
},
"Lockout": {
"AllowedForNewUsers": true,
"MaxFailedAccessAttempts ": 5,
"DefaultLockoutTimeSpan ": "00:05:00"
}
},
...
}
如果我发送一个带有必要帐户数据的HTTP POST请求,那么密码是什么并不重要。即使我将1作为密码,调用也会成功,这显然违反了密码规则。语句if(!ModelState.IsValid)高兴地告诉我模型一切正常。
在我看来,ASP。. NET Core Identity提供了一个PasswordValidator,它显然应该根据提供的设置验证密码。从我得到的结果判断,该验证器没有在我的设置中运行。
我不清楚事情是否应该按照他们的方式工作,或者我是否需要实现我不知道的东西。有没有人有更深刻的见解,能告诉我我遗漏了什么?
编辑:
我刚刚意识到默认的UserManager暴露了IPasswordValidator对象的列表。我是否使用该列表来验证AccountController的Register方法中的密码?
我最终修改了Register方法如下:
[AllowAnonymous]
[HttpPost]
[Route("Register")]
public async Task<ActionResult> Register([FromBody]RegisterBindingModel model)
{
if(model == null)
{
return BadRequest();
}
if(!ModelState.IsValid)
{
return BadRequest(ModelState);
}
AppUser user = new()
{
UserName = model.UserName,
Firstname = model.Firstname,
Lastname = model.Lastname,
Email = model.Email,
Gender = model.Gender
};
IdentityResult result;
foreach(IPasswordValidator<AppUser> passwordValidator in _userManager.PasswordValidators)
{
result = await passwordValidator.ValidateAsync(_userManager, user, model.Password);
if(!result.Succeeded)
{
return BadRequest(result.Errors);
}
}
user.PasswordHash = _userManager.PasswordHasher.HashPassword(user, model.Password);
result = await _userManager.CreateAsync(user);
return GetHttpResponse(result);
}
默认的UserManager包含PasswordValidators属性,允许我访问所有PasswordValidators。我只是循环它们并对用户提交的密码调用ValidateAsync方法。
您的if(!ModelState.IsValid)没有看到任何错误的原因来自这样一个事实,即您的模型RegisterBindingModel的Password参数不包含与应用程序设置上的选项相同的验证。Json,您只验证它是必需的(所以一个字符是可以的)。
如果您想要相同的验证,您需要在Password参数上添加更多属性。我建议你看看这个https://learn.microsoft.com/en-us/aspnet/core/mvc/models/validation?view=aspnetcore-5.0