Question on re-authenticate design

cdmackie · August 25, 2015, 9:44pm

When I login again to an already logged in account, but using the wrong password, it remains authenticated.

For example,

Go to http://mvc.servicestack.net/
Login as “test” “test” so it says “Authenticated”
Login again as “test” “notmypassword”, still says Authenticated

Can you tell me if this is by design? Shouldn’t any re-authentication attempt clear the current one?

If so, where is the best place for me to hook into this to override it and clear down the session on a new attempt.

Thanks,

-c.

mythz · August 25, 2015, 9:49pm

Yeah it short-circuits if you’re already authenticated so the invalid auth wasn’t attempted. You’d need to logout first.

cdmackie · August 25, 2015, 9:58pm

Thanks.

We have a use-case where a re-authentication for confirmation needs to occur, and I was just popping up a login and making them login again, but because of short-circuit it always accepts it.

I don’t really want to log the user out completely beforehand, but don’t want them to proceed if they use the wrong password (and log them out in this case).

Seems like overriding IsAuthorized of my CredentialsAuthProvider is the best place?

mythz · August 25, 2015, 10:18pm

Your custom AuthProvider wont get called if they’re already authenticated.

Sounds like you just want to logout on any Authentication attempt? In which case you can add a Global Request Filter to log the user out for any POST Authenticate request, e.g something like:

GlobalRequestFilters.Add((req,res,dto) => {
    if (dto is Authenticate && req.Verb == HttpMethods.Post)
        req.RemoveSession();
});

cdmackie · August 25, 2015, 10:30pm

Yes, exactly what I wanted. Thanks.

Your custom AuthProvider wont get called if they’re already authenticate

That confuses me, as mine is being called. What I had tried was…

public override bool TryAuthenticate(IServiceBase authService, string userName, string password)
{
	// remove any existing authenticatored user
	if (authService.GetSession().IsAuthenticated)
	{
		authService.RemoveSession();
	}

	:
}

public override bool IsAuthorized(IAuthSession session, IAuthTokens tokens, Authenticate request = null)
{
	// force a re-Authentication if there are credentials
	if (string.IsNullOrEmpty(session.UserAuthId) == false && request != null)
	{
		return false;
	}

	return base.IsAuthorized(session, tokens, request);
}

Your solution was the one liner I was looking for though.

mythz · August 25, 2015, 10:46pm

Yeah it calls IsAuthorized() first to determine whether to TryAuthenticate or not. The default impl is to return true for authenticated users which will short-circuit Authentication.