damienbod
diff --git a/‎Changelog.md‎
Lines changed: 5 additions & 0 deletions b/‎Changelog.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎content/IdentityServer4AspNetCoreIdentityTemplate.nuspec‎
Lines changed: 2 additions & 2 deletions b/‎content/IdentityServer4AspNetCoreIdentityTemplate.nuspec‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎content/StsServerIdentity/Controllers/AccountController.cs‎
Lines changed: 9 additions & 8 deletions b/‎content/StsServerIdentity/Controllers/AccountController.cs‎
Lines changed: 9 additions & 8 deletions
diff --git a/‎content/StsServerIdentity/Controllers/ConsentController.cs‎
Lines changed: 1 addition & 1 deletion b/‎content/StsServerIdentity/Controllers/ConsentController.cs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎content/StsServerIdentity/Controllers/GrantsController.cs‎
Lines changed: 1 addition & 1 deletion b/‎content/StsServerIdentity/Controllers/GrantsController.cs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎content/StsServerIdentity/Extensions.cs‎
Lines changed: 2 additions & 2 deletions b/‎content/StsServerIdentity/Extensions.cs‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎content/StsServerIdentity/Fido2/Fido2Storage.cs‎
Lines changed: 3 additions & 3 deletions b/‎content/StsServerIdentity/Fido2/Fido2Storage.cs‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎content/StsServerIdentity/Fido2/FidoStoredCredential.cs‎
Lines changed: 12 additions & 12 deletions b/‎content/StsServerIdentity/Fido2/FidoStoredCredential.cs‎
Lines changed: 12 additions & 12 deletions
diff --git a/‎content/StsServerIdentity/Fido2/MfaFido2RegisterController.cs‎
Lines changed: 4 additions & 2 deletions b/‎content/StsServerIdentity/Fido2/MfaFido2RegisterController.cs‎
Lines changed: 4 additions & 2 deletions
@@ -2,6 +2,11 @@
 
 [Readme](https://github.com/damienbod/IdentityServer4AspNetCoreIdentityTemplate/blob/master/README.md) 
 
+2020-09-12 5.0.4
+- FIDO2 Anti-forgery tokens
+- updated nuget packages 3.1.7
+- update npm packages
+
 2020-08-28 5.0.3
 - updated nuget packages 3.1.7
 
 
@@ -53,7 +53,7 @@ dotnet new -i IdentityServer4AspNetCoreIdentityTemplate
 Locally built nupkg:
 
 ```
-dotnet new -i IdentityServer4AspNetCoreIdentityTemplate.5.0.3.nupkg
+dotnet new -i IdentityServer4AspNetCoreIdentityTemplate.5.0.4.nupkg
 ```
 
 Local folder:
 
@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2012/06/nuspec.xsd">
 	<metadata>
 		<id>IdentityServer4AspNetCoreIdentityTemplate</id>
-		<version>5.0.3</version>
+		<version>5.0.4</version>
 		<title>IdentityServer4.Identity.Template</title>
 		<license type="file">LICENSE</license>
 		<description>
@@ -17,7 +17,7 @@
 		<requireLicenseAcceptance>false</requireLicenseAcceptance>
 		<copyright>2020 damienbod</copyright>
 		<summary>This template provides a simle getting started for IdentityServer4 with Identity. Identity is Localized and the UI uses Bootstrap 4, Remove AllowAnonymous from the logout</summary>
-		<releaseNotes>updated nuget packages 3.1.7</releaseNotes>
+		<releaseNotes>FIDO2 Anti-forgery tokens, updated nuget packages 3.1.7, update npm packages</releaseNotes>
 		<repository type="git" url="https://github.com/damienbod/IdentityServer4AspNetCoreIdentityTemplate" />
 		<packageTypes>
 			<packageType name="Template" />
 
@@ -98,7 +98,7 @@ public async Task<IActionResult> Login(LoginInputModel model)
             var requires2Fa = context?.AcrValues.Count(t => t.Contains("mfa")) >= 1;
 
             var user = await _userManager.FindByNameAsync(model.Email);
-            if(user != null && !user.TwoFactorEnabled && requires2Fa)
+            if (user != null && !user.TwoFactorEnabled && requires2Fa)
             {
                 return RedirectToAction(nameof(ErrorEnable2FA));
             }
@@ -161,7 +161,7 @@ public async Task<IActionResult> LoginFido2Mfa(string provider, bool rememberMe,
 
             return View(new MfaModel { /*Provider = provider,*/ ReturnUrl = returnUrl, RememberMe = rememberMe });
         }
-		
+
         [HttpGet]
         [AllowAnonymous]
         public IActionResult ErrorEnable2FA()
@@ -211,7 +211,7 @@ public async Task<IActionResult> Logout(LogoutViewModel model)
                     await _signInManager.SignOutAsync();
                     // await HttpContext.Authentication.SignOutAsync(idp, new AuthenticationProperties { RedirectUri = url });
                 }
-                catch(NotSupportedException)
+                catch (NotSupportedException)
                 {
                 }
             }
@@ -260,7 +260,8 @@ public async Task<IActionResult> Register(RegisterViewModel model, string return
             ViewData["ReturnUrl"] = returnUrl;
             if (ModelState.IsValid)
             {
-                var user = new ApplicationUser {
+                var user = new ApplicationUser
+                {
                     UserName = model.Email,
                     Email = model.Email,
                     IsAdmin = false
@@ -320,7 +321,7 @@ public async Task<IActionResult> ExternalLoginCallback(string returnUrl = null,
             }
 
             var email = info.Principal.FindFirstValue(ClaimTypes.Email);
-  
+
             if (!string.IsNullOrEmpty(email))
             {
                 var user = await _userManager.FindByNameAsync(email);
@@ -450,9 +451,9 @@ public async Task<IActionResult> ForgotPassword(ForgotPasswordViewModel model)
                 code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(code));
                 var callbackUrl = Url.Action("ResetPassword", "Account", new { userId = user.Id, code = code }, protocol: HttpContext.Request.Scheme);
                 await _emailSender.SendEmail(
-                   model.Email, 
+                   model.Email,
                    "Reset Password",
-                   $"Please reset your password by clicking here: {HtmlEncoder.Default.Encode(callbackUrl)}", 
+                   $"Please reset your password by clicking here: {HtmlEncoder.Default.Encode(callbackUrl)}",
                    "Hi Sir");
 
                 return View("ForgotPasswordConfirmation");
@@ -585,7 +586,7 @@ public async Task<IActionResult> VerifyCode(string provider, bool rememberMe, st
                 return View("Error");
             }
 
-            if(string.IsNullOrEmpty(provider))
+            if (string.IsNullOrEmpty(provider))
             {
                 provider = "Authenticator";
             }
 
@@ -204,7 +204,7 @@ private ConsentViewModel CreateConsentViewModel(
             vm.IdentityScopes = request.ValidatedResources.Resources.IdentityResources.Select(x => CreateScopeViewModel(x, vm.ScopesConsented.Contains(x.Name) || model == null)).ToArray();
 
             var apiScopes = new List<ScopeViewModel>();
-            foreach(var parsedScope in request.ValidatedResources.ParsedScopes)
+            foreach (var parsedScope in request.ValidatedResources.ParsedScopes)
             {
                 var apiScope = request.ValidatedResources.Resources.FindApiScope(parsedScope.ParsedName);
                 if (apiScope != null)
 
@@ -62,7 +62,7 @@ private async Task<GrantsViewModel> BuildViewModelAsync()
             var grants = await _interaction.GetAllUserGrantsAsync();
 
             var list = new List<GrantViewModel>();
-            foreach(var grant in grants)
+            foreach (var grant in grants)
             {
                 var client = await _clients.FindClientByIdAsync(grant.ClientId);
                 if (client != null)
 
@@ -20,8 +20,8 @@ public static bool IsNativeClient(this AuthorizationRequest context)
         public static IActionResult LoadingPage(this Controller controller, string viewName, string redirectUri)
         {
             controller.HttpContext.Response.StatusCode = 200;
-            controller.HttpContext.Response.Headers["Location"] = "";
-            
+            controller.HttpContext.Response.Headers["Location"] = "";
+
             return controller.View(viewName, new RedirectViewModel { RedirectUrl = redirectUri });
         }
     }
 
@@ -11,7 +11,7 @@ namespace StsServerIdentity
 {
     public class Fido2Storage
     {
-       private readonly ApplicationDbContext _applicationDbContext;
+        private readonly ApplicationDbContext _applicationDbContext;
 
         public Fido2Storage(ApplicationDbContext applicationDbContext)
         {
@@ -26,9 +26,9 @@ public async Task<List<FidoStoredCredential>> GetCredentialsByUsername(string us
         public async Task RemoveCredentialsByUsername(string username)
         {
             var items = await _applicationDbContext.FidoStoredCredential.Where(c => c.Username == username).ToListAsync();
-            if(items != null)
+            if (items != null)
             {
-                foreach(var fido2Key in items)
+                foreach (var fido2Key in items)
                 {
                     _applicationDbContext.FidoStoredCredential.Remove(fido2Key);
                 };
 
@@ -5,25 +5,25 @@
 
 namespace StsServerIdentity
 {
-    public class FidoStoredCredential
+    public class FidoStoredCredential
     {
-        [DatabaseGenerated(DatabaseGeneratedOption.Identity)]
-        public int Id { get; set; }
-        public string Username { get; set; }
-        public byte[] UserId { get; set; }
-        public byte[] PublicKey { get; set; }
-        public byte[] UserHandle { get; set; }
-        public uint SignatureCounter { get; set; }
-        public string CredType { get; set; }
-        public DateTime RegDate { get; set; }
+        [DatabaseGenerated(DatabaseGeneratedOption.Identity)]
+        public int Id { get; set; }
+        public string Username { get; set; }
+        public byte[] UserId { get; set; }
+        public byte[] PublicKey { get; set; }
+        public byte[] UserHandle { get; set; }
+        public uint SignatureCounter { get; set; }
+        public string CredType { get; set; }
+        public DateTime RegDate { get; set; }
         public Guid AaGuid { get; set; }
 
-        [NotMapped]
+        [NotMapped]
         public PublicKeyCredentialDescriptor Descriptor
         {
             get { return string.IsNullOrWhiteSpace(DescriptorJson) ? null : JsonConvert.DeserializeObject<PublicKeyCredentialDescriptor>(DescriptorJson); }
             set { DescriptorJson = JsonConvert.SerializeObject(value); }
         }
-        public string DescriptorJson { get; set; }
+        public string DescriptorJson { get; set; }
     }
 }
@@ -29,7 +29,7 @@ public class MfaFido2RegisterController : Controller
         private readonly IStringLocalizer _sharedLocalizer;
 
         public MfaFido2RegisterController(
-            Fido2Storage fido2Storage, 
+            Fido2Storage fido2Storage,
             UserManager<ApplicationUser> userManager,
             IOptions<Fido2Configuration> optionsFido2Configuration,
             IStringLocalizerFactory factory)
@@ -57,6 +57,7 @@ private string FormatException(Exception e)
         }
 
         [HttpPost]
+        [ValidateAntiForgeryToken]
         [Route("/mfamakeCredentialOptions")]
         public async Task<JsonResult> MakeCredentialOptions([FromForm] string username, [FromForm] string displayName, [FromForm] string attType, [FromForm] string authType, [FromForm] bool requireResidentKey, [FromForm] string userVerification)
         {
@@ -78,7 +79,7 @@ public async Task<JsonResult> MakeCredentialOptions([FromForm] string username,
                 // 2. Get user existing keys by username
                 var items = await _fido2Storage.GetCredentialsByUsername(identityUser.UserName);
                 var existingKeys = new List<PublicKeyCredentialDescriptor>();
-                foreach(var publicKeyCredentialDescriptor in items)
+                foreach (var publicKeyCredentialDescriptor in items)
                 {
                     existingKeys.Add(publicKeyCredentialDescriptor.Descriptor);
                 }
@@ -110,6 +111,7 @@ public async Task<JsonResult> MakeCredentialOptions([FromForm] string username,
         }
 
         [HttpPost]
+        [ValidateAntiForgeryToken]
         [Route("/mfamakeCredential")]
         public async Task<JsonResult> MakeCredential([FromBody] AuthenticatorAttestationRawResponse attestationResponse)
         {
Original file line number	Diff line number	Diff line change
`@@ -98,7 +98,7 @@ public async Task<IActionResult> Login(LoginInputModel model)`
`98`	`98`	`var requires2Fa = context?.AcrValues.Count(t => t.Contains("mfa")) >= 1;`
`99`	`99`
`100`	`100`	`var user = await _userManager.FindByNameAsync(model.Email);`
`101`		`- if(user != null && !user.TwoFactorEnabled && requires2Fa)`
	`101`	`+ if (user != null && !user.TwoFactorEnabled && requires2Fa)`
`102`	`102`	`{`
`103`	`103`	`return RedirectToAction(nameof(ErrorEnable2FA));`
`104`	`104`	`}`
`@@ -161,7 +161,7 @@ public async Task<IActionResult> LoginFido2Mfa(string provider, bool rememberMe,`
`161`	`161`
`162`	`162`	`return View(new MfaModel { /Provider = provider,/ ReturnUrl = returnUrl, RememberMe = rememberMe });`
`163`	`163`	`}`
`164`		`-`
	`164`	`+`
`165`	`165`	`[HttpGet]`
`166`	`166`	`[AllowAnonymous]`
`167`	`167`	`public IActionResult ErrorEnable2FA()`
`@@ -211,7 +211,7 @@ public async Task<IActionResult> Logout(LogoutViewModel model)`
`211`	`211`	`await _signInManager.SignOutAsync();`
`212`	`212`	`// await HttpContext.Authentication.SignOutAsync(idp, new AuthenticationProperties { RedirectUri = url });`
`213`	`213`	`}`
`214`		`- catch(NotSupportedException)`
	`214`	`+ catch (NotSupportedException)`
`215`	`215`	`{`
`216`	`216`	`}`
`217`	`217`	`}`
`@@ -260,7 +260,8 @@ public async Task<IActionResult> Register(RegisterViewModel model, string return`
`260`	`260`	`ViewData["ReturnUrl"] = returnUrl;`
`261`	`261`	`if (ModelState.IsValid)`
`262`	`262`	`{`
`263`		`- var user = new ApplicationUser {`
	`263`	`+ var user = new ApplicationUser`
	`264`	`+ {`
`264`	`265`	`UserName = model.Email,`
`265`	`266`	`Email = model.Email,`
`266`	`267`	`IsAdmin = false`
`@@ -320,7 +321,7 @@ public async Task<IActionResult> ExternalLoginCallback(string returnUrl = null,`
`320`	`321`	`}`
`321`	`322`
`322`	`323`	`var email = info.Principal.FindFirstValue(ClaimTypes.Email);`
`323`		`-`
	`324`	`+`
`324`	`325`	`if (!string.IsNullOrEmpty(email))`
`325`	`326`	`{`
`326`	`327`	`var user = await _userManager.FindByNameAsync(email);`
`@@ -450,9 +451,9 @@ public async Task<IActionResult> ForgotPassword(ForgotPasswordViewModel model)`
`450`	`451`	`code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(code));`
`451`	`452`	`var callbackUrl = Url.Action("ResetPassword", "Account", new { userId = user.Id, code = code }, protocol: HttpContext.Request.Scheme);`
`452`	`453`	`await _emailSender.SendEmail(`
`453`		`- model.Email,`
	`454`	`+ model.Email,`
`454`	`455`	`"Reset Password",`
`455`		`- $"Please reset your password by clicking here: {HtmlEncoder.Default.Encode(callbackUrl)}",`
	`456`	`+ $"Please reset your password by clicking here: {HtmlEncoder.Default.Encode(callbackUrl)}",`
`456`	`457`	`"Hi Sir");`
`457`	`458`
`458`	`459`	`return View("ForgotPasswordConfirmation");`
`@@ -585,7 +586,7 @@ public async Task<IActionResult> VerifyCode(string provider, bool rememberMe, st`
`585`	`586`	`return View("Error");`
`586`	`587`	`}`
`587`	`588`
`588`		`- if(string.IsNullOrEmpty(provider))`
	`589`	`+ if (string.IsNullOrEmpty(provider))`
`589`	`590`	`{`
`590`	`591`	`provider = "Authenticator";`
`591`	`592`	`}`
Original file line number	Diff line number	Diff line change
`@@ -204,7 +204,7 @@ private ConsentViewModel CreateConsentViewModel(`
`204`	`204`	`vm.IdentityScopes = request.ValidatedResources.Resources.IdentityResources.Select(x => CreateScopeViewModel(x, vm.ScopesConsented.Contains(x.Name) \|\| model == null)).ToArray();`
`205`	`205`
`206`	`206`	`var apiScopes = new List<ScopeViewModel>();`
`207`		`- foreach(var parsedScope in request.ValidatedResources.ParsedScopes)`
	`207`	`+ foreach (var parsedScope in request.ValidatedResources.ParsedScopes)`
`208`	`208`	`{`
`209`	`209`	`var apiScope = request.ValidatedResources.Resources.FindApiScope(parsedScope.ParsedName);`
`210`	`210`	`if (apiScope != null)`
Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@ private async Task<GrantsViewModel> BuildViewModelAsync()`
`62`	`62`	`var grants = await _interaction.GetAllUserGrantsAsync();`
`63`	`63`
`64`	`64`	`var list = new List<GrantViewModel>();`
`65`		`- foreach(var grant in grants)`
	`65`	`+ foreach (var grant in grants)`
`66`	`66`	`{`
`67`	`67`	`var client = await _clients.FindClientByIdAsync(grant.ClientId);`
`68`	`68`	`if (client != null)`
Original file line number	Diff line number	Diff line change
`@@ -20,8 +20,8 @@ public static bool IsNativeClient(this AuthorizationRequest context)`
`20`	`20`	`public static IActionResult LoadingPage(this Controller controller, string viewName, string redirectUri)`
`21`	`21`	`{`
`22`	`22`	`controller.HttpContext.Response.StatusCode = 200;`
`23`		`- controller.HttpContext.Response.Headers["Location"] = "";`
`24`		`-`
	`23`	`+ controller.HttpContext.Response.Headers["Location"] = "";`
	`24`	`+`
`25`	`25`	`return controller.View(viewName, new RedirectViewModel { RedirectUrl = redirectUri });`
`26`	`26`	`}`
`27`	`27`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ namespace StsServerIdentity`
`11`	`11`	`{`
`12`	`12`	`public class Fido2Storage`
`13`	`13`	`{`
`14`		`- private readonly ApplicationDbContext _applicationDbContext;`
	`14`	`+ private readonly ApplicationDbContext _applicationDbContext;`
`15`	`15`
`16`	`16`	`public Fido2Storage(ApplicationDbContext applicationDbContext)`
`17`	`17`	`{`
`@@ -26,9 +26,9 @@ public async Task<List<FidoStoredCredential>> GetCredentialsByUsername(string us`
`26`	`26`	`public async Task RemoveCredentialsByUsername(string username)`
`27`	`27`	`{`
`28`	`28`	`var items = await _applicationDbContext.FidoStoredCredential.Where(c => c.Username == username).ToListAsync();`
`29`		`- if(items != null)`
	`29`	`+ if (items != null)`
`30`	`30`	`{`
`31`		`- foreach(var fido2Key in items)`
	`31`	`+ foreach (var fido2Key in items)`
`32`	`32`	`{`
`33`	`33`	`_applicationDbContext.FidoStoredCredential.Remove(fido2Key);`
`34`	`34`	`};`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ public class MfaFido2RegisterController : Controller`
`29`	`29`	`private readonly IStringLocalizer _sharedLocalizer;`
`30`	`30`
`31`	`31`	`public MfaFido2RegisterController(`
`32`		`- Fido2Storage fido2Storage,`
	`32`	`+ Fido2Storage fido2Storage,`
`33`	`33`	`UserManager<ApplicationUser> userManager,`
`34`	`34`	`IOptions<Fido2Configuration> optionsFido2Configuration,`
`35`	`35`	`IStringLocalizerFactory factory)`
`@@ -57,6 +57,7 @@ private string FormatException(Exception e)`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`[HttpPost]`
	`60`	`+ [ValidateAntiForgeryToken]`
`60`	`61`	`[Route("/mfamakeCredentialOptions")]`
`61`	`62`	`public async Task<JsonResult> MakeCredentialOptions([FromForm] string username, [FromForm] string displayName, [FromForm] string attType, [FromForm] string authType, [FromForm] bool requireResidentKey, [FromForm] string userVerification)`
`62`	`63`	`{`
`@@ -78,7 +79,7 @@ public async Task<JsonResult> MakeCredentialOptions([FromForm] string username,`
`78`	`79`	`// 2. Get user existing keys by username`
`79`	`80`	`var items = await _fido2Storage.GetCredentialsByUsername(identityUser.UserName);`
`80`	`81`	`var existingKeys = new List<PublicKeyCredentialDescriptor>();`
`81`		`- foreach(var publicKeyCredentialDescriptor in items)`
	`82`	`+ foreach (var publicKeyCredentialDescriptor in items)`
`82`	`83`	`{`
`83`	`84`	`existingKeys.Add(publicKeyCredentialDescriptor.Descriptor);`
`84`	`85`	`}`
`@@ -110,6 +111,7 @@ public async Task<JsonResult> MakeCredentialOptions([FromForm] string username,`
`110`	`111`	`}`
`111`	`112`
`112`	`113`	`[HttpPost]`
	`114`	`+ [ValidateAntiForgeryToken]`
`113`	`115`	`[Route("/mfamakeCredential")]`
`114`	`116`	`public async Task<JsonResult> MakeCredential([FromBody] AuthenticatorAttestationRawResponse attestationResponse)`
`115`	`117`	`{`