在同一请求中调用PasswordSignIn和SendTwoFactorCode

Question

我想在asp.net mvc中实现以下用于双因素身份验证的流程:

var res = sign.PasswordSignIn("myusername", "mypassword", false, false);
if(res == SignInStatus.RequiresVerification)
   sign.SendTwoFactorCode("EmailCode");

但是我发现该SendTwoFactorCode函数返回false并且没有发送电子邮件,因为它在内部检查用户是否已经过验证. 在源代码中查看此行. 如果我发出第二个请求,那电话SendTwoFactorCode就像我期待的那样工作.

有没有办法SendTwoFactorCode在打电话后立即正常工作PasswordSignIn？

Answer 1

有没有办法在调用PasswordSignIn后立即使SendTwoFactorCode正常工作？

简答:不

建议的替代方案:

文档中通常建议的流程是

1. 通过用户名和密码验证用户.
2. 如果有效的用户和密码,并且需要额外的验证,因为2FA已启用,则重定向到页面以发送代码.
3. 如果用户启动发送代码,则发送代码,然后将用户重定向到验证页面.

第二步通常是确认提供者,如果有多个(即短信,电子邮件等),用于第二因素验证.

例如,以下是RequiresVerification结果的重定向

帐号登录

//...

var result = await signInManager.PasswordSignInAsync(username, password, false, false);
switch (result) {
    case SignInStatus.Success:
        return RedirectToLocal(returnUrl);
    case SignInStatus.LockedOut:
        return View("Lockout");
    case SignInStatus.RequiresVerification:
        return RedirectToAction("VerifyCode", new { ReturnUrl = returnUrl });
    case SignInStatus.Failure:
    default:
        ModelState.AddModelError("", "Invalid login attempt.");
        return View(model);
}

但由于您已经确定要通过电子邮件发送代码,因此您可以跳过第二步并直接重定向到验证代码,该验证代码可以是代码发送和验证的位置.

帐户/附加码

[AllowAnonymous]
public async Task<ActionResult> VerifyCode(string returnUrl) {
    var provider = "EmailCode";
    // Require that the user has already logged in via username/password
    var userId = await signInManager.GetVerifiedUserIdAsync();
    if (userId == null) {
        return View("Error");
    }
    // Generate the token and send it
    if(!await signInManager.SendTwoFactorCodeAsync(provider)) {
        return View("Error");
    }

    var model = new VerifyCodeViewModel { 
        ReturnUrl = returnUrl
    };

    return View(model);
}

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> VerifyCode(VerifyCodeViewModel model) {
    var provider = "EmailCode";
    if (!ModelState.IsValid) {
        return View(model);
    }

    var result = await signInManager.TwoFactorSignInAsync(provider, model.Code, false, false);
    switch (result) {
        case SignInStatus.Success:
            return RedirectToLocal(returnUrl);
        case SignInStatus.LockedOut:
            return View("Lockout");
        case SignInStatus.RequiresVerification:
            return RedirectToAction("VerifyCode", new { ReturnUrl = returnUrl });
        case SignInStatus.Failure:
        default:
            ModelState.AddModelError("", "Invalid login attempt.");
            return View(model);
    }
}

这应该允许TwoFactorCookie包含在下一个请求中,以便GetVerifiedUserIdAsync按预期运行.

/// <summary>
/// Get the user id that has been verified already or null.
/// </summary>
/// <returns></returns>
public async Task<TKey> GetVerifiedUserIdAsync()
{
    var result = await AuthenticationManager.AuthenticateAsync(DefaultAuthenticationTypes.TwoFactorCookie).WithCurrentCulture();
    if (result != null && result.Identity != null && !String.IsNullOrEmpty(result.Identity.GetUserId()))
    {
        return ConvertIdFromString(result.Identity.GetUserId());
    }
    return default(TKey);
}

资源

就像你表示的那样

如果我发出第二个请求,SendTwoFactorCode的调用就像我期望的那样工作.

第二个请求很重要,因为它将包含先前请求中设置的cookie.

参考SignInManager如何检查2FA要求