Add account management pages and update layout for user authentication

Author: ZeidLab

Docs/Useing-Domain-Events.md

@@ -30,7 +30,7 @@ public sealed class DomainEventPublishingInterceptor : SaveChangesInterceptor
         var context = eventData.Context;
         if (context is null) return result;
 
-        var entities = context.ChangeTracker.Entries<EntityBase<int>>()
+        var entities = context.ChangeTracker.Entries<IHaveDomainEvents>()
             .Where(e => e.Entity.DomainEvents.Count > 0)
             .Select(e => e.Entity)
             .ToList();

EFCoreBlazorWebAppExampleWithAuth/Components/Account/IdentityComponentsEndpointRouteBuilderExtensions.cs

@@ -0,0 +1,117 @@
+using System.Security.Claims;
+using System.Text.Json;
+
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Components.Authorization;
+using Microsoft.AspNetCore.Http.Extensions;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Primitives;
+
+using EFCoreBlazorWebAppExampleWithAuth.Components.Account.Pages;
+using EFCoreBlazorWebAppExampleWithAuth.Components.Account.Pages.Manage;
+using EFCoreBlazorWebAppExampleWithAuth.Data;
+
+namespace Microsoft.AspNetCore.Routing;
+
+internal static class IdentityComponentsEndpointRouteBuilderExtensions
+{
+    // These endpoints are required by the Identity Razor components defined in the /Components/Account/Pages directory of this project.
+    public static IEndpointConventionBuilder MapAdditionalIdentityEndpoints(this IEndpointRouteBuilder endpoints)
+    {
+        ArgumentNullException.ThrowIfNull(endpoints);
+
+        var accountGroup = endpoints.MapGroup("/Account");
+
+        accountGroup.MapPost("/PerformExternalLogin", (
+            HttpContext context,
+            [FromServices] SignInManager<ApplicationUser> signInManager,
+            [FromForm] string provider,
+            [FromForm] string returnUrl) =>
+        {
+            IEnumerable<KeyValuePair<string, StringValues>> query =
+            [
+                new("ReturnUrl", returnUrl),
+                new("Action", ExternalLogin.LoginCallbackAction)
+            ];
+
+            var redirectUrl = UriHelper.BuildRelative(
+                context.Request.PathBase,
+                "/Account/ExternalLogin",
+                QueryString.Create(query));
+
+            var properties = signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
+            return TypedResults.Challenge(properties, [provider]);
+        });
+
+        accountGroup.MapPost("/Logout", async (
+            ClaimsPrincipal user,
+            [FromServices] SignInManager<ApplicationUser> signInManager,
+            [FromForm] string returnUrl) =>
+        {
+            await signInManager.SignOutAsync();
+            return TypedResults.LocalRedirect($"~/{returnUrl}");
+        });
+
+        var manageGroup = accountGroup.MapGroup("/Manage").RequireAuthorization();
+
+        manageGroup.MapPost("/LinkExternalLogin", async (
+            HttpContext context,
+            [FromServices] SignInManager<ApplicationUser> signInManager,
+            [FromForm] string provider) =>
+        {
+            // Clear the existing external cookie to ensure a clean login process
+            await context.SignOutAsync(IdentityConstants.ExternalScheme);
+
+            var redirectUrl = UriHelper.BuildRelative(
+                context.Request.PathBase,
+                "/Account/Manage/ExternalLogins",
+                QueryString.Create("Action", ExternalLogins.LinkLoginCallbackAction));
+
+            var properties = signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl,
+                signInManager.UserManager.GetUserId(context.User));
+            return TypedResults.Challenge(properties, [provider]);
+        });
+
+        var loggerFactory = endpoints.ServiceProvider.GetRequiredService<ILoggerFactory>();
+        var downloadLogger = loggerFactory.CreateLogger("DownloadPersonalData");
+
+        manageGroup.MapPost("/DownloadPersonalData", async (
+            HttpContext context,
+            [FromServices] UserManager<ApplicationUser> userManager,
+            [FromServices] AuthenticationStateProvider authenticationStateProvider) =>
+        {
+            var user = await userManager.GetUserAsync(context.User);
+            if (user is null)
+            {
+                return Results.NotFound($"Unable to load user with ID '{userManager.GetUserId(context.User)}'.");
+            }
+
+            var userId = await userManager.GetUserIdAsync(user);
+            downloadLogger.LogInformation("User with ID '{UserId}' asked for their personal data.", userId);
+
+            // Only include personal data for download
+            var personalData = new Dictionary<string, string>();
+            var personalDataProps = typeof(ApplicationUser).GetProperties()
+                .Where(prop => Attribute.IsDefined(prop, typeof(PersonalDataAttribute)));
+            foreach (var p in personalDataProps)
+            {
+                personalData.Add(p.Name, p.GetValue(user)?.ToString() ?? "null");
+            }
+
+            var logins = await userManager.GetLoginsAsync(user);
+            foreach (var l in logins)
+            {
+                personalData.Add($"{l.LoginProvider} external login provider key", l.ProviderKey);
+            }
+
+            personalData.Add("Authenticator Key", (await userManager.GetAuthenticatorKeyAsync(user))!);
+            var fileBytes = JsonSerializer.SerializeToUtf8Bytes(personalData);
+
+            context.Response.Headers.TryAdd("Content-Disposition", "attachment; filename=PersonalData.json");
+            return TypedResults.File(fileBytes, contentType: "application/json", fileDownloadName: "PersonalData.json");
+        });
+
+        return accountGroup;
+    }
+}

EFCoreBlazorWebAppExampleWithAuth/Components/Account/IdentityNoOpEmailSender.cs

@@ -0,0 +1,24 @@
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Identity.UI.Services;
+
+using EFCoreBlazorWebAppExampleWithAuth.Data;
+
+namespace EFCoreBlazorWebAppExampleWithAuth.Components.Account;
+
+// Remove the "else if (EmailSender is IdentityNoOpEmailSender)" block from RegisterConfirmation.razor after updating with a real implementation.
+internal sealed class IdentityNoOpEmailSender : IEmailSender<ApplicationUser>
+{
+    private readonly IEmailSender emailSender = new NoOpEmailSender();
+
+    public Task SendConfirmationLinkAsync(ApplicationUser user, string email, string confirmationLink) =>
+        emailSender.SendEmailAsync(email, "Confirm your email",
+            $"Please confirm your account by <a href='{confirmationLink}'>clicking here</a>.");
+
+    public Task SendPasswordResetLinkAsync(ApplicationUser user, string email, string resetLink) =>
+        emailSender.SendEmailAsync(email, "Reset your password",
+            $"Please reset your password by <a href='{resetLink}'>clicking here</a>.");
+
+    public Task SendPasswordResetCodeAsync(ApplicationUser user, string email, string resetCode) =>
+        emailSender.SendEmailAsync(email, "Reset your password",
+            $"Please reset your password using the following code: {resetCode}");
+}

EFCoreBlazorWebAppExampleWithAuth/Components/Account/IdentityRedirectManager.cs

@@ -0,0 +1,57 @@
+using System.Diagnostics.CodeAnalysis;
+
+using Microsoft.AspNetCore.Components;
+
+namespace EFCoreBlazorWebAppExampleWithAuth.Components.Account;
+
+internal sealed class IdentityRedirectManager(NavigationManager navigationManager)
+{
+    public const string StatusCookieName = "Identity.StatusMessage";
+
+    private static readonly CookieBuilder StatusCookieBuilder = new()
+    {
+        SameSite = SameSiteMode.Strict, HttpOnly = true, IsEssential = true, MaxAge = TimeSpan.FromSeconds(5),
+    };
+
+    [DoesNotReturn]
+    public void RedirectTo(string? uri)
+    {
+        uri ??= "";
+
+        // Prevent open redirects.
+        if (!Uri.IsWellFormedUriString(uri, UriKind.Relative))
+        {
+            uri = navigationManager.ToBaseRelativePath(uri);
+        }
+
+        // During static rendering, NavigateTo throws a NavigationException which is handled by the framework as a redirect.
+        // So as long as this is called from a statically rendered Identity component, the InvalidOperationException is never thrown.
+        navigationManager.NavigateTo(uri);
+        throw new InvalidOperationException(
+            $"{nameof(IdentityRedirectManager)} can only be used during static rendering.");
+    }
+
+    [DoesNotReturn]
+    public void RedirectTo(string uri, Dictionary<string, object?> queryParameters)
+    {
+        var uriWithoutQuery = navigationManager.ToAbsoluteUri(uri).GetLeftPart(UriPartial.Path);
+        var newUri = navigationManager.GetUriWithQueryParameters(uriWithoutQuery, queryParameters);
+        RedirectTo(newUri);
+    }
+
+    [DoesNotReturn]
+    public void RedirectToWithStatus(string uri, string message, HttpContext context)
+    {
+        context.Response.Cookies.Append(StatusCookieName, message, StatusCookieBuilder.Build(context));
+        RedirectTo(uri);
+    }
+
+    private string CurrentPath => navigationManager.ToAbsoluteUri(navigationManager.Uri).GetLeftPart(UriPartial.Path);
+
+    [DoesNotReturn]
+    public void RedirectToCurrentPage() => RedirectTo(CurrentPath);
+
+    [DoesNotReturn]
+    public void RedirectToCurrentPageWithStatus(string message, HttpContext context)
+        => RedirectToWithStatus(CurrentPath, message, context);
+}

EFCoreBlazorWebAppExampleWithAuth/Components/Account/IdentityRevalidatingAuthenticationStateProvider.cs

@@ -0,0 +1,50 @@
+using System.Security.Claims;
+
+using Microsoft.AspNetCore.Components.Authorization;
+using Microsoft.AspNetCore.Components.Server;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Options;
+
+using EFCoreBlazorWebAppExampleWithAuth.Data;
+
+namespace EFCoreBlazorWebAppExampleWithAuth.Components.Account;
+
+// This is a server-side AuthenticationStateProvider that revalidates the security stamp for the connected user
+// every 30 minutes an interactive circuit is connected.
+internal sealed class IdentityRevalidatingAuthenticationStateProvider(
+    ILoggerFactory loggerFactory,
+    IServiceScopeFactory scopeFactory,
+    IOptions<IdentityOptions> options)
+    : RevalidatingServerAuthenticationStateProvider(loggerFactory)
+{
+    protected override TimeSpan RevalidationInterval => TimeSpan.FromMinutes(30);
+
+    protected override async Task<bool> ValidateAuthenticationStateAsync(
+        AuthenticationState authenticationState, CancellationToken cancellationToken)
+    {
+        // Get the user manager from a new scope to ensure it fetches fresh data
+        await using var scope = scopeFactory.CreateAsyncScope();
+        var userManager = scope.ServiceProvider.GetRequiredService<UserManager<ApplicationUser>>();
+        return await ValidateSecurityStampAsync(userManager, authenticationState.User);
+    }
+
+    private async Task<bool> ValidateSecurityStampAsync(UserManager<ApplicationUser> userManager,
+        ClaimsPrincipal principal)
+    {
+        var user = await userManager.GetUserAsync(principal);
+        if (user is null)
+        {
+            return false;
+        }
+        else if (!userManager.SupportsUserSecurityStamp)
+        {
+            return true;
+        }
+        else
+        {
+            var principalStamp = principal.FindFirstValue(options.Value.ClaimsIdentity.SecurityStampClaimType);
+            var userStamp = await userManager.GetSecurityStampAsync(user);
+            return principalStamp == userStamp;
+        }
+    }
+}

EFCoreBlazorWebAppExampleWithAuth/Components/Account/IdentityUserAccessor.cs

@@ -0,0 +1,23 @@
+using Microsoft.AspNetCore.Identity;
+
+using EFCoreBlazorWebAppExampleWithAuth.Data;
+
+namespace EFCoreBlazorWebAppExampleWithAuth.Components.Account;
+
+internal sealed class IdentityUserAccessor(
+    UserManager<ApplicationUser> userManager,
+    IdentityRedirectManager redirectManager)
+{
+    public async Task<ApplicationUser> GetRequiredUserAsync(HttpContext context)
+    {
+        var user = await userManager.GetUserAsync(context.User);
+
+        if (user is null)
+        {
+            redirectManager.RedirectToWithStatus("Account/InvalidUser",
+                $"Error: Unable to load user with ID '{userManager.GetUserId(context.User)}'.", context);
+        }
+
+        return user;
+    }
+}

EFCoreBlazorWebAppExampleWithAuth/Components/Account/Pages/AccessDenied.razor

@@ -0,0 +1,5 @@
+@page "/Account/AccessDenied"
+
+<PageTitle>Access denied</PageTitle>
+
+<MudAlert Severity="Severity.Error">You do not have access to this resource.</MudAlert>

EFCoreBlazorWebAppExampleWithAuth/Components/Account/Pages/ConfirmEmail.razor

@@ -0,0 +1,46 @@
+@page "/Account/ConfirmEmail"
+
+@using System.Text
+@using Microsoft.AspNetCore.Identity
+@using Microsoft.AspNetCore.WebUtilities
+@using EFCoreBlazorWebAppExampleWithAuth.Data
+
+@inject UserManager<ApplicationUser> UserManager
+@inject IdentityRedirectManager RedirectManager
+
+<PageTitle>Confirm email</PageTitle>
+
+<h1>Confirm email</h1>
+<StatusMessage Message="@statusMessage"/>
+
+@code {
+    private string? statusMessage;
+
+    [CascadingParameter] private HttpContext HttpContext { get; set; } = default!;
+
+    [SupplyParameterFromQuery] private string? UserId { get; set; }
+
+    [SupplyParameterFromQuery] private string? Code { get; set; }
+
+    protected override async Task OnInitializedAsync()
+    {
+        if (UserId is null || Code is null)
+        {
+            RedirectManager.RedirectTo("");
+        }
+
+        var user = await UserManager.FindByIdAsync(UserId);
+        if (user is null)
+        {
+            HttpContext.Response.StatusCode = StatusCodes.Status404NotFound;
+            statusMessage = $"Error loading user with ID {UserId}";
+        }
+        else
+        {
+            var code = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(Code));
+            var result = await UserManager.ConfirmEmailAsync(user, code);
+            statusMessage = result.Succeeded ? "Thank you for confirming your email." : "Error confirming your email.";
+        }
+    }
+
+}