Developer forum: Dynamicweb 9.0 Upgrade issues

GetLoginToken / LogOnWithToken issue

Peter Leleulya

Hi guys,

I have a question about the GetLoginToken and LogOnWithToken methods within the Dynamicweb.Frontend.LogonHandler.

We have updated a project from DW 9.4.16 to DW 9.6.8 and since then a custom login functionality doesn't seem to work anymore.
We did not change the code for this functionality, but did change the core (and perhaps some CMS configuration).

How this custom login functionality works / used to work is as follows:

1) User tries to log on to the website.
   User is recognized, but the user IP is invalid (based on custom logic).
   User is not accepted to the website.
   If the user is of a certain type (based on custom logic) the user can request a token (not the Dynamicweb token! A 6-character custom code) to get temporary access from outside its known IP range.
   This custom token is created by the system and saved to the accessuser with an expiration datetime, and also sent to the user by SMS (text message to your phone).
   The system shows an alternative login field for the token input.

2) User submits the token he received by SMS.
   The system runs the function as shown at the bottom:
    - It validates the token format.
    - If valid: it gets the active user from the AccessUser table which has this token value and an expiration date > GetDate().
    - If a user is found: the system gets the Dynamicweb token by using the GetLoginToken(username, encryptedpassword) method with the found user data.
    - If a token is found: the system logs the user in by using the method LogOnWithToken(username, dwtoken).
    - The system checks if the current user is logged in.

    If any of the above fails it returns with an error, else it redirects to the welcome page.

Now, since our release on the new core, the LogOnWithToken method does not log the user in anymore; this log entry confirms it:
2019-06-12 10:16:47.9242 Repository.Helpers.LoginHelper TryLoginByToken - User with ID 8 was not logged in with Dynamicweb log-in token c411398b743a59847acc8c8cedba2ebf8edb58229e1b5a0687b86ec47ced1328 for VMT Access token 5ZE99T.

The method did have a custom token, did find a user, created a Dynamicweb token, tried to log in but somehow didn't ...

I'm not sure what the token is based on and why it can't login with it anymore.
Are there breaking changes from 9.4.16 to 9.6.8 on this method?
Has it something to do with user encryption?
Has it something to do with comparing encrypted and plain cached values?
Has it something to do with CMS settings?
Is it something else?

This method is void, so there is 0 feedback from it ...

This function seems to be used quite a lot and we would like it to work asap again, because it costs our client a lot of sales at the moment ...
Is there anyone who can help me with this?

FUNCTION :

public static void TryLoginByToken(string culture, out string error)
{
    error = "";

    if (CurrentUserIsLoggedIn()) return; // already logged in

    // get verhoeven token (the 6-character SMS code, not the Dynamicweb token)
    var token = GetTokenFromContext();
    if (string.IsNullOrWhiteSpace(token)) return; // no token found

    // validate verhoeven token format
    if (!TokenIsValid(token))
    {
        error = TranslationHelper.Translate("MobileAccess_LoginError", culture);
        Logger.Error($"TryLoginByToken - VMT Access token {token} is not valid.");
        return; // invalid token
    }

    // get user by verhoeven token (AccessUser with this token value and expiration > now)
    var user = GetUserByToken(token);
    if (user == null)
    {
        error = TranslationHelper.Translate("MobileAccess_LoginError", culture);
        Logger.Error($"TryLoginByToken - No user for VMT Access token {token} was found.");
        return; // no match
    }

    // match found, so get dw login token
    // login needs a pageview, see: https://doc.dynamicweb.com/forum/development/development/custom-user-login
    var pv = Dynamicweb.Frontend.PageView.Current();
    // use LogOnHandler, see: https://doc.dynamicweb.com/forum/dynamicweb-9-0-upgrade-issues/dynamicweb-9-0-upgrade-issues/extranetlogin
    var logonhandler = new Dynamicweb.Frontend.LogOnHandler();
    // user.Password is the stored (encrypted) value from AccessUser, not a plaintext password
    var loginToken = Dynamicweb.Frontend.LogOnHandler.GetLoginToken(user.UserName, user.Password);
    if (string.IsNullOrWhiteSpace(loginToken))
    {
        error = TranslationHelper.Translate("MobileAccess_LoginError", culture);
        Logger.Error($"TryLoginByToken - No Dynamicweb log-in token for VMT Access token {token} and user with ID {user.ID} was found.");
        return; // no token
    }

    // login to dynamicweb with dw token (before login the OnExtranetLoginObserver gets hit!)
    logonhandler.LogOnWithToken(user.UserName, loginToken);
    if (!CurrentUserIsLoggedIn())
    {
        error = TranslationHelper.Translate("MobileAccess_LoginError", culture);
        // note: this writes the Dynamicweb log-in token and the SMS code themselves to the error log
        Logger.Error($"TryLoginByToken - User with ID {user.ID} was not logged in with Dynamicweb log-in token {loginToken} for VMT Access token {token}.");
        return; // login failed
    }

    Logger.Trace($"TryLoginByToken - User with ID {user.ID} login with VMT Access token succeeded.");

    // user logged in via verhoeven- and dw tokens successfully, redirect to homepage
    var goToUrl = $"{System.Web.HttpContext.Current.Request.Url.Scheme}://{System.Web.HttpContext.Current.Request.Url.Authority}?ID={AreaHelper.GetAreaItemStringValueBySystemNameAndAreaId(StringConstants.PageSystemNames.Homepage, 1)}";
    System.Web.HttpContext.Current.Response.Redirect(goToUrl, true);
}
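The SMS-code half of the flow described above (the system creates a 6-character code, stores it on the AccessUser with an expiration, the user submits it, and the system looks it up requiring expiration > now), as an added example. This is not the poster's code and uses no Dynamicweb API: a self-contained C# class with an in-memory dictionary stands in for the AccessUser columns. Beyond what the post describes it also draws the code from a CSPRNG, consumes it on first successful use, and caps wrong guesses per caller; the class and method names, the alphabet, the five-failure limit and user ID 8 (taken from the log line in the post) are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

// Assumed in-memory stand-in for the two AccessUser fields the post describes (the SMS code and
// its expiration); a real implementation would read and write the user record instead.
public sealed class SmsAccessCodeStore
{
    private const string Alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"; // no 0/O/1/I: unambiguous in an SMS
    private const int CodeLength = 6;
    private const int MaxFailuresPerCaller = 5;                          // assumed limit; tune per deployment
    private static readonly Regex Format = new Regex("^[A-Z0-9]{6}$", RegexOptions.Compiled);

    private sealed class Entry { public string Code; public DateTime ExpiresUtc; }
    private readonly Dictionary<int, Entry> _byUser = new Dictionary<int, Entry>();
    private readonly Dictionary<string, int> _failures = new Dictionary<string, int>();
    private readonly Func<DateTime> _utcNow;                             // injected clock, so expiry is testable

    public SmsAccessCodeStore(Func<DateTime> utcNow) { _utcNow = utcNow; }

    // Create a fresh code for a user; the caller sends it by SMS. Issuing again replaces the old code.
    public string Issue(int userId, TimeSpan lifetime)
    {
        var chars = new char[CodeLength];
        var one = new byte[1];
        using (var rng = RandomNumberGenerator.Create())
        {
            for (int i = 0; i < CodeLength; i++)
            {
                // Rejection sampling keeps every alphabet character equally likely.
                do { rng.GetBytes(one); } while (one[0] >= 256 - 256 % Alphabet.Length);
                chars[i] = Alphabet[one[0] % Alphabet.Length];
            }
        }
        var code = new string(chars);
        _byUser[userId] = new Entry { Code = code, ExpiresUtc = _utcNow() + lifetime };
        return code;
    }

    // Look up a submitted code and return its user, or null. Same rule as the post (value matches and
    // expiration > now) plus: format checked before the store is touched, the code is consumed on first
    // success, and wrong guesses are capped per caller (session id or client address) so the
    // 6-character space cannot be searched online.
    public int? Redeem(string submitted, string callerKey)
    {
        int failed;
        if (_failures.TryGetValue(callerKey, out failed) && failed >= MaxFailuresPerCaller)
            return null;                                 // locked out: the user must request a new code

        var candidate = (submitted ?? "").Trim().ToUpperInvariant();
        if (!Format.IsMatch(candidate)) { RecordFailure(callerKey); return null; }

        var now = _utcNow();
        foreach (var userId in _byUser.Keys.ToList())
        {
            var entry = _byUser[userId];
            if (entry.ExpiresUtc <= now) { _byUser.Remove(userId); continue; }   // expired: discard
            if (!FixedTimeEquals(entry.Code, candidate)) continue;
            _byUser.Remove(userId);                      // single use
            _failures.Remove(callerKey);
            return userId;
        }
        RecordFailure(callerKey);
        return null;
    }

    private void RecordFailure(string callerKey)
    {
        int n;
        _failures.TryGetValue(callerKey, out n);
        _failures[callerKey] = n + 1;
    }

    // Compare without stopping at the first differing character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        var clock = DateTime.UtcNow;
        var store = new SmsAccessCodeStore(() => clock);
        var code = store.Issue(8, TimeSpan.FromMinutes(10));   // user ID 8, as in the thread's log line
        Console.WriteLine("wrong code   -> " + store.Redeem("AAAAAA", "session-1"));
        Console.WriteLine("right code   -> " + store.Redeem(code, "session-1"));
        Console.WriteLine("replayed     -> " + store.Redeem(code, "session-1"));
        code = store.Issue(8, TimeSpan.FromMinutes(10));
        clock = clock.AddMinutes(11);
        Console.WriteLine("after expiry -> " + store.Redeem(code, "session-1"));
    }
}
```

Running Main walks through the four outcomes (wrong code, right code, replay, expired). In the original flow the lookup is a query against AccessUser rather than a dictionary; the piece that matters most there is the per-caller failure cap, because a 6-character code over a 32-character alphabet has only about 10^9 values and is only as safe as the number of guesses an attacker can submit before it expires.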

Replies

 
Nicolai Pedersen

Hi Peter

LogOnWithToken and GetLoginToken have not changed how they work.

Could you have configured the encryption of the user database differently?

What does your CurrentUserIsLoggedIn() method look like? Because that is the one that decides if the user is logged in or not... And I cannot see the logic in that one. If it checks a session variable that can be the cause, since we have changed that to be httponly cookie controlled.

BR Nicolai

 
Peter Leleulya

Hi Nicolai,

Thanks for your quick response.

The CurrentUserIsLoggedIn method just returns:

Dynamicweb.Frontend.LogOnHandler.IsUserLoggedIn

This doesn't seem to be obsolete ....

By configuring the encryption, do you mean the settings under Settings > Control Panel > Users > Password security Extranet ?
They are identical in the working version and non-working version.

We also moved the application from Azure back to a Virtual Machine due to performance issues, but I can't see how that could be a factor ....
(this is why I can still access the application as it was running before the update, the azure environment still exists)

 
Nicolai Pedersen

Hi Peter

Do you have changes in the globalsetting, /Globalsettings/Ecom/Users/IncludeShopIdInExtranetLogIn?

Do you have the option to attach a debugger to this and see the result where it is not authenticating?

BR Nicolai

 
Morten Bengtson

Hi Peter,

Have you tried to implement a subscriber for OnExtranetLoginFailed?

[Dynamicweb.Extensibility.Notifications.Subscribe(Dynamicweb.Notifications.Standard.User.OnExtranetLoginFailed)]
public class OnExtranetLogOnFailedObserver : Dynamicweb.Extensibility.Notifications.NotificationSubscriber
{
    public override void OnNotify(string notification, Dynamicweb.Extensibility.Notifications.NotificationArgs args)
    {
        var failedArgs = (Dynamicweb.Notifications.Standard.User.OnExtranetLoginFailedArgs)args;
 
        var failedReason = failedArgs.FailedReason;
            
        // TODO: check failedReason to see why the log on failed
    }
}
 
Peter Leleulya

When I debug I get into my TryLoginByToken, and where the LogOnWithToken method is called it jumps to my OnExtranetLoginObserver.
It passes all logic in there and at the end it jumps to my OnExtranetLoginFailedObserver and returns fail reason: Dynamicweb.Security.UserManagement.LogOnFailedReason.IncorrectLogin.

In my test scenario for getting the token the username was Peter and the encrypted password 1d205b03f9c42a15fb4439d28f7c281debbd38ef1f83a44791e3416da3b56319d434af0c91b189c517562bead2acc1164ca5992db087f2ae9b5ba44dfb75be21
In my test scenario to login by token the username was Peter and the token c411398b743a59847acc8c8cedba2ebf8edb58229e1b5a0687b86ec47ced1328

Is there a way to 'calculate' what token was expected?

 
Peter Leleulya

@Nicolai the global setting value is what it has been since forever:

<Users>
  <IncludeShopIdInExtranetLogIn>1</IncludeShopIdInExtranetLogIn>
</Users>

 

 
Nicolai Pedersen

Try removing this 1 - set it to 0 and see if this fixes it.

 
Peter Leleulya

@Nicolai I debugged with the setting set to 0, but it did not make a difference.
Because I have no idea what the consequences are of changing this setting, I'll set it back to 1 for now ...

As part of the updated project we DID introduce an extra website (and its language variants) and an extra ecom shop.
So this could be a thought in the right direction; perhaps there is something else?

Thanks for your help so far, I sure hope we can find the cause ...
 

 
Hans Kloppenborg

As far as I can see when I compare the code in the two releases, it seems to me that this check in the Dynamicweb.Security.User Authenticate method is incorrect:

      if (password != null && password.Length == 32 || password != null && password.Length == 128)
        return (User) null;

Since our password is encrypted, and its length is 128, the method will thus always fail, or am I seeing something wrong?

This line did not exist in 9.4.16, but exists in the Dynamicweb.Security package 8.1.0 (and latest 8.1.2).
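To see why the flow in the first post ends up in that branch, here is an added C# illustration (not Dynamicweb's code and not its real password scheme, which this thread does not show): a stored password of the 128-character hexadecimal length that Hans and Peter report is rejected by the quoted check before any comparison, whether or not it is the right value. The SHA-512-hex stand-in is an assumption chosen only because its encoding is 128 characters long; 32 and 128 are the hex lengths of MD5 and SHA-512 digests, which is why the check reads like a guard against a stored hash being replayed as the password, and a caller that deliberately feeds the stored value back in as the password, as GetLoginToken(user.UserName, user.Password) does here, is exactly what such a guard stops. The class, method and user names below are illustrative.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class DigestLengthGuardDemo
{
    // Stand-in for the stored user: the password column holds a hex digest, not the plaintext.
    public sealed class User { public string UserName; public string StoredPasswordHex; }

    // Hex-encoded SHA-512 is 128 characters, the stored-password length reported in the thread.
    // Chosen for its length only; the product's real password scheme is not shown on the page.
    public static string Sha512Hex(string text)
    {
        using (var sha = SHA512.Create())
        {
            var digest = sha.ComputeHash(Encoding.UTF8.GetBytes(text));
            var sb = new StringBuilder(digest.Length * 2);
            foreach (var b in digest) sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // The check quoted from the 9.6.8 Authenticate method, with its precedence made explicit:
    // && binds tighter than ||, so it means "not null AND (length 32 OR length 128)".
    // 32 and 128 are the hex lengths of an MD5 and a SHA-512 digest.
    public static bool LooksLikeHexDigest(string password)
    {
        return password != null && (password.Length == 32 || password.Length == 128);
    }

    // Minimal Authenticate: refuse digest-shaped input first, then hash and compare.
    public static User Authenticate(User stored, string password)
    {
        if (LooksLikeHexDigest(password)) return null;       // the branch TryLoginByToken ends up in
        if (stored == null || password == null) return null;
        return FixedTimeEquals(Sha512Hex(password), stored.StoredPasswordHex) ? stored : null;
    }

    // Compare without stopping at the first differing character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        var peter = new User { UserName = "Peter", StoredPasswordHex = Sha512Hex("correct horse battery staple") };

        // 1. The plaintext, as a login form would send it: goes through the hash-and-compare path.
        Console.WriteLine("plaintext accepted: " + (Authenticate(peter, "correct horse battery staple") != null));

        // 2. The stored 128-character value, as GetLoginToken(user.UserName, user.Password) passes it:
        //    the length check returns null here before the value is ever compared.
        Console.WriteLine("stored value length: " + peter.StoredPasswordHex.Length);
        Console.WriteLine("stored value accepted: " + (Authenticate(peter, peter.StoredPasswordHex) != null));
    }
}
```

Whatever the fix for the reported bug turns out to be, the shape of the check is worth knowing: any caller that passes the stored credential instead of what the user typed will trip it, and because the length test runs before the credential is compared, a correct stored value and a guessed one fail in exactly the same way.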

 

 
Morten Bengtson

Hi Peter and Hans,

I can see the issue. This has been registered as bug #66011 and it will be fixed ASAP.

Sorry for the inconvenience.

/Morten

 
