TSA/chapter-organizer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add more secure form handling

Browse Source
This commit is contained in:
James Kolpack
2025-12-02 22:36:41 -05:00
parent 1c38003027
commit 54875e970c
9 changed files with 76 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files
WebApp/Authentication/AuthController.cs
+6 -8
View File
@@ -22,12 +22,11 @@ namespace WebApp.Authentication
}
[HttpPost]
[HttpGet] // Support both for navigation from Blazor
[AllowAnonymous]
public async Task<IActionResult> CookieLogin(
string email,
string password,
bool rememberMe = false)
[FromForm] string email,
[FromForm] string password,
[FromForm] bool rememberMe = false)
{
try
{
@@ -42,8 +41,8 @@ namespace WebApp.Authentication
"Login attempt from locked out IP: {IpAddress}. Remaining: {Remaining}",
ipAddress, remaining);
TempData["LoginError"] = $"Too many failed attempts. Try again in {remaining?.Minutes ?? 15} minutes.";
return Redirect("/login");
var errorMsg = Uri.EscapeDataString($"Too many failed attempts. Try again in {remaining?.Minutes ?? 15} minutes.");
return Redirect($"/login?error={errorMsg}");
}
// Validate credentials
@@ -58,8 +57,7 @@ namespace WebApp.Authentication
"Failed login attempt for {Email} from {IpAddress}",
email, ipAddress);
TempData["LoginError"] = "Invalid email or password.";
return Redirect("/login");
return Redirect("/login?error=Invalid%20email%20or%20password.");
}
// Success - clear rate limit tracking
WebApp/Components/Login.razor
+62 -65
View File
@@ -3,9 +3,16 @@
@layout EmptyLayout
@using System.ComponentModel.DataAnnotations
@using WebApp.Authentication
@using Microsoft.AspNetCore.Antiforgery
@using Microsoft.AspNetCore.Components.Web
@using MudInputType = MudBlazor.InputType
@using Microsoft.JSInterop
@using Microsoft.AspNetCore.WebUtilities
@inject NavigationManager Navigation
@inject LoginRateLimitService RateLimitService
@inject IHttpContextAccessor HttpContextAccessor
@inject IAntiforgery Antiforgery
@inject IJSRuntime JS
<div class="d-flex justify-center align-center" style="min-height: 100vh;">
<MudPaper Elevation="3" Class="pa-8" MaxWidth="400px" Style="width: 100%;">
@@ -21,17 +28,18 @@
<MudAlert Severity="Severity.Error" Class="mb-4">@_errorMessage</MudAlert>
}
<EditForm Model="@_loginModel" OnValidSubmit="HandleLogin">
<DataAnnotationsValidator />
<form id="loginForm" method="post" action="/Auth/CookieLogin" @onkeydown="HandleKeyDown">
<input type="hidden" name="__RequestVerificationToken" value="@_antiforgeryToken" />
<input type="hidden" id="emailInput" name="email" value="" />
<input type="hidden" id="passwordInput" name="password" value="" />
<input type="hidden" id="rememberMeInput" name="rememberMe" value="" />
<MudTextField @bind-Value="_loginModel.Email"
Label="Email"
Variant="Variant.Outlined"
InputType="InputType.Email"
InputType="MudInputType.Email"
Required="true"
Class="mb-4"
Disabled="@_isSubmitting"
For="@(() => _loginModel.Email)" />
Class="mb-4" />
<MudTextField @bind-Value="_loginModel.Password"
Label="Password"
@@ -39,107 +47,96 @@
InputType="@_passwordInput"
Required="true"
Class="mb-4"
Disabled="@_isSubmitting"
Adornment="Adornment.End"
AdornmentIcon="@_passwordInputIcon"
OnAdornmentClick="TogglePasswordVisibility"
For="@(() => _loginModel.Password)" />
OnAdornmentClick="TogglePasswordVisibility" />
<div class="d-flex justify-space-between align-center mb-4">
<MudCheckBox @bind-Value="_loginModel.RememberMe"
Label="Remember me?"
Color="Color.Primary"
Disabled="@_isSubmitting" />
Color="Color.Primary" />
</div>
<MudButton ButtonType="ButtonType.Submit"
<MudButton ButtonType="ButtonType.Button"
Variant="Variant.Filled"
Color="Color.Primary"
Size="Size.Large"
FullWidth="true"
Disabled="@_isSubmitting">
@if (_isSubmitting)
{
<MudProgressCircular Size="Size.Small" Indeterminate="true" Class="mr-2" />
<span>Signing in...</span>
}
else
{
<span>Sign In</span>
}
OnClick="HandleFormSubmit">
<span>Sign In</span>
</MudButton>
</EditForm>
</form>
</MudPaper>
</div>
@code {
private LoginModel _loginModel = new();
private string? _errorMessage;
private bool _isSubmitting = false;
private bool _passwordVisibility;
private InputType _passwordInput = InputType.Password;
private MudInputType _passwordInput = MudInputType.Password;
private string _passwordInputIcon = Icons.Material.Filled.VisibilityOff;
private string _antiforgeryToken = string.Empty;
protected override void OnInitialized()
{
// Generate antiforgery token
var httpContext = HttpContextAccessor.HttpContext;
if (httpContext != null)
{
var tokenSet = Antiforgery.GetAndStoreTokens(httpContext);
_antiforgeryToken = tokenSet.RequestToken ?? string.Empty;
}
// Check for error message from query parameter (set by controller on failed login)
var uri = new Uri(Navigation.Uri);
var queryParams = QueryHelpers.ParseQuery(uri.Query);
if (queryParams.TryGetValue("error", out var errorValue))
{
_errorMessage = errorValue.ToString();
}
}
private class LoginModel
{
[Required(ErrorMessage = "Email is required")]
[EmailAddress(ErrorMessage = "Invalid email format")]
public string Email { get; set; } = string.Empty;
[Required(ErrorMessage = "Password is required")]
[MinLength(8, ErrorMessage = "Password must be at least 8 characters")]
public string Password { get; set; } = string.Empty;
public bool RememberMe { get; set; }
}
private void TogglePasswordVisibility()
{
if (_isSubmitting) return;
_passwordVisibility = !_passwordVisibility;
_passwordInputIcon = _passwordVisibility
? Icons.Material.Filled.Visibility
: Icons.Material.Filled.VisibilityOff;
_passwordInput = _passwordVisibility
? InputType.Text
: InputType.Password;
? MudInputType.Text
: MudInputType.Password;
}
private void HandleLogin()
private async Task HandleKeyDown(KeyboardEventArgs e)
{
_isSubmitting = true;
_errorMessage = null;
try
if (e.Key == "Enter")
{
// Get client IP address
var ipAddress = HttpContextAccessor.HttpContext?.Connection.RemoteIpAddress?.ToString()
?? "unknown";
// Blur the active element to ensure MudTextField bindings update
await JS.InvokeVoidAsync("eval", "document.activeElement.blur()");
// Check rate limiting
if (RateLimitService.IsLockedOut(ipAddress))
{
var remaining = RateLimitService.GetRemainingLockoutTime(ipAddress);
_errorMessage = $"Too many failed attempts. Please try again in {remaining?.Minutes ?? 15} minutes.";
return;
}
// Small delay to allow bindings to process
await Task.Delay(50);
// Navigate to controller endpoint with credentials
var uri = $"/Auth/CookieLogin?email={Uri.EscapeDataString(_loginModel.Email)}" +
$"&password={Uri.EscapeDataString(_loginModel.Password)}" +
$"&rememberMe={_loginModel.RememberMe}";
// Now submit the form
await HandleFormSubmit();
}
}
Navigation.NavigateTo(uri, forceLoad: true);
}
catch (Exception ex)
{
_errorMessage = "An error occurred during login. Please try again.";
Console.WriteLine($"Login error: {ex}");
}
finally
{
_isSubmitting = false;
}
private async Task HandleFormSubmit()
{
// Update hidden inputs with current model values, then submit the form
await JS.InvokeVoidAsync("eval", $@"
document.getElementById('emailInput').value = {System.Text.Json.JsonSerializer.Serialize(_loginModel.Email)};
document.getElementById('passwordInput').value = {System.Text.Json.JsonSerializer.Serialize(_loginModel.Password)};
document.getElementById('rememberMeInput').value = '{_loginModel.RememberMe.ToString().ToLower()}';
document.getElementById('loginForm').submit();
");
}
}
WebApp/Components/Pages/EventDefinitionPages/Create.razor
+1
View File
@@ -11,6 +11,7 @@
<EditForm Model="EventDefinition" OnValidSubmit="OnValidSubmit" Enhance>
<AntiforgeryToken />
<DataAnnotationsValidator />
<MudGrid>
<MudItem xs="12" sm="7">
WebApp/Components/Pages/EventDefinitionPages/Edit.razor
+1
View File
@@ -12,6 +12,7 @@
<EditForm Model="EventDefinition" OnValidSubmit="OnValidSubmit" Enhance>
<AntiforgeryToken />
<DataAnnotationsValidator />
<MudGrid>
<MudItem xs="12" sm="7">
WebApp/Components/Pages/StudentPages/Create.razor
+1
View File
@@ -11,6 +11,7 @@
<EditForm Model="Student" OnValidSubmit="OnValidSubmit" Enhance>
<AntiforgeryToken />
<DataAnnotationsValidator />
<MudGrid>
<MudItem xs="12" sm="7">
WebApp/Components/Pages/StudentPages/Edit.razor
+1
View File
@@ -20,6 +20,7 @@ else
/* https://www.mudblazor.com/components/form */
/* https://medium.com/@husainalbar/applying-mudblazor-for-crud-operations-in-our-blazor-project-a343037a52ef */
<EditForm method="post" Model="Student" OnValidSubmit="UpdateStudent" FormName="edit" Enhance>
<AntiforgeryToken />
<DataAnnotationsValidator/>
<MudGrid>
<MudItem xs="12" sm="7">
WebApp/Components/Pages/TeamPages/Create.razor
+1
View File
@@ -11,6 +11,7 @@
<MudDivider />
<EditForm method="post" Model="Team" OnValidSubmit="AddTeam" FormName="create" Enhance>
<AntiforgeryToken />
<DataAnnotationsValidator />
<MudGrid>
<MudItem xs="12" sm="7">
WebApp/Components/Pages/TeamPages/Edit.razor
+1
View File
@@ -16,6 +16,7 @@
else
{
<EditForm method="post" Model="Team" OnValidSubmit="UpdateTeam" FormName="edit" Enhance>
<AntiforgeryToken />
<DataAnnotationsValidator/>
<MudGrid>
<MudItem xs="12" sm="7">
WebApp/Program.cs
+2 -2
View File
@@ -38,8 +38,8 @@ builder.Services.AddDatabaseDeveloperPageExceptionFilter();
builder.Services.AddScoped<ClipboardService>();
builder.Services.AddScoped<StateContainer>(); // Server-side
builder.Services.AddSingleton<StateContainer>();//Client-side
// State container for maintaining state per user connection (Blazor Server)
builder.Services.AddScoped<StateContainer>();
// Add authentication services
builder.Services.AddHttpContextAccessor();