colinin · colinin · Sep 19, 2023 · Sep 19, 2023 · Sep 19, 2023
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,7 +2,7 @@ name: "Tagged Release"
 
 on:
   push:
-    branches: [ rel-7.3.2 ]
+    branches: [ rel-7.3.3 ]
 
 jobs:
   tagged-release:
@@ -14,4 +14,4 @@ jobs:
       with:
         repo_token: "${{ secrets.GITHUB_TOKEN }}"
         prerelease: false
-        automatic_release_tag: "7.3.2"
+        automatic_release_tag: "7.3.3"
diff --git a/aspnet-core/Directory.Build.props b/aspnet-core/Directory.Build.props
@@ -1,8 +1,8 @@
 <Project>
 	<PropertyGroup>
-		<VoloAbpPackageVersion>7.3.2</VoloAbpPackageVersion>
+		<VoloAbpPackageVersion>7.3.3</VoloAbpPackageVersion>
 		<VoloAbpLeptonXThemePackageVersion>2.3.2</VoloAbpLeptonXThemePackageVersion>
-		<LINGYUNAbpPackageVersion>7.3.2</LINGYUNAbpPackageVersion>
+		<LINGYUNAbpPackageVersion>7.3.3</LINGYUNAbpPackageVersion>
 		<DaprPackageVersion>1.11.0</DaprPackageVersion>
 		<DistributedLockRedisPackageVersion>1.0.2</DistributedLockRedisPackageVersion>
 		<DotNetCoreCAPPackageVersion>7.2.0</DotNetCoreCAPPackageVersion>

diff --git a/aspnet-core/common.props b/aspnet-core/common.props
@@ -1,7 +1,7 @@
 <Project>
   <PropertyGroup>
     <LangVersion>latest</LangVersion>
-    <Version>7.3.2</Version>
+    <Version>7.3.3</Version>
     <Authors>colin</Authors>
     <NoWarn>$(NoWarn);CS1591;CS0436;CS8618;NU1803</NoWarn>
     <PackageProjectUrl>https://github.com/colinin/abp-next-admin</PackageProjectUrl>

diff --git a/.../LINGYUN.Abp.OpenIddict.Portal/LINGYUN/Abp/OpenIddict/Portal/PortalTokenExtensionGrant.cs b/.../LINGYUN.Abp.OpenIddict.Portal/LINGYUN/Abp/OpenIddict/Portal/PortalTokenExtensionGrant.cs
@@ -1,6 +1,5 @@
 using LINGYUN.Platform.Portal;
 using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.DependencyInjection;
@@ -24,6 +23,7 @@
 using Volo.Abp.OpenIddict.ExtensionGrantTypes;
 using Volo.Abp.Uow;
 using Volo.Abp.Validation;
+using static Volo.Abp.OpenIddict.Controllers.TokenController;
 using IdentityUser = Volo.Abp.Identity.IdentityUser;
 using SignInResult = Microsoft.AspNetCore.Identity.SignInResult;
 
@@ -34,7 +34,6 @@ public class PortalTokenExtensionGrant : ITokenExtensionGrant
 
     protected IAbpLazyServiceProvider LazyServiceProvider { get; set; }
     protected ICurrentTenant CurrentTenant => LazyServiceProvider.LazyGetRequiredService<ICurrentTenant>();
-    protected IUnitOfWorkManager UnitOfWorkManager => LazyServiceProvider.LazyGetRequiredService<IUnitOfWorkManager>();
     protected IEnterpriseRepository EnterpriseRepository => LazyServiceProvider.LazyGetRequiredService<IEnterpriseRepository>();
     protected SignInManager<IdentityUser> SignInManager => LazyServiceProvider.LazyGetRequiredService<SignInManager<IdentityUser>>();
     protected IdentityUserManager UserManager => LazyServiceProvider.LazyGetRequiredService<IdentityUserManager>();
@@ -47,12 +46,12 @@ public class PortalTokenExtensionGrant : ITokenExtensionGrant
     protected IOptions<IdentityOptions> IdentityOptions => LazyServiceProvider.LazyGetRequiredService<IOptions<IdentityOptions>>();
     protected IOptions<AbpAspNetCoreMultiTenancyOptions> MultiTenancyOptions => LazyServiceProvider.LazyGetRequiredService<IOptions<AbpAspNetCoreMultiTenancyOptions>>();
     protected IdentitySecurityLogManager IdentitySecurityLogManager => LazyServiceProvider.LazyGetRequiredService<IdentitySecurityLogManager>();
+
+    [UnitOfWork]
     public async virtual Task<IActionResult> HandleAsync(ExtensionGrantContext context)
     {
         LazyServiceProvider = context.HttpContext.RequestServices.GetRequiredService<IAbpLazyServiceProvider>();
 
-        using var scope = ServiceScopeFactory.CreateScope();
-        using var unitOfWork = UnitOfWorkManager.Begin();
         var enterprise = context.Request.GetParameter("EnterpriseId")?.ToString();
 
         Guid? tenantId = null;
@@ -91,8 +90,9 @@ public async virtual Task<IActionResult> HandleAsync(ExtensionGrantContext conte
         }
     }
 
-    protected virtual async Task<IActionResult> HandlePasswordAsync(ExtensionGrantContext context)
+    protected async virtual Task<IActionResult> HandlePasswordAsync(ExtensionGrantContext context)
     {
+        using var scope = ServiceScopeFactory.CreateScope();
         await ReplaceEmailToUsernameOfInputIfNeeds(context.Request);
 
         IdentityUser user = null;
@@ -101,7 +101,7 @@ protected virtual async Task<IActionResult> HandlePasswordAsync(ExtensionGrantCo
         {
             foreach (var externalLoginProviderInfo in AbpIdentityOptions.Value.ExternalLoginProviders.Values)
             {
-                var externalLoginProvider = (IExternalLoginProvider)context.HttpContext.RequestServices
+                var externalLoginProvider = (IExternalLoginProvider)scope.ServiceProvider
                     .GetRequiredService(externalLoginProviderInfo.Type);
 
                 if (await externalLoginProvider.TryAuthenticateAsync(context.Request.Username, context.Request.Password))
@@ -148,6 +148,14 @@ await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext()
         var result = await SignInManager.CheckPasswordSignInAsync(user, context.Request.Password, true);
         if (!result.Succeeded)
         {
+            await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext
+            {
+                Identity = OpenIddictSecurityLogIdentityConsts.OpenIddict,
+                Action = result.ToIdentitySecurityLogAction(),
+                UserName = context.Request.Username,
+                ClientId = context.Request.ClientId
+            });
+
             string errorDescription;
             if (result.IsLockedOut)
             {
@@ -157,6 +165,17 @@ await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext()
             else if (result.IsNotAllowed)
             {
                 Logger.LogInformation("Authentication failed for username: {username}, reason: not allowed", context.Request.Username);
+
+                if (user.ShouldChangePasswordOnNextLogin)
+                {
+                    return await HandleShouldChangePasswordOnNextLoginAsync(context, user, context.Request.Password);
+                }
+
+                if (await UserManager.ShouldPeriodicallyChangePasswordAsync(user))
+                {
+                    return await HandlePeriodicallyChangePasswordAsync(context, user, context.Request.Password);
+                }
+
                 errorDescription = "You are not allowed to login! Your account is inactive or needs to confirm your email/phone number.";
             }
             else
@@ -179,14 +198,6 @@ await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext()
             return await HandleTwoFactorLoginAsync(context, user);
         }
 
-        await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext
-        {
-            Identity = OpenIddictSecurityLogIdentityConsts.OpenIddict,
-            Action = result.ToIdentitySecurityLogAction(),
-            UserName = context.Request.Username,
-            ClientId = context.Request.ClientId
-        });
-
         return await SetSuccessResultAsync(context, user);
     }
 
@@ -264,6 +275,96 @@ await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext
         }
     }
 
+    protected virtual async Task<IActionResult> HandleShouldChangePasswordOnNextLoginAsync(ExtensionGrantContext context, IdentityUser user, string currentPassword)
+    {
+        return await HandleChangePasswordAsync(context, user, currentPassword, ChangePasswordType.ShouldChangePasswordOnNextLogin);
+    }
+
+    protected virtual async Task<IActionResult> HandlePeriodicallyChangePasswordAsync(ExtensionGrantContext context, IdentityUser user, string currentPassword)
+    {
+        return await HandleChangePasswordAsync(context, user, currentPassword, ChangePasswordType.PeriodicallyChangePassword);
+    }
+
+    protected virtual async Task<IActionResult> HandleChangePasswordAsync(ExtensionGrantContext context, IdentityUser user, string currentPassword, ChangePasswordType changePasswordType)
+    {
+        var changePasswordToken = context.Request.GetParameter("ChangePasswordToken")?.ToString();
+        var newPassword = context.Request.GetParameter("NewPassword")?.ToString();
+        if (!changePasswordToken.IsNullOrWhiteSpace() && !currentPassword.IsNullOrWhiteSpace() && !newPassword.IsNullOrWhiteSpace())
+        {
+            if (await UserManager.VerifyUserTokenAsync(user, TokenOptions.DefaultProvider, changePasswordType.ToString(), changePasswordToken))
+            {
+                var changePasswordResult = await UserManager.ChangePasswordAsync(user, currentPassword, newPassword);
+                if (changePasswordResult.Succeeded)
+                {
+                    await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext
+                    {
+                        Identity = OpenIddictSecurityLogIdentityConsts.OpenIddict,
+                        Action = IdentitySecurityLogActionConsts.ChangePassword,
+                        UserName = context.Request.Username,
+                        ClientId = context.Request.ClientId
+                    });
+
+                    if (changePasswordType == ChangePasswordType.ShouldChangePasswordOnNextLogin)
+                    {
+                        user.SetShouldChangePasswordOnNextLogin(false);
+                    }
+
+                    await UserManager.UpdateAsync(user);
+                    return await SetSuccessResultAsync(context, user);
+                }
+                else
+                {
+                    Logger.LogInformation("ChangePassword failed for username: {username}, reason: {changePasswordResult}", context.Request.Username, changePasswordResult.Errors.Select(x => x.Description).JoinAsString(", "));
+
+                    var properties = new AuthenticationProperties(new Dictionary<string, string>
+                    {
+                        [OpenIddictServerAspNetCoreConstants.Properties.Error] = OpenIddictConstants.Errors.InvalidGrant,
+                        [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = changePasswordResult.Errors.Select(x => x.Description).JoinAsString(", ")
+                    });
+                    return Forbid(properties, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
+                }
+            }
+            else
+            {
+                Logger.LogInformation("Authentication failed for username: {username}, reason: InvalidAuthenticatorCode", context.Request.Username);
+
+                var properties = new AuthenticationProperties(new Dictionary<string, string>
+                {
+                    [OpenIddictServerAspNetCoreConstants.Properties.Error] = OpenIddictConstants.Errors.InvalidGrant,
+                    [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "Invalid authenticator code!"
+                });
+
+                return Forbid(properties, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
+            }
+        }
+        else
+        {
+            Logger.LogInformation($"Authentication failed for username: {{{context.Request.Username}}}, reason: {{{changePasswordType.ToString()}}}");
+
+            await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext
+            {
+                Identity = OpenIddictSecurityLogIdentityConsts.OpenIddict,
+                Action = OpenIddictSecurityLogActionConsts.LoginNotAllowed,
+                UserName = context.Request.Username,
+                ClientId = context.Request.ClientId
+            });
+
+            var properties = new AuthenticationProperties(
+                items: new Dictionary<string, string>
+                {
+                    [OpenIddictServerAspNetCoreConstants.Properties.Error] = OpenIddictConstants.Errors.InvalidGrant,
+                    [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = changePasswordType.ToString()
+                },
+                parameters: new Dictionary<string, object>
+                {
+                    ["userId"] = user.Id.ToString("N"),
+                    ["changePasswordToken"] = await UserManager.GenerateUserTokenAsync(user, TokenOptions.DefaultProvider, changePasswordType.ToString())
+                });
+
+            return Forbid(properties, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
+        }
+    }
+
     protected virtual async Task<IActionResult> SetSuccessResultAsync(ExtensionGrantContext context, IdentityUser user)
     {
         // Create a new ClaimsPrincipal containing the claims that

diff --git a/...GYUN.Abp.SettingManagement.Application/LINGYUN/Abp/SettingManagement/SettingAppService.cs b/...GYUN.Abp.SettingManagement.Application/LINGYUN/Abp/SettingManagement/SettingAppService.cs
@@ -314,6 +314,18 @@ await SettingManager.GetOrNullAsync(IdentitySettingNames.Password.RequireUpperca
                 await SettingManager.GetOrNullAsync(IdentitySettingNames.Password.RequireNonAlphanumeric, providerName, providerKey),
                 ValueType.Boolean,
                 providerName);
+            passwordSetting.AddDetail(
+                SettingDefinitionManager.Get(IdentitySettingNames.Password.ForceUsersToPeriodicallyChangePassword),
+                StringLocalizerFactory,
+                await SettingManager.GetOrNullAsync(IdentitySettingNames.Password.ForceUsersToPeriodicallyChangePassword, providerName, providerKey),
+                ValueType.Boolean,
+                providerName);
+            passwordSetting.AddDetail(
+                SettingDefinitionManager.Get(IdentitySettingNames.Password.PasswordChangePeriodDays),
+                StringLocalizerFactory,
+                await SettingManager.GetOrNullAsync(IdentitySettingNames.Password.PasswordChangePeriodDays, providerName, providerKey),
+                ValueType.Number,
+                providerName);
 
             #endregion
 

diff --git a/gateways/Directory.Build.props b/gateways/Directory.Build.props
@@ -1,7 +1,7 @@
 <Project>
 	<PropertyGroup>
-		<VoloAbpPackageVersion>7.3.2</VoloAbpPackageVersion>
-		<LINGYUNAbpPackageVersion>7.3.2</LINGYUNAbpPackageVersion>
+		<VoloAbpPackageVersion>7.3.3</VoloAbpPackageVersion>
+		<LINGYUNAbpPackageVersion>7.3.3</LINGYUNAbpPackageVersion>
 		<DaprPackageVersion>1.11.0</DaprPackageVersion>
 		<DotNetCoreCAPPackageVersion>7.2.0</DotNetCoreCAPPackageVersion>
 		<AliyunSDKPackageVersion>1.5.10</AliyunSDKPackageVersion>

diff --git a/gateways/common.props b/gateways/common.props
@@ -1,7 +1,7 @@
 <Project>
   <PropertyGroup>
     <LangVersion>latest</LangVersion>
-    <Version>7.3.2</Version>
+    <Version>7.3.3</Version>
     <Authors>colin</Authors>
     <NoWarn>$(NoWarn);CS1591;CS0436;CS8618;NU1803</NoWarn>
     <PackageProjectUrl>https://github.com/colinin/abp-next-admin</PackageProjectUrl>
@@ -23,8 +23,4 @@
 	  <None Remove="Modules\**" />
 	</ItemGroup>
 
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
-    <OutputPath>$(SolutionDir)LocalNuget</OutputPath>
-  </PropertyGroup>
-
 </Project>