fix: automatic redirect after logout

Aguafrommars · May 28, 2022 · a5a716d · a5a716d
1 parent 21e69b0
commit a5a716d
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 11 deletions.
diff --git a/src/Aguacongas.TheIdServer.Duende/README.md b/src/Aguacongas.TheIdServer.Duende/README.md
@@ -130,6 +130,24 @@ And the favicon is *wwwroot/favicon.ico*.
 
 By replacing those files you can redefined the site style by yours.
 
+### Configure account options
+
+The section *AccountOptions* is bound to [`AccountOptions`](../Aguacongas.TheIdServer.Shared/Quickstart/Account/AccountOptions.cs).
+
+```json
+"AccountOptions": {
+  "AllowLocalLogin": true,
+  "AllowRememberLogin": true,
+  "RememberMeLoginDuration": "30.00:00:00",
+  "ShowLogoutPrompt": true,
+  "AutomaticRedirectAfterSignOut": false,
+  "InvalidCredentialsErrorMessage": "Invalid username or password",
+  "ShowForgotPassworLink": true,
+  "ShowRegisterLink": true,
+  "ShowResendEmailConfirmationLink": true
+}
+```
+
 ## Configure ASP.Net Core Identity options
 
 The section **IdentityOptions** is binded to the class [`Microsoft.AspNetCore.Identity.IdentityOptions`](https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity.identityoptions).  

diff --git a/src/Aguacongas.TheIdServer.Shared/Quickstart/SecurityHeadersAttribute.cs b/src/Aguacongas.TheIdServer.Shared/Quickstart/SecurityHeadersAttribute.cs
@@ -2,6 +2,7 @@
 // Copyright (c) 2022 @Olivier Lefebvre
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
+using System.Text;
 
 namespace Aguacongas.TheIdServer.UI
 {
@@ -25,13 +26,28 @@ public override void OnResultExecuting(ResultExecutingContext context)
                 }
 
                 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-                var csp = "default-src 'self'; object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';";
-                // also consider adding upgrade-insecure-requests once you have HTTPS in place for production
-                // csp += "upgrade-insecure-requests;";
+                var builder = new StringBuilder("default-src 'self'");
+#if DEBUG
+                builder.Append(" wss://localhost:44337/Aguacongas.TheIdServer.Duende/");
+#endif
+                builder.Append("; object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';upgrade-insecure-requests;");
+                builder.Append("style-src 'self' https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css;");
+                var autorizeScriptsUrl = new[]
+                {
+                    "'sha256-vwa3kDBkD7mP1Y0njpcyAH7GXn3/HkE72HGlVShVMUg='",
+                    "https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.bundle.min.js",
+                    "https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.slim.min.js",
+                };
+                builder.Append("script-src 'self'");
+                foreach(var url in autorizeScriptsUrl)
+                {
+                    builder.Append(' ');
+                    builder.Append(url);
+                }
                 // also an example if you need client images to be displayed from twitter
-                // csp += "img-src 'self' https://pbs.twimg.com;";
-                csp += "style-src 'self' https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css;";
-
+                // builder.Append(";img-src 'self' https://pbs.twimg.com;");
+                var csp = builder.ToString();
+                
                 // once for standards compliant browsers
                 if (!context.HttpContext.Response.Headers.ContainsKey("Content-Security-Policy"))
                 {

diff --git a/src/Aguacongas.TheIdServer.Shared/Views/Shared/_Layout.cshtml b/src/Aguacongas.TheIdServer.Shared/Views/Shared/_Layout.cshtml
@@ -22,9 +22,18 @@ Copyright (c) 2022 @Olivier Lefebvre
     <title>@Options.Value.Name</title>
     <link rel="icon" type="image/x-icon" href="~/favicon.ico" />
     <link rel="shortcut icon" type="image/x-icon" href="~/favicon.ico" />
-    <link href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3" crossorigin="anonymous">
+    <link rel="stylesheet" 
+        href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" 
+        integrity="sha384-1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3" 
+        crossorigin="anonymous" 
+        referrerpolicy="no-referrer" /> 
     <link rel="stylesheet" href="~/css/site.min.css" />
-    <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.bundle.min.js" integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p" crossorigin="anonymous"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.slim.min.js"
+        asp-fallback-src="~/lib/jquery/jquery.min.js"
+        asp-fallback-test="window.jQuery"   
+        integrity="sha512-6ORWJX/LrnSjBzwefdNUyLCMTIsGoNP6NftMy2UAm1JBm6PRZCO1d7OHBStWpVFZLO+RerTvqX/Z9mBFfCJZ4A==" 
+        crossorigin="anonymous" 
+        referrerpolicy="no-referrer"></script>
 </head>
 <body>
     <header>

diff --git a/src/Aguacongas.TheIdServer/Pages/_Host.cshtml b/src/Aguacongas.TheIdServer/Pages/_Host.cshtml
@@ -14,9 +14,20 @@ Copyright (c) 2022 @Olivier Lefebvre
     <title>TheIdServer Admin</title>
     <base href="/" />
     <link rel="icon" type="image/x-icon" href="/favicon.ico" />
-    <link href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3" crossorigin="anonymous">
-    <script src="//code.jquery.com/jquery-3.3.1.slim.min.js" integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"></script>
-    <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.bundle.min.js" integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p" crossorigin="anonymous"></script>
+    <link href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" 
+        rel="stylesheet" 
+        integrity="sha384-1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3" 
+        crossorigin="anonymous">
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.slim.min.js"
+        asp-fallback-src="~/lib/jquery/jquery.min.js"
+        asp-fallback-test="window.jQuery"   
+        integrity="sha512-6ORWJX/LrnSjBzwefdNUyLCMTIsGoNP6NftMy2UAm1JBm6PRZCO1d7OHBStWpVFZLO+RerTvqX/Z9mBFfCJZ4A==" 
+        crossorigin="anonymous" 
+        referrerpolicy="no-referrer"></script>
+    <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.bundle.min.js" 
+        integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p" 
+        crossorigin="anonymous" 
+        referrerpolicy="no-referrer"></script>
     <link href="css/app.css" rel="stylesheet" />
 </head>
 <body class="bg-light">