Adding features to ServiceStack auth provider

Question

I am evaluating ServiceStack using OrmLite. The built in Auth service, along with Session and Cache are so much better than ASP.NET membership provider.

However, out of the box the Auth Service does not provide some of the features required for apps we want to build like:

• Change password
• Locking of account after 3 unsuccessful logon attempts
• Disabling user accounts
• Password reminder question and answer
• Audit log of log on attempts

Do I need to build custom auth provider or is there something out there which already does provides this functionality?

Many thanks!

Answer 1

I'm just starting to implement a password reset and can see two ways of achieving it (I've not tested - or even tried - either yet):

1.Create a class that inherits from Registration and handles PUT. It should then be possible to call the UpdateUserAuth method of the registration class which would change the password. The problem - for me - here is that the put validation requires username and password to be specified, not just one (We only use email as an identifier). This could be worked around by turning the validation feature off.

2.Create a password reset service that does what UpdateUserAuth does.

var session = this.GetSession();
var existingUser = UserAuthRepo.GetUserAuth(session, null);
if (existingUser == null)
{
    throw HttpError.NotFound("User does not exist");
}

var newUserAuth = ToUserAuth(request);
UserAuthRepo.UpdateUserAuth(newUserAuth, existingUser, request.Password);

Obviously need to add some appropriate validation in.

UPDATED

I've put my change password reminder/reset service up as a gist (My first gist!)

Answer 2

here's what I did, works well. - I realise the "new" is a code-smell, just inject it :)

        private int LoginAttempts = 0;

    public override bool TryAuthenticate(IServiceBase authService, string userName, string password)
    {
        var authRepo = authService.TryResolve<IUserAuthRepository>();

        if (authRepo == null)
        {
            Log.WarnFormat("Tried to authenticate without a registered IUserAuthRepository");
            return false;
        }


        var session = authService.GetSession();

        UserAuth userAuth = null;

        if (authRepo.TryAuthenticate(userName, password, out userAuth))
        {
            session.PopulateWith(userAuth);

            session.IsAuthenticated = true;

            session.UserAuthId = userAuth.Id.ToString(CultureInfo.InvariantCulture);

            session.ProviderOAuthAccess = authRepo.GetUserOAuthProviders(session.UserAuthId)
                .ConvertAll(x => (IOAuthTokens)x);


            return true;
        }
        else
        {
            LoginAttempts++;

            if (LoginAttempts >= 3)
            {
                ServiceStack.ServiceInterface.Service s = new Service();

                s.Db.ExecuteSql("update [User] set AccountLocked = 'true' where Email='" + userName + "'");
            }

            authService.RemoveSession();
            return false;
        }
    }

and I hope the mod_from_hell manages to leave this alone!!!