in src/Web/Controllers/AccountController.cs [132:227]
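/// <summary>
/// Runs the sample's fraud-protection assessment for a login attempt and, when the attempt is not
/// rejected, completes the Identity password sign-in.
/// </summary>
/// <param name="model">Posted credentials plus the device-fingerprinting session data.</param>
/// <param name="returnUrl">Passed to <c>RedirectToLocal</c> after a successful sign-in.</param>
/// <param name="useAP">
/// <see langword="true"/> to assess the attempt with the Account Protection (AP) API and honour its
/// decision; <see langword="false"/> to post to the device-fingerprinting SignIn API, whose outcome
/// this sample replaces with a random accept/reject.
/// </param>
/// <returns>
/// A redirect to <paramref name="returnUrl"/> on success, otherwise the "SignIn" view with a model error
/// ("Invalid login attempt." for bad credentials, a Fraud Protection message for a rejected assessment).
/// </returns>
private async Task<IActionResult> SignInUser(LoginViewModel model, string returnUrl, bool useAP)
{
    // Both assessments record their request/response in TempData (FraudProtectionIOModel) so the
    // sample UI can show the exchange. A rejected assessment never reaches PasswordSignInAsync,
    // so the credentials are not checked at all in that case.
    bool rejectSignIn = useAP
        ? await AssessWithAccountProtectionAsync()
        : await AssessWithDeviceFingerprintingAsync();

    if (rejectSignIn)
    {
        ModelState.AddModelError("", "Signin rejected by Fraud Protection. You can try again as it has a random likelihood of happening in this sample site.");
        return View("SignIn", model);
    }

    var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, lockoutOnFailure: false);
    if (!result.Succeeded)
    {
        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
        return View("SignIn", model);
    }

    // Assessment approved and credentials verified: merge the anonymous basket, then redirect.
    await TransferBasketToEmailAsync(model.Email);
    return RedirectToLocal(returnUrl);

    // Posts an AP.AccountLogin event; returns true when the assessment decision is anything but Approve.
    async Task<bool> AssessWithAccountProtectionAsync()
    {
        var user = new AccountProtection.User()
        {
            UserType = AccountProtection.UserType.Consumer,
            Username = model.Email,
            UserId = model.Email
        };
        var device = new AccountProtection.DeviceContext()
        {
            DeviceContextId = model.DeviceFingerPrinting.SessionId,
            IpAddress = GetRemoteIpAddress(unwrapIPv4Mapped: true),
            Provider = DeviceContextProvider.DFPFingerPrinting.ToString()
        };
        var metadata = new AccountProtection.EventMetadataAccountLogin()
        {
            TrackingId = Guid.NewGuid().ToString(),
            LoginId = Guid.NewGuid().ToString(),
            // NOTE(review): the server clock is sent as the customer's local date here, whereas the
            // fingerprinting branch sends model.DeviceFingerPrinting.ClientDate — confirm which one
            // the AP API expects before relying on this field.
            CustomerLocalDate = DateTime.Now,
            MerchantTimeStamp = DateTime.Now
        };
        var signIn = new AccountProtection.SignIn()
        {
            Name = "AP.AccountLogin",
            Version = "0.5",
            Device = device,
            User = user,
            Metadata = metadata
        };

        var correlationId = _fraudProtectionService.NewCorrelationId;
        var signInResponse = await _fraudProtectionService.PostSignInAP(signIn, correlationId);
        TempData.Put(FraudProtectionIOModel.TempDataKey, new FraudProtectionIOModel(correlationId, signIn, signInResponse, "SignIn"));

        // Only a ResponseSuccess carries a decision; a missing first result counts as not approved.
        // Any other response type (e.g. a service error) leaves the attempt un-rejected, i.e. the
        // sample fails open when the assessment itself fails.
        return signInResponse is ResponseSuccess response
            && response.ResultDetails.FirstOrDefault()?.Decision != DecisionName.Approve;
    }

    // Posts a device-fingerprinting SignIn event; returns the sample's random reject decision.
    async Task<bool> AssessWithDeviceFingerprintingAsync()
    {
        // Only this API consumes the hash, so the (deliberately slow) password hashing is not paid on
        // the AP path. With the default Identity hasher the value carries a fresh salt per call, so it
        // differs between sign-ins and is not a stable identifier for the password.
        var applicationUser = new ApplicationUser
        {
            UserName = model.Email
        };
        string hashedPassword = _userManager.PasswordHasher.HashPassword(applicationUser, model.Password);

        var signIn = new SignIn
        {
            SignInId = Guid.NewGuid().ToString(),
            PasswordHash = hashedPassword,
            MerchantLocalDate = DateTimeOffset.Now,
            CustomerLocalDate = model.DeviceFingerPrinting.ClientDate,
            UserId = model.Email,
            DeviceContextId = model.DeviceFingerPrinting.SessionId,
            AssessmentType = AssessmentType.Protect.ToString(),
            CurrentIpAddress = GetRemoteIpAddress(unwrapIPv4Mapped: false)
        };

        var correlationId = _fraudProtectionService.NewCorrelationId;
        var signInResponse = await _fraudProtectionService.PostSignIn(signIn, correlationId);
        TempData.Put(FraudProtectionIOModel.TempDataKey, new FraudProtectionIOModel(correlationId, signIn, signInResponse, "SignIn"));

        // The sample ignores the real decision and randomizes the outcome so both paths can be shown.
        // NOTE(review): Next(0, 3) != 0 rejects two of three attempts, which contradicts the original
        // "2 out of 3 signIn will be successful" remark — confirm the intended ratio (== 0 would give
        // two successes out of three).
        return new Random().Next(0, 3) != 0;
    }

    // Remote peer address as a string, or null when the request carries no connection address
    // (the original code dereferenced it unconditionally). When unwrapIPv4Mapped is set, an
    // IPv4-mapped IPv6 address (::ffff:a.b.c.d) is reduced to its IPv4 form; other IPv6 addresses
    // are returned as-is, because IPAddress.MapToIPv4 on a non-mapped IPv6 address silently builds
    // a meaningless IPv4 value from the low 32 bits. Behind a reverse proxy this is the proxy's
    // address unless forwarded-header handling is configured elsewhere — not visible from here.
    string GetRemoteIpAddress(bool unwrapIPv4Mapped)
    {
        var ip = _contextAccessor.HttpContext?.Connection.RemoteIpAddress;
        if (ip != null && unwrapIPv4Mapped && ip.IsIPv4MappedToIPv6)
        {
            ip = ip.MapToIPv4();
        }
        return ip?.ToString();
    }
}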