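        /// <summary>
        /// Issues a fresh API key and secret for <paramref name="part"/> and records the
        /// creation time.
        /// </summary>
        /// <remarks>
        /// The secret is stored twice: encrypted (<c>ApiSecret</c>) so it can later be
        /// shown to authorized users, and salted-hashed (<c>ApiSecretHash</c>, via
        /// <see cref="BearerTokenHelpers.SetSecretHashed"/>) for sign-in validation.
        /// </remarks>
        /// <param name="part">The credentials part to populate; must not be null.</param>
        /// <exception cref="ArgumentNullException"><paramref name="part"/> is null.</exception>
        public void GenerateNewCredentials(ApiCredentialsPart part)
        {
            if (part == null)
            {
                throw new ArgumentNullException(nameof(part));
            }

            // Random material is base64-encoded to avoid encoding issues on transmission.
            // NOTE(review): assumes BearerTokenHelpers.RandomString draws from a
            // cryptographic RNG - confirm, since these values act as credentials.
            Func<string> newKey = () => Convert.ToBase64String(
                Encoding.UTF8.GetBytes(BearerTokenHelpers.RandomString(24)),
                Base64FormattingOptions.None);

            var key = newKey();
            // The key is random, but it is also the lookup identifier, so make sure it is
            // not already in use before assigning it.
            while (GetPartByKey(key) != null)
            {
                key = newKey();
            }
            part.ApiKey = key;

            // The secret uses RandomString's default length (overload not visible here).
            var secret = Convert.ToBase64String(
                Encoding.UTF8.GetBytes(BearerTokenHelpers.RandomString()),
                Base64FormattingOptions.None);

            // Reversible copy: encrypted so authorized users can view the secret later.
            part.ApiSecret = Convert.ToBase64String(
                _encryptionService.Encode(Encoding.UTF8.GetBytes(secret)));

            // Non-reversible copy: salted hash used when validating sign-in.
            // HashAlgorithm is set first because SetSecretHashed reads it.
            part.HashAlgorithm = BearerTokenHelpers.PBKDF2;
            BearerTokenHelpers.SetSecretHashed(part, secret);

            part.CreatedUtc = _clock.UtcNow;
        }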
        /// <summary>
        /// Decides whether the user behind <paramref name="part"/> may sign in with API
        /// credentials: the part must exist, be attached to a user, and that user's e-mail
        /// and registration must both be approved.
        /// </summary>
        /// <param name="part">The credentials part being used to sign in; may be null.</param>
        /// <returns>True when every check passes; false otherwise.</returns>
        public bool ValidateSignIn(ApiCredentialsPart part)
        {
            if (part == null)
            {
                return false;
            }

            var owner = part.As<UserPart>();

            // Both statuses must be Approved; any other state (or no user) blocks sign-in.
            return owner != null
                && owner.EmailStatus == UserStatus.Approved
                && owner.RegistrationStatus == UserStatus.Approved;
        }
        /// <summary>
        /// Verifies <paramref name="secret"/> against the hash stored on
        /// <paramref name="userApi"/> by delegating to <see cref="BearerTokenHelpers.TestSecret"/>.
        /// </summary>
        /// <param name="userApi">Part holding the stored salt, hash and algorithm name.</param>
        /// <param name="secret">The plaintext secret presented at sign-in.</param>
        /// <returns>True when the secret matches; false otherwise.</returns>
        private bool TestSecret(ApiCredentialsPart userApi, string secret)
        {
            // TODO: migrate secrets hashed with "old" algorithms.
            // This is the place to re-hash whenever the default hash algorithm changes;
            // see how the equivalent migration is done in Orchard.Users.
            return BearerTokenHelpers.TestSecret(userApi, secret);
        }
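        /// <summary>
        /// Generates a fresh random salt, hashes <paramref name="secret"/> with it using the
        /// algorithm named in <c>credentialsPart.HashAlgorithm</c>, and stores the hash and
        /// the base64 salt on the part.
        /// </summary>
        /// <param name="credentialsPart">Part receiving <c>ApiSecretHash</c> and <c>SecretSalt</c>; must not be null.</param>
        /// <param name="secret">The plaintext secret to hash.</param>
        /// <exception cref="ArgumentNullException"><paramref name="credentialsPart"/> is null.</exception>
        public static void SetSecretHashed(ApiCredentialsPart credentialsPart, string secret)
        {
            if (credentialsPart == null)
            {
                throw new ArgumentNullException(nameof(credentialsPart));
            }

            // 16-byte salt from the platform CSPRNG. RandomNumberGenerator.Create() is the
            // non-deprecated factory (RNGCryptoServiceProvider is obsolete on modern .NET).
            const int SaltSizeBytes = 16;
            var saltBytes = new byte[SaltSizeBytes];
            using (var rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(saltBytes);
            }

            // HashAlgorithm is read here, not set: the caller must have chosen it already.
            // ComputeHashBase64 (not shown in this listing) selects the scheme from it.
            credentialsPart.ApiSecretHash = ComputeHashBase64(credentialsPart.HashAlgorithm, saltBytes, secret);
            credentialsPart.SecretSalt    = Convert.ToBase64String(saltBytes);
        }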
 /// <summary>
 /// Returns the plaintext API secret stored (encrypted, base64) on <paramref name="part"/>.
 /// </summary>
 /// <param name="part">The credentials part; must not be null.</param>
 /// <returns>
 /// The decrypted secret, or <c>part.ApiSecret</c> unchanged when it is null, empty or
 /// whitespace (nothing to decrypt).
 /// </returns>
 public string GetSecret(ApiCredentialsPart part)
 {
     var stored = part.ApiSecret;

     if (string.IsNullOrWhiteSpace(stored))
     {
         // Blank value: hand it back as-is rather than failing in FromBase64String.
         return stored;
     }

     // Reverse of GenerateNewCredentials: base64 -> ciphertext -> UTF-8 plaintext.
     var cipherBytes = Convert.FromBase64String(stored);
     var plainBytes = _encryptionService.Decode(cipherBytes);
     return Encoding.UTF8.GetString(plainBytes);
 }
        /// <summary>
        /// Checks <paramref name="secret"/> against the salted hash stored on
        /// <paramref name="userApi"/>, using the algorithm recorded in <c>HashAlgorithm</c>.
        /// </summary>
        /// <param name="userApi">Part holding <c>SecretSalt</c>, <c>ApiSecretHash</c> and <c>HashAlgorithm</c>.</param>
        /// <param name="secret">The plaintext secret presented at sign-in.</param>
        /// <returns>True when the secret matches the stored hash; otherwise false.</returns>
        public static bool TestSecret(ApiCredentialsPart userApi, string secret)
        {
            var storedSalt = Convert.FromBase64String(userApi.SecretSalt);

            if (userApi.HashAlgorithm != PBKDF2)
            {
                // Deterministic schemes: recompute with the stored salt and compare via
                // SecureStringEquality (presumably a constant-time comparison - confirm).
                var recomputed = ComputeHashBase64(userApi.HashAlgorithm, storedSalt, secret);
                return SecureStringEquality(userApi.ApiSecretHash, recomputed);
            }

            // PBKDF2 goes through Crypto.HashPassword, which embeds its own salt and so is not
            // repeatable; ComputeHashBase64 cannot be reused, and Crypto must do the verify.
            // The salt+secret bytes are reinterpreted as UTF-16 here - this must mirror how
            // the hash was originally produced (not visible in this listing).
            var saltedSecret = Encoding.Unicode.GetString(CombineSaltAndSecret(storedSalt, secret));
            return Crypto.VerifyHashedPassword(userApi.ApiSecretHash, saltedSecret);
        }
 /// <summary>
 /// Wraps an <see cref="ApiCredentialsPart"/> for display/editing.
 /// </summary>
 /// <param name="part">The part exposed through <c>Part</c>; stored without validation.</param>
 public ApiCredentialsPartViewModel(ApiCredentialsPart part)
 {
     this.Part = part;
 }