/// <summary>
/// Issues a fresh API key / secret pair for <paramref name="part"/> and stamps its creation time.
/// The key is checked against existing parts so no two parts share one. The secret is kept twice:
/// a reversible (encrypted) copy so authorized users can be shown it again, and a salted hash that
/// sign-in verifies against.
/// </summary>
/// <param name="part">
/// The credentials part to populate. Its ApiKey, ApiSecret, HashAlgorithm, CreatedUtc and — via
/// BearerTokenHelpers.SetSecretHashed — ApiSecretHash and SecretSalt are all overwritten.
/// </param>
public void GenerateNewCredentials(ApiCredentialsPart part)
{
    // Base64 wrapping keeps the key free of characters that could be mangled in headers or query strings.
    // NOTE(review): the strength of both key and secret rests on BearerTokenHelpers.RandomString drawing
    // from a cryptographic RNG; that helper is not visible here — confirm.
    string candidateKey;
    do
    {
        candidateKey = Convert.ToBase64String(
            Encoding.UTF8.GetBytes(BearerTokenHelpers.RandomString(24)),
            Base64FormattingOptions.None);
    }
    // A collision is vanishingly unlikely, but a duplicate key would let two parts be confused for one
    // another at sign-in, so keep drawing until the key is unused.
    while (GetPartByKey(candidateKey) != null);
    part.ApiKey = candidateKey;

    var plainSecret = Convert.ToBase64String(
        Encoding.UTF8.GetBytes(BearerTokenHelpers.RandomString()),
        Base64FormattingOptions.None);

    // Reversible copy for display to authorized users. Anyone holding the encryption service's key can
    // recover every stored secret, so that key's protection is part of this feature's threat model.
    part.ApiSecret = Convert.ToBase64String(
        _encryptionService.Encode(Encoding.UTF8.GetBytes(plainSecret)));

    // One-way copy used at sign-in. HashAlgorithm must be assigned before SetSecretHashed, which reads it.
    part.HashAlgorithm = BearerTokenHelpers.PBKDF2;
    BearerTokenHelpers.SetSecretHashed(part, plainSecret);

    part.CreatedUtc = _clock.UtcNow;
}
/// <summary>
/// Decides whether the user behind an API credentials part may sign in. The part must exist and be
/// attached to a user, and that user must have both an approved e-mail and an approved registration.
/// </summary>
/// <param name="part">The credentials part presented at sign-in; may be null.</param>
/// <returns>true only when every check passes; a missing part or user, or any unapproved status, yields false.</returns>
public bool ValidateSignIn(ApiCredentialsPart part)
{
    if (part == null)
    {
        return false;
    }

    // As<UserPart>() resolves the owning user; null means the part is not attached to one.
    var owner = part.As<UserPart>();
    if (owner == null)
    {
        return false;
    }

    // Both statuses must be Approved: a pending or rejected e-mail or registration blocks sign-in.
    return owner.EmailStatus == UserStatus.Approved
        && owner.RegistrationStatus == UserStatus.Approved;
}
/// <summary>
/// Checks <paramref name="secret"/> against the salted hash stored on <paramref name="userApi"/>.
/// A thin wrapper over BearerTokenHelpers.TestSecret, kept as the seam where secrets hashed under an
/// older algorithm would be re-hashed once the default changes (as Orchard.Users does for passwords).
/// </summary>
/// <param name="userApi">The credentials part holding the stored hash, salt and algorithm name.</param>
/// <param name="secret">The plaintext secret presented at sign-in.</param>
/// <returns>true when the secret verifies, otherwise false.</returns>
private bool TestSecret(ApiCredentialsPart userApi, string secret)
{
    // TODO: when the default hash algorithm changes, re-hash secrets that verified under an old
    // algorithm here, the same way Orchard.Users migrates password hashes. Not implemented yet.
    return BearerTokenHelpers.TestSecret(userApi, secret);
}
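/// <summary>
/// Stores a fresh 16-byte random salt and the salted hash of <paramref name="secret"/> on
/// <paramref name="credentialsPart"/>, using the algorithm already named in its HashAlgorithm property.
/// </summary>
/// <param name="credentialsPart">
/// The part to update. HashAlgorithm must be set by the caller beforehand; ApiSecretHash and SecretSalt are overwritten.
/// </param>
/// <param name="secret">The plaintext secret to hash.</param>
/// <exception cref="ArgumentNullException"><paramref name="credentialsPart"/> is null.</exception>
public static void SetSecretHashed(ApiCredentialsPart credentialsPart, string secret)
{
    if (credentialsPart == null)
    {
        throw new ArgumentNullException("credentialsPart");
    }

    // Salt must come from a cryptographic RNG. RandomNumberGenerator.Create() is the portable factory:
    // it is not obsolete on .NET 6+ (unlike RNGCryptoServiceProvider, SYSLIB0023) and exists on .NET Framework.
    var saltBytes = new byte[0x10];
    using (var rng = RandomNumberGenerator.Create())
    {
        rng.GetBytes(saltBytes);
    }

    // Hash first, then record the salt, so a failure inside ComputeHashBase64 leaves the part untouched.
    // NOTE(review): for the PBKDF2 algorithm the sibling TestSecret states that Crypto.HashPassword adds its
    // own internal salt, which would make this salt a prefix of the hashed input rather than the PBKDF2 salt
    // proper — confirm against ComputeHashBase64, which is not visible here.
    credentialsPart.ApiSecretHash = ComputeHashBase64(credentialsPart.HashAlgorithm, saltBytes, secret);
    credentialsPart.SecretSalt = Convert.ToBase64String(saltBytes);
}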
/// <summary>
/// Returns the plaintext API secret for <paramref name="part"/> by decrypting the reversible copy held
/// in ApiSecret. Meant only for showing the secret to authorized users; sign-in checks the hash instead.
/// </summary>
/// <param name="part">The credentials part whose ApiSecret holds base64-encoded ciphertext.</param>
/// <returns>
/// The decrypted secret, or ApiSecret unchanged (null, empty or whitespace) when nothing is stored.
/// </returns>
public string GetSecret(ApiCredentialsPart part)
{
    var stored = part.ApiSecret;

    // Nothing to decrypt: hand back whatever placeholder is there.
    if (string.IsNullOrWhiteSpace(stored))
    {
        return stored;
    }

    // Stored form is base64(encrypt(utf8(secret))); peel the layers off in reverse order.
    var cipherBytes = Convert.FromBase64String(stored);
    var plainBytes = _encryptionService.Decode(cipherBytes);
    return Encoding.UTF8.GetString(plainBytes);
}
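/// <summary>
/// Verifies a presented API secret against the salted hash stored on <paramref name="userApi"/>.
/// </summary>
/// <param name="userApi">Credentials part carrying SecretSalt (base64), ApiSecretHash and HashAlgorithm.</param>
/// <param name="secret">The plaintext secret presented at sign-in.</param>
/// <returns>
/// true when the secret matches; false when it does not, or when the part is null or has no stored hash
/// or salt. A part that never had credentials generated now fails closed instead of throwing from the
/// base64 decode of a null salt. A malformed (non-base64) salt still throws, since that is data corruption.
/// </returns>
public static bool TestSecret(ApiCredentialsPart userApi, string secret)
{
    // Fail closed: nothing stored, or nothing presented, can never verify.
    if (userApi == null
        || secret == null
        || string.IsNullOrEmpty(userApi.ApiSecretHash)
        || string.IsNullOrEmpty(userApi.SecretSalt))
    {
        return false;
    }

    var saltBytes = Convert.FromBase64String(userApi.SecretSalt);

    if (userApi.HashAlgorithm == PBKDF2)
    {
        // ComputeHashBase64 cannot be reused here: Crypto.HashPassword() generates its own internal salt,
        // so hashing the same input twice yields different strings. Crypto.VerifyHashedPassword reads the
        // embedded salt back out of the stored hash instead. Our own salt is still combined with the secret
        // so verification hashes the same input that was stored.
        // NOTE(review): Encoding.Unicode.GetString on raw salt bytes is lossy for byte pairs that decode as
        // lone surrogates; this only round-trips because ComputeHashBase64 is presumed to apply the same
        // conversion — confirm, as that helper is not visible here.
        return Crypto.VerifyHashedPassword(
            userApi.ApiSecretHash,
            Encoding.Unicode.GetString(CombineSaltAndSecret(saltBytes, secret)));
    }

    // Other algorithms are deterministic for a given salt: recompute and compare. SecureStringEquality is
    // used instead of == so the comparison does not leak how many leading characters matched (assuming it
    // is the constant-time comparer its name suggests).
    var recomputed = ComputeHashBase64(userApi.HashAlgorithm, saltBytes, secret);
    return SecureStringEquality(userApi.ApiSecretHash, recomputed);
}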
/// <summary>
/// Wraps an <see cref="ApiCredentialsPart"/> for the editor/display templates.
/// </summary>
/// <param name="part">The content part to expose; stored as-is in <see cref="Part"/>.</param>
public ApiCredentialsPartViewModel(ApiCredentialsPart part)
{
    this.Part = part;
}