Beispiel #1
0
        public async Task <ActionResult> Generate()
        {
            string input = null;

            // If not data came in, then return
            if (this.Request.Body == null)
            {
                return(StatusCode((int)HttpStatusCode.Conflict, new B2CResponseContent("Request content is null", HttpStatusCode.Conflict)));
            }

            // Read the input claims from the request body
            using (StreamReader reader = new StreamReader(Request.Body, Encoding.UTF8))
            {
                input = await reader.ReadToEndAsync();
            }

            // Check input content value
            if (string.IsNullOrEmpty(input))
            {
                return(StatusCode((int)HttpStatusCode.Conflict, new B2CResponseContent("Request content is empty", HttpStatusCode.Conflict)));
            }

            // Convert the input string into InputClaimsModel object
            TotpInputClaims inputClaims = TotpInputClaims.Parse(input);

            if (inputClaims == null)
            {
                return(StatusCode((int)HttpStatusCode.Conflict, new B2CResponseContent("Can not deserialize input claims", HttpStatusCode.Conflict)));
            }

            try
            {
                // Define the URL for the QR code. When user scan this URL, it opens one of the
                // authentication apps running on the mobile device
                byte[] secretKey = KeyGeneration.GenerateRandomKey(20);

                string TOTPUrl = KeyUrl.GetTotpUrl(secretKey, $"{AppSettings.TOTPAccountPrefix}:{inputClaims.UserName}",
                                                   AppSettings.TOTPTimestep);

                TOTPUrl = $"{TOTPUrl}&issuer={AppSettings.TOTPIssuer.Replace(" ", "%20")}";

                // Generate QR code for the above URL
                var              qrCodeGenerator = new QRCodeGenerator();
                QRCodeData       qrCodeData      = qrCodeGenerator.CreateQrCode(TOTPUrl, QRCodeGenerator.ECCLevel.L);
                BitmapByteQRCode qrCode          = new BitmapByteQRCode(qrCodeData);
                byte[]           qrCodeBitmap    = qrCode.GetGraphic(4);

                var output = new B2CResponseContent(string.Empty, HttpStatusCode.OK)
                {
                    QrCodeBitmap = Convert.ToBase64String(qrCodeBitmap),
                    SecretKey    = this.EncryptAndBase64(Convert.ToBase64String(secretKey))
                };

                return(Ok(output));
            }
            catch (Exception ex)
            {
                return(StatusCode((int)HttpStatusCode.Conflict, new B2CResponseContent($"General error (REST API): {ex.Message}", HttpStatusCode.Conflict)));
            }
        }
Beispiel #2
0
        public async Task <ActionResult> Verify()
        {
            string input = null;

            // If not data came in, then return
            if (this.Request.Body == null)
            {
                return(StatusCode((int)HttpStatusCode.Conflict, new B2CResponseContent("Request content is null", HttpStatusCode.Conflict)));
            }

            // Read the input claims from the request body
            using (StreamReader reader = new StreamReader(Request.Body, Encoding.UTF8))
            {
                input = await reader.ReadToEndAsync();
            }

            // Check input content value
            if (string.IsNullOrEmpty(input))
            {
                return(StatusCode((int)HttpStatusCode.Conflict, new B2CResponseContent("Request content is empty", HttpStatusCode.Conflict)));
            }

            // Convert the input string into InputClaimsModel object
            var inputClaims = TotpInputClaims.Parse(input);

            if (inputClaims == null)
            {
                return(StatusCode((int)HttpStatusCode.Conflict, new B2CResponseContent("Can not deserialize input claims", HttpStatusCode.Conflict)));
            }

            try
            {
                byte[] secretKey = Convert.FromBase64String(this.DecryptAndBase64(inputClaims.SecretKey));

                Totp totp = new Totp(secretKey);
                long timeStepMatched;

                // Verify the TOTP code provided by the users
                bool verificationResult = totp.VerifyTotp(
                    inputClaims.TotpCode,
                    out timeStepMatched,
                    VerificationWindow.RfcSpecifiedNetworkDelay);

                if (!verificationResult)
                {
                    return(StatusCode((int)HttpStatusCode.Conflict, new B2CResponseContent("The verification code is invalid.", HttpStatusCode.Conflict)));
                }

                // Using the input claim 'timeStepMatched', we check whether the verification code has already been used.
                // For sign-up, the 'timeStepMatched' input claim is null and should not be evaluated
                // For sign-in, the 'timeStepMatched' input claim contains the last time last matched (from the user profile), and evaluated with
                // the value of the result of the TOTP out 'timeStepMatched' variable
                if (!string.IsNullOrEmpty(inputClaims.TimeStepMatched) && (inputClaims.TimeStepMatched).Equals(timeStepMatched.ToString()))
                {
                    return(StatusCode((int)HttpStatusCode.Conflict, new B2CResponseContent("The verification code has already been used.", HttpStatusCode.Conflict)));
                }

                var output = new B2CResponseContent(string.Empty, HttpStatusCode.OK)
                {
                    TimeStepMatched = timeStepMatched.ToString()
                };

                return(Ok(output));
            }
            catch (Exception ex)
            {
                return(StatusCode((int)HttpStatusCode.Conflict, new B2CResponseContent($"General error (REST API): {ex.Message}", HttpStatusCode.Conflict)));
            }
        }