Beispiel #1
0
        public async Task <Web_AuthResponse <bool> > SetPassword(string token, int id, string password)
        {
            return(await AuthHelper.WithUser(token, async (user, db) => {
                if (id != user.Id && !user.IsAdmin)
                {
                    throw new AuthException("User does not have permission to reset this password.");
                }
                var dbUser = await db.Users.FirstAsync(x => x.Id == id);

                password = AuthHelper.GetDoubleHashedPassword(password);
                dbUser.PasswordHash = password;
                await db.SaveChangesAsync();

                return true;
            }));
        }
Beispiel #2
0
        public async Task <Web_AuthWrapper> LoginUser(string token, string username, string password)
        {
            var ret = new Web_AuthWrapper();
            await AppDbContext.WithContext(async db => {
                if (username == null || password == null)
                {
                    throw new ArgumentNullException("username or password was null");
                }

                //Make sure the submitted hash isn't the same as the database hash.
                //The whole goal is to prevent reversing the hash and getting the original
                //password, so adding this and then doing an SHA256 makes it harder to do that.
                password = AuthHelper.GetDoubleHashedPassword(password);

                //Rate limit brute force attempts.
                await bruteForceLock.WaitAsync();
                try {
                    await Task.Delay(new Random().Next(25) + 100); //No guessing things from the timeout period.
                }
                finally {
                    bruteForceLock.Release();
                }

                //Get actual work done:
                username = username.ToUpper().Trim();
                var user = await db.Users.FirstOrDefaultAsync(x => x.Email.ToUpper() == username);
                if (user == null)
                {
                    return;
                }
                if (user.ResetPassword)
                {
                    user.PasswordHash  = password;
                    user.ResetPassword = false;
                    await db.SaveChangesAsync();
                }

                if (user.PasswordHash != password)
                {
                    return;
                }
                else
                {
                    var now = DateTimeOffset.Now;
                    if (user.SessionTokenExpiresUtc < now || user.SessionToken == null)
                    {
                        user.SessionToken = "";
                        var r             = RandomNumberGenerator.Create();
                        for (var i = 0; i < 4; i++)
                        {
                            var cryptoBytes = new byte[4];
                            r.GetNonZeroBytes(cryptoBytes);
                            var num = 0;
                            for (int j = 0; j < cryptoBytes.Length; j++)
                            {
                                num += (cryptoBytes[j] << (j * 8));
                            }
                            user.SessionToken += num.ToString();
                        }
                        user.SessionTokenExpiresUtc = now.AddDays(30);
                        await db.SaveChangesAsync();
                    }
                    ret.token   = user.SessionToken;
                    ret.id      = user.Id;
                    ret.name    = user.Name;
                    ret.isAdmin = user.IsAdmin;
                }
            });

            return(ret);
        }