Ejemplo n.º 1
0
        public ActionResult ForgotPassword(string forgottenPasswordEmailAddress, string returnurl)
        {
            //if there isnt a hidden on the page - in this case we always know the return url so dont need one
            if (returnurl == null || returnurl.IsBlank())
            {
                returnurl = "Security/Login";
            }

            PersonList people = Models.PersonList.LoadByEmail(forgottenPasswordEmailAddress);

            if (people.Count > 1)
            {
                Web.ErrorMessage = "Sorry there are multiple users with this email address, therefore we are unable to automatically change your password, please contact the administrator.";
                return(Redirect(Web.Root + "Security/Login?mode=norem"));
            }

            Security s = new Security();

            if (s.IsPasswordReminderPossible)
            {
                s.SendPasswordReminder(forgottenPasswordEmailAddress, returnurl);
            }
            else
            {
                s.SendPasswordReset(forgottenPasswordEmailAddress, "security/ChangePassword");
            }
            //if (s.IsSuccess) {
            //	Web.InfoMessage = "The password reset email has been sent to your email. Please check your email and follow the link.";
            //} else {
            Web.InfoMessage = s.ResultMessage;
            //}
            return(Redirect(Web.Root + "Security/Login"));
        }
Ejemplo n.º 2
0
        public void RemoteTwitchLogin(Security s, string username, ref string pCode)
        {
            if (username.ToLower().EndsWith("@beweb.co.nz"))
            {
                var remoteLogin         = "******";
                var isRemoteLoginOnline = false;

                try {
                    var twitchKey = Util.GetSetting("TwitchKey", "dsigbsd9uFSdsg897gasiu%%$#*gas79%*gakisfaf");
                    remoteLogin         = Http.Get("http://twitch.beweb.co.nz/Security/RemoteLogin?EncEmail=" + Crypto.Encrypt(username, twitchKey) + "&EncPassword="******"&EncRemembered=" + Crypto.Encrypt(Crypto.Decrypt(pCode), twitchKey));
                    isRemoteLoginOnline = true;
                } catch { }

                var localPerson  = new ActiveRecord(Security.PersonTableName, Security.PersonTableName + "ID");
                var personExists = localPerson.LoadData(new Sql("where Email = ", username.SqlizeText()));

                // If twitch is online and rejects the user login, then setup to fail the login
                if (isRemoteLoginOnline && remoteLogin == "Failed")
                {
                    pCode           = "invalid user " + Crypto.Random();
                    s.ResultMessage = "Invalid Twitch login";

                    if (personExists)
                    {
                        localPerson["IsActive"].ValueObject = false;
                        localPerson.Save();
                    }
                }

                if (remoteLogin != "Failed")
                {
                    if (!personExists)
                    {
                        localPerson["FirstName"].ValueObject = remoteLogin.Split("|")[0];
                        localPerson["LastName"].ValueObject  = remoteLogin.Split("|")[1] + "*";
                        localPerson["Email"].ValueObject     = username;
                        localPerson["Role"].ValueObject      = "administrators,superadmins,developers";
                        localPerson["Password"].ValueObject  = Security.CreateSecuredPassword(RandomPassword.Generate(5, 7));
                        localPerson["IsActive"].ValueObject  = true;
                        localPerson.Save();

                        s.ResultMessage = "Logged in via Twitch";
                    }
                    else
                    {
                        // log user in with existing account
                        localPerson["IsActive"].ValueObject = true;
                        localPerson.Save();
                        s.ResultMessage = "Logged in via Twitch, using local person";
                    }

                    pCode = Security.DecryptPassword(localPerson["Password"].ToString());
                }
            }
        }
Ejemplo n.º 3
0
        public ActionResult Login(string t, string u)
        {
            if (t.IsNotBlank() && u.IsNotBlank())
            {
                bool isImpersonateOk = Crypto.CheckMinuteCypher(t, 1);

                if (!isImpersonateOk)
                {
                    Web.ErrorMessage = "Impersonating failed";
                    return(Redirect(Web.Root));
                }

                int    id = Crypto.DecryptID(u);
                Person p  = Person.LoadByPersonID(id);
                if (p != null)
                {
                    Web.Session.Add("Impersonating", true);

                    //string passwordToken = "|" + "|" + "|" + "|";
                    string password = Crypto.Decrypt(p.Password);

                    return(LoginSubmit(p.Email, password, true));
                }
                else
                {
                    Web.ErrorMessage = "Impersonating failed";
                    return(Redirect(Web.Root));
                }
            }



            var data = new LoginFormViewData();

            TrackingBreadcrumb.Current.AddBreadcrumb(1, "Login");

            // save the lastUrl - for login redirect later
            //if (Request.UrlReferrer != null && !Request.UrlReferrer.AbsoluteUri.ContainsInsensitive("security/login")) {
            //	Session["LastUrl"] = Request.UrlReferrer.AbsoluteUri;
            //} else {
            //	Session["LastUrl"] = "~/admin/";
            //}
            if (!Request["ReturnUrl"].ContainsInsensitive("loginsubmit"))               // this will prevent login submit not found after first login fails(i.e. using the wrong username and password) JC 20140427
            {
                Session["LastUrl"] = Request["ReturnUrl"];
            }

            if (Session["LastUrl"] + "" == "")
            {
                if (EnableMemberLogin)
                {
                    Session["LastUrl"] = MemberWelcomeUrl;                     // you can change this to the default URL people go to after logging in - eg Members Section - this applies when browsing directly to login page
                }
                else
                {
                    Session["LastUrl"] = Web.AdminRoot;                      // by default, we go to admin menu after logging in
                }
            }

            // if logged in AND we have a ReturnUrl in the querystring, the person must not be authorised for that page - hopefully this assumption is always correct
            if (Security.IsLoggedIn && Request["ReturnUrl"].IsNotBlank())
            {
                ModelState.AddModelError("Login", "Sorry, your user name doesn't have permission to access that area.");
            }

            // get the remembered values
            var s = new Beweb.Security();

            s.GetRemembered();
            data.Username = s.RememberedUser;
            data.ForgottenPasswordEmailAddress = s.RememberedUser;
            data.RememberPwd = s.IsRemembered;
            data.PCode       = s.RememberedPassword;          // if cookied this will be an encrypted version
            if (s.IsRemembered && AutologinSkipLoginScreen && ModelState.Count == 0)
            {
                if (Request["logout"] == "1")
                {
                    // user has just chosen to log out, so they will want to log in with a different user or at least not auto-login again
                    Security.ClearSecurityCookies();
                    data.Username    = "";
                    data.PCode       = "";
                    data.RememberPwd = false;
                    Web.InfoMessage  = "Your login details have been removed from this computer.";
                }
                else
                {
                    return(LoginSubmit(data.Username, data.PCode, true));
                }
            }
            else if (EnableSavvySingleSignOn && ModelState.Count == 0 && s.CheckSavvySingleSignOn())
            {
                // single sign in Savvy Classic ASP to Savvy MVC .Net
                return(LoginSubmit(s.RememberedUser, s.RememberedPassword, true));
            }

            return(ReturnLoginView(data));
        }
Ejemplo n.º 4
0
        public ActionResult SSODotNet()
        {
            // to use this call:
            // sso_classic.asp?ssoDotNet=Utils%2fsso_dotnet.aspx&success=PartSale.aspx&fail=login.asp
            // params:
            // success: page to redirect to if cookie is there and GUID matches, i.e. successful sso. Remember to UrlEncode this value ESPECIALLY if it contains query string stuff
            // fail: fail page

            string AdminId = String.Empty;

            //if(Beweb.Util.ServerIs() == "DEV")
            //{
            //  // don't bother checking - auto log in for dev
            //  //AdminId = Request.QueryString["administratorId"]; // 161 for matt
            //  AdminId = Beweb.BewebData.GetValue(
            //    "SELECT AdministratorID FROM Administrator WHERE Email=@Email",
            //    new Parameter("Email", TypeCode.String, "matt"),
            //    BewebData.GetConnectionString("ExtranetConnectionString"));

            //}
            //else
            //{
            if (String.IsNullOrEmpty(Request.QueryString["sso"]))
            {
                return(RedirectFail());
            }
            string ssoGuid = Request.QueryString["sso"];

            // output.Text += String.Format("<br /><br />[{0}]", ssoGuid);

            // check the database for the ssoGuid - make sure it was just set (with some leeway)
            AdminId = BewebData.GetValue(
                "SELECT AdministratorId FROM Administrator WHERE SsoGuid=@SsoGuid AND SsoSetTime>DATEADD(minute, -2, GETDATE())",
                new Parameter("SsoGuid", TypeCode.String, ssoGuid),
                BewebData.GetConnectionString("ExtranetConnectionString"));
            //}

            if (String.IsNullOrEmpty(AdminId))
            {
                return(RedirectFail());
            }

            string securityRoles = BewebData.GetValue(new Sql("select role from Administrator WHERE AdministratorID=", AdminId.SqlizeNumber()), BewebData.GetConnectionString("ExtranetConnectionString"));
            string name          = BewebData.GetValue(new Sql().AddRawSqlString("select firstname+' ' +lastname as name from Administrator").Add(" WHERE AdministratorID=", AdminId.SqlizeNumber()), BewebData.GetConnectionString("ExtranetConnectionString"));

            //FormsAuthentication.Initialize();
            //FormsAuthentication.HashPasswordForStoringInConfigFile(AdminId, "sha1");
            //// Create a new ticket used for authentication
            //FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            //  1, // Ticket version
            //  AdminId, // Username to be associated with this ticket
            //  DateTime.Now, // Date/time issued
            //  DateTime.Now.AddMinutes(60), // Date/time for login to expire (web.config setting is ignored)
            //  true, // "true" for a persistent user cookie (could be a checkbox on form)
            //  securityRoles, // User-data (the roles from this user record in our database)
            //  FormsAuthentication.FormsCookiePath); // Path cookie is valid for

            //// Hash the cookie for transport over the wire
            //string hash = FormsAuthentication.Encrypt(ticket);
            //HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);
            //Response.Cookies.Add(cookie);

            Security.SetSecurityCookies(name, false, AdminId);
            Security.CreateAuthCookie(securityRoles, AdminId);
            //UserSession.Person = Models.Person.LoadID();
            //var login = new Security().Login(AdminId);
            //Security.LoggedInUserID = AdminId
            //UserSession.Person = Models.Person.LoadID(AdminId.ToIntOrDie());

            return(RedirectSuccess());
        }