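        /// <summary>
        /// Changes the password of the currently authenticated rider.
        /// The request body is a <see cref="ChangeCredentials"/> carrying the old and new password;
        /// the old password must validate against the stored hash before the row is updated.
        /// </summary>
        /// <returns>
        /// HTTP 200 with a JSON status string: "ok", "wrong_password", "db_failed" or "no_user"
        /// (caller not authenticated); HTTP 400 with "bad_request" when the body could not be read
        /// as a <see cref="ChangeCredentials"/>.
        /// </returns>
        public HttpResponseMessage ChangePassword()
        {
            // Synchronous action: unwrap the task via GetAwaiter() so a read failure surfaces as the
            // original exception rather than an AggregateException.
            var u = Request.Content.ReadAsAsync<ChangeCredentials>().GetAwaiter().GetResult();
            if (u is null)
            {
                // An empty or unparsable body previously dereferenced null further down (HTTP 500).
                return Request.CreateResponse<string>(HttpStatusCode.BadRequest, "bad_request",
                             new System.Net.Http.Formatting.JsonMediaTypeFormatter());
            }

            string success = "no_user";

            // Only a logged-on user may change a password, and only their own row is touched.
            var userId = CredentialController.Authenticate();
            if (!string.IsNullOrEmpty(userId))
            {
                SQLiteDatabase db = new SQLiteDatabase();
                try
                {
                    string sql = @"select password from cycli_riders where UserId=@u and AccountStatus='Active'";
                    string oldHashedPassword = db.ExecuteScalar(sql, "@u", userId);
                    // Re-authenticate with the old password before accepting the new one.
                    if (!string.IsNullOrEmpty(oldHashedPassword) && PasswordHash.ValidatePassword(u.oldPassword, oldHashedPassword))
                    {
                        string newHashPassword = PasswordHash.CreateHash(u.newPassword);
                        sql = @"update cycli_riders set password=@new where userid=@u and AccountStatus='Active'";
                        // Only the parameters named in the statement are passed (the former stray "@old" is gone).
                        success = db.ExecuteNonQuery(sql, "@new", newHashPassword, "@u", userId) > 0
                            ? "ok"
                            : "db_failed";
                    }
                    else
                    {
                        success = "wrong_password";
                    }
                }
                finally
                {
                    // Close even when hashing or the database throws, so the connection is not leaked.
                    db.Close();
                }
            }

            return Request.CreateResponse<string>(HttpStatusCode.OK, success,
                         new System.Net.Http.Formatting.JsonMediaTypeFormatter());
        }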
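 /// <summary>
 /// Starts the password-recovery flow for the rider identified by user name and e-mail.
 /// When a matching account exists, a fresh activation code is stored, the account is moved to
 /// the 'Reset' state with the supplied password hashed in, and a confirmation e-mail is sent.
 /// </summary>
 /// <param name="u">Recovery request: user name, e-mail and the password to set.</param>
 /// <returns>
 /// The matched UserId, or null/empty when no Active/Reset account matched (nothing is sent then).
 /// </returns>
 /// <exception cref="ArgumentNullException"><paramref name="u"/> is null.</exception>
 private string ValidateRecoveryCredentials(RegisterCredentials u)
 {
     if (u is null)
     {
         throw new ArgumentNullException(nameof(u));
     }

     string sql = @"select UserId from cycli_riders where UserName=@username and Email=@email and (AccountStatus='Active' or AccountStatus='Reset')";
     SQLiteDatabase db = new SQLiteDatabase();
     string userId;
     try
     {
         userId = db.ExecuteScalar(sql, "@username", u.username, "@email", u.email);
         if (!string.IsNullOrEmpty(userId))
         {
             string hash = PasswordHash.CreateHash(u.password);
             // NOTE(review): Guid.NewGuid() is not documented as a cryptographic source; confirm the
             // activation code is acceptable as a secret, or move to an RNG-backed token together with
             // the endpoint that consumes it.
             string code = Guid.NewGuid().ToString();
             // NOTE(review): the row leaves 'Active' and its password hash is replaced before the e-mail
             // link is confirmed, so anyone who knows a user name + e-mail can presumably lock that user
             // out until they complete the reset; confirm the caller rate-limits this path.
             // An account already in 'Reset' matches the select but not this update, so a repeated
             // request returns the UserId without re-sending the e-mail.
             sql = @"update cycli_riders set activationcode=@a, AccountStatus='Reset', password=@p where userid=@u and AccountStatus='Active'";
             if (db.ExecuteNonQuery(sql, "@a", code, "@p", hash, "@u", userId) > 0)
             {
                 Emailer.SendRecoveryConfirmation(u.username, userId, code, u.email);
             }
         }
     }
     finally
     {
         // Close even when hashing, the update or the mailer throws, so the connection is not leaked.
         db.Close();
     }
     return userId;
 }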