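/// <summary>
/// Changes the password of the currently authenticated rider.
/// Reads a <c>ChangeCredentials</c> body (oldPassword / newPassword), verifies the old
/// password against the stored hash for the 'Active' account and, on success, stores the
/// hash of the new password.
/// </summary>
/// <returns>
/// HTTP 200 with a JSON status string: "ok", "wrong_password", "db_failed", or "no_user"
/// when the caller is not authenticated. HTTP 400 when the request body is missing or
/// carries no new password.
/// </returns>
public HttpResponseMessage ChangePassword()
{
    string success = "no_user";

    // NOTE(review): blocking on .Result; an async Task<HttpResponseMessage> action would be
    // preferable, kept synchronous here so the signature is unchanged.
    var u = Request.Content.ReadAsAsync<ChangeCredentials>().Result;

    // Need to check that we're logged on
    var userId = CredentialController.Authenticate();
    if (!string.IsNullOrEmpty(userId))
    {
        // A missing/malformed body used to surface as a NullReferenceException (500);
        // reject it explicitly before touching the database.
        if (u == null || string.IsNullOrEmpty(u.newPassword))
        {
            return Request.CreateResponse(HttpStatusCode.BadRequest);
        }

        string sql = @"select password from cycli_riders where UserId=@u and AccountStatus='Active'";

        // Check against the database
        SQLiteDatabase db = new SQLiteDatabase();
        try
        {
            string oldHashedPassword = db.ExecuteScalar(sql, "@u", userId);
            if (!string.IsNullOrEmpty(oldHashedPassword)
                && PasswordHash.ValidatePassword(u.oldPassword, oldHashedPassword))
            {
                string newHashPassword = PasswordHash.CreateHash(u.newPassword);

                // Store the new hash; the AccountStatus filter is repeated so a status change
                // between the two statements cannot update a non-active account.
                sql = @"update cycli_riders set password=@new where userid=@u and AccountStatus='Active'";
                if (db.ExecuteNonQuery(sql, "@new", newHashPassword, "@u", userId) > 0)
                {
                    success = "ok";
                    // Emailer.SendRecoveryConfirmation(u.username, userId, code, u.email);
                }
                else
                {
                    success = "db_failed";
                }
            }
            else
            {
                success = "wrong_password";
            }
        }
        finally
        {
            // Close even when the database or hashing helper throws.
            db.Close();
        }
    }

    var response = Request.CreateResponse<string>(HttpStatusCode.OK, success, new System.Net.Http.Formatting.JsonMediaTypeFormatter());
    return response;
}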
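/// <summary>
/// Starts account recovery for the rider matching <c>u.username</c> and <c>u.email</c>.
/// When an 'Active' or 'Reset' account matches, the account is moved to 'Reset', its stored
/// password hash is replaced with the hash of <c>u.password</c>, a fresh activation code is
/// stored, and a confirmation email carrying that code is sent.
/// </summary>
/// <param name="u">Recovery request: username, email and the requested new password.</param>
/// <returns>The matching UserId, or null/empty when no eligible account was found.</returns>
/// <exception cref="ArgumentNullException"><paramref name="u"/> is null.</exception>
private string ValidateRecoveryCredentials(RegisterCredentials u)
{
    if (u == null)
    {
        throw new ArgumentNullException("u");
    }

    string sql = @"select UserId from cycli_riders where UserName=@username and Email=@email and (AccountStatus='Active' or AccountStatus='Reset')";

    // Check against the database
    SQLiteDatabase db = new SQLiteDatabase();
    try
    {
        string userId = db.ExecuteScalar(sql, "@username", u.username, "@email", u.email);
        if (!string.IsNullOrEmpty(userId))
        {
            string hash = PasswordHash.CreateHash(u.password);

            // NOTE(review): Guid.NewGuid() is not documented as cryptographically random; if the
            // code format may change, derive the token from RandomNumberGenerator instead.
            string code = Guid.NewGuid().ToString();

            // NOTE(review): the lookup above also matches 'Reset' accounts but this update only
            // touches 'Active' ones, so a repeated recovery request stores no new code and sends
            // no email while userId is still returned — confirm this is intended.
            // NOTE(review): the stored password hash is overwritten as soon as username+email
            // match, i.e. before the emailed code is redeemed, so an unverified request can
            // invalidate the legitimate user's password; consider applying the new password only
            // when the code is redeemed.
            sql = @"update cycli_riders set activationcode=@a, AccountStatus='Reset', password=@p where userid=@u and AccountStatus='Active'";
            if (db.ExecuteNonQuery(sql, "@a", code, "@p", hash, "@u", userId) > 0)
            {
                Emailer.SendRecoveryConfirmation(u.username, userId, code, u.email);
            }
        }

        return userId;
    }
    finally
    {
        // Close even when the database or the mailer throws.
        db.Close();
    }
}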