public async Task <IHttpActionResult> Validate(NoncePairDto noncePair)
{
if (ModelState.IsValid)
{
var session = await
db.Sessions.SingleOrDefaultAsync(
QueryHelper.GetSessionObjectValidationQuery(noncePair.Session));
if (session != null)
{
var validator = db.UserPhoneNumberValidators.Where(v => v.UserId == session.User.Id).OrderByDescending(v => v.CreatedAt)
.First();
if (validator.SecurityToken == HasherHelper.sha256_hash(noncePair.Nonce.ToString()))
{
validator.IsValidated = true;
validator.ValidatedAt = DateTime.Now;
return(Ok());
}
return(NotFound()); //Wrong Nonce
}
return(Unauthorized());
}
return(BadRequest());
}
public UserController(SqliteContext sqliteContext, UserHelper userHelper, ValidationHelper validationHelper, HasherHelper hasherHelper, TokenHelper tokenHelper, ApplicationSettings applicationSettings)
{
db = sqliteContext;
UserHelper = userHelper;
ValidationHelper = validationHelper;
HasherHelper = hasherHelper;
TokenHelper = tokenHelper;
ApplicationSettings = applicationSettings;
}
public bool Register(UserRegisterDTO userRegisterDTO)
{
_userService.Add(new User
{
FullName = userRegisterDTO.FullName,
Username = userRegisterDTO.UserName,
Password = HasherHelper.ComputeSha256Hash(userRegisterDTO.Password),
});
return(_userService.SaveChanges());
}
/// <summary>
/// Checks whether token is equal to security token, if yes set the primary phone number with temporary.
/// </summary>
/// <param name="token"></param>
/// <returns>
/// True : if old phone number has replaced with new one.
/// False : if old phone number has not replaced with new one.
/// </returns>
public bool ValidateNewPhoneNumber(AppDbContext db, int token)
{
var validator = db.UserPhoneNumberValidators.Where(v => v.UserId == Id).OrderByDescending(v => v.CreatedAt)
.First();
if (validator.SecurityToken == HasherHelper.sha256_hash(token.ToString()))
{
PhoneNumber = validator.TargetNumber;
validator.IsValidated = true;
validator.ValidatedAt = DateTime.Now;
return(true);
}
return(false);
}
public async Task <IHttpActionResult> Active(NoncePairDto pendingSession)
{
if (ModelState.IsValid)
{
var session =
await db
.Sessions
.Where(QueryHelper.GetPendingSessionQuery(pendingSession))
.SingleOrDefaultAsync();
if (session == null)
{
return(NotFound()); //Wrong Nonce Entered
}
session.User.State = UserState.ACTIVE;
session.User.UpdatedAt = DateTime.Now;
session.ActivationMoment = DateTime.Now;
session.State = SessionState.ACTIVE;
//We add the registered phone number to user's validated phone number.
if (session.User.PhoneNumber != null)
{
var newValidator = new UserPhoneNumberValidator()
{
UserId = session.User.Id,
TargetNumber = session.User.PhoneNumber,
SecurityToken = HasherHelper.sha256_hash(pendingSession.Nonce.ToString()),
IsValidated = true,
CreatedAt = DateTime.Now,
ValidatedAt = DateTime.Now
};
db.UserPhoneNumberValidators.Add(newValidator);
}
await db.SaveChangesAsync();
SessionInfoObject sessionInfo = new SessionInfoObject()
{
SessionKey = session.SessionKey,
SessionId = session.Id
};
return(Ok(sessionInfo));
}
return(BadRequest());
}
public void Hash_password()
{
var Password = "******";
var result = string.Empty;
try
{
result = HasherHelper.Hash(Password);
}
catch (Exception ex)
{
result = null;
}
Assert.IsNotNull(result);
}
public IActionResult PasswordReset(string token, [FromBody] ResetPasswordDataModel model)
{
//http://stackoverflow.com/questions/25372035/not-able-to-validate-json-web-token-with-net-key-to-short
if (ModelState.IsValid)
{
if (model.NewPassword == null || model.NewPassword == "")
{
return(BadRequest("Password is required"));
}
if (model.NewPassword != model.ConfirmPassword)
{
return(BadRequest("Passwords do not match"));
}
if (!UserHelper.IsValidPassword(model.NewPassword))
{
return(BadRequest("Password is not complex enough."));
}
PasswordRecoveryToken recoveryToken = TokenHelper.DecodeStandardJwtToken <PasswordRecoveryToken>(token);
User user = UserHelper.GetUserById(recoveryToken.UserId);
string newSalt = UserHelper.CreatUserSalt();
string newPasswordHash = HasherHelper.GetHash(model.NewPassword + newSalt);
var updatePasswordAndSalt = Builders <User> .Update
.Set(u => u.Salt, newSalt)
.Set(u => u.Password, newPasswordHash);
user.Salt = newSalt;
user.Password = newPasswordHash;
db.Users.Update(user);
return(Ok());
}
else
{
return(BadRequest(ModelState));
}
}
public bool Login(UserLoginDTO userLoginDTO, out SessionUser sessionUser)
{
sessionUser = null;
var hasshedpass = HasherHelper.ComputeSha256Hash(userLoginDTO.Password);
var user = _userService.FirstOrDefault(x => x.Username.ToLower() == userLoginDTO.UserName && x.Password == hasshedpass);
if (user != null)
{
sessionUser = new SessionUser
{
Id = user.Id,
FullName = user.FullName,
Username = user.Username,
Role = user.Role,
};
return(true);
}
return(false);
}
public ActionResult Edit(AdminViewModel admin)
{
if (ModelState.IsValid)
{
var adminInDb = db.Admins.SingleOrDefault(s => s.Id == admin.Id);
if (adminInDb != null)
{
adminInDb.Username = admin.Username;
adminInDb.Password = HasherHelper.sha256_hash(admin.Password);
adminInDb.Email = admin.Email;
adminInDb.FirstName = admin.FirstName;
adminInDb.LastName = admin.LastName;
adminInDb.IsCompleted = true;
db.SaveChanges();
return(RedirectToAction("Index", "Home"));
}
}
return(new HttpStatusCodeResult(HttpStatusCode.BadRequest, "Bad Request"));
}
public async Task <IHttpActionResult> ForgotPasswordReset(
ForgotPasswordValidationDto forgotPasswordValidationDto)
{
if (ModelState.IsValid)
{
User user = await db.Users.SingleOrDefaultAsync(q =>
q.SecurityToken == forgotPasswordValidationDto.ForgetPassCode);
if (user == null)
{
return(NotFound()); //Wrong Code
}
user.Password = HasherHelper.sha256_hash(forgotPasswordValidationDto.Password);
user.SecurityToken = 0;
await db.SaveChangesAsync();
return(Ok());
}
return(BadRequest());
}
/// <summary>
/// Set temporary phone number and send security token to the user's new phone number.
/// </summary>
/// <param name="newPhoneNumber"></param>
/// <returns>smsSent</returns>
public bool ChangePhoneNumber(AppDbContext db, string newPhoneNumber)
{
bool smsSent = true;
int nonce = RandomHelper.RandomInt(10000, 99999);
var validator = new UserPhoneNumberValidator()
{
UserId = Id,
TargetNumber = newPhoneNumber,
SecurityToken = HasherHelper.sha256_hash(nonce.ToString()),
IsValidated = false,
CreatedAt = DateTime.Now
};
db.UserPhoneNumberValidators.Add(validator);
if (MessageHelper.SendSMS_K(nonce.ToString(), newPhoneNumber,
MessageHelper.SMSMode.VERIFICATION) != null)
{
smsSent = false;
}
return(smsSent);
}
public async Task <IHttpActionResult> Create(PhoneNumberValidatorDto phoneNumberValidatorDto)
{
if (ModelState.IsValid)
{
var session = await
db.Sessions.SingleOrDefaultAsync(
QueryHelper.GetSessionObjectValidationQuery(phoneNumberValidatorDto.Session));
if (session != null)
{
var smsSent = true;
int nonce = RandomHelper.RandomInt(10000, 99999);
var validator = new UserPhoneNumberValidator()
{
UserId = session.User.Id,
TargetNumber = phoneNumberValidatorDto.PhoneNumber,
SecurityToken = HasherHelper.sha256_hash(nonce.ToString()),
IsValidated = false,
CreatedAt = DateTime.Now
};
db.UserPhoneNumberValidators.Add(validator);
await db.SaveChangesAsync();
if (MessageHelper.SendSMS_K(nonce.ToString(), phoneNumberValidatorDto.PhoneNumber,
MessageHelper.SMSMode.VERIFICATION) != null)
{
smsSent = false;
}
return(Ok());
}
return(Unauthorized());
}
return(BadRequest());
}
public ActionResult Login(AdminLoginViewModel adminLogin)
{
if (ModelState.IsValid)
{
var admin = db.Admins.SingleOrDefault(a => a.Username == adminLogin.Username);
if (admin != null)
{
if (!admin.IsCompleted)
{
CreateSession(admin);
return(RedirectToAction("Edit"));
}
var hashPassword = HasherHelper.sha256_hash(adminLogin.Password);
if (admin.Password == hashPassword)
{
CreateSession(admin);
if (adminLogin.RememberMe)
{
HttpCookie cookie = new HttpCookie("Login");
cookie.Values.Add("Username", adminLogin.Username);
cookie.Expires.AddDays(15);
Response.Cookies.Add(cookie);
}
return(RedirectToAction("Index", "Home"));
}
}
ModelState.AddModelError(string.Empty, "The user name or password is incorrect.");
return(View(adminLogin));
}
return(View(adminLogin));
}
public void Hash_Verify()
{
var Password = "******";
var HashKey = "Qs4gIHiM$TFHASH$V2$dCnbEg1Xb44bZ2GuZuk2/nDm6QUqfUiCmnj6RnDa";
var result = string.Empty;
try
{
if (HasherHelper.Verify(Password, HashKey))
{
result = "TRUE";
}
else
{
result = HasherHelper.Message;
}
}
catch (Exception ex)
{
result = null;
}
Assert.Equals(result, "TRUE");
}
public string ComputeSha256Hash(string data)
{
return(HasherHelper.ComputeSha256Hash(data));
}
public async Task <IHttpActionResult> SignUp(UserSignUpViewModel userSignUp)
{
if (ModelState.IsValid)
{
User user = null;
if (!string.IsNullOrEmpty(userSignUp.PhoneNumber))
{
user = await db.Users.OrderByDescending(v => v.CreatedAt).FirstOrDefaultAsync(q => q.PhoneNumber == userSignUp.PhoneNumber);
}
else if (!string.IsNullOrEmpty(userSignUp.Email))
{
user = await db.Users.OrderByDescending(v => v.CreatedAt).FirstOrDefaultAsync(q => q.Email == userSignUp.Email);
}
else
{
return(BadRequest());
}
Session session = null;
var randomNonce = RandomHelper.RandomInt(10000, 99999);
if (user == null || user.State == UserState.DELETED) //New User
{
user = new User()
{
FirstName = userSignUp.FirstName,
LastName = userSignUp.LastName,
PhoneNumber = userSignUp.PhoneNumber,
Email = userSignUp.Email,
Password = HasherHelper.sha256_hash(userSignUp.Password),
CreatedAt = DateTime.Now,
UpdatedAt = DateTime.Now,
State = UserState.PENDING
};
db.Users.Add(user);
session = new Session()
{
Nonce = randomNonce,
State = SessionState.PENDING,
InitMoment = DateTime.Now,
SessionKey = RandomHelper.RandomString(32),
FCMToken = userSignUp.FCMToken,
SessionPlatform = (SessionPlatform)userSignUp.SessionPlatform,
UniqueCode = userSignUp.UniqueCode,
User = user
};
db.Sessions.Add(session);
await db.SaveChangesAsync();
}
else
{
if (user.State == UserState.PENDING) //multiple requests
{
// We abolish the old sessions first, then we create new sessions
db.Sessions
.Where(q => q.UniqueCode == userSignUp.UniqueCode)
.Where(q => q.State == SessionState.PENDING)
.ToList()
.ForEach(q => q.State = SessionState.ABOLISHED);
session = new Session()
{
Nonce = randomNonce,
State = SessionState.PENDING,
InitMoment = DateTime.Now,
SessionKey = RandomHelper.RandomString(32),
FCMToken = userSignUp.FCMToken,
SessionPlatform = (SessionPlatform)userSignUp.SessionPlatform,
UniqueCode = userSignUp.UniqueCode,
User = user
};
db.Sessions.Add(session);
user.FirstName = userSignUp.FirstName;
user.LastName = userSignUp.LastName;
user.PhoneNumber = userSignUp.PhoneNumber;
user.Email = userSignUp.Email;
user.Password = HasherHelper.sha256_hash(userSignUp.Password);
user.UpdatedAt = DateTime.Now;
await db.SaveChangesAsync();
}
else if (user.State == UserState.ACTIVE) //already registered user - use login form
{
return(Conflict());
}
else if (user.State == UserState.SUSPENDED) //this phonenumber/email has been suspended
{
return(StatusCode(HttpStatusCode.Forbidden));
}
}
var receptorPhone = userSignUp.PhoneNumber;
var receptorMail = userSignUp.Email;
var token = randomNonce.ToString();
if (receptorMail != null) //Mail
{
MessageHelper.CodeVerificationEmail(token, receptorMail, MessageHelper.EmailMode.VERIFICATION);
}
if (receptorPhone != null)
{
if (MessageHelper.SendSMS_K(token, receptorPhone, MessageHelper.SMSMode.VERIFICATION) != null) //SMS
{
return(InternalServerError());
}
}
return(Json(new
{
SessionId = session?.Id ?? -1,
SessionKey = session?.SessionKey ?? null
}));
}
return(BadRequest());
}
public async Task <IHttpActionResult> SignUp(UserSignUpEmailViewModel userSignUpEmail)
{
if (ModelState.IsValid)
{
User user = await db.Users.OrderByDescending(v => v.CreatedAt).FirstOrDefaultAsync(q => q.Email == userSignUpEmail.Email);
Session session = null;
var randomNounce = RandomHelper.RandomInt(10000, 99999);
if (user == null || user.State == UserState.DELETED) //New User
{
user = new User()
{
FirstName = userSignUpEmail.FirstName,
LastName = userSignUpEmail.LastName,
PhoneNumber = userSignUpEmail.PhoneNumber,
Email = userSignUpEmail.Email,
Password = HasherHelper.sha256_hash(userSignUpEmail.Password),
CreatedAt = DateTime.Now,
UpdatedAt = DateTime.Now,
State = UserState.PENDING
};
db.Users.Add(user);
session = new Session()
{
Nonce = randomNounce,
State = SessionState.PENDING,
InitMoment = DateTime.Now,
SessionKey = RandomHelper.RandomString(32),
FCMToken = userSignUpEmail.FCMToken,
SessionPlatform = (SessionPlatform)userSignUpEmail.SessionPlatform,
UniqueCode = userSignUpEmail.UniqueCode,
User = user
};
db.Sessions.Add(session);
await db.SaveChangesAsync();
}
else
{
if (user.State == UserState.PENDING) //multiple requests
{
db.Sessions
.Where(q => q.UniqueCode == userSignUpEmail.UniqueCode)
.Where(q => q.State == SessionState.PENDING)
.ToList()
.ForEach(q => q.State = SessionState.ABOLISHED);
session = new Session()
{
Nonce = randomNounce,
State = SessionState.PENDING,
InitMoment = DateTime.Now,
SessionKey = RandomHelper.RandomString(32),
FCMToken = userSignUpEmail.FCMToken,
SessionPlatform = (SessionPlatform)userSignUpEmail.SessionPlatform,
UniqueCode = userSignUpEmail.UniqueCode,
User = user
};
db.Sessions.Add(session);
await db.SaveChangesAsync();
}
else if (user.State == UserState.ACTIVE) //already registered user - use login form
{
return(Conflict());
}
else if (user.State == UserState.SUSPENDED) //this user has been suspended
{
return(StatusCode(HttpStatusCode.Forbidden));
}
}
var receptor = userSignUpEmail.Email;
var token = randomNounce.ToString();
MessageHelper.CodeVerificationEmail(token, receptor, MessageHelper.EmailMode.VERIFICATION);
return(Json(new
{
SessionId = session?.Id ?? -1
}));
}
return(BadRequest());
}
public async Task <IHttpActionResult> Login(LoginDto loginInfo)
{
if (ModelState.IsValid)
{
User user = null;
var hashPassword = HasherHelper.sha256_hash(loginInfo.Password);
if (!string.IsNullOrEmpty(loginInfo.Email))
{
user = await db.Users.SingleOrDefaultAsync(q =>
q.Email == loginInfo.Email && q.Password == hashPassword);
}
else if (!string.IsNullOrEmpty(loginInfo.PhoneNumber))
{
user = await db.Users.SingleOrDefaultAsync(q =>
q.PhoneNumber == loginInfo.PhoneNumber && q.Password == hashPassword);
}
else
{
return(BadRequest());
}
if (user == null) //Not Registered User - Use Sign up form
{
return(NotFound());
}
switch (user.State)
{
case UserState.ACTIVE:
var sessionKey = RandomHelper.RandomString(32);
Session newSession = new Session()
{
Nonce = null,
State = SessionState.ACTIVE,
InitMoment = DateTime.Now,
ActivationMoment = DateTime.Now,
SessionKey = sessionKey,
FCMToken = loginInfo.FCMToken,
SessionPlatform = (SessionPlatform)loginInfo.SessionPlatform,
UniqueCode = loginInfo.UniqueCode,
User = user
};
db.Sessions.Add(newSession);
await db.SaveChangesAsync();
SessionInfoObject sessionIfInfoObject = new SessionInfoObject()
{
SessionKey = sessionKey,
SessionId = newSession.Id,
};
//OK
return(Ok(sessionIfInfoObject));
case UserState.PENDING: //Not confirmed user
return(Conflict());
case UserState.SUSPENDED:
return(StatusCode(HttpStatusCode.Forbidden));
case UserState.DELETED:
return(StatusCode(HttpStatusCode.Gone));
}
}
return(BadRequest());
}
public IActionResult ChangePassword(string id, [FromBody] ChangePasswordDataModel model)
{
if (ModelState.IsValid)
{
User user = UserHelper.GetUserById(User.Identity.Name);
//Ensure that the requesting user is changing their own password. Change this to allow administrators to modify passwords.
if (user?.Id != id)
{
return(BadRequest("Invalid Permissions"));
}
if (model.NewPassword == null || model.NewPassword == "")
{
return(BadRequest("Password is required"));
}
//Password confirm must match
if (model.NewPassword != model.ConfirmPassword)
{
return(BadRequest("Password and Confirmation must match"));
}
//Validate that the password meets the complexity requirements.
if (!UserHelper.IsValidPassword(model.NewPassword))
{
return(BadRequest("Password is not strong enough"));
}
//Ensure they passed the old password
if (model.OldPassword == null)
{
return(BadRequest("Invalid Password"));
}
//Check that they know the existing password
string password = HasherHelper.GetHash(model.OldPassword + user.Salt);
if (user.Password == password)
{
}
else
{
return(BadRequest("Invalid Password"));
}
//Change password is difficult, just remove the password and then add a new password based on the user input.
string newSalt = UserHelper.CreatUserSalt();
string newPasswordHash = HasherHelper.GetHash(model.NewPassword + newSalt);
user.Salt = newSalt;
user.Password = newPasswordHash;
db.Users.Update(user);
return(Ok());
}
else
{
return(BadRequest(ModelState));
}
}
public IActionResult CreateUser([FromBody] RegisterDataModel model)
{
if (ModelState.IsValid)
{
if (model.Email == null || model.Email == "")
{
return(BadRequest("Email is required"));
}
if (ValidationHelper.ValidateEmail(model.Email) == false)
{
return(BadRequest("Valid email address is required"));
}
User existing = UserHelper.GetUserByEmail(model.Email);
if (existing != null)
{
return(BadRequest("Email address already used."));
}
if (model.Password == null || model.Password == "")
{
return(BadRequest("Password is required"));
}
if (model.Password != model.ConfirmPassword)
{
return(BadRequest("Passwords do not match"));
}
if (!UserHelper.IsValidPassword(model.Password))
{
return(BadRequest("Password is not complex enough."));
}
//Create the user
User user = new User();
user.Email = model.Email;
user.Salt = UserHelper.CreatUserSalt();
user.Password = HasherHelper.GetHash(model.Password + user.Salt);
//As part of this demo, manually activate the account here. There are activation services available - just finish tying in the email logic.
user.EmailValidated = true;
bool result = UserHelper.CreateUser(user);
if (result)
{
return(Ok(new IdResponse()
{
Id = user.Id
}));
}
else
{
return(BadRequest("Could not create user profile."));
}
}
else
{
return(BadRequest("Invalid data"));
}
}
