public ActionResult SwitchAffiliateForms(string to, string nonce, string authCode, string affId, string background, string color, string callback, string newCookie) { var shouldMatch = Current.MakeAuthCode(new { nonce, to, affId, background, color, callback, newCookie }); if (shouldMatch != authCode) { return(GenericSecurityError()); } Nonces.MarkUsed(nonce, Current.RemoteIP); bool addCookie; if (bool.TryParse(newCookie, out addCookie) && addCookie) { Current.GenerateAnonymousXSRFCookie(); // Pull the callback forward into the new cookie var cookie = System.Web.HttpContext.Current.CookieSentOrReceived(Current.AnonymousCookieName); Current.AddToCache(CallbackKey(cookie), callback, TimeSpan.FromMinutes(15)); } switch (to) { case "login": var cookie = System.Web.HttpContext.Current.CookieSentOrReceived(Current.AnonymousCookieName); return(LoginIFrame(null, background, color)); case "signup": return(SignupIFrame(null, background, color)); } return(UnexpectedState("Tried to switch to an unknown form [" + to + "]")); }
public void AcceptableNonceDrift() { var offsetFromNow = TimeSpan.FromSeconds(-60 * 5).Add(TimeSpan.FromSeconds(1)); var max = TimeSpan.FromMinutes(5); while (offsetFromNow < max) { string ignored; for (int i = 0; i < 1000; i++) { var now = DateTime.UtcNow; var nonce = Nonces.Create(now + offsetFromNow); if (!Nonces.IsValid(nonce, "127.0.0.1", out ignored, now)) { DateTime created; Nonces.Parse(nonce, out created); Assert.Fail("Failed on [" + nonce + "] on [" + created + "] diff of [" + (created - now) + "]"); } } offsetFromNow = offsetFromNow.Add(TimeSpan.FromSeconds(1)); } }
/// <summary> /// Returns true if the parameters contain a valid signature for a request. /// </summary> private static bool VerifySignature(Dictionary <string, string> @params, out Affiliate validFor, out string failureReason) { if ([email protected]("authCode") || [email protected]("affId") || [email protected]("nonce")) { validFor = null; failureReason = "Missing parameter"; return(false); } validFor = null; var authCode = @params["authCode"].ToString(); int affId; if (!int.TryParse(@params["affId"], out affId)) { failureReason = "No affId"; return(false); } var nonce = @params["nonce"].ToString(); string nonceMsg; if (!Nonces.IsValid(nonce, Current.RemoteIP, out nonceMsg)) { failureReason = "Invalid Nonce [" + nonceMsg + "]"; return(false); } var affiliate = Current.ReadDB.Affiliates.SingleOrDefault(a => a.Id == affId); if (affiliate == null) { failureReason = "Could not find affiliate"; return(false); } var copy = new Dictionary <string, string>(); foreach (var item in @params.Keys.Where(k => k != "authCode")) { copy[item] = @params[item]; } if (authCode.HasValue() && !affiliate.ConfirmSignature(authCode, Current.RequestUri.AbsolutePath, copy)) { failureReason = "Affiliate signature confirmation failed"; return(false); } validFor = affiliate; Nonces.MarkUsed(nonce, Current.RemoteIP); failureReason = null; return(true); }
public void ValidNonces() { string ignored; for (int i = 0; i < 1000000; i++) { var nonce = Nonces.Create(); Assert.IsTrue(Nonces.IsValid(nonce, "127.0.0.1", out ignored), "Failed on " + nonce); } }
public void DoubleNonceUseFails() { string ignored; for (int i = 0; i < 1000000; i++) { var nonce = Nonces.Create(); Assert.IsTrue(Nonces.IsValid(nonce, "127.0.0.1", out ignored), "Failed on " + nonce); Nonces.MarkUsed(nonce, "127.0.0.1"); Assert.IsFalse(Nonces.IsValid(nonce, "127.0.0.2", out ignored), "Accepted twice " + nonce); } }
/// <summary> /// Generate a link to switch to a specific form /// </summary> private string SwitchLink(string to, string affId, string background, string color, string callback, bool newCookie) { var nonce = Nonces.Create(); var authCode = Current.MakeAuthCode(new { nonce, to, affId, background, color, callback, newCookie = newCookie.ToString() }); var @switch = UnsafeRedirect( "affiliate/form/switch", new { to, nonce, authCode, affId, background, color, callback, newCookie = newCookie.ToString() } ); return(Current.Url(@switch.Url)); }