public ActionResult SwitchAffiliateForms(string to, string nonce, string authCode, string affId, string background, string color, string callback, string newCookie)
{
var shouldMatch = Current.MakeAuthCode(new { nonce, to, affId, background, color, callback, newCookie });
if (shouldMatch != authCode)
{
return(GenericSecurityError());
}
Nonces.MarkUsed(nonce, Current.RemoteIP);
bool addCookie;
if (bool.TryParse(newCookie, out addCookie) && addCookie)
{
Current.GenerateAnonymousXSRFCookie();
// Pull the callback forward into the new cookie
var cookie = System.Web.HttpContext.Current.CookieSentOrReceived(Current.AnonymousCookieName);
Current.AddToCache(CallbackKey(cookie), callback, TimeSpan.FromMinutes(15));
}
switch (to)
{
case "login":
var cookie = System.Web.HttpContext.Current.CookieSentOrReceived(Current.AnonymousCookieName);
return(LoginIFrame(null, background, color));
case "signup": return(SignupIFrame(null, background, color));
}
return(UnexpectedState("Tried to switch to an unknown form [" + to + "]"));
}
/// <summary>
/// Returns true if the parameters contain a valid signature for a request.
/// </summary>
private static bool VerifySignature(Dictionary <string, string> @params, out Affiliate validFor, out string failureReason)
{
if ([email protected]("authCode") || [email protected]("affId") || [email protected]("nonce"))
{
validFor = null;
failureReason = "Missing parameter";
return(false);
}
validFor = null;
var authCode = @params["authCode"].ToString();
int affId;
if (!int.TryParse(@params["affId"], out affId))
{
failureReason = "No affId";
return(false);
}
var nonce = @params["nonce"].ToString();
string nonceMsg;
if (!Nonces.IsValid(nonce, Current.RemoteIP, out nonceMsg))
{
failureReason = "Invalid Nonce [" + nonceMsg + "]";
return(false);
}
var affiliate = Current.ReadDB.Affiliates.SingleOrDefault(a => a.Id == affId);
if (affiliate == null)
{
failureReason = "Could not find affiliate";
return(false);
}
var copy = new Dictionary <string, string>();
foreach (var item in @params.Keys.Where(k => k != "authCode"))
{
copy[item] = @params[item];
}
if (authCode.HasValue() && !affiliate.ConfirmSignature(authCode, Current.RequestUri.AbsolutePath, copy))
{
failureReason = "Affiliate signature confirmation failed";
return(false);
}
validFor = affiliate;
Nonces.MarkUsed(nonce, Current.RemoteIP);
failureReason = null;
return(true);
}
public void DoubleNonceUseFails()
{
string ignored;
for (int i = 0; i < 1000000; i++)
{
var nonce = Nonces.Create();
Assert.IsTrue(Nonces.IsValid(nonce, "127.0.0.1", out ignored), "Failed on " + nonce);
Nonces.MarkUsed(nonce, "127.0.0.1");
Assert.IsFalse(Nonces.IsValid(nonce, "127.0.0.2", out ignored), "Accepted twice " + nonce);
}
}
