/// <summary>
		/// Returns null if login failed.
		/// </summary>
		/// <param name="db"></param>
		/// <param name="user"></param>
		/// <param name="password"></param>
		/// <returns></returns>
		public static DBLogin LoginUser (DB db, string login, string password, string ip4, bool @readonly)
		{
			DBLogin result;
			int id;

			using (IDbCommand cmd = db.CreateCommand ()) {
				// TODO: Encrypt passwords somehow, not store as plaintext.
				cmd.CommandText = "SELECT id FROM Person WHERE login = @login AND password = @password;";
				DB.CreateParameter (cmd, "login", login);
				DB.CreateParameter (cmd, "password", password);
				using (IDataReader reader = cmd.ExecuteReader ()) {
					if (!reader.Read ())
						return null;

					id = reader.GetInt32 (0);

					//if (reader.Read ())
					//	return null;
				}
			}

			result = new DBLogin ();
			result.person_id = id;
			result.ip4 = ip4;

			if (!@readonly) {
				result.expires = DateTime.Now.AddDays (1);
				result.cookie = CreateCookie ();

				result.Save (db);
			}

			return result;
		}
		/// <summary>
		/// Returns null if login failed.
		/// </summary>
		/// <param name="db"></param>
		/// <param name="user"></param>
		/// <param name="password"></param>
		/// <returns></returns>
		public static DBLogin Login (DB db, string login, string password, string ip4, bool @readonly)
		{
			DBLogin result;
			int id;

			Console.WriteLine ("DBLogin.Login ('{0}', '{1}', '{2}'. {3})", login, password, ip4, @readonly);

			using (IDbCommand cmd = db.CreateCommand ()) {
				// TODO: Encrypt passwords somehow, not store as plaintext.
				cmd.CommandText = "SELECT id FROM Person WHERE login = @login AND password = @password;";
				DB.CreateParameter (cmd, "login", login);
				DB.CreateParameter (cmd, "password", password);
				using (IDataReader reader = cmd.ExecuteReader ()) {
					if (!reader.Read ())
						return null;

					id = reader.GetInt32 (0);

					//if (reader.Read ())
					//	return null;
				}
			}

			result = new DBLogin ();
			result.person_id = id;
			result.ip4 = ip4;

			if (!@readonly) {
				byte [] data = new byte [32];
				StringBuilder builder = new StringBuilder (data.Length);
				random.GetBytes (data);

				for (int i = 0; i < data.Length; i++)
					builder.Append (string.Format ("{0:x}", data [i]));
				builder.Append (DateTime.Now.Ticks);

				result.expires = DateTime.Now.AddDays (1);
				result.cookie = builder.ToString ();

				result.Save (db);
			}

			return result;
		}
		public static void LoginDB (DB db, LoginResponse response, string username, string roles, string ip4) {
			// We now create an account with an empty password and the specified roles.
			// Note that it is not possible to log into an account with an empty password
			// using the normal login procedure.

			DBPerson open_person = null;

			using (IDbCommand cmd = db.CreateCommand ()) {
				cmd.CommandText = @"SELECT * FROM Person WHERE login = @login;";
				DB.CreateParameter (cmd, "login", username);
				using (var reader = cmd.ExecuteReader ()) {
					if (reader.Read ())
						open_person = new DBPerson (reader);
				}
			}

			if (open_person == null) {
				open_person = new DBPerson ();
				open_person.login = username;
				open_person.roles = roles;
				open_person.Save (db);
			} else {
				// only save if something has changed
				if (open_person.roles != roles) {
					open_person.roles = roles;
					open_person.Save (db);
				}
			}
			WebServiceLogin login = new WebServiceLogin ();
			login.Ip4 = ip4;
			login.User = open_person.login;
			db.Audit (login, "DBLogin_Extensions.Login (username: {0}, ip4: {1})", username, ip4);

			var result = new DBLogin ();
			result.person_id = open_person.id;
			result.ip4 = ip4;
			result.cookie = CreateCookie ();
			result.expires = DateTime.Now.AddDays (1);
			result.Save (db);

			response.User = username;
			response.UserName = username;
			response.UserRoles = open_person.Roles;
			response.Cookie = result.cookie;
		}
		public static void LoginOpenId (DB db, LoginResponse response, string email, string ip4)
		{
			if (string.IsNullOrEmpty (Configuration.OpenIdProvider) && string.IsNullOrEmpty (Configuration.OauthClientId))
				throw new Exception ("No OpenId provider available");

			if (string.IsNullOrEmpty (Configuration.OpenIdRoles))
				throw new Exception ("No OpenId roles specified");

			if (string.IsNullOrEmpty (email))
				throw new Exception ("OpenId authentication requires an email");
			
			string [] specs = Configuration.OpenIdRoles.Split (';');
			foreach (var spec in specs) {
				// email:role1,role2
				string [] split = spec.Split (':');
				if (split.Length != 2) {
					log.ErrorFormat ("AuthenticateOpenId: Invalid role spec: {0}", spec);
					continue;
				}

				if (string.IsNullOrEmpty (split [1])) {
					log.ErrorFormat ("AuthenticateOpenId: No roles specified for {0}", split [0]);
					continue;
				}

				if (!Regex.IsMatch (email, split [0]))
					continue;

				// We now create an account with an empty password and the specified roles.
				// Note that it is not possible to log into an account with an empty password
				// using the normal login procedure.

				DBPerson open_person = null;

				using (IDbCommand cmd = db.CreateCommand ()) {
					cmd.CommandText = @"SELECT * FROM Person WHERE login = @login;";
					DB.CreateParameter (cmd, "login", email);
					using (var reader = cmd.ExecuteReader ()) {
						if (reader.Read ())
							open_person = new DBPerson (reader);
					}
				}

				if (open_person == null) {
					open_person = new DBPerson ();
					open_person.login = email;
					open_person.roles = split [1];
					open_person.Save (db);
				} else {
					// only save if something has changed
					if (open_person.roles != split [1]) {
						open_person.roles = split [1];
						open_person.Save (db);
					}
				}
				WebServiceLogin login = new WebServiceLogin ();
				login.Ip4 = ip4;
				login.User = open_person.login;
				db.Audit (login, "DBLogin_Extensions.LoginOpenId (email: {0}, ip4: {1})", email, ip4);

				var result = new DBLogin ();
				result.person_id = open_person.id;
				result.ip4 = ip4;
				result.cookie = CreateCookie ();
				result.expires = DateTime.Now.AddDays (1);
				result.Save (db);
				
				response.User = email;
				response.UserName = email;
				response.UserRoles = open_person.Roles;
				response.Cookie = result.cookie;

				return;
			}

			throw new Exception ("The provided email address is not allowed to log in");
		}