public async Task <IActionResult> LoginWithPushValidator([FromBody] GetAuthenticationResultModel model)
{
var user = await _signInManager.GetTwoFactorAuthenticationUserAsync();
if (user == null)
{
throw new ApplicationException($"Unable to load two-factor authentication user.");
}
var result = PushValidator.SDK.Web.ValidateResponse(_pushValidatorSettings.Value.SecretKey,
model,
_pushValidatorSettings.Value.ServerIPs,
_pushValidatorSettings.Value.ServerFingerprints,
_pushValidatorSettings.Value.ServerURIs);
if (!result)
{
return(BadRequest());
}
if (!model.Result)
{
// User responded to the push notification with a deny
return(Unauthorized());
}
// TODO: Perform check for server URI and server certficate fingerprint comparison
// Success so finish signing in user
var signinResult = await _signInManager.TwoFactorSignInAsync("PUSHVALIDATOR", string.Empty, false, false);
return(Json(signinResult.Succeeded));
}
/// <summary>
/// Validates an authentication result returned from the PushValidator service
/// </summary>
/// <param name="secretKey">Secret key used to calculate the HMAC</param>
/// <param name="result">The authentication result to be verified</param>
/// <param name="serverIPs">Application expected host IPs</param>
/// <param name="serverCertificateFingerprints">Application expected certificate fingerprints</param>
/// <param name="serverURIs">Application expected URIs</param>
/// <returns></returns>
public static bool ValidateResponse(string secretKey,
GetAuthenticationResultModel result,
IEnumerable <string> serverIPs,
IEnumerable <string> serverCertificateFingerprints,
IEnumerable <string> serverURIs)
{
var calculatedSignature = result.CalculateSignature(secretKey);
var signatureBytes = Convert.FromBase64String(result.Signature);
var verifySignature = signatureBytes.SequenceEqual(calculatedSignature);
var serverIPMatch = serverIPs.Contains(result.ServerIP);
var serverFingerprintMatch = serverCertificateFingerprints.Contains(result.CertificateFingerprint);
var serverDomain = new Uri(result.ServerURI);
var serverURIMatch = serverURIs.Contains(serverDomain.Host);
return(verifySignature &&
serverIPMatch &&
serverURIMatch &&
serverFingerprintMatch);
}
public async Task <IActionResult> CheckAuthentication(Guid transactionId)
{
var result = _dbContext.AuthenticationResults
.FirstOrDefault(x => x.TransactionId == transactionId);
if (result == null)
{
return(NotFound());
}
var transaction = await _dbContext.Transactions.FindAsync(result.TransactionId);
if (transaction == null)
{
return(NotFound());
}
var application = await _dbContext.Applications.FindAsync(transaction.ApplicationId);
if (application == null)
{
return(NotFound());
}
var model = new GetAuthenticationResultModel
{
ActualClientIP = result.ActualClientIP,
CertificateFingerprint = result.CertificateFingerprint,
ClientIPMatch = result.ClientIPMatch,
Result = result.Result,
ServerIP = result.ServerIP,
ServerURI = result.ServerURI,
TransactionId = result.TransactionId
};
model.Signature = Convert.ToBase64String(model.CalculateSignature(application.Key));
return(Json(model));
}