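/// <summary>
/// Handles a login submitted from the affiliate login iframe. Recoverable failures re-render the
/// iframe with an error message; on success the user is logged in and sent back to the affiliate's
/// cached callback URL with their claimed identifier attached.
/// </summary>
/// <param name="email">Email address entered by the user (passed by ref to IsValidEmail, so it may come back altered).</param>
/// <param name="password">Password entered by the user.</param>
/// <param name="background">Background colour passed through to the re-rendered iframe.</param>
/// <param name="color">Foreground colour passed through to the re-rendered iframe.</param>
/// <returns>
/// The re-rendered login iframe on a recoverable error, an irrecoverable error page when no callback
/// is cached under the anonymous cookie, otherwise a redirect to the affiliate callback.
/// </returns>
public ActionResult HandleAffiliateLogin(string email, string password, string background, string color)
{
    var now = Current.Now;

    if (!Models.User.IsValidEmail(ref email))
    {
        return AffiliateLoginError("Invalid email address", email, background, color);
    }

    var cookie = System.Web.HttpContext.Current.CookieSentOrReceived(Current.AnonymousCookieName);
    var user = Models.User.FindUserByEmail(email);

    if (user == null)
    {
        // NOTE(review): the distinct "no account" / "incorrect password" messages let a caller learn
        // whether an address is registered; IPBanner is the only visible throttle on that probing.
        IPBanner.BadLoginAttempt(user, Current.RemoteIP);
        return AffiliateLoginError("No account with this email found", email, background, color);
    }

    if (!user.PasswordMatch(password))
    {
        IPBanner.BadLoginAttempt(user, Current.RemoteIP);
        return AffiliateLoginError("Incorrect password", email, background, color);
    }

    // The callback is keyed by the anonymous cookie and is consumed here: it is removed from the
    // cache as soon as it is read, so it cannot be replayed by a second submission.
    var callbackKey = CallbackKey(cookie);
    var callback = Current.GetFromCache<string>(callbackKey);
    Current.RemoveFromCache(callbackKey);

    // Login happens before the callback check, so a missing callback still leaves the user signed
    // in on this site — presumably intentional, since the credentials were valid.
    user.Login(now);

    if (callback == null)
    {
        return IrrecoverableError("No Callback Found", "We were unable to find a callback to finish the authentication session.");
    }

    return AffiliateRedirect(AddIdentifier(callback, Current.LoggedInUser.GetClaimedIdentifier()));
}

/// <summary>
/// Re-renders the affiliate login iframe with an error message. The standard recoverable-error
/// machinery does not work inside the iframe, so the view data is populated by hand here.
/// </summary>
/// <param name="message">Error text shown in the iframe.</param>
/// <param name="email">Email address echoed back into the form.</param>
/// <param name="background">Background colour passed through to the iframe.</param>
/// <param name="color">Foreground colour passed through to the iframe.</param>
/// <returns>The login iframe view.</returns>
private ActionResult AffiliateLoginError(string message, string email, string background, string color)
{
    ViewData["error_message"] = message;
    ViewData["email"] = email;
    ViewData["affId"] = CurrentAffiliate.Id;
    return LoginIFrame(null, background, color);
}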
/// <summary>
/// Handles the standard (non-affiliate) login form. Failed attempts are reported to the IP banner and
/// re-render the form with a recoverable error; on success the user is logged in and sent either back
/// into the pending OpenID session or to their own user page.
/// </summary>
/// <param name="email">Email address from the form (passed by ref to IsValidEmail, so it may come back altered).</param>
/// <param name="password">Password from the form.</param>
/// <param name="session">Optional OpenID session to resume after login; empty means "no pending session".</param>
/// <returns>A recoverable error view, or a safe redirect on success.</returns>
public ActionResult DoLogin(string email, string password, string session)
{
    var loginTime = Current.Now;

    if (!Models.User.IsValidEmail(ref email))
    {
        return RecoverableError("Invalid email address", new { email, session });
    }

    var user = Models.User.FindUserByEmail(email);

    // Both "unknown account" and "bad password" count as a bad login attempt against this IP.
    // NOTE(review): the two messages differ, so the response reveals whether an address is registered.
    string failure = null;
    if (user == null)
    {
        failure = "No account with this email found";
    }
    else if (!user.PasswordMatch(password))
    {
        failure = "Incorrect password";
    }

    if (failure != null)
    {
        IPBanner.BadLoginAttempt(user, Current.RemoteIP);
        return RecoverableError(failure, new { email, session });
    }

    user.Login(loginTime);

    if (!session.HasValue())
    {
        return SafeRedirect((Func<ActionResult>)(new UserController()).ViewUser);
    }

    return SafeRedirect(
        (Func<string, string, ActionResult>)(new OpenIdController()).ResumeAfterLogin,
        new { session }
    );
}
/// <summary>
/// Starts a password recovery: records the attempt against the caller's IP, creates a reset token
/// whose hash is stored in the database, and emails the user a link to the NewPassword action that
/// carries the raw token.
/// </summary>
/// <param name="email">Email address of the account to recover.</param>
/// <returns>
/// A recoverable error if no account matches, an irrecoverable error if the email could not be sent,
/// otherwise the "email sent" success page.
/// </returns>
public ActionResult SendRecovery(string email)
{
    // Counted before the lookup so that probing for addresses is throttled as well.
    IPBanner.AttemptedToSendRecoveryEmail(Current.RemoteIP);

    var account = Models.User.FindUserByEmail(email);
    if (account == null)
    {
        // NOTE(review): this response reveals whether an address is registered; the IPBanner call
        // above is the only visible throttle on that.
        return RecoverableError("No account with that email was found", new { email });
    }

    var createdAt = Current.Now;
    var rawToken = Current.UniqueId().ToString();

    // Only the hash is persisted; the raw token travels exclusively in the emailed link.
    // NOTE(review): WeakHash and UniqueId are opaque here — confirm they are suitable for a
    // secret-bearing reset token (unpredictable token, hash not trivially reversible).
    var reset = new PasswordReset
    {
        CreationDate = createdAt,
        TokenHash = Current.WeakHash(rawToken),
        UserId = account.Id
    };
    Current.WriteDB.PasswordResets.InsertOnSubmit(reset);
    Current.WriteDB.SubmitChanges();

    var resetRedirect = SafeRedirect(
        (Func<string, string, string, ActionResult>)NewPassword,
        new { token = rawToken }
    );
    var recoveryLink = Current.Url(resetRedirect.Url);

    var sent = Current.Email.SendEmail(email, Email.Template.ResetPassword, new { RecoveryLink = recoveryLink.AsLink() });
    if (!sent)
    {
        return IrrecoverableError("An error occurred sending the email", "This has been recorded, and will be looked into shortly");
    }

    return SuccessEmail("Password Recovery Email Sent to " + email, "Check your email for the link to reset your password.");
}
/// <summary>
/// Runs before every action: records the current controller, rejects requests flagged earlier in the
/// pipeline (except the two routes that bypass the normal routing), blocks banned IPs, enforces TLS on
/// non-DEBUG builds (either directly or via a trusted load balancer that terminated it), and wires up
/// response compression according to the Accept-Encoding header.
/// </summary>
/// <param name="filterContext">The MVC action-executing context; setting its Result short-circuits the request.</param>
protected override void OnActionExecuting(ActionExecutingContext filterContext)
{
    using (MiniProfiler.Current.Step("OnActionExecuting"))
    {
        Current.Controller = filterContext.Controller;

        var request = filterContext.HttpContext.Request;
        var requestPath = request.Url.AbsolutePath.ToLowerInvariant();

        // A request may already have been marked for rejection while we still want to show the user
        // something. /openid/provider and /affiliate/form/switch dodge our routing magic and are exempt.
        var bypassesRejection = requestPath == "/openid/provider" || requestPath == "/affiliate/form/switch";
        if (!bypassesRejection && Current.RejectRequest)
        {
            filterContext.Result = NotFound();
            return;
        }

        if (IPBanner.IsBanned(Current.RemoteIP))
        {
            filterContext.Result = Banned();
            return;
        }

        // In production TLS is terminated either by IIS or by an SSL accelerator in front of us. A
        // plain-HTTP connection is only acceptable when it arrives from a known load-balancer address
        // that asserts the client side was https; anything else is logged and refused.
#if !DEBUG
        if (!request.IsSecureConnection)
        {
            var originatingIP = request.ServerVariables["REMOTE_ADDR"];
            var forwardedProto = request.Headers["X-Forwarded-Proto"];
            var trustedOffload = forwardedProto == "https" && Current.LoadBalancerIPs.Contains(originatingIP);
            if (!trustedOffload)
            {
                Current.LogException(new Exception("Warning! Something is talking to the OpenIdProvider nefariously"));
                filterContext.Result = GenericSecurityError();
                return;
            }
        }
#endif

        ApplyRequestedCompression(filterContext);

        base.OnActionExecuting(filterContext);
    }
}

/// <summary>
/// Honours the client's Accept-Encoding header by wrapping the response filter in a gzip or deflate
/// stream (gzip wins when both are offered). Does nothing when the header is absent or names neither.
/// </summary>
/// <param name="filterContext">The action-executing context whose response is to be compressed.</param>
private static void ApplyRequestedCompression(ActionExecutingContext filterContext)
{
    var acceptEncoding = filterContext.HttpContext.Request.Headers["Accept-Encoding"];
    if (!acceptEncoding.HasValue())
    {
        return;
    }

    acceptEncoding = acceptEncoding.ToLowerInvariant();
    var response = filterContext.HttpContext.Response;

    // NOTE(review): compression is applied to every response regardless of content. Responses that
    // mix per-session secrets with attacker-influenced text are the precondition for BREACH-style
    // compression side channels — confirm whether any such responses pass through here.
    if (acceptEncoding.Contains("gzip"))
    {
        response.AppendHeader("Content-Encoding", "gzip");
        response.Filter = new GZipStream(response.Filter, CompressionMode.Compress);
    }
    else if (acceptEncoding.Contains("deflate"))
    {
        response.AppendHeader("Content-Encoding", "deflate");
        response.Filter = new DeflateStream(response.Filter, CompressionMode.Compress);
    }
}