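        /// <summary>
        /// Handles a credential post from the affiliate login iframe.
        /// On success the user is logged in and redirected to the callback cached
        /// under the anonymous cookie; on failure the iframe is re-rendered with an error.
        /// </summary>
        /// <param name="email">Email address submitted by the user; normalized in place by IsValidEmail.</param>
        /// <param name="password">Cleartext password submitted by the user.</param>
        /// <param name="background">Affiliate iframe background, passed straight through to LoginIFrame.</param>
        /// <param name="color">Affiliate iframe text color, passed straight through to LoginIFrame.</param>
        /// <returns>
        /// A redirect to the affiliate callback, the re-rendered iframe carrying an error,
        /// or an irrecoverable error when no callback is cached for this session.
        /// </returns>
        public ActionResult HandleAffiliateLogin(string email, string password, string background, string color)
        {
            var now = Current.Now;

            if (!Models.User.IsValidEmail(ref email))
            {
                // A malformed address is a format problem, not an existence probe,
                // so it is safe to say exactly what went wrong. No ban strike here (as before).
                return RenderAffiliateLoginError("Invalid email address", email, background, color);
            }

            var cookie = System.Web.HttpContext.Current.CookieSentOrReceived(Current.AnonymousCookieName);
            var user   = Models.User.FindUserByEmail(email);

            // "Unknown account" and "wrong password" deliberately share one message:
            // distinct messages let an attacker enumerate which emails have accounts.
            // Both still register as a bad attempt with the IP banner; user is null
            // in the unknown-account case, exactly as the previous code passed it.
            if (user == null || !user.PasswordMatch(password))
            {
                IPBanner.BadLoginAttempt(user, Current.RemoteIP);

                return RenderAffiliateLoginError("Invalid email address or password", email, background, color);
            }

            // The callback is keyed on the anonymous cookie (presumably cached when the
            // iframe was first served) and removed before use so it can complete only one login.
            var callback = Current.GetFromCache<string>(CallbackKey(cookie));

            Current.RemoveFromCache(CallbackKey(cookie));

            user.Login(now);

            if (callback == null)
            {
                // The user is already logged in at this point; only the affiliate hand-off is lost.
                return IrrecoverableError("No Callback Found", "We were unable to find a callback to finish the authentication session.");
            }

            return AffiliateRedirect(AddIdentifier(callback, Current.LoggedInUser.GetClaimedIdentifier()));
        }

        /// <summary>
        /// Re-renders the affiliate login iframe with an error message.
        /// The standard recoverable-error machinery does not work inside the iframe,
        /// so the view data is populated by hand.
        /// </summary>
        /// <param name="message">Error text shown to the user.</param>
        /// <param name="email">Email address to echo back into the form.</param>
        /// <param name="background">Affiliate iframe background, passed through to LoginIFrame.</param>
        /// <param name="color">Affiliate iframe text color, passed through to LoginIFrame.</param>
        /// <returns>The rendered login iframe.</returns>
        private ActionResult RenderAffiliateLoginError(string message, string email, string background, string color)
        {
            ViewData["error_message"] = message;
            ViewData["email"]         = email;
            ViewData["affId"]         = CurrentAffiliate.Id;

            return LoginIFrame(null, background, color);
        }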
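        /// <summary>
        /// Handles a credential post from the main login form.
        /// On success the user is logged in and sent either back into the pending
        /// OpenID session (when one is supplied) or to their own user page.
        /// </summary>
        /// <param name="email">Email address submitted by the user; normalized in place by IsValidEmail.</param>
        /// <param name="password">Cleartext password submitted by the user.</param>
        /// <param name="session">Optional OpenID session to resume after login; may be empty.</param>
        /// <returns>A safe redirect on success, or a recoverable error that re-renders the form.</returns>
        public ActionResult DoLogin(string email, string password, string session)
        {
            var now = Current.Now;

            if (!Models.User.IsValidEmail(ref email))
            {
                // Format problem, not an existence probe: safe to be specific, and no ban strike (as before).
                return RecoverableError("Invalid email address", new { email, session });
            }

            var user = Models.User.FindUserByEmail(email);

            // "Unknown account" and "wrong password" deliberately share one message so the
            // response cannot be used to enumerate registered emails. The IP banner still
            // sees every failure; user is null for an unknown account, as it was before.
            if (user == null || !user.PasswordMatch(password))
            {
                IPBanner.BadLoginAttempt(user, Current.RemoteIP);
                return RecoverableError("Invalid email address or password", new { email, session });
            }

            user.Login(now);

            // Resume the OpenID flow the user was in the middle of, if any.
            if (session.HasValue())
            {
                return SafeRedirect(
                    (Func<string, string, ActionResult>)(new OpenIdController()).ResumeAfterLogin,
                    new { session });
            }

            return SafeRedirect((Func<ActionResult>)(new UserController()).ViewUser);
        }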
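        /// <summary>
        /// Starts a password recovery: records a reset token for the account behind
        /// <paramref name="email"/> and mails the user a link carrying that token.
        /// </summary>
        /// <param name="email">Email address submitted by the user. Note: unlike the login
        /// handlers this is not passed through IsValidEmail before lookup — verify that
        /// FindUserByEmail normalizes it the same way.</param>
        /// <returns>
        /// A success page with identical wording whether or not an account exists, or an
        /// irrecoverable error if the email could not be sent.
        /// </returns>
        public ActionResult SendRecovery(string email)
        {
            // Rate-limit first so every request costs the caller a strike, whether or not the address exists.
            IPBanner.AttemptedToSendRecoveryEmail(Current.RemoteIP);

            // One response for both outcomes: telling the caller "no account with that email"
            // turns this endpoint into an account-enumeration oracle.
            var sentTitle = "Password Recovery Email Sent to " + email;
            var sentBody  = "If an account exists for that address, check your email for the link to reset your password.";

            var user = Models.User.FindUserByEmail(email);

            if (user == null)
            {
                // Deliberately indistinguishable (in content) from the real send path.
                return SuccessEmail(sentTitle, sentBody);
            }

            var now   = Current.Now;
            // NOTE(review): the reset flow is only as strong as this token's unpredictability —
            // confirm Current.UniqueId() is cryptographically random, not a sequential id.
            var token = Current.UniqueId().ToString();

            // Only a hash of the token is stored, so a read of the PasswordResets table
            // does not hand out usable reset links. (For a high-entropy random token a fast
            // hash is acceptable; the "Weak" in the name is presumably about speed — confirm.)
            var toInsert =
                new PasswordReset
            {
                CreationDate = now,
                TokenHash    = Current.WeakHash(token),
                UserId       = user.Id
            };

            Current.WriteDB.PasswordResets.InsertOnSubmit(toInsert);
            Current.WriteDB.SubmitChanges();

            var toReset =
                SafeRedirect(
                    (Func<string, string, string, ActionResult>)NewPassword,
                    new { token }
                    );

            var resetLink = Current.Url(toReset.Url);

            // This failure is still account-specific (it can only happen when an account exists),
            // but it is a transient server-side condition rather than a reliable oracle.
            if (!Current.Email.SendEmail(email, Email.Template.ResetPassword, new { RecoveryLink = resetLink.AsLink() }))
            {
                return IrrecoverableError("An error occurred sending the email", "This has been recorded, and will be looked into shortly");
            }

            return SuccessEmail(sentTitle, sentBody);
        }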
        /// <summary>
        /// Per-request gate that runs before every action on this controller:
        /// rejects flagged requests, refuses banned IPs, enforces that production traffic
        /// arrived over TLS (directly or via a trusted SSL accelerator), and wires up
        /// response compression when the client asks for it. Order matters — each check
        /// short-circuits the ones after it by setting filterContext.Result and returning.
        /// </summary>
        /// <param name="filterContext">The MVC action context; Result is set to short-circuit the action.</param>
        protected override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            using (MiniProfiler.Current.Step("OnActionExecuting"))
            {
                Current.Controller = filterContext.Controller;
                // Lower-cased so the literal path comparisons below are case-insensitive.
                var path = filterContext.HttpContext.Request.Url.AbsolutePath.ToLowerInvariant();

                // Sometimes we know that we want to reject a request, but also want to show the user
                //   something when it happens, so we check here.
                //   Special exception for /openid/provider, since its a "special" route that dodges all our Route magic
                if (path != "/openid/provider" && path != "/affiliate/form/switch" && Current.RejectRequest)
                {
                    filterContext.Result = NotFound();
                    return;
                }

                // Banned IPs get a dedicated response rather than a 404 — this is the enforcement
                // side of the IPBanner.BadLoginAttempt / AttemptedToSendRecoveryEmail strikes.
                if (IPBanner.IsBanned(Current.RemoteIP))
                {
                    filterContext.Result = Banned();
                    return;
                }

                // On prod, we can either be running with IIS handling SSL, *or* behind an SSL accelerator
                //   If we're not getting direct SSL, check against the a trusted port we've locked down
                //   for discussion between the accelerator(s) and the web tier
                // Security note: X-Forwarded-Proto is client-controlled unless it was set by our own
                //   accelerator, which is why it is only honored when REMOTE_ADDR (the TCP peer, not a
                //   forwarded header) is one of the known load-balancer IPs. Do not loosen this to
                //   X-Forwarded-For. The whole check is compiled out in DEBUG builds.
#if !DEBUG
                if (!filterContext.HttpContext.Request.IsSecureConnection)
                {
                    var serverVars    = filterContext.HttpContext.Request.ServerVariables;
                    var originatingIP = serverVars["REMOTE_ADDR"];

                    var forwardedProto = filterContext.HttpContext.Request.Headers["X-Forwarded-Proto"];

                    if (forwardedProto != "https" || !Current.LoadBalancerIPs.Contains(originatingIP))
                    {
                        Current.LogException(new Exception("Warning!  Something is talking to the OpenIdProvider nefariously"));

                        filterContext.Result = GenericSecurityError();
                        return;
                    }
                }
#endif

                // Handle Accept-Encoding
                //   As a side note: why, in the year 2011 (officially "the future") do we have to opt into this stuff?
                // NOTE(review): compressing a TLS response that mixes a secret (e.g. a session or
                //   anti-forgery token) with attacker-controlled reflected input is what BREACH-style
                //   attacks exploit. Confirm that pages with such content are exempt from this
                //   filter or otherwise mitigated before relying on it site-wide.
                var acceptEncoding = filterContext.HttpContext.Request.Headers["Accept-Encoding"];
                if (acceptEncoding.HasValue())
                {
                    acceptEncoding = acceptEncoding.ToLowerInvariant();
                    var response = filterContext.HttpContext.Response;

                    // gzip is preferred; deflate is the fallback. A simple substring match, so
                    // q-values (e.g. "gzip;q=0") are not honored.
                    if (acceptEncoding.Contains("gzip"))
                    {
                        response.AppendHeader("Content-Encoding", "gzip");
                        response.Filter = new GZipStream(response.Filter, CompressionMode.Compress);
                    }
                    else
                    {
                        if (acceptEncoding.Contains("deflate"))
                        {
                            response.AppendHeader("Content-Encoding", "deflate");
                            response.Filter = new DeflateStream(response.Filter, CompressionMode.Compress);
                        }
                    }
                }

                base.OnActionExecuting(filterContext);
            }
        }