/// <summary> /// Authentication using: [Salted password hashing with PBKDF2-SHA1]. /// Implementation available at: [HouseOfSynergy.PowerTools.Library.Security.Cryptography.PasswordHash]. /// The password should never reach here in plain text. It should b encrypted using Sha512 in TypeScript or JavaScript. /// A C# implementation of Sha512 is available at: [HouseOfSynergy.PowerTools.Library.Security.Cryptography.Sha]. /// </summary> /// <param name="sessionType">The origin of the request.</param> /// <param name="username">Username in plain text.</param> /// <param name="passwordHash">Password from client hashed using Sha512.</param> /// <param name="token">The user object fetched.</param> /// <param name="exception">Populates an exception where applicable.</param> /// <returns></returns> public static bool SignIn ( SessionType sessionType, string username, string passwordHash, string clientIpAddress, string userAgent, long ticks, string sessionId, out MasterUserSession masterUserSession, out Exception exception ) { var result = false; var now = DateTime.UtcNow; MasterUser userDatabase = null; MasterSession sessionDatabase = null; exception = null; masterUserSession = null; try { using (var context = new ContextMaster()) { userDatabase = context.Users.SingleOrDefault(u => (u.UserName == username)); if (userDatabase == null) { throw (new UserNotFoundException()); } if (!PasswordHash.ValidatePassword(passwordHash, userDatabase.PasswordHash)) { throw (new AuthenticationException()); } var token = userDatabase.Id.ToString() + EntityConstants.TokenDelimiter + userDatabase.UserName + EntityConstants.TokenDelimiter + userDatabase.AuthenticationType.ToString() + EntityConstants.TokenDelimiter + (userDatabase.ActiveDirectoryId ?? "").Trim() + EntityConstants.TokenDelimiter + "" + EntityConstants.TokenDelimiter + sessionType.ToString() + EntityConstants.TokenDelimiter + EntityConstants.TokenDelimiter + EntityConstants.TokenDelimiter; // TODO: Remove for production. if (AffinityConfiguration.DeploymentLocation == DeploymentLocation.BtsSaleem) { now = now.Add(TimeSpan.FromHours(1)); } sessionDatabase = userDatabase.Sessions.SingleOrDefault ( s => ( (s.DateTimeCreated < now) && (s.DateTimeExpiration > now) && (s.SessionId == sessionId) && (s.Token == token) && (s.UserAgent == userAgent) && (s.IPAddressString == clientIpAddress) && (s.SessionType == sessionType) ) ); var lines = new List <string>(); lines.Add($"--------------------------------------------------------------------------------------------------------------------------------------------------------------"); lines.Add($"SIGNIN"); lines.Add($"Session Found: {sessionDatabase != null}"); lines.Add($"now: {now}"); lines.Add($"SessionId: {sessionId}"); lines.Add($"token: {token}"); lines.Add($"useragent: {userAgent}"); lines.Add($"ipAddressString: {clientIpAddress}"); lines.Add($"sessionType: {sessionType}"); lines.Add($"--------------------------------------------------------------------------------------------------------------------------------------------------------------"); AffinityConfiguration.Messages.Add(string.Join("<br />", lines)); if (sessionDatabase == null) { var guid = Guid.NewGuid(); var rijndaelKey = new byte [GlobalConstants.AlgorithmSymmetricKeySize]; var rijndaelInitializationVector = new byte [GlobalConstants.AlgorithmSymmetricInitializationVectorSize]; var rsaKeyPair = Rsa.GenerateKeyPair(GlobalConstants.AlgorithmAsymmetricKeySize); using (var randomNumberGenerator = RandomNumberGenerator.Create()) { randomNumberGenerator.GetBytes(rijndaelKey); randomNumberGenerator.GetBytes(rijndaelInitializationVector); } do { guid = Guid.NewGuid(); } while (context.Sessions.Any(s => s.Guid == guid)); sessionDatabase = new MasterSession(); sessionDatabase.Guid = guid; sessionDatabase.CultureName = "en"; sessionDatabase.Token = token; sessionDatabase.SessionId = sessionId; sessionDatabase.SessionType = sessionType; sessionDatabase.UserAgent = userAgent; sessionDatabase.IPAddressString = clientIpAddress; sessionDatabase.DeviceType = DeviceType.Unknown; sessionDatabase.DateTimeCreated = now; sessionDatabase.DateTimeExpiration = sessionDatabase.DateTimeCreated.Add(TimeSpan.FromDays(1)); sessionDatabase.RijndaelKey = Convert.ToBase64String(rijndaelKey); sessionDatabase.RijndaelInitializationVector = Convert.ToBase64String(rijndaelInitializationVector); sessionDatabase.RsaKeyPublic = rsaKeyPair.KeyPublic.KeyToString(); sessionDatabase.RsaKeyPrivate = rsaKeyPair.KeyPrivate.KeyToString(); sessionDatabase.User = userDatabase; sessionDatabase.UserId = userDatabase.Id; context.Sessions.Add(sessionDatabase); context.SaveChanges(); } else { sessionDatabase.DateTimeExpiration = DateTime.UtcNow.Add(TimeSpan.FromDays(1)); context.SaveChanges(); } var sessions = userDatabase.Sessions.Where(s => s.DateTimeExpiration < DateTime.UtcNow.Subtract(TimeSpan.FromDays(30))); foreach (var s in sessions) { context.Sessions.Remove(s); } context.SaveChanges(); sessionDatabase = context.Sessions.AsNoTracking().Single(s => s.Id == sessionDatabase.Id); userDatabase = context.Users.AsNoTracking().Include(p => p.Roles).AsNoTracking().Single(u => u.Id == userDatabase.Id); userDatabase.PasswordHash = ""; userDatabase.PasswordSalt = ""; sessionDatabase.RijndaelKey = ""; sessionDatabase.RijndaelInitializationVector = ""; sessionDatabase.RsaKeyPrivate = ""; sessionDatabase.RsaKeyPublic = (sessionType == SessionType.Api) ? sessionDatabase.RsaKeyPublic : ""; masterUserSession = new MasterUserSession(userDatabase, sessionDatabase); result = true; } } catch (Exception e) { exception = e; } return(result); }
/// <summary> /// Authentication using: [Salted password hashing with PBKDF2-SHA1]. /// Implementation available at: [HouseOfSynergy.PowerTools.Library.Security.Cryptography.PasswordHash]. /// The password should never reach here in plain text. It should be hashed using Sha512 in TypeScript or JavaScript. /// A C# implementation of Sha512 is available at: [HouseOfSynergy.PowerTools.Library.Security.Cryptography.Sha]. /// </summary> /// <param name="sessionType">The origin of the request.</param> /// <param name="domain">The domain of the requested tenant.</param> /// <param name="username">Username in plain text.</param> /// <param name="passwordHash">Password from client hashed using Sha512.</param> /// <param name="clientIpAddress">The IP Address the request originated from.</param> /// <param name="userAgent">The User Agent of the request.</param> /// <param name="ticks">The user's timestamp in ticks.</param> /// <param name="ticks">The requests server Session Id.</param> /// <param name="tenantUserSession">Populates the out tenantUserSession if the function succeeds.</param> /// <param name="exception">Populates the out exception where applicable.</param> /// <returns>Returns true if sign-in succeeds. Otherwise, populates the out exception parameter.</returns> public static bool SignIn ( SessionType sessionType, string domain, string username, string passwordHash, string clientIpAddress, string userAgent, long ticks, string sessionId, out TenantUserSession tenantUserSession, out Exception exception ) { var result = false; User userDatabase = null; var now = DateTime.UtcNow; Tenant tenantDatabase = null; Session sessionDatabase = null; exception = null; tenantUserSession = null; try { if (!MasterTenantManagement.GetTenantByDomain(domain, out tenantDatabase, out exception)) { throw (exception); } if (tenantDatabase == null) { throw (new DomainNotFoundException()); } // ContextTenant.Initialize(tenantDatabase.DatabaseConnectionString); using (var context = new ContextTenant(tenantDatabase.DatabaseConnectionString)) { tenantDatabase = context.Tenants.SingleOrDefault(); if (tenantDatabase == null) { throw (new DomainNotFoundException()); } // TODO: Use a single exception for unmatched username/password scenarios. userDatabase = context.Users.SingleOrDefault(u => (u.UserName == username)); if (userDatabase == null) { throw (new AuthenticationException(isValidDomain: true, isValidUsername: false, isValidPassword: null)); } if (!PasswordHash.ValidatePassword(passwordHash, userDatabase.PasswordHash)) { throw (new AuthenticationException(isValidDomain: true, isValidUsername: true, isValidPassword: false)); } var token = tenantDatabase.Id.ToString() + EntityConstants.TokenDelimiter + tenantDatabase.Domain + EntityConstants.TokenDelimiter + userDatabase.Id.ToString() + EntityConstants.TokenDelimiter + userDatabase.UserName + EntityConstants.TokenDelimiter + userDatabase.AuthenticationType.ToString() + EntityConstants.TokenDelimiter + (userDatabase.ActiveDirectory_ObjectId.ToString(GuidUtilities.EnumGuidFormat.N.ToString())).Trim() + EntityConstants.TokenDelimiter + "" + EntityConstants.TokenDelimiter + sessionType.ToString() + EntityConstants.TokenDelimiter + EntityConstants.TokenDelimiter + EntityConstants.TokenDelimiter; // TODO: Remove for production. if (AffinityConfiguration.DeploymentLocation == DeploymentLocation.BtsSaleem) { now = now.Add(TimeSpan.FromHours(1)); } //clientIpAddress.r sessionDatabase = userDatabase.Sessions.SingleOrDefault ( s => ( (s.DateTimeCreated < now) && (s.DateTimeExpiration > now) && (s.SessionId == sessionId) && (s.Token == token) && (s.UserAgent == userAgent) && (s.IPAddressString == clientIpAddress) && (s.SessionType == sessionType) ) ); var lines = new List <string>(); lines.Add($"--------------------------------------------------------------------------------------------------------------------------------------------------------------"); lines.Add($"SIGNIN TOKEN"); lines.Add($"Session Found: {sessionDatabase != null}"); lines.Add($"now: {now}"); lines.Add($"SessionId: {sessionId}"); lines.Add($"token: {token}"); lines.Add($"useragent: {userAgent}"); lines.Add($"ipAddressString: {clientIpAddress}"); lines.Add($"sessionType: {sessionType}"); lines.Add($"--------------------------------------------------------------------------------------------------------------------------------------------------------------"); AffinityConfiguration.Messages.Add(string.Join("<br />", lines)); // TODO: Remove for production. if (AffinityConfiguration.DeploymentLocation == DeploymentLocation.BtsSaleem) { now = now.Subtract(TimeSpan.FromHours(2)); } if (sessionDatabase == null) { var guid = Guid.NewGuid(); var rijndaelKey = new byte[GlobalConstants.AlgorithmSymmetricKeySize]; var rijndaelInitializationVector = new byte[GlobalConstants.AlgorithmSymmetricInitializationVectorSize]; var rsaKeyPair = Rsa.GenerateKeyPair(GlobalConstants.AlgorithmAsymmetricKeySize); using (var randomNumberGenerator = RandomNumberGenerator.Create()) { randomNumberGenerator.GetBytes(rijndaelKey); randomNumberGenerator.GetBytes(rijndaelInitializationVector); } do { guid = Guid.NewGuid(); } while (context.Sessions.Any(s => s.Guid == guid)); sessionDatabase = new Session(); sessionDatabase.Guid = guid; sessionDatabase.CultureName = "en"; sessionDatabase.Token = token; sessionDatabase.SessionId = sessionId; sessionDatabase.SessionType = sessionType; sessionDatabase.UserAgent = userAgent; sessionDatabase.IPAddressString = clientIpAddress; sessionDatabase.DeviceType = DeviceType.Unknown; sessionDatabase.DateTimeCreated = now; sessionDatabase.DateTimeExpiration = sessionDatabase.DateTimeCreated.Add(TimeSpan.FromDays(1)); sessionDatabase.RijndaelKey = Convert.ToBase64String(rijndaelKey); sessionDatabase.RijndaelInitializationVector = Convert.ToBase64String(rijndaelInitializationVector); sessionDatabase.RsaKeyPublic = rsaKeyPair.KeyPublic.KeyToString(); sessionDatabase.RsaKeyPrivate = rsaKeyPair.KeyPrivate.KeyToString(); sessionDatabase.User = userDatabase; sessionDatabase.UserId = userDatabase.Id; sessionDatabase.Tenant = tenantDatabase; sessionDatabase.TenantId = tenantDatabase.Id; context.Sessions.Add(sessionDatabase); context.SaveChanges(); } else { sessionDatabase.DateTimeExpiration = now.Add(TimeSpan.FromDays(1)); context.SaveChanges(); } var sessions = userDatabase.Sessions.Where(s => s.DateTimeExpiration < now.Subtract(TimeSpan.FromDays(30))); foreach (var s in sessions) { context.Sessions.Remove(s); } context.SaveChanges(); sessionDatabase = context.Sessions.AsNoTracking().Single(s => s.Id == sessionDatabase.Id); userDatabase = context.Users.AsNoTracking().Include(p => p.Roles).AsNoTracking().Single(u => u.Id == userDatabase.Id); tenantDatabase = context.Tenants.AsNoTracking().Include(t => t.TenantSubscriptions).Single(t => t.Id == tenantDatabase.Id); userDatabase.PasswordHash = ""; userDatabase.PasswordSalt = ""; sessionDatabase.RijndaelKey = ""; sessionDatabase.RijndaelInitializationVector = ""; sessionDatabase.RsaKeyPrivate = ""; sessionDatabase.RsaKeyPublic = (sessionType == SessionType.Api) ? sessionDatabase.RsaKeyPublic : ""; tenantDatabase.RsaKeyPrivate = ""; tenantDatabase.RsaKeyPublic = (sessionType == SessionType.Api) ? tenantDatabase.RsaKeyPublic : ""; tenantDatabase.StorageAccessKeyPrimary = ""; tenantDatabase.StorageAccessKeySecondary = ""; tenantDatabase.StorageConnectionStringPrimary = (sessionType == SessionType.Mvc) ? tenantDatabase.StorageConnectionStringPrimary : ""; tenantDatabase.StorageConnectionStringSecondary = (sessionType == SessionType.Mvc) ? tenantDatabase.StorageConnectionStringSecondary : ""; if (sessionType == SessionType.Api) { foreach (var ts in tenantDatabase.TenantSubscriptions) { ts.Tenant = null; } foreach (var r in userDatabase.Roles) { r.Users.Clear(); r.UserRoles.Clear(); } } // The out parameter [tenantUserSession] should not be assigned until // the objects passed to its constructor are fully populated and scrubbed. tenantUserSession = new TenantUserSession(tenantDatabase, userDatabase, sessionDatabase); result = true; } } catch (Exception e) { exception = e; } return(result); }