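        /// <summary>
        /// Second step of sign-in: verifies the one-time password the user entered against the
        /// authenticator secret stored for the user whose id the first step placed in
        /// <c>Session["UserId"]</c>, and optionally records this browser/IP as a remembered
        /// "safe computer" before sending the user to the dashboard.
        /// </summary>
        /// <param name="model">Posted OTP form: <c>Otp</c> is the code to verify, <c>MarkAsSafe</c> asks to remember this computer.</param>
        /// <returns>
        /// The OTP view again when the model is invalid or the code does not verify; an HTTP 401 when
        /// no user id is held in session; otherwise the result of <c>GoToDashboard</c>.
        /// </returns>
        public ActionResult Authenticator(OtpModel model)
        {
            // Delivery channels the view should offer. Each setting is stored as the string "True"/"False".
            ViewBag.IsOtpBySmsEnabled   = _configurationSettingRepository.GetConfigurationValue(ConfigurationSettingName.OtpNotificationMediumSms) == "True";
            ViewBag.IsOtpByEmailEnabled = _configurationSettingRepository.GetConfigurationValue(ConfigurationSettingName.OtpNotificationMediumEmail) == "True";
            ViewBag.IsOtpByAppEnabled   = _configurationSettingRepository.GetConfigurationValue(ConfigurationSettingName.OtpByGoogleAuthenticator) == "True";

            model.IsAllowSafeComputerEnabled = _configurationSettingRepository.GetConfigurationValue(ConfigurationSettingName.AllowSafeComputerRemember) == "True";
            if (!ModelState.IsValid)
            {
                return View(model);
            }

            // The first step stores the user id in session. If the session has expired or this action was
            // reached directly, refuse instead of throwing: null cannot be unboxed to long.
            var userId = Session["UserId"] as long?;
            if (!userId.HasValue)
            {
                return new HttpUnauthorizedResult();
            }

            var loginSettings = _loginSettingRepository.Get(userId.Value);

            // A user with no stored authenticator secret cannot verify; treat that as a failed code rather
            // than dereferencing a missing settings record.
            // NOTE(review): the third argument (50) is forwarded to the OTP library unchanged. If it is the number
            // of adjacent time steps tolerated on either side of "now", that is a very wide window for a 30-second
            // TOTP and enlarges the guess/replay surface — confirm its meaning against the library and keep it small.
            // NOTE(review): nothing in this action limits repeated code submissions; confirm an attempt counter or
            // lockout is enforced elsewhere, since a short numeric code is guessable without one.
            var isValid = loginSettings != null
                          && !string.IsNullOrEmpty(loginSettings.GoogleAuthenticatorSecretKey)
                          && TimeBasedOneTimePassword.IsValid(loginSettings.GoogleAuthenticatorSecretKey, model.Otp, 50);

            if (!isValid)
            {
                model.IsOtpVerified   = false;
                model.FeedbackMessage = FeedbackMessageModel.CreateFailureMessage("The OTP entered is wrong. Please try again.");
                return View(model);
            }

            if (model.MarkAsSafe)
            {
                // Both timestamps come from one reading so a new record never has DateModified < DateCreated.
                // NOTE(review): UserHostAddress is the immediate peer; behind a proxy or load balancer it is the
                // proxy's address, which weakens the "same computer" check — confirm the deployment.
                var now          = DateTime.Now;
                var safeComputer = new SafeComputerHistory()
                {
                    BrowserType  = Request.Browser.Browser + " " + Request.Browser.Version,
                    ComputerIp   = Request.UserHostAddress,
                    DateCreated  = now,
                    DateModified = now,
                    IsActive     = true,
                    UserLoginId  = userId.Value
                };
                _safeComputerHistoryService.Save(safeComputer);
            }

            return GoToDashboard(userId.Value);
        }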
        //
        // POST: /Account/LogOn

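        /// <summary>
        /// Worker for the asynchronous LogOn action: validates the user name/password and then the
        /// two-factor code, and hands the outcome to the completion method through
        /// <c>AsyncManager.Parameters</c> ("returnUrl" for a vetted site-local redirect, otherwise
        /// "action"/"controller" = Index/Home; "model" is always set so the form can be redisplayed).
        /// Failures are reported as ModelState errors. The outstanding-operation count is always
        /// decremented, even if validation throws, so the async action cannot hang.
        /// </summary>
        /// <param name="model">Posted credentials plus the two-factor code.</param>
        /// <param name="returnUrl">Optional post-login destination; only a vetted site-local path is honoured.</param>
        private void DoLogOn(LogOnModel model, string returnUrl)
        {
            try
            {
                if (ModelState.IsValid)
                {
                    if (Membership.ValidateUser(model.UserName, model.Password))
                    {
                        var profile = TwoFactorProfile.GetByUserName(model.UserName);

                        // "No secret enrolled" and "wrong code" produce the same error, so the response does
                        // not reveal whether two-factor is set up for the account.
                        if (profile != null && !string.IsNullOrEmpty(profile.TwoFactorSecret))
                        {
                            // Prevent the user from attempting to brute force the two factor secret.
                            // Without this, an attacker, if they know your password already, could try to brute
                            // force the two factor code. They only need to try 1,000,000 distinct codes in 3 minutes.
                            // This throttles them down to a managable level.
                            // NOTE(review): the delay only slows one sequential caller and occupies the worker thread
                            // for 5 s; it does not bound concurrent attempts. A persisted attempt counter with lockout
                            // is the stronger control.
                            if (profile.LastLoginAttemptUtc.HasValue && profile.LastLoginAttemptUtc > DateTime.UtcNow - TimeSpan.FromSeconds(1))
                            {
                                System.Threading.Thread.Sleep(5000);
                            }

                            // NOTE(review): no save call is visible here; confirm TwoFactorProfile persists this
                            // assignment, otherwise the throttle above never engages.
                            profile.LastLoginAttemptUtc = DateTime.UtcNow;

                            if (TimeBasedOneTimePassword.IsValid(profile.TwoFactorSecret, model.TwoFactorCode))
                            {
                                // Open-redirect guard on top of Url.IsLocalUrl: require a rooted path that is not
                                // protocol-relative ("//" or "/\"). The prefix checks are ordinal so culture rules
                                // cannot change what counts as a match.
                                if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1
                                    && returnUrl.StartsWith("/", StringComparison.Ordinal)
                                    && !returnUrl.StartsWith("//", StringComparison.Ordinal)
                                    && !returnUrl.StartsWith("/\\", StringComparison.Ordinal))
                                {
                                    AsyncManager.Parameters["returnUrl"] = returnUrl;
                                }
                                else
                                {
                                    AsyncManager.Parameters["action"]     = "Index";
                                    AsyncManager.Parameters["controller"] = "Home";
                                }
                            }
                            else
                            {
                                ModelState.AddModelError("", "The two factor code is incorrect.");
                            }
                        }
                        else
                        {
                            ModelState.AddModelError("", "The two factor code is incorrect.");
                        }
                    }
                    else
                    {
                        ModelState.AddModelError("", "The user name or password provided is incorrect.");
                    }
                }

                // Always passed back so the completion method can redisplay the form with errors.
                AsyncManager.Parameters["model"] = model;
            }
            finally
            {
                // Signal completion unconditionally; a missed decrement would leave the async request waiting.
                AsyncManager.OutstandingOperations.Decrement();
            }
        }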
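        /// <summary>
        /// Synchronous LogOn POST: validates user name/password, then the two-factor code, then signs the
        /// user in with a forms-authentication cookie and redirects to a vetted site-local
        /// <paramref name="returnUrl"/> (or Home/Index). Any failure adds a ModelState error and
        /// redisplays the form with the posted model.
        /// </summary>
        /// <param name="model">Posted credentials plus the two-factor code.</param>
        /// <param name="returnUrl">Optional post-login destination; only a vetted site-local path is honoured.</param>
        /// <returns>A redirect on success; otherwise the log-on view with <paramref name="model"/> and its errors.</returns>
        public ActionResult LogOn(LogOnModel model, string returnUrl)
        {
            if (ModelState.IsValid)
            {
                if (Membership.ValidateUser(model.UserName, model.Password))
                {
                    var profile = TwoFactorProfile.GetByUserName(model.UserName);

                    // "No secret enrolled" and "wrong code" produce the same error, so the response does not
                    // reveal whether two-factor is set up for the account.
                    if (profile != null && !string.IsNullOrEmpty(profile.TwoFactorSecret))
                    {
                        // Throttle repeated code guesses by someone who already holds the password, the same way
                        // the asynchronous DoLogOn path does: a second attempt within one second waits five seconds.
                        // NOTE(review): this slows one sequential caller only; a persisted attempt counter with lockout
                        // is the stronger control. Confirm TwoFactorProfile persists LastLoginAttemptUtc, or the
                        // throttle never engages.
                        if (profile.LastLoginAttemptUtc.HasValue && profile.LastLoginAttemptUtc > DateTime.UtcNow - TimeSpan.FromSeconds(1))
                        {
                            System.Threading.Thread.Sleep(5000);
                        }

                        profile.LastLoginAttemptUtc = DateTime.UtcNow;

                        if (TimeBasedOneTimePassword.IsValid(profile.TwoFactorSecret, model.TwoFactorCode))
                        {
                            // Both factors verified: issue the session cookie before redirecting.
                            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

                            // Open-redirect guard on top of Url.IsLocalUrl: require a rooted path that is not
                            // protocol-relative ("//" or "/\"). The prefix checks are ordinal so culture rules
                            // cannot change what counts as a match.
                            if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1
                                && returnUrl.StartsWith("/", StringComparison.Ordinal)
                                && !returnUrl.StartsWith("//", StringComparison.Ordinal)
                                && !returnUrl.StartsWith("/\\", StringComparison.Ordinal))
                            {
                                return Redirect(returnUrl);
                            }

                            return RedirectToAction("Index", "Home");
                        }

                        ModelState.AddModelError("", "The two factor code is incorrect.");
                    }
                    else
                    {
                        ModelState.AddModelError("", "The two factor code is incorrect.");
                    }
                }
                else
                {
                    ModelState.AddModelError("", "The user name or password provided is incorrect.");
                }
            }

            // If we got this far, something failed, redisplay form
            return View(model);
        } // end LogOn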
        /// <summary>
        /// Console smoke test for the OTP library: prints HOTP values for counters 0-9, 8-digit TOTP values
        /// for a fixed list of Unix timestamps (30 s step), the Base32 form of a demo secret, and then
        /// checks one code entered on the console. The secrets are demo values, not real credentials.
        /// </summary>
        static void Main(string[] args)
        {
            // HOTP for counters 0..9 with the 20-byte ASCII secret used by the RFC 4226 test vectors.
            for (int i = 0; i < 10; i++)
            {
                Console.WriteLine(HashedOneTimePassword.GeneratePassword("12345678901234567890", i));
            }

            // These are the RFC 6238 Appendix B test times, so the printed 8-digit values can be checked
            // against the published SHA-1 reference vectors.
            long[] seconds = new long[] { 59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000 };

            foreach (var second in seconds)
            {
                Console.WriteLine(TimeBasedOneTimePassword.GetPassword("12345678901234567890", TimeBasedOneTimePassword.UNIX_EPOCH + TimeSpan.FromSeconds(second), TimeBasedOneTimePassword.UNIX_EPOCH, 30, 8));
            }

            // Base32 is the form authenticator apps expect when a secret is entered by hand or via QR code.
            Base32Encoder enc = new Base32Encoder();

            string secret = enc.Encode(Encoding.ASCII.GetBytes("1234567890"));

            Console.WriteLine(secret);

            // NOTE(review): this line is mangled in the listing (a span was redacted as "******"). From the trailing
            // `"1234567890", password))` it appears to prompt, read a code from the console and pass it to
            // TimeBasedOneTimePassword.IsValid — restore it from the upstream source before compiling.
            Console.WriteLine("Enter your password: "******"1234567890", password))
            {
                Console.WriteLine("Success!");
            }
            else
            {
                Console.WriteLine("ERROR!");
            }

            return;

            // Unreachable: the return above exits first. Presumably a leftover manual check that prints a fresh
            // code every 10 s; remove it or move it above the return.
            while (true)
            {
                Console.WriteLine(TimeBasedOneTimePassword.GetPassword("1234567890"));
                System.Threading.Thread.Sleep(TimeSpan.FromSeconds(10));
            }
        }
        /// <summary>
        /// Checks the supplied Username/Password against the users table and, when the two-factor plugin
        /// applies to the account, the supplied TwoFactorCode against the stored secret. On success issues
        /// the login cookie and sets Done; a wrong code sets ErrorCode; a database failure sets Error.
        /// </summary>
        public void Login()
        {
            // Run model through sql injection prevention
            // NOTE(review): the query below is parameterised, so escaping the value as well is redundant and, if
            // SafeSqlLiteral rewrites characters (e.g. doubles quotes), both the lookup value and the name written
            // into the cookie stop matching the user name as stored — confirm what it does to the input.
            var username      = SqlInjection.SafeSqlLiteral(StringManipulation.ToLowerFast(Username));
            var savedPassword = String.Empty;
            var savedSalt     = String.Empty;
            var savedId       = String.Empty;
            var code          = String.Empty;

            // MySql query
            // NOTE(review): the placeholder is positional ("?") while the parameter is added by name ("Username");
            // whether that binds depends on the Connector/NET version in use — confirm against the driver.
            const string result = "SELECT Id, Password, Salt, Owner, Secret, Tfa " +
                                  "FROM users " +
                                  "WHERE Username = ?";

            using (var empConnection = DatabaseConnection.DatabaseConnect())
            {
                using (var showResult = new MySqlCommand(result, empConnection))
                {
                    // Bind parameters
                    showResult.Parameters.Add("Username", MySqlDbType.VarChar).Value = username;

                    try
                    {
                        DatabaseConnection.DatabaseOpen(empConnection);
                        // Execute command
                        using (var myDataReader = showResult.ExecuteReader(CommandBehavior.CloseConnection))
                        {
                            // If several rows match, the last one wins; a unique index on Username is assumed.
                            while (myDataReader.Read())
                            {
                                // NOTE(review): GetString throws on a NULL column. If Secret (or Salt) can be NULL for
                                // accounts without two-factor, that exception is not a MySqlException and escapes the
                                // catch below — confirm the schema or read the column with IsDBNull first.
                                savedId          = myDataReader.GetValue(0).ToString();
                                savedPassword    = myDataReader.GetString(1);
                                savedSalt        = myDataReader.GetString(2);
                                Owner            = Convert.ToInt16(myDataReader.GetValue(3));
                                code             = myDataReader.GetString(4);
                                TwoFactorEnabled = Convert.ToInt16(myDataReader.GetValue(5));
                            }
                        }

                        // Hash the password and check if the hash is the same as the saved password
                        // NOTE(review): when no row matched, savedPassword/savedSalt are still empty strings and the
                        // check runs against them; whether unknown-user and wrong-password cases are then
                        // indistinguishable (result and timing) depends on Crypt.ValidatePassword — confirm it fails
                        // closed and does comparable work for empty inputs.
                        if (Crypt.ValidatePassword(Password, savedPassword, savedSalt))
                        {
                            // NOTE(review): TwoFactorEnabled == 0 is the value that requires a code here, which reads
                            // inverted for a flag named "Enabled" — confirm the meaning of the Tfa column.
                            if (TwoFactorEnabled == 0 && PluginModel.PluginStatus("1"))
                            {
                                if (TimeBasedOneTimePassword.IsValid(code, TwoFactorCode))
                                {
                                    Cookies.MakeCookie(username, savedId, Owner.ToString(CultureInfo.InvariantCulture));
                                    Done = true;
                                }
                                else
                                {
                                    // Wrong or missing code: no cookie is issued.
                                    ErrorCode = true;
                                }
                            }
                            else
                            {
                                // Two-factor not required for this account: password alone completes login.
                                Cookies.MakeCookie(username, savedId, Owner.ToString(CultureInfo.InvariantCulture));
                                Done = true;
                            }
                        }
                    }
                    catch (MySqlException)
                    {
                        // MySqlException bail out
                        Error = true;
                    }
                    finally
                    {
                        // Always close the connection
                        DatabaseConnection.DatabaseClose(empConnection);
                    }
                }
            }
            // NOTE(review): this runs unconditionally, so Error is set even after a successful login (Done == true)
            // and after a wrong code (ErrorCode == true); if callers check Error first, every login reports a
            // failure. Presumably meant as the "no match" fall-through — confirm and guard on Done/ErrorCode.
            Error = true;
        }