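/// <summary>
/// Builds a <c>UsernamePasswordPair</c> from two tab-separated lines, taking the second
/// tab-delimited field of each line as the value.
/// </summary>
/// <param name="usernameLine">Line whose second tab-separated field is the username; may be null.</param>
/// <param name="passwordLine">Line whose second tab-separated field is the password; may be null.</param>
/// <returns>
/// A pair whose <c>HasValue</c> is true only when both fields are present and non-empty.
/// A null line, or a line with no tab in it, yields a null field rather than an exception.
/// </returns>
public static UsernamePasswordPair Create(string usernameLine, string passwordLine)
    {
        UsernamePasswordPair pair = new UsernamePasswordPair();

        // Split() on a line without a tab returns a single element, so index 1 must be
        // guarded; a missing field simply leaves HasValue false.
        string[] userFields = usernameLine?.Split('\t');
        string[] passFields = passwordLine?.Split('\t');

        pair.Username = userFields != null && userFields.Length > 1 ? userFields[1] : null;
        pair.Password = passFields != null && passFields.Length > 1 ? passFields[1] : null;
        pair.HasValue = !string.IsNullOrEmpty(pair.Username) &&
                        !string.IsNullOrEmpty(pair.Password);
        return pair;
    }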
        /// <summary>
        /// Login endpoint: passes the posted credentials to <c>AuthenticationService</c> and
        /// returns the matching user, or 401 when no user matched.
        /// </summary>
        /// <param name="auth">Credentials bound from the JSON request body.</param>
        /// <returns>200 with the authenticated user when its Id is non-zero, otherwise 401.</returns>
        public ActionResult Post([FromBody] UsernamePasswordPair auth)
        {
            // NOTE(review): Authenticate is assumed to hand back a user with Id == 0 on a
            // failed login rather than null — confirm against AuthenticationService.
            User user = new AuthenticationService().Authenticate(auth);

            if (user.Id == 0)
            {
                return Unauthorized();
            }

            // NOTE(review): the whole User object is serialized to the client; confirm it
            // carries no credential material (hash, salt) before relying on this.
            return Ok(user);
        }
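        /// <summary>
        /// Handles a login request on <paramref name="con"/>: reads a JSON
        /// <c>UsernamePasswordPair</c> from the body, checks it against the <c>user</c> table
        /// and, on success, opens a session whose token is returned in the <c>sToken</c> cookie.
        /// </summary>
        /// <param name="con">Listener context; its response status, content type and cookies are set here.</param>
        /// <param name="message">Response body: <c>Ok</c> on success, a JSON error object otherwise.</param>
        private void AuthenticateUser(HttpListenerContext con, out byte[] message)
        {
            // Two fields of at most 128 chars plus JSON framing fit easily in this; a larger
            // body is not a login and is refused before it is buffered in full.
            const int maxLoginBodyBytes = 4096;

            string data;
            if (!TryReadRequestBody(con.Request, maxLoginBodyBytes, out data))
            {
                con.Response.StatusCode  = (int)HttpStatusCode.RequestEntityTooLarge;
                con.Response.ContentType = "application/json";
                message = System.Text.Encoding.UTF8.GetBytes("{\"error\":\"Request too large\"}");
                return;
            }

            UsernamePasswordPair uandp;
            if (!TryParseLogin(data, out uandp))
            {
                // Malformed JSON and an empty/null payload are both client errors and must not
                // fall through into validation with an empty pair.
                con.Response.StatusCode  = (int)HttpStatusCode.BadRequest;
                con.Response.ContentType = "application/json";
                message = System.Text.Encoding.UTF8.GetBytes("{\"error\":\"Invalid JSON\"}");
                return;
            }

            // Out-of-policy lengths are rejected without touching the database.
            uint uid = 0;
            bool validationOK = LoginFieldsAreSane(uandp) && CredentialsMatch(uandp, out uid);

            // Pause on every verdict, not only on success: a delay that follows only a correct
            // guess slows nobody who is guessing and marks the correct guess by its latency.
            Thread.Sleep(System.Security.Cryptography.RandomNumberGenerator.GetInt32(0, 250));

            if (!validationOK)
            {
                con.Response.StatusCode  = (int)HttpStatusCode.Unauthorized;
                con.Response.ContentType = "application/json";
                message = System.Text.Encoding.UTF8.GetBytes("{\"error\":\"Wrong Username/Password\"}");
                return;
            }

            OpenSession(con, uid);
            con.Response.StatusCode  = (int)HttpStatusCode.OK;
            con.Response.ContentType = "text/plain";
            message = System.Text.Encoding.UTF8.GetBytes("Ok");
        }

        /// <summary>
        /// Reads the whole request body as UTF-8 text, refusing anything over <paramref name="maxBytes"/>.
        /// </summary>
        /// <param name="request">Request whose input stream is consumed and closed.</param>
        /// <param name="maxBytes">Upper bound on accepted body size in bytes.</param>
        /// <param name="body">Decoded body on success; null when the body was too large.</param>
        /// <returns>True when the body was read within the limit.</returns>
        private static bool TryReadRequestBody(HttpListenerRequest request, int maxBytes, out string body)
        {
            body = null;

            // ContentLength64 is -1 when the client sent no Content-Length; the loop below
            // still enforces the cap in that case.
            if (request.ContentLength64 > maxBytes)
            {
                return false;
            }

            using (System.IO.Stream input = request.InputStream)
            using (System.IO.MemoryStream buffer = new System.IO.MemoryStream())
            {
                byte[] chunk = new byte[1024];
                int read;
                while ((read = input.Read(chunk, 0, chunk.Length)) > 0)
                {
                    if (buffer.Length + read > maxBytes)
                    {
                        return false;
                    }
                    buffer.Write(chunk, 0, read);
                }

                // Decode as UTF-8 so non-ASCII usernames arrive intact (a byte-to-char cast
                // would mangle them and the lookup below would never match).
                body = System.Text.Encoding.UTF8.GetString(buffer.ToArray());
            }
            return true;
        }

        /// <summary>
        /// Deserializes the login payload.
        /// </summary>
        /// <param name="data">Raw request body.</param>
        /// <param name="uandp">Parsed pair, or the type's default when parsing failed.</param>
        /// <returns>False on a JSON error or when the payload produced no value.</returns>
        private static bool TryParseLogin(string data, out UsernamePasswordPair uandp)
        {
            try
            {
                uandp = JsonConvert.DeserializeObject<UsernamePasswordPair>(data);
            }
            catch (JsonException)
            {
                uandp = default(UsernamePasswordPair);
                return false;
            }

            // object.Equals is null-safe, so this holds whether the pair is a class or a struct.
            return !object.Equals(uandp, default(UsernamePasswordPair));
        }

        /// <summary>
        /// Applies the length policy: both fields present, longer than 4 and at most 128 chars.
        /// </summary>
        private static bool LoginFieldsAreSane(UsernamePasswordPair uandp)
        {
            // Either field may be absent from the JSON; a null must not reach .Length.
            return uandp.username != null && uandp.password != null
                && uandp.username.Length > 4 && uandp.username.Length <= 128
                && uandp.password.Length > 4 && uandp.password.Length <= 128;
        }

        /// <summary>
        /// Looks the username up and verifies the password against the stored salted hash.
        /// </summary>
        /// <param name="uandp">Credentials that already passed <see cref="LoginFieldsAreSane"/>.</param>
        /// <param name="uid">The user's id on success, 0 otherwise.</param>
        /// <returns>True only when the username exists and the password verifies.</returns>
        private bool CredentialsMatch(UsernamePasswordPair uandp, out uint uid)
        {
            uid = 0;
            using (DbDataReader reader = DBHelper.ExecuteReader(
                "SELECT id,password FROM user WHERE username = @username",
                new Dictionary<string, object> { { "@username", uandp.username } },
                true))
            {
                if (!reader.HasRows)
                {
                    // NOTE(review): no hash is computed for an unknown username, so this path is
                    // faster than a wrong password; the random pause in the caller only blurs it.
                    return false;
                }

                reader.Read();
                if (reader.IsDBNull(1))
                {
                    return false;
                }

                // The stored value is assumed to be a 64-char salt followed by the hash, which is
                // what HashPassword(password, salt) is compared against in full — TODO confirm.
                string passsalt = (string)reader.GetValue(1);
                if (passsalt.Length < 64)
                {
                    return false;
                }

                string checkhash = HashPassword(uandp.password, passsalt.Substring(0, 64));
                byte[] expected  = System.Text.Encoding.UTF8.GetBytes(passsalt);
                byte[] actual    = System.Text.Encoding.UTF8.GetBytes(checkhash ?? "");

                // Constant-time comparison: an ordinary string != returns on the first differing
                // byte and leaks how much of the hash matched.
                if (!System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(expected, actual))
                {
                    return false;
                }

                uid = (uint)reader.GetInt32(0);
                return true;
            }
        }

        /// <summary>
        /// Registers a new session for <paramref name="uid"/>, sets the <c>sToken</c> cookie on the
        /// response and records the login in <c>accesslog</c>.
        /// </summary>
        private void OpenSession(HttpListenerContext con, uint uid)
        {
            SessionObject session = new SessionObject();
            session.agent     = con.Request.UserAgent;
            session.host      = con.Request.RemoteEndPoint.Address.ToString();
            session.timestamp = Util.GetEpoch();
            session.token     = GenerateToken();
            session.uid       = uid;

            // NOTE(review): no locking is visible around this map although listener callbacks
            // can run concurrently — confirm currentSessions is a thread-safe collection.
            currentSessions.Add(session.token, session);

            Cookie cookie = new Cookie("sToken", session.token);
            cookie.HttpOnly = true;                           // keep the session token away from page script
            cookie.Secure   = con.Request.IsSecureConnection; // mark Secure only when this request came over TLS
            con.Response.Cookies.Add(cookie);

            DBHelper.ExecuteQuery("INSERT INTO accesslog VALUES(now(),@uid,@host)",
                                  new Dictionary<string, object> {
                                      { "@uid", uid },
                                      { "@host", session.host }
                                  });
        }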