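/// <summary>
/// Accepts a user's posted answers to their account security questions and
/// forwards them to the logic layer for verification.
/// </summary>
/// <param name="answers">Posted username plus the list of question/answer pairs.</param>
/// <returns>
/// 400 when the body is missing, fails model validation, or lacks a username or
/// question list; otherwise the <see cref="HttpResponseMessage"/> produced by
/// the logic layer wrapped as an action result.
/// </returns>
public IHttpActionResult SubmitAnswers(AccountPostAnswersDTO answers)
{
    // A missing body would otherwise surface as a NullReferenceException (500)
    // when the fields below are read; report it as a client error instead.
    if (answers == null)
    {
        return BadRequest("Bad Request");
    }

    // Validate() only populates ModelState; the result must be checked explicitly
    // or any data-annotation failures on the DTO are silently ignored.
    Validate(answers);
    if (!ModelState.IsValid)
    {
        return BadRequest(ModelState);
    }

    if (answers.Username == null || answers.SecurityQuestions == null)
    {
        return BadRequest("Bad Request");
    }

    HttpResponseMessage response = _controllerLogic.AnswersSubmission(answers);
    return ResponseMessage(response);
}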
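/// <summary>
/// Verifies posted answers to the security questions stored for a user's account.
/// Each stored question's salt is applied to the submitted answer, the result is
/// compared with the stored hash, and the request is rejected unless every stored
/// question was answered and every submitted answer matches.
/// </summary>
/// <param name="answers">Username plus the submitted question/answer pairs.</param>
/// <returns>
/// 200 OK when all stored questions are answered correctly; 403 Forbidden
/// ("Incorrect Answers") when any answer is wrong, any stored question is
/// unanswered, or the account has no stored questions at all.
/// </returns>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="answers"/> or its <c>SecurityQuestions</c> list is null.
/// </exception>
public HttpResponseMessage AnswersSubmission(AccountPostAnswersDTO answers)
{
    if (answers == null)
    {
        throw new ArgumentNullException(nameof(answers));
    }
    if (answers.SecurityQuestions == null)
    {
        throw new ArgumentNullException(nameof(answers), "SecurityQuestions must not be null");
    }

    // Stored salts and stored (hashed) answers for this account, both keyed by question id.
    var saltSecurityAnswers = _saltSecurityAnswerLogic.GetAllByUsername(answers.Username);
    var securityQuestionsAccounts = _securityQuestionsAccountLogic.GetAllByUsername(answers.Username);

    bool isAllMatched = true;
    int storedQuestionCount = 0;

    // Every question stored for the account must be present in the submission and
    // hash to the stored value. The previous implementation only flipped the flag on
    // a mismatch, so an empty or partial submission (or a question with no salt row)
    // was treated as a pass; tracking "answered" per stored question closes that gap.
    // All questions are checked even after a failure so the response time does not
    // reveal which question was wrong.
    foreach (var securityQuestionsAccount in securityQuestionsAccounts)
    {
        storedQuestionCount++;
        bool questionAnswered = false;

        foreach (var saltSecurityAnswer in saltSecurityAnswers)
        {
            if (securityQuestionsAccount.SecurityQuestionID != saltSecurityAnswer.SecurityQuestionID)
            {
                continue;
            }

            foreach (var securityQuestion in answers.SecurityQuestions)
            {
                if (saltSecurityAnswer.SecurityQuestionID != securityQuestion.Question)
                {
                    continue;
                }

                questionAnswered = true;

                // Hash the submitted answer with the stored salt so it can be compared
                // against the stored hash.
                var hashedNewAnswer = HashService.Instance.HashPasswordWithSalt(
                    saltSecurityAnswer.SaltValue, securityQuestion.Answer, true);

                // NOTE(review): ordinal string comparison is not constant-time; a
                // fixed-time byte comparison would be preferable if available on this runtime.
                if (hashedNewAnswer != securityQuestionsAccount.Answer)
                {
                    isAllMatched = false;
                }
            }
        }

        if (!questionAnswered)
        {
            isAllMatched = false;
        }
    }

    // An account with no stored questions has nothing to verify against; do not
    // treat "no evidence" as success.
    if (storedQuestionCount == 0)
    {
        isAllMatched = false;
    }

    if (!isAllMatched)
    {
        return new HttpResponseMessage
        {
            ReasonPhrase = "Incorrect Answers",
            StatusCode = HttpStatusCode.Forbidden
        };
    }

    return new HttpResponseMessage { StatusCode = HttpStatusCode.OK };
}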