internal static string LoginImp(string userName, string password)
{
SetupImp();
if (System.Web.HttpContext.Current != null)
{
Securable s = new Securable(typeof(ApplicationExceptionSecureService).FullName);
IPRegistered ipr = new IPRegistered(System.Web.HttpContext.Current.Request.UserHostAddress);
ipr = AddIPImp(s);
// ipr.SessionsCreated = ipr.SessionsCreated + 1;
// ipr.Update();
// IPSessionRegistration
CheckIPImp(s, ipr);
}
ModelSession ms = new ModelSession(GenerateSessionTokenImp());
CreateSessionImp(ref ms, userName, password);
return ms.SessionToken;
}
internal static void RegisterIPFailureImp(Securable s, IPRegistered ipr)
{
ipr.Failures = ipr.Failures + 1;
if (ipr.Failures >= s.AllowedIPFailures)
{
ipr.Allowed = false;
ipr.DenialIssuedUntilTime = DateTime.Now.AddMinutes(s.IPFailureTimeDenying);
}
ipr.Update();
}
internal static string LoginAnonymousImp()
{
SetupImp();
Securable s = new Securable(typeof(ApplicationExceptionSecureService).FullName);
if (!s.AllowAnonymousAccess)
return null;
if (System.Web.HttpContext.Current != null)
{
IPRegistered ipr = new IPRegistered(System.Web.HttpContext.Current.Request.UserHostAddress);
ipr = AddIPImp(s);
// ipr.SessionsCreated = ipr.SessionsCreated + 1;
// ipr.Update();
// IPSessionRegistration
CheckIPImp(s, ipr);
}
ModelSession ms = new ModelSession(GenerateSessionTokenImp());
ms.User = new ModelUser("Everyone");
ms.TimeIssued = DateTime.Now;
ms.TimeIssuedFor = s.TimeSessionIsIssued;
ms.Create();
return ms.SessionToken;
}
internal static void CreateSessionImp(ref ModelSession ms, string userName, string password)
{
if (userName.ToLowerInvariant() == "everyone")
throw new InvalidOperationException("Wrong API call for anonymous access.");
Securable s = new Securable(typeof(ApplicationExceptionSecureService).FullName);
ModelUser mu = new ModelUser(userName);
if (!mu.Exists)
{
if (System.Web.HttpContext.Current != null)
{
IPRegistered ipr = new IPRegistered(System.Web.HttpContext.Current.Request.UserHostAddress);
RegisterIPFailureImp(s, ipr);
}
throw new UnauthorizedAccessException("Access Denied");
}
if (!Platform.Runtime.Security.Hash.VerifyHash(password, "SHA512", mu.PasswordHash))
{
if (System.Web.HttpContext.Current != null)
{
IPRegistered ipr = new IPRegistered(System.Web.HttpContext.Current.Request.UserHostAddress);
RegisterIPFailureImp(s, ipr);
}
throw new UnauthorizedAccessException("Access Denied");
}
if (!mu.Enabled && !ApplicationExceptionSecureService.CheckUserRightsImp(userName, "CannotBeDisabled"))
{
if (System.Web.HttpContext.Current != null)
{
IPRegistered ipr = new IPRegistered(System.Web.HttpContext.Current.Request.UserHostAddress);
RegisterIPFailureImp(s, ipr);
}
throw new UnauthorizedAccessException("Access Denied"); // LoginDisabledException
}
ms.User = mu;
ms.TimeIssued = DateTime.Now;
ms.TimeIssuedFor = s.TimeSessionIsIssued;
ms.Create();
}
internal static ModelSession CheckSessionImp(string sessionToken)
{
// Mark IP first
Securable s = null;
IPRegistered ipr = null;
if (System.Web.HttpContext.Current != null)
{
s = new Securable(typeof(ApplicationExceptionSecureService).FullName);
ipr = new IPRegistered(System.Web.HttpContext.Current.Request.UserHostAddress);
CheckIPImp(s, ipr);
}
else
{
// What other unique data can be gathered?
}
if (String.IsNullOrEmpty(sessionToken))
{
// Invalid data is a security error
if (s != null)
RegisterIPFailureImp(s, ipr);
throw new UnauthorizedAccessException("The session is invalid");
}
// Check the consistency of the session
ModelSession session = new ModelSession(sessionToken.ToLowerInvariant());
if (!session.Exists)
{
if (s != null)
RegisterIPFailureImp(s, ipr);
throw new UnauthorizedAccessException("The session is invalid");
}
if (session.User == null)
{
if (s != null)
RegisterIPFailureImp(s, ipr);
session.Delete();
throw new UnauthorizedAccessException("The session is invalid");
}
DateTime until = session.TimeIssued.AddMinutes(session.TimeIssuedFor);
if (until < DateTime.Now)
{
session.Delete();
throw new UnauthorizedAccessException("Your session has expired");
}
return session;
}
internal static void CheckIPImp(Securable s, IPRegistered ipr)
{
if (!ipr.Exists)
{
throw new UnauthorizedAccessException("IP has not been authenticated in any way");
}
if (!ipr.Allowed && ipr.DenialIssuedUntilTime >= DateTime.Now)
{
throw new UnauthorizedAccessException("IP has been blocked until " + ipr.DenialIssuedUntilTime.ToString() + " (Server time)");
}
else if (!ipr.Allowed)
{
ipr.Allowed = true;
ipr.Failures = 0;
ipr.Update();
}
else
{
ipr.DenialIssuedUntilTime = DateTime.Now;
ipr.Update();
}
// Very expensive
/*if (!ipr.SessionsRegisteredOnIP.Count >= s.SessionsPerIPAllowed)
{
// Check how many are valid (also clean up the expired ones)
throw new UnauthorizedAccessException("Too many sessions");
}*/
}
internal static IPRegistered AddIPImp(Securable s)
{
IPRegistered ipr = null;
if (System.Web.HttpContext.Current != null)
{
ipr = new IPRegistered(System.Web.HttpContext.Current.Request.UserHostAddress);
if (!ipr.Exists)
{
if (!s.IPsMustBePreregistered)
{
ipr.Allowed = true;
ipr.DenialIssuedUntilTime = DateTime.Now;
ipr.Create();
}
else
throw new UnauthorizedAccessException("Your IP is not registered in our allowed range");
}
else
{
CheckIPImp(s, ipr);
}
}
return ipr;
}
