Esempio n. 1
0
        public async Task <IActionResult> OnPostAsync()
        {
            // session magic
            byte[] q_bytes;
            HttpContext.Session.TryGetValue("reset_question", out q_bytes);
            int q_id = BitConverter.ToInt32(q_bytes);

            // verify security question
            int u_id = _context.ServiceToken.Where(t => t.URL == AccessURL).FirstOrDefault().UserID;

            if (!_context.SecurityAnswer.Where(a => a.UserID == u_id && a.QuestionID == q_id).FirstOrDefault().Answer.Contains(Answer.ToLower().Replace(" ", "").Replace("\t", "").Replace("\n", "")))
            {
                ViewData["warn"] = "You have answered the security question incorrectly.";
                return(Page());
            }


            // generate salt and password
            Models.Hasher hasher = new Models.Hasher();
            string        Salt   = hasher.GenerateSalt(32);

            this.Password = hasher.HashPassword(this.Password, Salt, 100, 32);

            Models.ServiceToken t_token = _context.ServiceToken.Where(t => t.URL == AccessURL && t.Action == "password" && t.Resolved == false).FirstOrDefault();
            var U = _context.User.Where(u => u.UserID == t_token.UserID).FirstOrDefault();

            U.Salt     = Salt;
            U.Password = Password;

            t_token.Resolved = true;
            t_token.URL      = "";

            await _context.SaveChangesAsync();

            ViewData["message"] = "Password reset successfully. You may now log in.";
            return(Page());
        }
        public async Task <IActionResult> OnPostAsync()
        {
            if (!ModelState.IsValid)
            {
                ViewData["warn"] = "Invalid Username.";
                return(Page());
            }

            if (!string.IsNullOrEmpty(Email))
            {
                if (_context.User.Any(u => u.Email == Email.ToLower()))
                {
                    // get user ID
                    int id = _context.User.Where(u => u.Email == Email).FirstOrDefault().UserID;


                    // remove pending resets
                    foreach (var t in _context.ServiceToken.Where(t => t.UserID == id && t.Action == "password" && t.Resolved == false))
                    {
                        _context.ServiceToken.Remove(t);
                    }


                    // misuse password hasher to make an activation URL
                    Models.Hasher hasher = new Models.Hasher();
                    string        Salt   = hasher.GenerateSalt(8);
                    string        url;
                    do
                    {
                        int i = 0;
                        url = hasher.HashPassword("p" + id + DateTime.UtcNow, "", 10 + i, 8 + (i / 8));
                    } while (_context.ServiceToken.Any(t => t.URL == url));


                    // make reset token
                    Models.ServiceToken newToken;
                    try
                    {
                        newToken = new Models.ServiceToken
                        {
                            UserID     = id,
                            Action     = "password",
                            URL        = url,
                            Creation   = DateTime.UtcNow,
                            Expiration = DateTime.UtcNow.AddHours(12),
                            Resolved   = false
                        };
                    }
                    catch (Exception ex)
                    {
                        ViewData["message"] = "There was an error creating your password reset token.";
                        return(Page());
                    }

                    await _context.ServiceToken.AddAsync(newToken);

                    await _context.SaveChangesAsync();

                    Models.ServiceToken token = _context.ServiceToken.Where(t => t.UserID == id && t.Action == "password" && t.Resolved == false).FirstOrDefault();

                    // TODO: replace with email
                    //return RedirectToPage("./ResetPassword/" + token.URL);
                    ViewData["reset_link"] = "./ResetPassword/" + token.URL;
                    return(Page());
                }
                else
                {
                    ViewData["message"] = "There are no accounts with that email address. "
                                          + "\nIn the future, we will send password resets to you via email.";
                    return(Page());
                }
            }

            return(Page());
        }