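/// <summary>
/// Strong authentication process.
/// The client must provide: sha1(sha1(real_password + salt) + token).
/// In this way, the information stored in the database (sha1(real_password + salt))
/// is never sent on the wire.
/// </summary>
/// <param name="username">username (matched exactly; no LIKE wildcards are honoured)</param>
/// <param name="password">sha1(sha1(real_password + salt) + token)</param>
/// <param name="token">token</param>
/// <returns>The User object if the authentication succeeds, null if it does not.</returns>
public User getUser(string username, string password, string token)
{
    // A missing username or proof can never match a stored hash: fail closed
    // without touching the database.
    if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password) || token == null)
    {
        return null;
    }

    MySqlCommand cmd = new MySqlCommand();
    cmd.Connection = this.connection;
    // '=' rather than LIKE: with LIKE a username such as "%" or "_" is a wildcard
    // pattern and would select an arbitrary row instead of exactly one account.
    cmd.CommandText = "SELECT sha1(concat(password, @token)) as hashed, rootDirectory FROM users WHERE username = @username";
    // Parameters are attached before Prepare so the prepared statement knows its
    // parameter set (the DbCommand.Prepare contract).
    cmd.Parameters.AddWithValue("@username", username);
    cmd.Parameters.AddWithValue("@token", token);
    cmd.Prepare();

    // 'using' releases the reader (and its hold on the connection) even when a
    // cast or comparison below throws; the original only closed it on the happy path.
    using (MySqlDataReader reader = cmd.ExecuteReader())
    {
        if (!reader.Read())
        {
            return null;
        }

        // A NULL stored password yields a NULL hash (DBNull here). Treat that as
        // "no match" instead of letting the cast throw or a null compare equal.
        string hashed = reader["hashed"] as string;
        if (hashed == null)
        {
            return null;
        }

        // Ordinal comparison of the two hex digests. A fixed-time comparison
        // (CryptographicOperations.FixedTimeEquals, where the target framework
        // provides it) would additionally close the timing side channel.
        if (!string.Equals(password, hashed, StringComparison.Ordinal))
        {
            return null;
        }

        User ret = new User();
        ret.rootDirectory = new DirectoryInfo((string)reader["rootDirectory"]);
        ret.username = username;
        return ret;
    }
}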
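/// <summary>
/// Second step of the challenge/response login: checks the client's proof for the
/// token issued in step 1, binds the authenticated user to this session and
/// returns a fresh session token.
/// </summary>
/// <param name="token">The challenge token issued in step 1.</param>
/// <param name="username">username</param>
/// <param name="password">sha1(sha1(real_password + salt) + token), as computed by the client.</param>
/// <returns>A newly generated session token.</returns>
/// <exception cref="FaultException{ServiceErrorMessage}">
/// Thrown with AUTHENTICATIONFAILED when the credentials are rejected; the underlying
/// cause is logged server-side only and never returned to the caller.
/// </exception>
public string authStep2(string token, string username, string password)
{
    User u;
    try
    {
        u = User.authUser(username, password, token);
    }
    catch (Exception e)
    {
        // Log the real cause locally; the client only ever sees a generic failure,
        // so nothing about the account or the database layer is disclosed.
        Console.WriteLine(e.Message + " " + e.GetType());
        throw new FaultException<ServiceErrorMessage>(new ServiceErrorMessage(ServiceErrorMessage.AUTHENTICATIONFAILED));
    }

    // authUser may report a failed login by returning null instead of throwing
    // (the database lookup in this file does exactly that). Without this guard a
    // null user would be bound to the session and a valid session token handed
    // to an unauthenticated caller.
    if (u == null)
    {
        throw new FaultException<ServiceErrorMessage>(new ServiceErrorMessage(ServiceErrorMessage.AUTHENTICATIONFAILED));
    }

    user = u;
    // The step-1 challenge token is superseded by a fresh session token; the
    // parameter slot is reused to carry the return value.
    token = GetUniqueKey(20);
    initializeUser();
    return token;
}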