/// <summary>
/// Strong authentication process.
/// The cient must provide: sha1(sha1(real_password + salt) + token).
/// In this way, the information stored in the database (sha1(real_password + salt))
/// is never sent on the wire.
/// </summary>
/// <param name="username">username</param>
/// <param name="password">sha1(sha1(real_password + salt) + token)</param>
/// <param name="token">token</param>
/// <returns>The User object is the authentication succededs, null if it does not.</returns>
public User getUser(string username, string password, string token)
{
MySqlCommand cmd = new MySqlCommand();
cmd.Connection = this.connection;
cmd.CommandText = "SELECT sha1(concat(password, @token)) as hashed, rootDirectory FROM users WHERE username like @username";
cmd.Prepare();
cmd.Parameters.AddWithValue("@username", username);
cmd.Parameters.AddWithValue("@token", token);
MySqlDataReader reader = cmd.ExecuteReader();
if (!reader.Read())
{
reader.Close();
return null;
}
User ret = null;
if(password.Equals((string) reader["hashed"])) {
ret = new User();
ret.rootDirectory = new DirectoryInfo((string)reader["rootDirectory"]);
ret.username = username;
}
reader.Close();
return ret;
}
public string authStep2(string token, string username, string password)
{
User u;
try
{
u = User.authUser(username, password, token);
}
catch (Exception e)
{
Console.WriteLine(e.Message + " " + e.GetType());
throw new FaultException<ServiceErrorMessage>(new ServiceErrorMessage(ServiceErrorMessage.AUTHENTICATIONFAILED));
}
user = u;
token = GetUniqueKey(20);
initializeUser();
return token;
}
