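        /// <summary>
        /// Grants the account named by <see cref="Username"/> view access to note <see cref="NoteID"/>
        /// by inserting a <c>NoteViewers</c> row.
        /// </summary>
        /// <param name="db">Open data context; the new row is committed before returning.</param>
        /// <returns>
        /// A serialized <c>ReturnCode</c>: 404 when the user or the note does not exist, 403 when the
        /// user is already a viewer, 200 on success.
        /// </returns>
        /// <remarks>
        /// NOTE(review): nothing here verifies that the caller owns the note. Any holder of the shared
        /// API key can share any note with any user; ownership must be enforced by the caller, and the
        /// ViewerController.Put path visible in this file does not do so.
        /// </remarks>
        public string AddUser(CSC425Context db)
        {
            // A null/blank name would throw inside Username.ToLower(); report it as "no such user".
            if (string.IsNullOrWhiteSpace(Username))
            {
                return(JsonConvert.SerializeObject(new ReturnCode(404, "Not Found", $"User: {Username} doesn't exist.")));
            }

            // ToLower() stays inside the expression tree so EF translates it to SQL LOWER().
            var user = db.Users.Where(u => u.Username.ToLower().Equals(Username.ToLower())).FirstOrDefault();

            if (user == null)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(404, "Not Found", $"User: {Username} doesn't exist.")));
            }

            // Refuse to create a viewer row for a note that does not exist. Previously this only
            // surfaced (if at all) as a failure inside the un-awaited save.
            if (!db.Notes.Any(n => n.NotesId.Equals(this.NoteID)))
            {
                return(JsonConvert.SerializeObject(new ReturnCode(404, "Not Found", "That note doesn't exist.")));
            }

            var existing = db.NoteViewers.Where(n => n.NoteId.Equals(this.NoteID) && n.UserId.Equals(user.UserId)).FirstOrDefault();

            if (existing != null)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(403, "Forbidden", $"User: {Username} is already allowed to view this note.")));
            }

            db.NoteViewers.Add(new NoteViewers { NoteId = this.NoteID, UserId = user.UserId });

            // Synchronous save: the original fire-and-forget SaveChangesAsync() could report success
            // before (or without) the row being written, and any exception it raised was lost.
            db.SaveChanges();

            return(JsonConvert.SerializeObject(new ReturnCode(200, "OK", $"User: {Username} added successfully.")));
        }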
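        /// <summary>
        /// Replaces the username, e-mail address and password of the account named by
        /// <see cref="CurrentUsername"/>, re-salts the stored password hash, marks the account
        /// unverified, revokes its session and e-mails a fresh verification link to the new address.
        /// </summary>
        /// <param name="db">Open data context; changes are committed before the e-mail is sent.</param>
        /// <param name="IPAddress">Caller's remote address. Unused here; kept for signature compatibility.</param>
        /// <returns>
        /// A serialized <c>SessionIDHolder</c> (with a null session, since the old one is revoked) on
        /// success; otherwise a serialized <c>ReturnCode</c>: 404 unknown account, 400 missing or
        /// malformed new values, 409 when the new name or address belongs to another account.
        /// </returns>
        /// <remarks>
        /// NOTE(review): this method never authenticates the caller as the account owner — no current
        /// password and no session ID are required, only the API key every client shares. As written it
        /// lets any API client take over any account by renaming it and resetting its password; the
        /// controller must verify the caller before reaching this point.
        /// Password hashing is one SHA-256 over pepper+password+salt (Security.SHA256). A slow KDF
        /// (PBKDF2/Argon2) is the recommended replacement, but the scheme is shared with Signup and
        /// AttemptLogin and must be migrated together.
        /// </remarks>
        public string UsernameAndPasswordUpdate(CSC425Context db, String IPAddress)
        {
            if (string.IsNullOrWhiteSpace(CurrentUsername))
            {
                return(JsonConvert.SerializeObject(new ReturnCode(404, "Not Found", "Username is invalid")));
            }

            // Check to make sure a user exists with the given name (ToLower() stays inside the
            // expression so EF translates it to SQL LOWER()).
            var user = db.Users.Where(u => u.Username.ToLower().Equals(CurrentUsername.ToLower())).FirstOrDefault();

            if (user == null)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(404, "Not Found", "Username is invalid")));
            }

            // All three replacement values are mandatory: the original overwrote the row
            // unconditionally, so a missing value produced an account with an empty e-mail
            // address or a hash of the empty password.
            if (string.IsNullOrWhiteSpace(NewUsername) || string.IsNullOrWhiteSpace(NewEmailAddress) || string.IsNullOrEmpty(Password))
            {
                return(JsonConvert.SerializeObject(new ReturnCode(400, "Bad Request", "New username, email address and password are all required.")));
            }

            // Validate the address before anything is written, so a malformed address is a 400
            // rather than a FormatException thrown after the row was already saved.
            System.Net.Mail.MailAddress recipient;
            try
            {
                recipient = new System.Net.Mail.MailAddress(NewEmailAddress, NewUsername);
            }
            catch (FormatException)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(400, "Bad Request", "Email Address is invalid")));
            }

            // The new name/address must stay unique across other accounts (Signup enforces the same
            // rule on creation).
            var newName  = NewUsername.ToLower();
            var newEmail = NewEmailAddress.ToLower();
            var taken    = db.Users.Any(u => !u.UserId.Equals(user.UserId) &&
                                             (u.Username.ToLower() == newName || u.EmailAddress.ToLower() == newEmail));

            if (taken)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(409, "Conflict", $"User with username: {NewUsername} and/or Email Address: {NewEmailAddress} already exists.")));
            }

            var salt   = Security.Generate(128);
            var secret = Security.Generate(64);

            // Change username/password
            user.Username     = NewUsername;
            user.EmailAddress = NewEmailAddress;
            user.Password     = Security.SHA256(Security.Pepper + Password + salt);
            user.Salt         = salt;
            user.IsVerified   = false;
            user.SecretKey    = secret;
            // A credential change revokes the existing session so a previously captured session ID
            // cannot outlive the password it was issued under (SessionIDOverride does not check
            // IsVerified, so the old session would otherwise keep working).
            user.SessionId    = null;

            // Synchronous save: the un-awaited SaveChangesAsync() could lose the write and its
            // errors were never observed.
            db.SaveChanges();

            new SendEmails().SendMessage(recipient, "Please verify your account on Rohzek's Note Service", $"Hello!\n\nPlease click this link to verify your account: https://rohzek.cf:8080/api/v1/verify?verification_code={user.SecretKey}");

            return(JsonConvert.SerializeObject(new SessionIDHolder(user.Username, user.SessionId)));
        }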
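        /// <summary>
        /// Validates a previously issued session ID against the one stored for the account named
        /// (by username or e-mail address) in <see cref="UsernameOrEmail"/>.
        /// </summary>
        /// <param name="db">Open data context (read only; nothing is written).</param>
        /// <param name="IPAddress">Caller's remote address. Unused here; kept for signature compatibility.</param>
        /// <returns>
        /// Serialized <c>ReturnCode</c>: 200 (echoing the session ID) on a match, 401 on a mismatch or
        /// when the account has no live session, 404 for an unknown account.
        /// </returns>
        /// <remarks>
        /// Reached from the login controller when no API key is supplied, i.e. this is an
        /// unauthenticated endpoint and every input must be treated as hostile.
        /// NOTE(review): the 404/401 split discloses which usernames and addresses exist; a single
        /// 401 would avoid account enumeration.
        /// </remarks>
        public string SessionIDOverride(CSC425Context db, String IPAddress)
        {
            if (string.IsNullOrWhiteSpace(UsernameOrEmail))
            {
                return(JsonConvert.SerializeObject(new ReturnCode(404, "Not Found", "Username or Email Address is invalid")));
            }

            // Check to make sure a user exists with the given name, then fall back to the e-mail
            // address (ToLower() stays inside the expression so EF translates it to SQL LOWER()).
            var user = db.Users.Where(u => u.Username.ToLower().Equals(UsernameOrEmail.ToLower())).FirstOrDefault()
                    ?? db.Users.Where(u => u.EmailAddress.ToLower().Equals(UsernameOrEmail.ToLower())).FirstOrDefault();

            if (user == null)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(404, "Not Found", "Username or Email Address is invalid")));
            }

            // The stored session is null after a logout or a credential change; the original
            // Equals() call threw a NullReferenceException for every such account. Compare in
            // constant time so the check does not leak how many leading characters matched.
            var stored   = user.SessionId;
            var supplied = SessionID;
            var matches  = !string.IsNullOrEmpty(stored) && !string.IsNullOrEmpty(supplied) &&
                           System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(
                               System.Text.Encoding.UTF8.GetBytes(stored),
                               System.Text.Encoding.UTF8.GetBytes(supplied));

            if (matches)
            {
                // User is properly logged in
                return(JsonConvert.SerializeObject(new ReturnCode(200, "OK", $"{SessionID}")));
            }

            // Do NOT clear the stored session here. The original did, which let anyone who knew a
            // username log that user out by sending a wrong session ID — an unauthenticated denial
            // of service. A bad guess is simply rejected.
            return(JsonConvert.SerializeObject(new ReturnCode(401, "Unauthorized", $"Incorrect SessionID")));
        }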
ファイル: NotesController.cs プロジェクト: Rohzek/CSC425
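        /// <summary>
        /// DELETE handler: removes the note identified by the <c>noteid</c> query parameter on
        /// behalf of the account named by the <c>username</c> query parameter, after checking the
        /// <c>api_key</c> query parameter.
        /// </summary>
        /// <returns>
        /// Serialized <c>ReturnCode</c>: 401 bad API key, 400 non-numeric noteid, 404 unknown note,
        /// 403 when the named user is not the owner; otherwise the result of NoteRequest.DeleteNote.
        /// </returns>
        /// <remarks>
        /// NOTE(review): the acting user is taken from the query string, not from a session, so any
        /// API-key holder can delete any note simply by naming its owner. Ownership should be tied
        /// to the caller's session ID (see LoginRequest.SessionIDOverride).
        /// The DbContext is deliberately not disposed here: NoteRequest.DeleteNote calls
        /// SaveChangesAsync() without awaiting it, and disposing the context on return could tear
        /// down that in-flight save.
        /// </remarks>
        public string Delete()
        {
            var apikey = Request.Query["api_key"].ToString();

            // Authenticate before touching the database (the original ran two queries first).
            // Constant-time comparison; only the caller's key is case-folded, as before.
            var keyOk = System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(
                            System.Text.Encoding.UTF8.GetBytes(apikey.ToLowerInvariant()),
                            System.Text.Encoding.UTF8.GetBytes(Security.APIKey ?? ""));

            if (!keyOk)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(401, "Unauthorized", "Bad API Key")));
            }

            // Int32.Parse turned a missing or malformed noteid into an unhandled exception (500).
            if (!Int32.TryParse(Request.Query["noteid"].ToString(), out var noteId))
            {
                return(JsonConvert.SerializeObject(new ReturnCode(400, "Bad Request", "noteid must be an integer.")));
            }

            var username = Request.Query["username"].ToString();
            var db       = new CSC425Context();
            var note     = db.Notes.Where(n => n.NotesId.Equals(noteId)).FirstOrDefault();

            if (note == null)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(404, "Not Found", "That note doesn't exist.")));
            }

            var user = db.Users.Where(u => u.Username.ToLower().Equals(username.ToLower())).FirstOrDefault();

            // An unknown username used to dereference null; it is treated as "not the owner".
            if (user == null || !note.UserId.Equals(user.UserId))
            {
                return(JsonConvert.SerializeObject(new ReturnCode(403, "Forbidden", "That note doesn't belong to you.")));
            }

            return(new NoteRequest(db, note, user).DeleteNote(db));
        }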
ファイル: ViewerController.cs プロジェクト: Rohzek/CSC425
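        /// <summary>
        /// PUT handler: after checking the <c>api_key</c> query parameter, delegates to
        /// <see cref="AllowedUserRequest.AddUser"/> to grant a user view access to a note.
        /// </summary>
        /// <param name="user">Request body bound by ASP.NET Core; null when the body is missing or malformed.</param>
        /// <returns>Serialized <c>ReturnCode</c>: 401 bad API key, 400 no body; otherwise AddUser's result.</returns>
        /// <remarks>
        /// NOTE(review): the body names the note and the user to add, but nothing here (or in AddUser)
        /// checks that the caller owns the note; any API-key holder can share any note.
        /// The DbContext is not disposed because AddUser saves asynchronously without awaiting.
        /// </remarks>
        public string Put([FromBody] AllowedUserRequest user)
        {
            var apikey = Request.Query["api_key"].ToString();

            // Constant-time comparison; only the caller's key is case-folded, as before.
            var keyOk = System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(
                            System.Text.Encoding.UTF8.GetBytes(apikey.ToLowerInvariant()),
                            System.Text.Encoding.UTF8.GetBytes(Security.APIKey ?? ""));

            if (!keyOk)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(401, "Unauthorized", "Bad API Key")));
            }

            // Model binding yields null for a missing or unparseable body; the original dereferenced it.
            if (user == null)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(400, "Bad Request", "Request body is missing or malformed.")));
            }

            return(user.AddUser(new CSC425Context()));
        }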
ファイル: UserController.cs プロジェクト: Rohzek/CSC425
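        /// <summary>
        /// POST handler: after checking the <c>api_key</c> query parameter, delegates to
        /// <see cref="UserInfoRequest.UsernameAndPasswordUpdate"/> to change an account's
        /// username, e-mail address and password.
        /// </summary>
        /// <param name="changes">Request body bound by ASP.NET Core; null when the body is missing or malformed.</param>
        /// <returns>Serialized <c>ReturnCode</c>: 401 bad API key, 400 no body; otherwise the update's result.</returns>
        /// <remarks>
        /// NOTE(review): the shared API key is the only credential checked on this path. The body
        /// names the account to change but no session or current password is required, so any API
        /// client can reset any account. Caller authentication belongs here, before delegation.
        /// The DbContext is not disposed because the request object saves asynchronously without awaiting.
        /// </remarks>
        public string Post([FromBody] UserInfoRequest changes)
        {
            var apikey = Request.Query["api_key"].ToString();

            // Constant-time comparison; only the caller's key is case-folded, as before.
            var keyOk = System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(
                            System.Text.Encoding.UTF8.GetBytes(apikey.ToLowerInvariant()),
                            System.Text.Encoding.UTF8.GetBytes(Security.APIKey ?? ""));

            if (!keyOk)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(401, "Unauthorized", "Bad API Key")));
            }

            // Model binding yields null for a missing or unparseable body; the original dereferenced it.
            if (changes == null)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(400, "Bad Request", "Request body is missing or malformed.")));
            }

            // Null-safe on both links: the connection feature and its address can each be absent.
            var remoteIPAddress = HttpContext.Features.Get<IHttpConnectionFeature>()?.RemoteIpAddress?.ToString();

            return(changes.UsernameAndPasswordUpdate(new CSC425Context(), remoteIPAddress));
        }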
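        /// <summary>
        /// POST handler: after checking the <c>api_key</c> query parameter, delegates to
        /// <see cref="SignupRequest.Signup"/> to create a new, unverified account.
        /// </summary>
        /// <param name="signup">Request body bound by ASP.NET Core; null when the body is missing or malformed.</param>
        /// <returns>Serialized <c>ReturnCode</c>: 401 bad API key, 400 no body; otherwise Signup's result.</returns>
        /// <remarks>The DbContext is not disposed because Signup saves asynchronously without awaiting.</remarks>
        public string Post([FromBody] SignupRequest signup)
        {
            var apikey = Request.Query["api_key"].ToString();

            // Constant-time comparison; only the caller's key is case-folded, as before.
            var keyOk = System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(
                            System.Text.Encoding.UTF8.GetBytes(apikey.ToLowerInvariant()),
                            System.Text.Encoding.UTF8.GetBytes(Security.APIKey ?? ""));

            if (!keyOk)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(401, "Unauthorized", "Bad API Key")));
            }

            // Model binding yields null for a missing or unparseable body; the original dereferenced it.
            if (signup == null)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(400, "Bad Request", "Request body is missing or malformed.")));
            }

            // Null-safe on both links: the connection feature and its address can each be absent.
            var remoteIPAddress = HttpContext.Features.Get<IHttpConnectionFeature>()?.RemoteIpAddress?.ToString();

            return(signup.Signup(new CSC425Context(), remoteIPAddress));
        }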
ファイル: VerifyController.cs プロジェクト: Rohzek/CSC425
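        /// <summary>
        /// GET handler for the e-mail verification link: reads the <c>verification_code</c> query
        /// parameter and delegates to <see cref="VerifyUserRequest.AttemptVerification"/>.
        /// </summary>
        /// <returns>
        /// A serialized 401 <c>ReturnCode</c> when no code was supplied; otherwise AttemptVerification's
        /// result (a JSON ReturnCode on failure, a plain-text string on success).
        /// </returns>
        /// <remarks>
        /// This endpoint is intentionally reachable without the API key, because it is opened from a
        /// link in an e-mail. The DbContext is not disposed because AttemptVerification saves
        /// asynchronously without awaiting.
        /// </remarks>
        public string Get()
        {
            var secret = Request.Query["verification_code"].ToString();

            if (string.IsNullOrEmpty(secret))
            {
                return(JsonConvert.SerializeObject(new ReturnCode(401, "Unauthorized", "Verification error. Please contact an administrator.")));
            }

            // Null-safe on both links: the original threw when the feature existed but had no
            // address (?. only guarded the first dereference).
            var remoteIPAddress = HttpContext.Features.Get<IHttpConnectionFeature>()?.RemoteIpAddress?.ToString();

            return(new VerifyUserRequest(secret).AttemptVerification(new CSC425Context(), remoteIPAddress));
        }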
ファイル: ViewerController.cs プロジェクト: Rohzek/CSC425
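        /// <summary>
        /// DELETE handler: after checking the <c>api_key</c> query parameter, revokes the view
        /// access of the <c>username</c> query parameter on note <c>noteid</c> via
        /// <see cref="AllowedUserRequest.RemoveUser"/>.
        /// </summary>
        /// <returns>Serialized <c>ReturnCode</c>: 401 bad API key, 400 non-numeric noteid; otherwise RemoveUser's result.</returns>
        /// <remarks>
        /// NOTE(review): the query string names the note and the viewer to remove, but nothing on this
        /// path identifies the caller, so any API-key holder can alter any note's viewer list.
        /// RemoveUser is not visible in this file; whether it checks ownership is unknown.
        /// The DbContext is not disposed because the request object saves asynchronously without awaiting.
        /// </remarks>
        public string Delete()
        {
            var apikey = Request.Query["api_key"].ToString();

            // Authenticate before doing any work. Constant-time comparison; only the caller's key
            // is case-folded, as before.
            var keyOk = System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(
                            System.Text.Encoding.UTF8.GetBytes(apikey.ToLowerInvariant()),
                            System.Text.Encoding.UTF8.GetBytes(Security.APIKey ?? ""));

            if (!keyOk)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(401, "Unauthorized", "Bad API Key")));
            }

            // Int32.Parse turned a missing or malformed noteid into an unhandled exception (500).
            if (!Int32.TryParse(Request.Query["noteid"].ToString(), out var noteId))
            {
                return(JsonConvert.SerializeObject(new ReturnCode(400, "Bad Request", "noteid must be an integer.")));
            }

            var username = Request.Query["username"].ToString();

            return(new AllowedUserRequest(noteId, username).RemoveUser(new CSC425Context()));
        }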
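        /// <summary>
        /// Completes e-mail verification: finds the account whose stored <c>SecretKey</c> equals
        /// <see cref="Secret"/>, marks it verified, clears the one-time key and records the
        /// verifying IP address.
        /// </summary>
        /// <param name="db">Open data context; the update is committed before returning.</param>
        /// <param name="IPAddress">Remote address stored in Users.VerificationIp; may be null when the connection feature is unavailable.</param>
        /// <returns>
        /// A serialized 401 <c>ReturnCode</c> when no account matches; otherwise a plain-text success
        /// string (not JSON — callers must not assume a ReturnCode on success).
        /// </returns>
        public string AttemptVerification(CSC425Context db, string IPAddress)
        {
            // Verified accounts have SecretKey == null (cleared below). Refuse an empty/null code up
            // front so the lookup can never degenerate into a null-equals-null match that could
            // re-verify an unrelated account. The controller checks this too, but the class is
            // usable without it.
            if (string.IsNullOrEmpty(Secret))
            {
                return(JsonConvert.SerializeObject(new ReturnCode(401, "Unauthorized", $"Verification Code was incorrect.")));
            }

            var user = db.Users.Where(u => u.SecretKey.Equals(Secret)).FirstOrDefault();

            if (user == null)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(401, "Unauthorized", $"Verification Code was incorrect.")));
            }

            user.IsVerified     = true;
            user.SecretKey      = null;   // one-time use
            user.VerificationIp = IPAddress;

            // Synchronous save: the un-awaited SaveChangesAsync() could return "verified" before
            // the flag was written, and its errors were never observed.
            db.SaveChanges();

            // Maybe make this a little more fancy? We should be able to return an HTML page with this.
            return("Thank you. User was verified successfully.");
        }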
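        /// <summary>
        /// POST handler for login. With no <c>api_key</c> query parameter the body is treated as a
        /// session check (<see cref="LoginRequest.SessionIDOverride"/>); with a key it is verified
        /// and the body is treated as a password login (<see cref="LoginRequest.AttemptLogin"/>).
        /// </summary>
        /// <param name="login">Request body bound by ASP.NET Core; null when the body is missing or malformed.</param>
        /// <returns>Serialized <c>ReturnCode</c>: 400 no body, 401 bad API key; otherwise the delegate's result.</returns>
        /// <remarks>
        /// The empty-key branch is deliberately reachable without any credential, so
        /// SessionIDOverride must treat every input as untrusted. Unlike the other controllers this
        /// one case-folds the configured key as well as the supplied one; that asymmetry is preserved.
        /// The DbContext is not disposed because both delegates save asynchronously without awaiting.
        /// </remarks>
        public string Post([FromBody] LoginRequest login)
        {
            // Model binding yields null for a missing or unparseable body; the original dereferenced it.
            if (login == null)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(400, "Bad Request", "Request body is missing or malformed.")));
            }

            var apikey = Request.Query["api_key"].ToString();
            // Null-safe on both links: the connection feature and its address can each be absent.
            var remoteIPAddress = HttpContext.Features.Get<IHttpConnectionFeature>()?.RemoteIpAddress?.ToString();
            var db = new CSC425Context();

            // No key at all means "validate an existing session" rather than a password login.
            if (apikey.Length == 0)
            {
                return(login.SessionIDOverride(db, remoteIPAddress));
            }

            // Constant-time comparison of the case-folded keys.
            var keyOk = System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(
                            System.Text.Encoding.UTF8.GetBytes(apikey.ToLowerInvariant()),
                            System.Text.Encoding.UTF8.GetBytes((Security.APIKey ?? "").ToLowerInvariant()));

            if (!keyOk)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(401, "Unauthorized", "Bad API Key")));
            }

            return(login.AttemptLogin(db, remoteIPAddress));
        }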
ファイル: NotesController.cs プロジェクト: Rohzek/CSC425
        /// <summary>
        /// GET handler: after checking the <c>api_key</c> query parameter, returns the notes visible
        /// to the <c>username</c> query parameter, optionally filtered by the <c>search</c> query
        /// parameter (a regular expression applied by NoteRequest.GetNote).
        /// </summary>
        /// <returns>A serialized 401 <c>ReturnCode</c> on a bad key; otherwise the JSON array from NoteRequest.GetNote.</returns>
        /// <remarks>
        /// NOTE(review): the requesting user is whatever the query string says, not a session, so any
        /// API-key holder can read any user's notes by naming them. The <c>search</c> value is passed
        /// on as a user-controlled regex pattern. The DbContext is not disposed here; GetNote does not
        /// write, but the pattern is kept consistent with the other controllers in this file.
        /// </remarks>
        public string Get()
        {
            var apikey = Request.Query["api_key"].ToString();

            if (apikey.ToLower() != Security.APIKey)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(401, "Unauthorized", "Bad API Key")));
            }

            var username = Request.Query["username"].ToString();
            var search   = Request.Query["search"].ToString();   // "" when absent, never null
            var db       = new CSC425Context();

            return string.IsNullOrEmpty(search)
                ? NoteRequest.GetNote(db, username)
                : NoteRequest.GetNote(db, username, search);
        }
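        /// <summary>
        /// Returns, as a JSON array, the notes visible to <paramref name="username"/> (see
        /// <see cref="GetAllowedNotes"/>) whose class ID, text, file name, extension, note date or
        /// upload date matches the case-insensitive regular expression <paramref name="search"/>.
        /// </summary>
        /// <param name="db">Open data context (read only).</param>
        /// <param name="username">Account whose notes are searched.</param>
        /// <param name="search">Caller-supplied .NET regular expression.</param>
        /// <returns>
        /// A serialized list of <c>NoteRequest</c>; or a serialized 400 <c>ReturnCode</c> when the
        /// pattern is not a valid regular expression.
        /// </returns>
        public static string GetNote(CSC425Context db, string username, string search)
        {
            Regex pattern;
            try
            {
                // The search term is an untrusted regular expression. Bound its running time so a
                // pathological pattern cannot pin a server thread (ReDoS), and turn a malformed
                // pattern into a 400 instead of an unhandled ArgumentException (500).
                pattern = new Regex(search ?? "", RegexOptions.IgnoreCase, TimeSpan.FromSeconds(1));
            }
            catch (ArgumentException)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(400, "Bad Request", "Invalid search pattern.")));
            }

            var output = new List<NoteRequest>();

            foreach (NoteRequest note in GetAllowedNotes(db, username))
            {
                // Regex.IsMatch(null) throws; metadata columns may be unset, so substitute "".
                var fields = new[]
                {
                    note.ClassID,
                    note.Note,
                    note.NoteFileName,
                    note.Extension,
                    note.NoteDate.ToString(),
                    note.UploadDate.ToString(),
                };

                try
                {
                    if (fields.Any(f => pattern.IsMatch(f ?? "")))
                    {
                        output.Add(note);
                    }
                }
                catch (RegexMatchTimeoutException)
                {
                    // A timed-out match counts as "no match" rather than failing the whole request.
                }
            }

            return(JsonConvert.SerializeObject(output));
        }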
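        /// <summary>
        /// Stores this request as a new <c>Notes</c> row owned by the account named by
        /// <see cref="Username"/>, and creates a <c>NoteViewers</c> row for every existing account
        /// listed in <see cref="Users"/>.
        /// </summary>
        /// <param name="db">Open data context; the note and its viewer rows are committed before returning.</param>
        /// <returns>A serialized <c>ReturnCode</c>: 404 when the author does not exist, 200 on success.</returns>
        /// <remarks>
        /// NOTE(review): the author is whoever the request names, so with the shared API key any
        /// client can file notes as any user. Dates are stored with DateTime.Now (server local time),
        /// as before; UtcNow would be preferable but would change what is persisted.
        /// </remarks>
        public string AddNote(CSC425Context db)
        {
            // A missing or unknown author used to dereference null (500).
            if (string.IsNullOrWhiteSpace(Username))
            {
                return(JsonConvert.SerializeObject(new ReturnCode(404, "Not Found", $"User: {Username} doesn't exist.")));
            }

            var noteCreator = db.Users.Where(u => u.Username.ToLower().Equals(Username.ToLower())).FirstOrDefault();

            if (noteCreator == null)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(404, "Not Found", $"User: {Username} doesn't exist.")));
            }

            // A default NoteDate (year 0001) means the client did not supply one.
            if (NoteDate.Year == 0001)
            {
                this.NoteDate = DateTime.Now;
            }

            this.UploadDate = DateTime.Now;

            var note = new Notes
            {
                UserId       = noteCreator.UserId,
                ClassId      = this.ClassID,
                Note         = this.Note,
                NoteFile     = this.NoteFile,
                NoteFileName = this.NoteFileName,
                Extension    = this.Extension,
                NoteDate     = this.NoteDate,
                UploadDate   = this.UploadDate,
            };

            // Viewer list: tolerate a missing array, drop blanks and repeats, skip unknown users and
            // the author (the author already sees their own notes, and a viewer row for them would
            // list the note twice in GetAllowedNotes).
            var viewerNames = (Users ?? Array.Empty<string>())
                              .Where(n => !string.IsNullOrWhiteSpace(n))
                              .Distinct(StringComparer.OrdinalIgnoreCase);

            foreach (string viewerName in viewerNames)
            {
                var lowered     = viewerName.ToLower();
                var allowedUser = db.Users.Where(u => u.Username.ToLower() == lowered).FirstOrDefault();

                if (allowedUser == null || allowedUser.UserId.Equals(noteCreator.UserId))
                {
                    continue;
                }

                // NoteId is a placeholder here (the note has no key until it is inserted); EF is
                // expected to fix it up from the navigation on save, as the original relied on.
                // NOTE(review): also assumes Notes initialises its NoteViewers collection — verify.
                note.NoteViewers.Add(new NoteViewers { NoteId = note.NotesId, UserId = allowedUser.UserId });
            }

            db.Notes.Add(note);

            // Synchronous save: the un-awaited SaveChangesAsync() could report success before (or
            // without) the rows being written, and its errors were never observed.
            db.SaveChanges();

            return(JsonConvert.SerializeObject(new ReturnCode(200, "OK", $"Note added successfully.")));
        }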
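        /// <summary>
        /// Creates a new, unverified account from <see cref="Username"/>, <see cref="Email"/> and
        /// <see cref="Password"/> and e-mails the address a one-time verification link.
        /// </summary>
        /// <param name="db">Open data context; the row is committed before the e-mail is sent.</param>
        /// <param name="IPAddress">Caller's remote address, stored in Users.CreationIp.</param>
        /// <returns>
        /// A serialized <c>ReturnCode</c>: 400 when a field is missing or the address is malformed,
        /// 409 when the username or address is already taken, 100 "Continue" once the account is
        /// created and awaiting verification.
        /// </returns>
        /// <remarks>
        /// NOTE(review): password hashing is one SHA-256 over pepper+password+salt (Security.SHA256),
        /// which is fast to brute-force offline; a slow KDF (PBKDF2/Argon2) is recommended, but the
        /// scheme is shared with AttemptLogin and UsernameAndPasswordUpdate and must be migrated
        /// together. No password-strength rule is applied.
        /// </remarks>
        public string Signup(CSC425Context db, String IPAddress)
        {
            // The original dereferenced Email/Username and hashed a null Password as "".
            if (string.IsNullOrWhiteSpace(Username) || string.IsNullOrWhiteSpace(Email) || string.IsNullOrEmpty(Password))
            {
                return(JsonConvert.SerializeObject(new ReturnCode(400, "Bad Request", "Username, email address and password are all required.")));
            }

            // One query for both uniqueness rules (ToLower() stays inside the expression so EF
            // translates it to SQL LOWER()).
            var emailLower = Email.ToLower();
            var nameLower  = Username.ToLower();
            var exists     = db.Users.Any(u => u.EmailAddress.ToLower() == emailLower || u.Username.ToLower() == nameLower);

            if (exists)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(409, "Conflict", $"User with username: {Username} and/or Email Address: {Email} already exists.")));
            }

            // Validate the address before anything is written, so a malformed address is a 400
            // rather than a FormatException thrown after the row was already saved.
            System.Net.Mail.MailAddress recipient;
            try
            {
                recipient = new System.Net.Mail.MailAddress(Email, Username);
            }
            catch (FormatException)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(400, "Bad Request", "Email Address is invalid")));
            }

            var salt           = Security.Generate(128);
            var secret         = Security.Generate(64);
            var passwordToSave = Security.SHA256(Security.Pepper + Password + salt);

            // Create new user
            var user = new Users
            {
                Username       = Username,
                EmailAddress   = Email,
                Salt           = salt,
                Password       = passwordToSave,
                UserRole       = "User",
                CreationIp     = IPAddress,
                VerificationIp = "0.0.0.0",
                Use2Fa         = false,
                LoginAttempts  = 0,
                SecretKey      = secret,
            };

            db.Users.Add(user);

            // Synchronous save so the verification e-mail is only sent once the row really exists;
            // the un-awaited SaveChangesAsync() also lost any error it raised.
            db.SaveChanges();

            // The link now uses https, matching the link sent by UsernameAndPasswordUpdate for the
            // same host and port; the original sent the one-time verification code over plain http.
            new SendEmails().SendMessage(recipient, "Please verify your account on Rohzek's Note Service", $"Hello!\n\nPlease click this link to verify your account: https://rohzek.cf:8080/api/v1/verify?verification_code={user.SecretKey}");

            return(JsonConvert.SerializeObject(new ReturnCode(100, "Continue", "User created successfully, awaiting email verification")));
        }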
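        /// <summary>
        /// Projects a stored <paramref name="note"/> into a transport object: copies its fields,
        /// records <paramref name="user"/> as the author and resolves the usernames of every account
        /// listed in <c>NoteViewers</c> for this note.
        /// </summary>
        /// <param name="db">Open data context used to resolve viewer names (read only).</param>
        /// <param name="note">The note to project.</param>
        /// <param name="user">The note's author; callers in this file pass the owner matched by note.UserId.</param>
        public NoteRequest(CSC425Context db, Notes note, Users user)
        {
            Username     = user.Username;
            NoteID       = note.NotesId;
            ClassID      = note.ClassId;
            Note         = note.Note;
            NoteFile     = note.NoteFile;
            NoteFileName = note.NoteFileName;
            Extension    = note.Extension;
            NoteDate     = note.NoteDate;
            UploadDate   = note.UploadDate;

            var noteviewers = db.NoteViewers.Where(n => n.NoteId.Equals(NoteID)).ToList();
            var names       = new List<string>();

            foreach (NoteViewers nv in noteviewers)
            {
                var viewer = db.Users.Where(u => u.UserId.Equals(nv.UserId)).FirstOrDefault();

                // Bug fix: the original added user.Username (the author) once per viewer row, so
                // Users listed the author N times and never the actual viewers. GetAllowedNotes
                // builds the same list from the resolved viewer, which is what is done here; a
                // dangling viewer row whose account is gone is skipped instead of dereferenced.
                if (viewer != null)
                {
                    names.Add(viewer.Username);
                }
            }

            Users = names.ToArray();
        }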
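        /// <summary>
        /// Deletes note <see cref="NoteID"/> together with all of its <c>NoteViewers</c> rows.
        /// </summary>
        /// <param name="db">Open data context; the deletions are committed before returning.</param>
        /// <returns>A serialized 200 <c>ReturnCode</c>, even when no note with that ID existed (unchanged behaviour).</returns>
        /// <remarks>
        /// No ownership check is made here; the caller (NotesController.Delete in this file) is
        /// responsible for verifying that the acting user owns the note.
        /// </remarks>
        public string DeleteNote(CSC425Context db)
        {
            // Dependent viewer rows go first so the note's foreign-key references are gone before
            // the note itself. RemoveRange on an empty query is a no-op.
            db.NoteViewers.RemoveRange(db.NoteViewers.Where(n => n.NoteId.Equals(NoteID)));

            var note = db.Notes.Where(n => n.NotesId.Equals(NoteID)).FirstOrDefault();

            if (note != null)
            {
                db.Notes.Remove(note);
            }

            // Synchronous save: the un-awaited SaveChangesAsync() could report "deleted" before the
            // rows were removed, and its errors were never observed.
            db.SaveChanges();

            return(JsonConvert.SerializeObject(new ReturnCode(200, "OK", $"Note with ID {NoteID} deleted successfully.")));
        }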
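        /// <summary>
        /// Password login. Looks the account up by username, then by e-mail address, rejects
        /// unverified accounts, enforces a five-failure lockout, and on success records a
        /// <c>Logins</c> row and issues a fresh session ID.
        /// </summary>
        /// <param name="db">Open data context; all writes are committed before returning.</param>
        /// <param name="IPAddress">Caller's remote address, stored on the Logins row.</param>
        /// <returns>
        /// Serialized <c>ReturnCode</c>: 200 carrying the new session ID; 401 for a wrong password, an
        /// unverified account or an active lockout; 404 for an unknown account.
        /// </returns>
        /// <remarks>
        /// NOTE(review): the 404/401 split discloses which accounts exist (enumeration). Password
        /// hashing is one SHA-256 over pepper+password+salt (Security.SHA256); a slow KDF
        /// (PBKDF2/Argon2) is recommended, but the scheme is shared with Signup and
        /// UsernameAndPasswordUpdate and must be migrated together.
        /// </remarks>
        public string AttemptLogin(CSC425Context db, String IPAddress)
        {
            if (string.IsNullOrWhiteSpace(UsernameOrEmail))
            {
                return(JsonConvert.SerializeObject(new ReturnCode(404, "Not Found", "User with that name or email address does not exist")));
            }

            // Check to make sure a user exists with the given name, then fall back to the e-mail
            // address (ToLower() stays inside the expression so EF translates it to SQL LOWER()).
            var user = db.Users.Where(u => u.Username.ToLower().Equals(UsernameOrEmail.ToLower())).FirstOrDefault()
                    ?? db.Users.Where(u => u.EmailAddress.ToLower().Equals(UsernameOrEmail.ToLower())).FirstOrDefault();

            if (user == null)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(404, "Not Found", "User with that name or email address does not exist")));
            }

            if (!user.IsVerified)
            {
                return(JsonConvert.SerializeObject(new ReturnCode(401, "Unauthorized", $"Email Address not verified")));
            }

            // Five failures have been recorded: the account is locked until the counter is reset.
            if (user.LoginAttempts >= 5)
            {
                // Sets up a timed lockout: a MySQL scheduled event resets the counter later.
                var lockout = 5; // Minutes to lock the account.

                // The username is embedded in raw SQL both as an identifier and as a string literal.
                // The original interpolated it unchecked, which is SQL injection through a username
                // chosen at signup. CREATE EVENT cannot take bound parameters, so the value is
                // restricted to a strict identifier-safe whitelist instead (64-char identifier limit
                // minus "_Lockout"). Names outside the whitelist already failed the unquoted
                // identifier syntax before, so nothing that used to work is lost.
                if (System.Text.RegularExpressions.Regex.IsMatch(user.Username ?? "", @"^[A-Za-z0-9_]{1,56}$"))
                {
                    // IF NOT EXISTS without the former DROP: re-issuing the event on every further
                    // attempt kept pushing the unlock time back, so an attacker could keep a victim
                    // locked out indefinitely with a stream of bad passwords. NOT PRESERVE drops the
                    // event once it has fired, so the next lockout can create it again.
                    var task = $"CREATE EVENT IF NOT EXISTS {user.Username}_Lockout " +
                               $"ON SCHEDULE AT CURRENT_TIMESTAMP + INTERVAL {lockout} MINUTE " +
                               "ON COMPLETION NOT PRESERVE " +
                               "DO " +
                               $"UPDATE CSC425.Users SET Users.LoginAttempts = 0 WHERE Users.Username = \"{user.Username}\";";

                    // Synchronous so a scheduling failure surfaces instead of being silently dropped
                    // by an un-awaited task.
                    db.Database.ExecuteSqlRaw(task);
                }
                // TODO(review): a LockoutUntil column checked here would remove the raw SQL and the
                // dependency on the MySQL event scheduler entirely.

                return(JsonConvert.SerializeObject(new ReturnCode(401, "Unauthorized", $"Too many failed login attempts. Account locked for {lockout} minutes. Try logging in later.")));
            }

            // User exists, time to attempt log in. Compare the hashes in constant time.
            var passwordToCheck = Security.SHA256(Security.Pepper + Password + user.Salt);
            var passwordOk      = user.Password != null &&
                                  System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(
                                      System.Text.Encoding.UTF8.GetBytes(user.Password),
                                      System.Text.Encoding.UTF8.GetBytes(passwordToCheck));

            if (!passwordOk)
            {
                // Failed attempt should increment the counter
                user.LoginAttempts++;
                db.SaveChanges();
                return(JsonConvert.SerializeObject(new ReturnCode(401, "Unauthorized", $"Password was incorrect")));
            }

            // Password is correct, Login successful
            db.Logins.Add(new Logins
            {
                UsersID   = user.UserId,
                Ipaddress = IPAddress,
                LoginDate = DateTime.Now,
                Used2Fa   = false,
            });

            var sessionID = Security.Generate(32);
            user.SessionId     = sessionID;
            user.LoginAttempts = 0;

            // Synchronous save so the session ID handed back is guaranteed to be the stored one.
            db.SaveChanges();

            return(JsonConvert.SerializeObject(new ReturnCode(200, "OK", $"{sessionID}")));
        }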
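        /// <summary>
        /// Collects every note <paramref name="username"/> may see — notes they are listed as a
        /// viewer of plus notes they own — and projects each into a <c>NoteRequest</c> carrying the
        /// author's name, the note fields and the viewer usernames, without the author's Users row.
        /// </summary>
        /// <param name="db">Open data context (read only).</param>
        /// <param name="username">Account whose visible notes are collected.</param>
        /// <returns>
        /// The projected list, sorted with NoteRequest's own ordering (presumably most recent first —
        /// the comparer is not visible here); empty when the user does not exist.
        /// </returns>
        private static List <NoteRequest> GetAllowedNotes(CSC425Context db, string username)
        {
            var output = new List<NoteRequest>();

            // Get user account that's requesting notes. An unknown or blank name used to throw a
            // NullReferenceException inside the viewer query; it now yields an empty list.
            if (string.IsNullOrWhiteSpace(username))
            {
                return(output);
            }

            var user = db.Users.Where(u => u.Username.ToLower().Equals(username.ToLower())).FirstOrDefault();

            if (user == null)
            {
                return(output);
            }

            var notes = new List<Notes>();

            // Allowed notes (skipping viewer rows whose note has since been deleted).
            foreach (NoteViewers viewer in db.NoteViewers.Where(v => v.UserId.Equals(user.UserId)).ToList())
            {
                var shared = db.Notes.Where(n => n.NotesId.Equals(viewer.NoteId)).FirstOrDefault();

                if (shared != null)
                {
                    notes.Add(shared);
                }
            }

            // Owner's notes. A note the owner is also a viewer of is listed once, not twice.
            foreach (Notes owned in db.Notes.Where(n => n.UserId.Equals(user.UserId)).ToList())
            {
                if (!notes.Any(n => n.NotesId.Equals(owned.NotesId)))
                {
                    notes.Add(owned);
                }
            }

            // Project each note so no reference to the author's account row goes back with it.
            foreach (Notes note in notes)
            {
                var author = db.Users.Where(u => u.UserId.Equals(note.UserId)).FirstOrDefault();

                var req = new NoteRequest
                {
                    Username     = author?.Username,   // null if the owning account is gone
                    NoteID       = note.NotesId,
                    ClassID      = note.ClassId,
                    Note         = note.Note,
                    NoteFile     = note.NoteFile,
                    NoteFileName = note.NoteFileName,
                    Extension    = note.Extension,
                    NoteDate     = note.NoteDate,
                    UploadDate   = note.UploadDate,
                };

                var viewerNames = new List<string>();

                foreach (NoteViewers nv in db.NoteViewers.Where(n => n.NoteId.Equals(note.NotesId)).ToList())
                {
                    var viewer = db.Users.Where(u => u.UserId.Equals(nv.UserId)).FirstOrDefault();

                    // The original also wrote every viewer name to Debug output; dropped as noise.
                    if (viewer != null)
                    {
                        viewerNames.Add(viewer.Username);
                    }
                }

                req.Users = viewerNames.ToArray();
                output.Add(req);
            }

            // Sort notes by most recent, probably (NoteRequest's IComparable is not visible here).
            output.Sort();

            return(output);
        }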
 /// <summary>
 /// Serializes every note <paramref name="username"/> owns or is an allowed viewer of (as
 /// collected by GetAllowedNotes) to a JSON array. No search filter is applied.
 /// </summary>
 /// <param name="db">Open data context (read only).</param>
 /// <param name="username">Account whose visible notes are returned.</param>
 public static string GetNote(CSC425Context db, string username) =>
     JsonConvert.SerializeObject(GetAllowedNotes(db, username));
 /// <summary>
 /// Placeholder: note updates are not supported (the author expects a changed note to be
 /// re-uploaded). Always returns a serialized ReturnCode 100 "Continue" saying so.
 /// </summary>
 /// <param name="db">Unused; accepted for signature parity with AddNote and DeleteNote.</param>
 /// <remarks>
 /// NOTE(review): 501 "Not Implemented" would describe this outcome more accurately than
 /// 100; left unchanged because clients may already test for 100.
 /// </remarks>
 public string UpdateNote(CSC425Context db) =>
     JsonConvert.SerializeObject(new ReturnCode(100, "Continue", $"Updating not implemented."));