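/// <summary>
/// Verifies that <c>PasswordHash.CheckStrength</c> places representative inputs into the
/// expected <c>PasswordScore</c> buckets, from blank through very strong.
/// </summary>
public void PasswordHash_CheckStrength()
{
    // Assert.AreEqual takes (expected, actual); the original call sites had the two swapped,
    // which makes failure messages report the wrong "expected" value. The duplicate "abc" case
    // from the original is dropped.
    Assert.AreEqual(PasswordScore.Blank, PasswordHash.CheckStrength(""));
    Assert.AreEqual(PasswordScore.VeryWeak, PasswordHash.CheckStrength("abc"));
    Assert.AreEqual(PasswordScore.Weak, PasswordHash.CheckStrength("sdfttsae"));
    Assert.AreEqual(PasswordScore.Medium, PasswordHash.CheckStrength("123456789ab"));
    Assert.AreEqual(PasswordScore.Strong, PasswordHash.CheckStrength("123456789abcd"));
    Assert.AreEqual(PasswordScore.VeryStrong, PasswordHash.CheckStrength("#A23456789abcd"));
}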
//Install Step 1.0 - This is done as user is typing in controls.
// Checks the admin-account fields as they are typed and enables the database-install group only
// when every check passes; the first failing check is reported through txtMsg. Note that this is
// a UI convenience only; the values are validated again when they are posted.
private void ValidateUserAccount(object sender, EventArgs e)
{
    grpDatabaseInstall.Enabled = false;
    txtMsg.Text = "";

    // No user name yet: the user is still typing, so nothing to report.
    if (string.IsNullOrWhiteSpace(txtUserName.Text))
    {
        return;
    }

    string password = txtPassword.Text;
    string question = txtPasswordQuestion.Text;
    string answer = txtPasswordAnswer.Text;
    string failure = null;

    if (string.IsNullOrWhiteSpace(password))
    {
        failure = "Password cannot be blank!";
    }
    else if (PasswordHash.IsCommonPassword(password))
    {
        failure = "Easily hacked password!";
    }
    else if (PasswordHash.CheckStrength(password) < PasswordScore.Medium)
    {
        failure = "Password is WEAK!";
    }
    else if (password != txtConfirmPassword.Text)
    {
        failure = "Password doesn't match the confirmation password.";
    }
    else if (string.IsNullOrWhiteSpace(question) || string.IsNullOrWhiteSpace(answer))
    {
        failure = "Password hint question or answer cannot be empty.";
    }
    else if (answer == question)
    {
        failure = "Hint answer cannot be the same as the question.";
    }

    if (failure != null)
    {
        txtMsg.Text = failure;
        return;
    }

    grpDatabaseInstall.Enabled = true;
}
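/// <summary>
/// Changes a user's password. Two paths exist: a logged-in user identified by the bearer token in
/// the Authorization header, or (when <c>frm.ResetPassword</c> is set) a logged-out user identified
/// by the emailed confirmation code together with the email address.
/// </summary>
/// <param name="frm">The posted form; null yields an error result.</param>
/// <returns>A <see cref="ServiceResult"/> describing success or the first validation failure.</returns>
public ServiceResult ChangePassword(ChangePassword frm)
{
    if (frm == null)
    {
        return ServiceResponse.Error("Invalid data.");
    }

    NetworkHelper network = new NetworkHelper();
    string ipAddress = network.GetClientIpAddress(this.Request);
    string sessionToken = "";
    User u = null;
    UserManager userManager = new UserManager(Globals.DBConnectionKey, Request.Headers?.Authorization?.Parameter);

    if (frm.ResetPassword)
    {
        // A reset comes from a logged-out user, so the account is located through the emailed
        // confirmation code plus the email address instead of a session.
        if (string.IsNullOrWhiteSpace(frm.ConfirmationCode))
        {
            return ServiceResponse.Error("Invalid confirmation code. You must use the link provided in the email in order to reset your password.");
        }
        u = userManager.GetUsers(false).FirstOrDefault(dw =>
            dw.ProviderUserKey == frm.ConfirmationCode
            && dw.Email != null
            && dw.Email.EqualsIgnoreCase(frm.Email));
        if (u == null)
        {
            return ServiceResponse.Error("Invalid confirmation code.");
        }
    }
    else
    {
        if (Request.Headers?.Authorization == null)
        {
            return ServiceResponse.Error("You must be logged in to change your password.");
        }
        sessionToken = Request.Headers.Authorization.Parameter;
        // The session copy of the user carries no password fields, so reload the full record.
        // GetUser may return null for a stale token; the original dereferenced it unchecked.
        User sessionUser = GetUser(sessionToken);
        u = sessionUser == null ? null : (User)userManager.GetBy(sessionUser.UUID, false);
    }

    if (u == null)
    {
        SessionManager.DeleteSession(sessionToken);
        return ServiceResponse.Error("Session error. If your logged in try logging out and back in.");
    }
    if (frm.NewPassword != frm.ConfirmPassword)
    {
        return ServiceResponse.Error("Password don't match.");
    }
    if (string.IsNullOrWhiteSpace(frm.NewPassword) || string.IsNullOrWhiteSpace(frm.ConfirmPassword))
    {
        return ServiceResponse.Error("Password can't be empty. ");
    }
    if (PasswordHash.CheckStrength(frm.NewPassword) < PasswordHash.PasswordScore.Medium)
    {
        return ServiceResponse.Error("Password is too weak.");
    }

    if (frm.ResetPassword)
    {
        // Re-check the reset credentials against the loaded record: the lookup above matched code
        // and email, but the account must also still be flagged as a forgot-password reset.
        if (u.ProviderName != UserFlags.ProviderName.ForgotPassword
            || u.ProviderUserKey != frm.ConfirmationCode
            || u.Email == null
            || !u.Email.EqualsIgnoreCase(frm.Email))
        {
            string msg = "Invalid informaition posted to server";
            SystemLogger logger = new SystemLogger(Globals.DBConnectionKey);
            logger.InsertSecurity(msg, "AccountController", "ChangePassword");
            return ServiceResponse.Error("Invalid confirmation code.");
        }
    }
    else
    {
        // Plain password change: the caller must prove knowledge of the current password.
        if (!PasswordHash.ValidatePassword(frm.OldPassword, u.PasswordHashIterations + ":" + u.PasswordSalt + ":" + u.Password))
        {
            return ServiceResponse.Error("Invalid password.");
        }
    }

    ServiceResult sr = userManager.IsUserAuthorized(u, ipAddress);
    if (sr.Status == "ERROR")
    {
        return sr;
    }

    // CreateHash returns a combined string; it is split back into the three stored parts that the
    // ValidatePassword call above reassembles as "iterations:salt:hash".
    string tmpHashPassword = PasswordHash.CreateHash(frm.NewPassword);
    u.Password = PasswordHash.ExtractHashPassword(tmpHashPassword);
    u.PasswordHashIterations = PasswordHash.ExtractIterations(tmpHashPassword);
    u.PasswordSalt = PasswordHash.ExtractSalt(tmpHashPassword);
    // Clear the reset marker so the confirmation code cannot be used a second time.
    u.ProviderName = "";
    u.ProviderUserKey = "";
    u.LastPasswordChangedDate = DateTime.UtcNow;

    ServiceResult updateResult = userManager.Update(u, false);
    if (updateResult.Code != 200)
    {
        return ServiceResponse.Error("Error updating password. Try again later.");
    }
    return ServiceResponse.OK("Password has been updated.");
}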
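/// <summary>
/// Install step: validates the posted admin/account settings, records the admin user name in the
/// site configuration and creates the initial account through <c>AppManager</c>.
/// </summary>
/// <param name="appSettings">Settings posted by the installer; null yields an error result.</param>
/// <returns>The validation failure, or the result of <c>AppManager.CreateAccounts</c>.</returns>
public ServiceResult CreateAccounts(AppInfo appSettings)
{
    if (!IsInstallReady())
    {
        return ServiceResponse.Error("Website is not ready to be installed. Check the intall.json file.");
    }
    if (appSettings == null)
    {
        return ServiceResponse.Error("Invalid data.");
    }

    // The original built these results inline (and with a misplaced semicolon); same shape, once.
    Func<string, ServiceResult> fail = message => new ServiceResult() { Code = 500, Status = "ERROR", Message = message };

    if (string.IsNullOrWhiteSpace(appSettings.UserName))
    {
        return fail("Username is empty.");
    }
    if (appSettings.UserPassword != appSettings.ConfirmPassword)
    {
        return fail("Passwords don't match.");
    }
    // Strong is the effective bar: the original also tested for Medium first, but anything below
    // Medium is below Strong too, so that check only produced a second message.
    if (PasswordHash.CheckStrength(appSettings.UserPassword) < PasswordHash.PasswordScore.Strong)
    {
        return ServiceResponse.Error("Your password is weak. Try again.");
    }

    WebApplication wa = new WebApplication();
    // Invariant casing so the stored admin name does not depend on the server's culture.
    if (!wa.SaveConfigSetting("SiteAdmins", appSettings.UserName.ToLowerInvariant()))
    {
        return ServiceResponse.Error("Error saving SiteAdmins to .config:" + appSettings.UserName);
    }
    // The initial account is named after the site domain unless a name was supplied.
    if (string.IsNullOrWhiteSpace(appSettings.AccountName))
    {
        appSettings.AccountName = appSettings.SiteDomain;
    }
    if (string.IsNullOrWhiteSpace(appSettings.UserEmail))
    {
        return fail("Email is empty.");
    }
    if (string.IsNullOrWhiteSpace(appSettings.AccountEmail))
    {
        appSettings.AccountEmail = appSettings.UserEmail;
    }
    if (string.IsNullOrWhiteSpace(appSettings.SecurityQuestion))
    {
        return fail("Security question is empty.");
    }
    if (string.IsNullOrWhiteSpace(appSettings.UserSecurityAnswer))
    {
        return fail("Security answer is empty.");
    }
    if (string.IsNullOrWhiteSpace(Globals.DBConnectionKey))
    {
        return ServiceResponse.Error("ActiveDbConnectionKey is not set. This must be set to save values to the database.");
    }

    AppManager am = new AppManager(Globals.DBConnectionKey, "web", "");
    return am.CreateAccounts(appSettings);
}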
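//Install Step 2
//Save Account info
/// <summary>
/// Validates the installer's account settings, encrypts the security answer once, and creates the
/// accounts through <c>AppManager</c>. On success the password fields are copied into <c>_appInfo</c>.
/// </summary>
/// <param name="appSettings">Settings collected by the installer; null yields an error result.</param>
/// <returns>The validation failure, or the result of <c>AppManager.CreateAccounts</c>.</returns>
private ServiceResult CreateAccounts(AppInfo appSettings)
{
    if (appSettings == null)
    {
        return ServiceResponse.Error("Invalid data.");
    }

    // The original built these results inline (and with a misplaced semicolon); same shape, once.
    Func<string, ServiceResult> fail = message => new ServiceResult() { Code = 500, Status = "ERROR", Message = message };

    if (string.IsNullOrWhiteSpace(appSettings.UserName))
    {
        return fail("Username is empty.");
    }
    if (appSettings.UserPassword != appSettings.ConfirmPassword)
    {
        return fail("Passwords don't match.");
    }
    if (PasswordHash.CheckStrength(appSettings.UserPassword) < PasswordHash.PasswordScore.Medium)
    {
        return ServiceResponse.Error("Your password is weak. Try again.");
    }
    // Invariant casing so the stored admin name does not depend on the machine's culture.
    if (!ClientCore.Application.SaveConfigSetting("SiteAdmins", appSettings.UserName.ToLowerInvariant()))
    {
        return ServiceResponse.Error("Error saving SiteAdmins to .config:" + appSettings.UserName);
    }
    // The initial account is named after the site domain unless a name was supplied.
    if (string.IsNullOrWhiteSpace(appSettings.AccountName))
    {
        appSettings.AccountName = appSettings.SiteDomain;
    }
    if (string.IsNullOrWhiteSpace(appSettings.SecurityQuestion))
    {
        return ServiceResponse.Error("Security question is empty.");
    }
    if (string.IsNullOrWhiteSpace(appSettings.UserSecurityAnswer))
    {
        return ServiceResponse.Error("Security answer is empty.");
    }
    // Validate the connection key before touching any state. The original encrypted the answer
    // first and only then rejected a missing key, leaving _passwordEncrypted false next to an
    // already-encrypted answer; a retry with the same settings would have encrypted it again.
    if (string.IsNullOrWhiteSpace(appSettings.ActiveDbConnectionKey))
    {
        return ServiceResponse.Error("ActiveDbConnectionKey is not set. This must be set to save values to the database.");
    }

    if (!_passwordEncrypted)
    {
        // Cipher.Crypt with the final flag set is presumably the encrypt direction — confirm against Cipher.
        appSettings.UserSecurityAnswer = Cipher.Crypt(appSettings.AppKey, appSettings.UserSecurityAnswer, true);
        _appInfo.UserSecurityAnswer = appSettings.UserSecurityAnswer;
        _passwordEncrypted = true;
    }

    AppManager am = new AppManager(appSettings.ActiveDbConnectionKey, "FORMS", "");
    ServiceResult res = am.CreateAccounts(appSettings);
    if (res.Code != 200)
    {
        return res;
    }
    _appInfo.UserPassword = appSettings.UserPassword;
    _appInfo.ConfirmPassword = appSettings.ConfirmPassword;
    return res;
}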