void IUserProfileManagementService.SendPasswordResetToken(string email_id) { try { string connectionString = ConfigurationManager.ConnectionStrings["default"].ConnectionString; using (RegistrationService.EmailServiceReference.EmailServiceClient client = new RegistrationService.EmailServiceReference.EmailServiceClient()) using (SqlConnection conn = new SqlConnection(connectionString)) { RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider(); byte[] token = new byte[32]; rng.GetBytes(token); string message = "Here's your one-time token. This token expires in 24 hours.\n"; message += "TOKEN: " + GetString(token); Int64 user_id = -1; SqlCommand command = new SqlCommand("SELECT _id FROM Users WHERE email_id = @email_id", conn); command.Parameters.AddWithValue("@email_id", email_id); conn.Open(); SqlDataReader reader = command.ExecuteReader(); if (reader.Read()) { user_id = (long)reader["_id"]; } if (user_id == -1) { throw new FaultException("No user with given email id."); } else { command = new SqlCommand("IF EXISTS(SELECT * FROM EmailTokens WHERE user_id = @user_id)" + " UPDATE EmailTokens SET token = @token WHERE user_id = @user_id" + " ELSE" + " INSERT INTO EmailTokens (user_id, token) VALUES (@user_id, @token);", conn); command.Parameters.AddWithValue("@user_id", Convert.ToString(user_id)); command.Parameters.Add("@token", System.Data.SqlDbType.Binary, token.Length).Value = token; command.ExecuteNonQuery(); } client.SendEmail(email_id, "ChessOnline - Password Reset Token", message, false); } } catch (Exception ex) { throw new FaultException(ex.Message); } }
void IUserProfileManagementService.ResetPassword(string token, string email_id, string new_password) { try { string connectionString = ConfigurationManager.ConnectionStrings["default"].ConnectionString; using (RegistrationService.EmailServiceReference.EmailServiceClient client = new RegistrationService.EmailServiceReference.EmailServiceClient()) using (SqlConnection conn = new SqlConnection(connectionString)) { byte[] token_bytes; Int64 user_id = -1; SqlCommand command = new SqlCommand("SELECT _id FROM Users WHERE email_id = @email_id", conn); command.Parameters.AddWithValue("@email_id", email_id); conn.Open(); SqlDataReader reader = command.ExecuteReader(); if (reader.Read()) { user_id = (long)reader["_id"]; } if (user_id == -1) { throw new FaultException("No user with given email id."); } else { command = new SqlCommand("SELECT token FROM EmailTokens WHERE user_id = @user_id", conn); command.Parameters.AddWithValue("@user_id", user_id); reader = command.ExecuteReader(); if (reader.Read()) { token_bytes = (byte[])reader["token"]; string expected_token = GetString(token_bytes); if (expected_token.Equals(token)) { RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider(); HashAlgorithm hashAlgorithm = new SHA512Managed(); byte[] salt = new byte[32]; byte[] password = Encoding.ASCII.GetBytes(new_password); byte[] pt_password = new byte[salt.Length + password.Length]; byte[] hashed_password; password.CopyTo(pt_password, 0); rng.GetBytes(salt); salt.CopyTo(pt_password, password.Length); hashed_password = hashAlgorithm.ComputeHash(pt_password); command = new SqlCommand("UPDATE Users SET hashed_password = @hashed_password, salt = @salt WHERE _id = @_id", conn); command.Parameters.Add("@hashed_password", System.Data.SqlDbType.Binary, hashed_password.Length).Value = hashed_password; command.Parameters.Add("@salt", System.Data.SqlDbType.Binary, salt.Length).Value = salt; command.Parameters.AddWithValue("@_id", user_id); command.ExecuteNonQuery(); } else { throw new FaultException("InvalidToken"); } } else { throw new FaultException("NoTokenFound"); } } } } catch (Exception ex) { throw new FaultException(ex.Message); } }