コード例 #1
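        /// <summary>
        /// Looks up the account whose <c>accountaddress</c> equals <paramref name="username"/>
        /// and verifies <paramref name="password"/> against the stored hash.
        /// </summary>
        /// <param name="username">Account address from the caller (untrusted; bound as a query parameter, never concatenated).</param>
        /// <param name="password">Clear-text password to verify.</param>
        /// <returns>
        /// The matching <see cref="Account"/> when the password validates; otherwise <c>null</c>.
        /// "No such account" and "wrong password" both map to <c>null</c>, so callers cannot distinguish them.
        /// </returns>
        public async Task <Account> ValidatePasswordAsync(string username, string password)
        {
            using (var sqlConnection = new MySqlConnection(_connectionString))
            {
                // Open asynchronously: the original blocked the request thread on the connect/auth handshake.
                await sqlConnection.OpenAsync();

                var accounts = await sqlConnection.QueryAsync <Account>(
                    "SELECT * FROM hm_accounts WHERE accountaddress = @accountaddress",
                    new { accountaddress = username });

                // SingleOrDefault throws if more than one row matches; presumably accountaddress is unique — confirm.
                var account = accounts.SingleOrDefault();
                if (account == null)
                {
                    // NOTE(review): no dummy hash is computed on this path, so an unknown account
                    // returns faster than a wrong password (timing side channel for username enumeration).
                    return(null);
                }

                // TODO: Support old hashing methods.
                var salter = new Salter();
                return salter.ValidateHash(password, account.Password) ? account : null;
            }
        }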
コード例 #2
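 /// <summary>
 /// Wires the authentication service. The secret key is taken from the bound
 /// <see cref="Secrets"/> options first and from the machine-level
 /// <c>SuperStrongPassword</c> environment variable as a fallback.
 /// </summary>
 /// <exception cref="InvalidOperationException">
 /// Thrown when neither source provides a key, so the service fails closed at construction
 /// instead of silently operating with a <c>null</c> secret.
 /// </exception>
 public UserAuthenticationService(IUserRepository userRepository, Hasher hasher, Salter salter, IOptions <Secrets> secrets)
 {
     _userRepository = userRepository;
     _hasher         = hasher;
     _salter         = salter;

     // TODO: Added by me, but should still be refactored.
     // NOTE(review): EnvironmentVariableTarget.Machine is a Windows registry scope; on other
     // platforms .NET returns null for it — confirm the deployment target.
     var configured = secrets?.Value?.SuperStrongPassword;
     secretKey = configured ?? Environment.GetEnvironmentVariable("SuperStrongPassword", EnvironmentVariableTarget.Machine);

     if (string.IsNullOrEmpty(secretKey))
     {
         throw new InvalidOperationException(
             "No secret key configured: set Secrets:SuperStrongPassword or the SuperStrongPassword machine environment variable.");
     }
 }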
コード例 #3
        /// <summary>
        /// Demo entry point: prints a greeting, a freshly generated salt, and the hash of a
        /// fixed sample password combined with that salt.
        /// </summary>
        static void Main(string[] args)
        {
            Console.WriteLine("Hello World!");

            var salter    = new Salter();
            var freshSalt = salter.CreateRandomSalt();
            Console.WriteLine(freshSalt);

            // The sample password is a demo value, not a real credential.
            var hasher = new Hasher();
            var digest = hasher.CreateHashOfPasswordAndSalt("ILoveNiels", freshSalt);
            Console.WriteLine(digest);
        }
コード例 #4
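    /// <summary>
    /// Round-trips a plaintext through <see cref="StringCypherService"/> with a generated salt,
    /// then checks that the same ciphertext does NOT yield the plaintext under a different salt.
    /// </summary>
    public void TestStringCypherWithSalt()
    {
        IStringCypherService service = new StringCypherService();
        ISalter salter     = new Salter();
        var     salt       = salter.GenerateSalt(64);
        var     cyphertext = service.Encrypt(_plaintext, _password, salt);
        var     decrypted  = service.Decrypt(cyphertext, _password, salt);

        Assert.AreEqual(_plaintext, decrypted);

        // Wrong-salt case. The original test discarded this result, so an implementation that
        // ignored the salt entirely would still have passed. Decrypting under the wrong key
        // material may throw (e.g. padding/MAC failure) or return garbage; either is acceptable —
        // recovering the plaintext is not.
        salt = salter.GenerateSalt(64);
        object wrongSaltResult = null;
        var    threw           = false;
        try
        {
            wrongSaltResult = service.Decrypt(cyphertext, _password, salt);
        }
        catch (Exception)
        {
            // Any cipher failure counts as "did not recover the plaintext". The assertion is kept
            // outside the try so an assertion failure is never swallowed here.
            threw = true;
        }

        if (!threw)
        {
            Assert.AreNotEqual(_plaintext, wrongSaltResult);
        }
    }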
コード例 #5
        /// <summary>
        /// Builds the system under test: a substituted repository, real hasher/salter, and an
        /// <see cref="IOptions{Secrets}"/> stub returning a placeholder secret.
        /// </summary>
        public UserServiceTests()
        {
            _secrets = new Secrets {
                SuperStrongPassword = "******"
            };

            _options = Substitute.For <IOptions <Secrets> >();
            _options.Value.Returns(_secrets);

            _userRepository = Substitute.For <IUserRepository>();
            _hasher         = new Hasher();
            _salter         = new Salter();

            _userAuthService = new UserAuthenticationService(_userRepository, _hasher, _salter, _options);
        }
コード例 #6
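        /// <summary>
        /// One-off migration: reads every <c>Student</c> row's IndexNumber and current Password,
        /// generates a fresh salt per row, and writes back the salt and the salted hash.
        /// </summary>
        /// <remarks>
        /// Not idempotent: a second run hashes the already-hashed values and locks every student out —
        /// guard the call site before re-running. <c>setSalt</c>/<c>setPassword</c> are invoked while the
        /// reader on <c>con</c> is still open, so they must use their own connections (MARS is not enabled
        /// in this connection string); they are not visible here — confirm. Rows are updated outside any
        /// transaction, so a failure part-way leaves the table half migrated.
        /// </remarks>
        public void hashAllPasswords()
        {
            Console.Write("hello");

            // Integrated Security: no credential is embedded, but host and database are hard-coded.
            using (var con = new SqlConnection("Data Source=db-mssql;Initial Catalog=s18728;Integrated Security=True"))
            using (var com = new SqlCommand())
            {
                com.Connection  = con;
                com.CommandText = "SELECT IndexNumber, Password FROM Student ";

                con.Open();
                // Dispose the reader deterministically even if a per-row update throws
                // (the original only closed it on the success path).
                using (var dr = com.ExecuteReader())
                {
                    while (dr.Read())
                    {
                        var indexNumber = dr["IndexNumber"].ToString();

                        var salt = Salter.CreateSalt();
                        setSalt(indexNumber, salt);

                        var pass = Salter.CreateHash(dr["Password"].ToString(), salt);
                        setPassword(indexNumber, pass);
                    }
                }
            }
        }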
コード例 #7
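        /// <summary>
        /// Admin-only: sets a new password for user <paramref name="id"/>, generating a fresh salt.
        /// </summary>
        /// <param name="vm">Form model; only <c>NewPassword</c> is read.</param>
        /// <param name="id">Target user's <c>UserId</c>.</param>
        /// <returns>
        /// Dashboard redirect for non-admins; <c>404</c> for an unknown id; otherwise a redirect back to
        /// the user's management page. Nothing is changed when the new password is empty.
        /// </returns>
        /// <remarks>
        /// NOTE(review): no <c>[HttpPost]</c>/<c>[ValidateAntiForgeryToken]</c> is visible on this action.
        /// If they are absent, this state-changing admin action is reachable via GET and CSRF-able — confirm.
        /// </remarks>
        public IActionResult ChangePassword(ManageUsersViewModel vm, int id)
        {
            if (!_auth.Authorise(RolesEnum.Admin, _context)) // Check logged in as admin
            {
                return(Redirect("~/Project/Dashboard"));
            }

            // Without this guard a null/empty NewPassword is hashed as salt-only, i.e. the account
            // effectively ends up with an empty password.
            if (vm == null || string.IsNullOrEmpty(vm.NewPassword))
            {
                return(Redirect($"~/UserManagement/ManageUsers/{id}"));
            }

            // First() threw (HTTP 500) for an unknown id; report it instead.
            var rec = _context.Users.FirstOrDefault(u => u.UserId == id);
            if (rec == null)
            {
                return(NotFound());
            }

            var salt           = Salter.Shake();                     // Get a new salt
            var hashedPassword = Hasher.Hash(vm.NewPassword + salt); // Hash the salted password (same password+salt scheme as AddUser)

            rec.Salt           = salt;
            rec.HashedPassword = hashedPassword;

            // Save the changes to the database
            _context.SaveChanges();

            // Kick the users back to the user management view
            return(Redirect($"~/UserManagement/ManageUsers/{id}"));
        }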
コード例 #8
ファイル: StudentsController.cs プロジェクト: s18728/cw3
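        /// <summary>
        /// Issues a short-lived JWT plus a refresh token for a valid login.
        /// </summary>
        /// <param name="loginRequest">Untrusted credentials from the request body.</param>
        /// <returns>
        /// <c>200</c> with <c>token</c>/<c>refreshToken</c>, or <c>401</c> on any failure. Unknown login
        /// and wrong password are deliberately indistinguishable in the response body.
        /// </returns>
        /// <remarks>
        /// SECURITY: the <c>admin</c>/<c>admin</c> branch is a hard-coded credential that grants both the
        /// <c>student</c> and <c>employee</c> roles and bypasses the salted-hash check entirely. It is kept
        /// here only because existing callers may depend on it; remove it or replace it with a properly
        /// hashed, configured account before any non-local deployment.
        /// </remarks>
        public IActionResult Login(LoginRequestDTO loginRequest)
        {
            // A null body or missing field previously surfaced as a NullReferenceException (HTTP 500).
            if (loginRequest == null || loginRequest.Login == null || loginRequest.Password == null)
            {
                return(Unauthorized());
            }

            if (string.Equals(loginRequest.Login, "admin", StringComparison.Ordinal) &&
                string.Equals(loginRequest.Password, "admin", StringComparison.Ordinal))
            {
                // TODO(security): hard-coded backdoor credential — see <remarks> above.
                var adminClaims = new[]
                {
                    new Claim(ClaimTypes.NameIdentifier, loginRequest.Login),
                    new Claim(ClaimTypes.Name, "admin"),
                    new Claim(ClaimTypes.Role, "student"),
                    new Claim(ClaimTypes.Role, "employee")
                };

                return(IssueTokens(adminClaims, "admin"));
            }

            // Both failure paths return a bare 401; the timing still differs because the hash is only
            // validated for students that exist.
            if (!_dbService.checkIfStudentExists(loginRequest.Login))
            {
                return(Unauthorized());
            }

            var student = _dbService.getStudent(loginRequest.Login);
            var salt    = _dbService.getSalt(student.IndexNumber);

            if (!Salter.Validate(loginRequest.Password, salt, student.Password))
            {
                return(Unauthorized());
            }

            var studentClaims = new[]
            {
                new Claim(ClaimTypes.NameIdentifier, loginRequest.Login),
                new Claim(ClaimTypes.Name, student.FirstName + " " + student.LastName),
                new Claim(ClaimTypes.Role, "student")
            };

            return(IssueTokens(studentClaims, student.IndexNumber));
        }

        /// <summary>
        /// Signs a 10-minute HS256 JWT carrying <paramref name="claims"/> and stores a fresh refresh
        /// token for <paramref name="refreshTokenOwner"/>. Shared by both login branches, which
        /// previously duplicated this code.
        /// </summary>
        private IActionResult IssueTokens(Claim[] claims, string refreshTokenOwner)
        {
            // NOTE(review): the HS256 key is configuration text read as UTF-8. A missing "SecretKey"
            // becomes an ArgumentNullException here, and a short key is rejected by the token library
            // at signing time — validate the key once at startup rather than per login.
            var key  = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["SecretKey"]));
            var cred = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

            var token = new JwtSecurityToken
                        (
                issuer: "JakubSpZoo",
                audience: "students",
                claims: claims,
                // exp is a UTC Unix timestamp; use UtcNow rather than relying on local-time conversion.
                expires: DateTime.UtcNow.AddMinutes(10),
                signingCredentials: cred
                        );

            return(Ok(new
            {
                token = new JwtSecurityTokenHandler().WriteToken(token),
                refreshToken = _dbService.setRefreshToken(refreshTokenOwner, Guid.NewGuid().ToString())
            }));
        }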
コード例 #9
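        /// <summary>
        /// Creates a <c>Student</c> row (with a generated salt and initial password hash) and enrols it
        /// on the requested studies, all inside one transaction.
        /// </summary>
        /// <param name="student">Untrusted request body; every value reaches SQL only as a parameter.</param>
        /// <returns>
        /// <c>201</c> with the enrollment, or <c>400</c> when the studies do not exist, the index number is
        /// already taken, or any step throws.
        /// </returns>
        /// <remarks>
        /// SECURITY: the initial password is <c>"pas" + IndexNumber</c>, derivable by anyone who knows the
        /// index number. Treat it as a forced-change temporary credential, or generate a random one and
        /// deliver it out of band. <c>UseProcedure</c> is not visible here; it presumably changes
        /// <c>CommandType</c>, so confirm the text commands below still run as text after it is called.
        /// The exists-check followed by the insert is racy without a unique constraint on IndexNumber — confirm.
        /// </remarks>
        public IActionResult enrollStudent(Student student)
        {
            Enrollment enrollment = new Enrollment();

            using (var con = new SqlConnection(sqlCon))
            using (var com = new SqlCommand())
            {
                SqlTransaction sqlT = null;
                try
                {
                    com.Connection = con;
                    con.Open();
                    sqlT            = con.BeginTransaction();
                    com.Transaction = sqlT;

                    // 1. The studies must exist.
                    com.Parameters.AddWithValue("studiesName", student.Studies);
                    var wynik = UseProcedure("checkIfExistsStudies", com);
                    if (wynik.Count == 0)
                    {
                        sqlT.Rollback();
                        return(new BadRequestResult());
                    }

                    // 2. The index number must be free. The reader is disposed before any further
                    //    command runs on this connection (an open reader would block it).
                    com.CommandText = "SELECT 1 FROM Student WHERE Student.IndexNumber = @indexNumber";
                    com.Parameters.AddWithValue("indexNumber", student.IndexNumber);

                    bool alreadyExists;
                    using (var dr = com.ExecuteReader())
                    {
                        alreadyExists = dr.Read();
                    }
                    if (alreadyExists)
                    {
                        sqlT.Rollback();
                        return(new BadRequestResult());
                    }

                    // 3. Insert the student. BirthDate is parsed server-side using the en-GB (day-first) format.
                    com.CommandText = "DECLARE @datetmp date = PARSE(@bdate as date USING 'en-GB');" +
                                      " INSERT INTO Student(IndexNumber, FirstName, LastName, BirthDate, IdEnrollment, Password, Salt)" +
                                      " VALUES (@indexNumber, @name, @lname, @datetmp, '1', @pass, @salt)";
                    com.Parameters.Clear();
                    com.Parameters.AddWithValue("indexNumber", student.IndexNumber);

                    var salt = Salter.CreateSalt();
                    // Predictable initial password — see <remarks>.
                    var pass = Salter.CreateHash("pas" + student.IndexNumber, salt);

                    com.Parameters.AddWithValue("pass", pass);
                    com.Parameters.AddWithValue("salt", salt);
                    com.Parameters.AddWithValue("name", student.FirstName);
                    com.Parameters.AddWithValue("lname", student.LastName);
                    com.Parameters.AddWithValue("bdate", student.BirthDate);
                    com.ExecuteNonQuery();

                    // 4. Enrol and read the result row back: [0]=IdEnrollment, [1]=Semester, [2]=IdStudy, [3]=StartDate.
                    com.Parameters.Clear();
                    com.Parameters.AddWithValue("studiesName", student.Studies);
                    com.Parameters.AddWithValue("indexNumber", student.IndexNumber);
                    wynik = UseProcedure("enrollStudent", com);

                    enrollment.IdEnrollment = wynik[0][0];
                    enrollment.IdStudy      = wynik[0][2];
                    enrollment.Semester     = wynik[0][1];
                    enrollment.StartDate    = wynik[0][3];

                    sqlT.Commit();
                }
                catch (Exception e)
                {
                    Console.WriteLine(e);
                    // sqlT is still null when Open()/BeginTransaction() itself failed; the original
                    // unconditional Rollback() would then throw a second exception out of the catch.
                    sqlT?.Rollback();
                    return(new BadRequestResult());
                }
            }

            ObjectResult objectResult = new ObjectResult(enrollment);

            objectResult.StatusCode = 201;
            return(objectResult);
        }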
コード例 #10
 /// <summary>
 /// Stores the collaborators the authentication service needs: a user repository,
 /// a password hasher and a salt generator.
 /// </summary>
 public UserAuthenticationService(UserRepository userRepository, Hasher hasher, Salter salter)
 {
     _salter         = salter;
     _hasher         = hasher;
     _userRepository = userRepository;
 }
コード例 #11
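        /// <summary>
        /// Admin-only: creates a user from the form, storing a per-user salt and the hash of
        /// <c>Password + salt</c>.
        /// </summary>
        /// <param name="vm">Form model; validation errors are accumulated in <c>vm.ErrorMessage</c> and the form re-rendered.</param>
        /// <returns>Dashboard redirect for non-admins, the form view on validation failure, otherwise a redirect to the login page.</returns>
        /// <remarks>
        /// NOTE(review): no <c>[HttpPost]</c>/<c>[ValidateAntiForgeryToken]</c> is visible on this action;
        /// confirm they exist, otherwise user creation is reachable via GET and CSRF-able. No password
        /// strength policy is enforced here.
        /// </remarks>
        public IActionResult AddUser(AddUserViewModel vm)
        {
            if (!_auth.Authorise(RolesEnum.Admin, _context)) // Check logged in as admin
            {
                return(Redirect("~/Project/Dashboard"));
            }

            // Reset error message
            vm.ErrorMessage = "";
            // Get roles from database and fill in field
            vm.AllRoles = _context.Roles.ToList();

            // If username exists
            if (_context.Users.Any(r => r.UserName == vm.UserName))
            {
                vm.ErrorMessage += "Username already exists\n";
            }

            // Validate Password. Without the empty check a null/empty password passed the equality
            // test (null == null) and was stored as the hash of the salt alone.
            if (string.IsNullOrEmpty(vm.Password))
            {
                vm.ErrorMessage += "Password is required.\n";
            }
            else if (vm.Password != vm.ConfirmPassword)
            {
                vm.ErrorMessage += "Passwords must be equal.\n";
            }

            // The role name is client-supplied; an unknown one used to throw (HTTP 500) at First().
            var role = _context.Roles.FirstOrDefault(r => r.RoleName == vm.RoleName);
            if (role == null)
            {
                vm.ErrorMessage += "Unknown role.\n";
            }

            // If there's an error message
            if (vm.ErrorMessage != "")
            {
                return(View(vm));
            }

            // Hash (not encrypt) the password with a fresh per-user salt
            var salt       = Salter.Shake();
            var hashedPass = Hasher.Hash(vm.Password + salt);

            var newUser = new Users
            {
                UserName       = vm.UserName,
                HashedPassword = hashedPass,
                Salt           = salt,
                RoleId         = role.RoleId
            };

            // Only add email if one exists
            if (vm.Email != null)
            {
                newUser.Email = vm.Email;
            }

            _context.Users.Add(newUser);
            _context.SaveChanges();

            // Redirect to the login page
            return(Redirect("/Login/Index"));
        }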