private bool VeriFyPurchase(string verificationResponse)
{
if (verificationResponse.Equals("VERIFIED"))
{
return(true);
}
else if (verificationResponse.Equals("INVALID"))
{
_logger.InsertSecurity("INVALID PAYPAL IPN", "PaymentGateway", "VerifyPurchase");
}
return(false);
}
/// <summary>
/// note: todo we can use the difference in datecreated from submitDate to see if
/// it was submitted too fast. Usually less than three seconds.
/// If submittedDate or dateCreated is null then it could be an api attempt
/// </summary>
/// <param name="node"></param>
/// <param name="ipAddress"></param>
/// <returns></returns>
public bool IsSpamPost(INode node, string ipAddress)
{
if (node == null)
{
return(false);
}
if (!string.IsNullOrWhiteSpace(node.SubmitValue))
{
SystemLogger logger = new SystemLogger(Globals.DBConnectionKey);
logger.InsertSecurity(JsonConvert.SerializeObject(node), ipAddress + "|SPAM", "RegisterAsync");
return(true);
}
return(false);
}
public ServiceResult ChangePassword(ChangePassword frm)
{
if (frm == null)
{
return(ServiceResponse.Error("Invalid data."));
}
NetworkHelper network = new NetworkHelper();
string ipAddress = network.GetClientIpAddress(this.Request);
string sessionToken = "";
User u = null;
UserManager userManager = new UserManager(Globals.DBConnectionKey, Request.Headers?.Authorization?.Parameter);
if (frm.ResetPassword)
{//if a reset then the user isn't logged in, so get the user by alt means.
//only use captcha on reset
if (string.IsNullOrWhiteSpace(frm.ConfirmationCode))
{
return(ServiceResponse.Error("Invalid confirmation code. You must use the link provided in the email in order to reset your password."));
}
u = userManager.GetUsers(false).FirstOrDefault(dw => (dw.ProviderUserKey == frm.ConfirmationCode && dw.Email.EqualsIgnoreCase(frm.Email)));
if (u == null)
{
return(ServiceResponse.Error("Invalid confirmation code."));
}
}
else
{
if (Request.Headers.Authorization == null)
{
return(ServiceResponse.Error("You must be logged in to change your password."));
}
sessionToken = Request.Headers?.Authorization?.Parameter;
u = GetUser(sessionToken);//since the user session doesn't contain the password, wi have to pull it.
u = (User)userManager.GetBy(u.UUID, false);
}
if (u == null)
{
SessionManager.DeleteSession(sessionToken);
return(ServiceResponse.Error("Session error. If your logged in try logging out and back in."));
}
if (frm.NewPassword != frm.ConfirmPassword)
{
return(ServiceResponse.Error("Password don't match."));
}
if (string.IsNullOrWhiteSpace(frm.NewPassword) || string.IsNullOrWhiteSpace(frm.ConfirmPassword))
{
return(ServiceResponse.Error("Password can't be empty. "));
}
if (PasswordHash.CheckStrength(frm.NewPassword) < PasswordHash.PasswordScore.Medium)
{
return(ServiceResponse.Error("Password is too weak. "));
}
if (frm.ResetPassword)
{
if (u.ProviderName != UserFlags.ProviderName.ForgotPassword || u.ProviderUserKey != frm.ConfirmationCode || u.Email.EqualsIgnoreCase(frm.Email) == false)
{//
string msg = "Invalid informaition posted to server";
SystemLogger logger = new SystemLogger(Globals.DBConnectionKey);
logger.InsertSecurity(msg, "AccountController", "ChangePassword");
return(ServiceResponse.Error("Invalid confirmation code."));
}
}
else //just a user updating their password.
{ // verify old password
if (!PasswordHash.ValidatePassword(frm.OldPassword, u.PasswordHashIterations + ":" + u.PasswordSalt + ":" + u.Password))
{
return(ServiceResponse.Error("Invalid password."));
}
}
ServiceResult sr = userManager.IsUserAuthorized(u, ipAddress);
if (sr.Status == "ERROR")
{
return(sr);
}
string tmpHashPassword = PasswordHash.CreateHash(frm.NewPassword);
u.Password = PasswordHash.ExtractHashPassword(tmpHashPassword);
u.PasswordHashIterations = PasswordHash.ExtractIterations(tmpHashPassword);
u.PasswordSalt = PasswordHash.ExtractSalt(tmpHashPassword);
u.ProviderName = "";
u.ProviderUserKey = "";
u.LastPasswordChangedDate = DateTime.UtcNow;
ServiceResult updateResult = userManager.Update(u, false);
if (updateResult.Code != 200)
{
return(ServiceResponse.Error("Error updating password. Try again later."));
}
return(ServiceResponse.OK("Password has been updated."));
}
/// <summary>
///
/// </summary>
/// <param name="Approved"></param>
/// <param name="ipAddress"></param>
/// <returns></returns>
public async Task <ServiceResult> RegisterUserAsync(UserRegister ur, bool Approved, string ipAddress)
{
if (string.IsNullOrEmpty(ur.Name))
{
return(ServiceResponse.Error("Invalid username."));
}
if (ur.Password != ur.ConfirmPassword)
{
return(ServiceResponse.Error("Passwords must match."));
}
if (Validator.IsEmailInjectionAttempt(ur.Email))
{
_logger.InsertSecurity(ur.Email, "UserManager", "RegisterUser.IsEmailInjectionAttempt");
return(ServiceResponse.Error("Dangerous email format."));
}
if (!Validator.IsValidEmailFormat(ur.Email))
{
return(ServiceResponse.Error("Invalid email format."));
}
if (Validator.HasReservedLoginName(ur.Email))
{
_logger.InsertSecurity(ur.Email, "UserManager", "RegisterUser.HasReservedLoginName");
return(ServiceResponse.Error("Invalid email name."));
}
User dbUser;
using (var context = new TreeMonDbContext(this._connectionKey))
{
dbUser = context.GetAll <User>().FirstOrDefault(uw => (uw.Email?.EqualsIgnoreCase(ur.Email) ?? false) || (uw.Name?.EqualsIgnoreCase(ur.Name) ?? false));
}
if (dbUser != null && dbUser.Approved == false)
{
return(ServiceResponse.Error("The email account you provided is already on registered, but has not been validated. <br />Please check your email account and follow the instructions on the message sent.<br/><br/>Thank you,<br/> "));
}
else if (dbUser != null)
{
return(ServiceResponse.Error("Username or email already exists."));
}
if (string.IsNullOrWhiteSpace(ur.AccountUUID))
{
ur.AccountUUID = SystemFlag.Default.Account;
}
string tmpHashPassword = PasswordHash.CreateHash(ur.Password);
bool approved = true;// false;TODO make this false when the email url is fixed
//if mobile the email validation isn't going to be sent for them to validate=> approve. So auto approve.
if (ur.ClientType == "mobile.app")
{
approved = true;
}
User u = new User()
{
AccountUUID = ur.AccountUUID,
Name = ur.Name,
Password = PasswordHash.ExtractHashPassword(tmpHashPassword),
PasswordAnswer = ur.SecurityAnswer,
PasswordQuestion = ur.SecurityQuestion,
Active = true,
DateCreated = DateTime.UtcNow,
Deleted = false,
PasswordSalt = PasswordHash.ExtractSalt(tmpHashPassword),
PasswordHashIterations = PasswordHash.ExtractIterations(tmpHashPassword),
Email = ur.Email,
SiteAdmin = false,
Approved = approved,
Anonymous = false,
Banned = false,
LockedOut = false,
Private = true, // Since its a site admin we'll make it private appSettings.UserIsPrivate,
FailedPasswordAnswerAttemptWindowStart = 0,
FailedPasswordAttemptCount = 0,
FailedPasswordAnswerAttemptCount = 0,
ProviderUserKey = Cipher.RandomString(12),
ProviderName = UserFlags.ProviderName.ValidateEmail
};
ServiceResult res = await InsertUserAsync(u, ipAddress);
if (res.Code != 200)
{
return(res);
}
res.Result = u;
return(res);
}