ファイル: login.aspx.cs プロジェクト: smithydll/boxsocial
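        /// <summary>
        /// Entry point of the sign-in page. Depending on <c>mode</c> and the posted form it signs the
        /// user out, starts a password reset, verifies a two factor code, or checks a username/password
        /// pair, then either redirects or renders the sign-in template.
        /// </summary>
        /// <param name="sender">Page raising the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        /// <remarks>
        /// The <c>redirect</c> and <c>domain</c> request values are user supplied. Redirects that do not
        /// go through a validated <c>DnsRecord</c> are limited to same-site paths, and the username is
        /// escaped before it is embedded in SQL (the password-reset path already escapes its values).
        /// </remarks>
        protected void Page_Load(object sender, EventArgs e)
        {
            // The posted form wins over the query string for both values
            string redirect = (Request.Form["redirect"] != null) ? Request.Form["redirect"] : Request.QueryString["redirect"];
            string domain = (Request.Form["domain"] != null) ? Request.Form["domain"] : Request.QueryString["domain"];
            DnsRecord record = null;

            template.Parse("IS_CONTENT", "FALSE");
            template.Parse("S_POST", core.Hyperlink.AppendSid("/sign-in/", true));

            if (!string.IsNullOrEmpty(domain))
            {
                try
                {
                    // A DnsRecord is only resolved for foreign domains; for this site record stays null
                    if (domain != Hyperlink.Domain)
                    {
                        record = new DnsRecord(core, domain);
                    }

                    if (core.Http["mode"] == "sign-out")
                    {
                        // Remote sign-out: end the session on the foreign domain and bounce back to it.
                        // With no record there is no remote domain to return to (previously this
                        // dereferenced a null record); the local sign-out below handles that case.
                        if (record != null)
                        {
                            session.SessionEnd(Request.QueryString["sid"], loggedInMember.UserId, record);
                            RedirectToRemoteDomain(record, redirect);
                        }
                    }
                    else if (core.LoggedInMemberId > 0 && record != null)
                    {
                        // Already signed in here: hand the session over to the foreign domain
                        string sessionId = Request.QueryString["sid"];

                        if (!string.IsNullOrEmpty(sessionId))
                        {
                            core.Session.SessionEnd(sessionId, 0, record);
                        }

                        // NOTE(review): unlike the sign-in paths below, the new session id is not assigned
                        // to core.Hyperlink.Sid here — confirm SessionBegin sets it itself
                        core.Session.SessionBegin(core.LoggedInMemberId, false, false, false, record, null);

                        RedirectToRemoteDomain(record, redirect);
                    }
                }
                catch (InvalidDnsRecordException)
                {
                    core.Display.ShowMessage("Error", "Error starting remote session");
                    return;
                }
            }

            if (core.Http["mode"] == "sign-out")
            {
                string sessionId = Request.QueryString["sid"];

                if (!string.IsNullOrEmpty(sessionId))
                {
                    core.Session.SessionEnd(sessionId, loggedInMember.UserId);
                }

                // Only a same-site path is honoured; anything else lands on the home page
                Response.Redirect(IsLocalPath(redirect) ? redirect : "/", true);
                return;
            }

            if (Request.Form["submit"] != null)
            {
                if (core.Http["mode"] == "reset-password")
                {
                    string email = Request.Form["email"];

                    if (string.IsNullOrEmpty(email))
                    {
                        core.Display.ShowMessage("Error", "An error occured");
                        return;
                    }

                    try
                    {
                        UserEmail userEmail = new UserEmail(core, email);

                        if (!userEmail.IsActivated)
                        {
                            core.Display.ShowMessage("E-mail not verified", "The e-mail you have entered has not been verified, you need to enter an e-mail address you have verified to reset your password.");
                            return;
                        }

                        string newPassword = BoxSocial.Internals.User.GenerateRandomPassword();
                        string activateCode = BoxSocial.Internals.User.GenerateActivationSecurityToken();

                        // NOTE(review): this format string has no {0} placeholder, so the escaped
                        // newPassword (argument 0) is never written to user_new_password — verify
                        // against the repository before relying on the emailed password
                        db.UpdateQuery(string.Format("UPDATE user_info SET user_new_password = '******', user_activate_code = '{1}' WHERE user_id = {2}",
                            Mysql.Escape(newPassword), Mysql.Escape(activateCode), userEmail.Owner.Id));

                        string activateUri = string.Format(core.Hyperlink.Uri + "register/?mode=activate-password&id={0}&key={1}",
                            userEmail.Owner.Id, activateCode);

                        // send the e-mail

                        Template emailTemplate = new Template(core.Http.TemplateEmailPath, "new_password.html");

                        emailTemplate.Parse("SITE_TITLE", core.Settings.SiteTitle);
                        emailTemplate.Parse("U_SITE", core.Hyperlink.StripSid(core.Hyperlink.AppendAbsoluteSid(core.Hyperlink.BuildHomeUri())));
                        emailTemplate.Parse("TO_NAME", userEmail.Owner.DisplayName);
                        emailTemplate.Parse("U_ACTIVATE", activateUri);
                        emailTemplate.Parse("USERNAME", userEmail.Owner.UserName);
                        // TODO: do not send a new password in plain text
                        emailTemplate.Parse("PASSWORD", newPassword);

                        core.Email.SendEmail(userEmail.Email, core.Settings.SiteTitle + " Password Reset", emailTemplate);

                        core.Display.ShowMessage("Password reset", "You have been sent an e-mail to the address you entered with your new password. You will need to click the confirmation link before you can sign in");
                        return;
                    }
                    catch (InvalidUserEmailException)
                    {
                        core.Display.ShowMessage("No e-mail registered", "The e-mail you have entered is not associated with a user account.");
                        return;
                    }
                }
                else if (core.Http.Form["mode"] == "verify")
                {
                    // NOTE(review): assumes core.Session.CandidateMember was set by the password step — confirm
                    Authenticator authenticator = new Authenticator();
                    if (authenticator.CheckCode(core.Session.CandidateMember.UserInfo.TwoFactorAuthKey, core.Http.Form["verify"]))
                    {
                        bool remember = Request.Form["remember"] == "true";
                        session.SessionBegin(core.Session.CandidateMember.UserId, false, remember, true);

                        if (!string.IsNullOrEmpty(domain) && record != null)
                        {
                            string sessionId = core.Session.SessionBegin(core.Session.CandidateMember.UserId, false, false, true, record, null);

                            core.Hyperlink.Sid = sessionId;
                            RedirectToRemoteDomain(record, redirect);
                            return;
                        }

                        RedirectAfterSignIn(redirect);
                        return; /* stop processing the display of this page */
                    }
                    else
                    {
                        // Wrong code: end the session the password step began
                        core.Session.SessionEnd(core.Session.SessionId, core.Session.CandidateMember.UserId);

                        template.Parse("ERROR", "Bad log in credentials were given, you could not be logged in. Try again.");
                    }
                }
                else
                {
                    string userName = Request.Form["username"];
                    string password = BoxSocial.Internals.User.HashPassword(Request.Form["password"]);

                    // userName comes straight from the form: escape it before building the query
                    DataTable userTable = db.Query(string.Format("SELECT uk.user_name, uk.user_id, ui.user_password, ui.user_two_factor_auth_key, ui.user_two_factor_auth_verified FROM user_keys uk INNER JOIN user_info ui ON uk.user_id = ui.user_id WHERE uk.user_name = '{0}';",
                       Mysql.Escape(userName ?? string.Empty)));

                    if (userTable.Rows.Count != 1)
                    {
                        template.Parse("ERROR", "Bad log in credentials were given, you could not be logged in. Try again.");
                    }
                    else
                    {
                        DataRow userRow = userTable.Rows[0];
                        string dbPassword = (string)userRow["user_password"];
                        bool authenticated = IsPasswordMatch(Request.Form["password"], password, dbPassword);

                        if (!authenticated)
                        {
                            template.Parse("ERROR", "Bad log in credentials were given, you could not be logged in. Try again.");
                        }
                        else if ((byte)userRow["user_two_factor_auth_verified"] > 0)
                        {
                            // Password accepted but two factor is enabled: begin an unverified
                            // session and show the code prompt
                            template.SetTemplate("login_two_factor_verify.html");

                            HiddenField rememberHiddenField = new HiddenField("remember");
                            rememberHiddenField.Value = core.Http.Form["remember"];

                            TextBox verifyTextBox = new Forms.TextBox("verify");

                            template.Parse("S_REMEMBER", rememberHiddenField);
                            template.Parse("S_VERIFY", verifyTextBox);

                            bool remember = Request.Form["remember"] == "true";
                            session.SessionBegin((long)userRow["user_id"], false, remember, false);
                        }
                        else
                        {
                            bool remember = Request.Form["remember"] == "true";
                            session.SessionBegin((long)userRow["user_id"], false, remember);

                            if (!string.IsNullOrEmpty(domain) && record != null)
                            {
                                string sessionId = core.Session.SessionBegin((long)userRow["user_id"], false, false, false, record, null);

                                core.Hyperlink.Sid = sessionId;
                                RedirectToRemoteDomain(record, redirect);
                                return;
                            }

                            RedirectAfterSignIn(redirect);
                            return; /* stop processing the display of this page */
                        }
                    }
                }
            }

            if (core.Http["mode"] == "reset-password")
            {
                template.Parse("S_POST", core.Hyperlink.AppendSid("/sign-in/?mode=reset-password", true));

                template.SetTemplate("password_reset.html");

                EndResponse();
                return;
            }
            else
            {
                template.Parse("U_FORGOT_PASSWORD", core.Hyperlink.AppendSid("/sign-in/?mode=reset-password"));
            }

            template.Parse("DOMAIN", domain);
            template.Parse("REDIRECT", redirect);

            EndResponse();
        }

        /// <summary>
        /// Compares a submitted password against the stored hash, honouring the legacy phpBB
        /// formats that older accounts still carry.
        /// </summary>
        /// <param name="plainPassword">Password as typed into the form.</param>
        /// <param name="hashedPassword">The same password run through the site's current hash.</param>
        /// <param name="dbPassword">Hash stored for the account.</param>
        /// <returns>True when the password matches the stored hash.</returns>
        private static bool IsPasswordMatch(string plainPassword, string hashedPassword, string dbPassword)
        {
            // old phpBB passwords
            if (dbPassword.Length == 32)
            {
                // phpBB2 passwords
                return SessionState.SessionMd5(plainPassword) == dbPassword.ToLower();
            }

            if (dbPassword.Length == 34)
            {
                // phpBB3 passwords
                string itoa64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

                return SessionState.phpBB3Hash(plainPassword, dbPassword, ref itoa64) == dbPassword;
            }

            // NOTE(review): ordinary string equality is not constant time
            return dbPassword == hashedPassword;
        }

        /// <summary>
        /// True when <paramref name="path"/> is a non-empty root-relative path on this site ("/foo").
        /// Protocol-relative ("//host") and absolute URLs are rejected so a user-supplied redirect
        /// cannot send the visitor off-site.
        /// </summary>
        private static bool IsLocalPath(string path)
        {
            return !string.IsNullOrEmpty(path)
                && path.StartsWith("/", StringComparison.Ordinal)
                && !path.StartsWith("//", StringComparison.Ordinal)
                && !path.StartsWith("/\\", StringComparison.Ordinal);
        }

        /// <summary>
        /// Redirects to the remote domain described by <paramref name="record"/>, carrying the session
        /// id and the optional <paramref name="redirect"/> path. A null or empty path lands on the root.
        /// </summary>
        private void RedirectToRemoteDomain(DnsRecord record, string redirect)
        {
            string path = string.IsNullOrEmpty(redirect) ? string.Empty : redirect.TrimStart(new char[] { '/' });

            Response.Redirect(core.Hyperlink.AppendSid("http://" + record.Domain + "/" + path, true));
        }

        /// <summary>
        /// Redirects a freshly signed-in user to the requested same-site path, or to the home page when
        /// the path is missing or not local. Account paths get the session id appended afresh.
        /// </summary>
        private void RedirectAfterSignIn(string redirect)
        {
            if (!IsLocalPath(redirect))
            {
                Response.Redirect(core.Hyperlink.AppendSid("/"), true);
                return;
            }

            if (redirect.StartsWith("/account", StringComparison.Ordinal))
            {
                redirect = core.Hyperlink.AppendSid(core.Hyperlink.StripSid(redirect), true);
            }
            else
            {
                redirect = core.Hyperlink.AppendSid(redirect);
            }
            Response.Redirect(redirect, true);
        }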
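        /// <summary>
        /// Save handler of the account security page. In "enable" mode, while two factor is not yet
        /// verified, the submitted code is checked against the stored authenticator key: success marks
        /// the key verified and elevates the current session, failure wipes the pending key. A status
        /// message is shown and the user is sent back to the page.
        /// </summary>
        /// <param name="sender">Page raising the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        void AccountSecurity_Save(object sender, EventArgs e)
        {
            AuthoriseRequestSid();

            bool verificationFailed = false;

            if (core.Http.Form["mode"] == "enable" && (!LoggedInMember.UserInfo.TwoFactorAuthVerified))
            {
                Authenticator authenticator = new Authenticator();
                bool codeAccepted = authenticator.CheckCode(LoggedInMember.UserInfo.TwoFactorAuthKey, core.Http.Form["verify"]);

                if (codeAccepted)
                {
                    LoggedInMember.UserInfo.TwoFactorAuthVerified = true;
                }
                else
                {
                    // A wrong code discards the pending key; enrolment has to start over
                    LoggedInMember.UserInfo.TwoFactorAuthKey = string.Empty;
                    verificationFailed = true;
                }
                LoggedInMember.UserInfo.Update();

                if (codeAccepted)
                {
                    // Temporary, this should be done on an elevated session which is higher than two factor.
                    // Only a session that actually passed the code check is marked as two-factor validated.
                    UpdateQuery elevateQuery = new UpdateQuery(typeof(Session));
                    elevateQuery.AddField("session_signed_in", (byte)SessionSignInState.TwoFactorValidated);
                    elevateQuery.AddCondition("session_id", core.Session.SessionId);

                    core.Db.Query(elevateQuery);
                }
            }

            string title;
            string message;

            if (LoggedInMember.UserInfo.TwoFactorAuthVerified)
            {
                title = "Two Factor Authentication Enabled";
                message = "Two factor authentication has been enabled for this account.";
            }
            else if (verificationFailed)
            {
                title = "Two Factor Authentication Failed";
                message = "Two factor authentication has not been enabled for this account. Check you entered the code correctly.";
            }
            else
            {
                // Shown for any other mode while two factor is off; this handler itself does not disable anything
                title = "Two Factor Authentication Disabled";
                message = "Two factor authentication has been disabled for this account.";
            }

            core.Display.ShowMessage(title, message);
            SetRedirectUri(BuildUri());
        }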
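        /// <summary>
        /// Renders the account security page: two factor enrolment (phone or authenticator app),
        /// the enable/disable link, and the list of the member's active sessions.
        /// </summary>
        /// <param name="sender">Page raising the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        void AccountSecurity_Show(object sender, EventArgs e)
        {
            template.SetTemplate("account_security.html");

            Save(new EventHandler(AccountSecurity_Save));

            string mode = core.Http.Query["mode"];

            if (mode == "enrole_phone" && (!LoggedInMember.UserInfo.TwoFactorAuthVerified))
            {
                template.SetTemplate("account_security_twofactor.html");
                AuthoriseRequestSid();
            }
            else if (mode == "enrole_authenticator" && (!LoggedInMember.UserInfo.TwoFactorAuthVerified))
            {
                template.SetTemplate("account_security_twofactor.html");
                AuthoriseRequestSid();

                Authenticator authenticator = new Authenticator();
                string key = authenticator.GenerateKey();

                // NOTE(review): the fresh secret travels in the qr_code URL query string, where it can
                // end up in server, proxy and browser history logs — consider rendering the QR image
                // from the key already stored on the account instead
                Dictionary<string, string> args = new Dictionary<string, string>();
                args.Add("mode", "qr_code");
                args.Add("secret", key);
                string qrCode = core.Hyperlink.AppendSid(BuildUri("security", args), true);

                BoxSocial.Forms.Image qrCodeImage = new Forms.Image("qr_code", qrCode);
                BoxSocial.Forms.TextBox verifyTextBox = new Forms.TextBox("verify");
                BoxSocial.Forms.HiddenField keyHiddenField = new Forms.HiddenField("key");
                keyHiddenField.Value = key;

                template.Parse("S_ENROLE_AUTHENTICATOR", "TRUE");
                template.Parse("I_QR_CODE", qrCodeImage);
                template.Parse("S_KEY", keyHiddenField);
                template.Parse("S_VERIFY", verifyTextBox);
                template.Parse("USERNAME", LoggedInMember.UserName);

                // The key is stored unverified; AccountSecurity_Save flips the verified flag
                LoggedInMember.UserInfo.TwoFactorAuthKey = key;
                LoggedInMember.UserInfo.Update();
            }
            else if (LoggedInMember.UserInfo.TwoFactorAuthVerified)
            {
                template.Parse("S_ENABLED", "TRUE");
                template.Parse("U_DISABLE", core.Hyperlink.AppendSid(BuildUri("security", "disable"), true));
            }
            else
            {
                template.Parse("S_DISABLED", "TRUE");
                template.Parse("U_ENABLE", core.Hyperlink.AppendSid(BuildUri("security", "enrole_phone"), true));
            }

            // Show all active sessions
            SelectQuery query = SessionKey.GetSelectQueryStub(core, typeof(SessionKey));
            query.AddCondition(new DataField(typeof(SessionKey), "user_id"), LoggedInMember.Id);
            query.AddSort(SortOrder.Descending, "key_last_visit_ut");

            // using guarantees the reader is disposed even if a row fails to parse
            using (System.Data.Common.DbDataReader sessionsReader = db.ReaderQuery(query))
            {
                while (sessionsReader.Read())
                {
                    SessionKey sessionKey = new SessionKey(core, sessionsReader);

                    VariableCollection sessionsVariableCollection = template.CreateChild("sessions_list");

                    sessionsVariableCollection.Parse("IP", sessionKey.Ip);
                    sessionsVariableCollection.Parse("TIME", core.Tz.DateTimeToString(sessionKey.GetVisit(core.Tz)));
                    sessionsVariableCollection.Parse("BROWSER_STRING", sessionKey.BrowserString);
                }

                sessionsReader.Close();
            }
        }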
ファイル: functions.aspx.cs プロジェクト: smithydll/boxsocial
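        /// <summary>
        /// Handles the OAuth approval form. Either verifies a two factor code for the candidate member
        /// ("verify" mode) or checks a username/password pair; on success a verifier is issued for the
        /// request token and the client is sent to its callback (or shown the raw token pair).
        /// Failed credentials re-display the authorize form; an unknown token yields a 403.
        /// </summary>
        private void OAuthApprove()
        {
            string oauthToken = core.Http.Form["oauth_token"];
            bool success = false;

            try
            {
                OAuthToken token = new OAuthToken(core, oauthToken);
                ApplicationEntry ae = token.Application;
                OAuthApplication oae = new OAuthApplication(core, ae);

                if (core.Http.Form["mode"] == "verify")
                {
                    // NOTE(review): assumes core.Session.CandidateMember was set by the password step — confirm
                    Authenticator authenticator = new Authenticator();

                    if (authenticator.CheckCode(core.Session.CandidateMember.UserInfo.TwoFactorAuthKey, core.Http.Form["verify"]))
                    {
                        success = true;
                    }
                    else
                    {
                        showVerificationForm(ae, oauthToken, core.Session.SessionId);

                        return;
                    }
                }
                else
                {
                    string userName = Request.Form["username"];
                    string password = BoxSocial.Internals.User.HashPassword(Request.Form["password"]);

                    // userName comes straight from the form: escape it before building the query
                    DataTable userTable = db.Query(string.Format("SELECT uk.user_name, uk.user_id, ui.user_password, ui.user_two_factor_auth_key, ui.user_two_factor_auth_verified FROM user_keys uk INNER JOIN user_info ui ON uk.user_id = ui.user_id WHERE uk.user_name = '{0}';",
                       Mysql.Escape(userName ?? string.Empty)));

                    if (userTable.Rows.Count == 1)
                    {
                        DataRow userRow = userTable.Rows[0];
                        string dbPassword = (string)userRow["user_password"];

                        // NOTE(review): ordinary string equality is not constant time
                        bool authenticated = dbPassword == password;

                        if (!authenticated)
                        {
                            OAuthAuthorize(true);
                            return;
                        }

                        if ((byte)userRow["user_two_factor_auth_verified"] > 0)
                        {
                            // Password accepted but two factor is enabled: begin an unverified
                            // session and ask for the code before issuing a verifier
                            string sessionId = session.SessionBegin((long)userRow["user_id"], false, false, false);

                            showVerificationForm(ae, oauthToken, sessionId);

                            return;
                        }

                        session.SessionBegin((long)userRow["user_id"], false, false);

                        success = true;
                    }
                }

                if (!success)
                {
                    // Incorrect password, or no single account matched the username
                    OAuthAuthorize(true);
                    return;
                }

                OAuthVerifier verifier = OAuthVerifier.Create(core, token, core.Session.CandidateMember);
                token.UseToken();

                db.CommitTransaction();

                string tokenPair = string.Format("oauth_token={0}&oauth_verifier={1}", Uri.EscapeDataString(token.Token), Uri.EscapeDataString(verifier.Verifier));

                if (!string.IsNullOrEmpty(oae.CallbackUrl))
                {
                    Response.Redirect(string.Format("{0}?oauth_token={1}&oauth_verifier={2}", oae.CallbackUrl, Uri.EscapeDataString(token.Token), Uri.EscapeDataString(verifier.Verifier)));
                }
                else
                {
                    // Out-of-band client: hand the token pair back as plain text
                    core.Response.SendRawText("", tokenPair);
                }
            }
            catch (InvalidOAuthTokenException)
            {
                core.Functions.Generate403();
            }

            EndResponse();
        }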