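/// <summary>
/// Authenticates a user by username and password and, on success, issues a new token.
/// </summary>
/// <param name="loginModel">Submitted credentials (username and plaintext password).</param>
/// <returns>
/// 400 with the model-state errors when the model is invalid; 400 with the generic
/// "Invalid Username or Password" message when the username is unknown or the password
/// does not match; otherwise 200 with the obfuscated token and the account's primary key.
/// </returns>
public IHttpActionResult PostLogin(LoginModel loginModel)
{
    // One generic message for every authentication failure so the response does
    // not reveal whether the username exists.
    const string error = "Invalid Username or Password";

    if (!ModelState.IsValid)
    {
        return BadRequest(ModelState);
    }

    // Dispose the context deterministically; the original never disposed it.
    using (WebApplication1Context context = new WebApplication1Context())
    {
        AccountsModel account = context.AccountsModel
            .Where(a => a.username == loginModel.username)
            .FirstOrDefault();

        // Unknown username: the original dereferenced a null account here, turning a
        // bad login into an unhandled exception (500) that differs from the known-user
        // response. The in-memory comparison is kept as an exact (ordinal) match in case
        // the database collation is case-insensitive.
        // NOTE(review): this path skips the password hash, so an unknown username answers
        // faster than a wrong password; closing that timing gap would need a dummy hash.
        if (account == null || account.username != loginModel.username)
        {
            return BadRequest(error);
        }

        byte[] saltInput = LoginUtils.hash(loginModel.password, account.Salt);
        if (!LoginUtils.slowEquals(saltInput, account.SaltedAndHashedPassword))
        {
            return BadRequest(error);
        }

        // Success: mint a token, persist only its hash, hand the obfuscated form to the client.
        string rawToken = LoginUtils.makeSimpleToken();

        // Invariant culture so the stamp is identical regardless of the server's locale;
        // ValidateToken compares this string byte-for-byte with the one carried inside the token.
        string timeStamp = DateTime.UtcNow.ToString(
            "dd/MM/yyyy HH:mm:ss",
            System.Globalization.CultureInfo.InvariantCulture);

        string obfuscatedToken = LoginUtils.encryptToken(rawToken, timeStamp);
        byte[] hashedToken = LoginUtils.hashNoSalt(rawToken);

        context.TokensModel.Add(new TokenModel
        {
            tokenHash = hashedToken,
            tokenDate = timeStamp,
            userid = account.primaryKey,
        });

        // Synchronous save: the original called SaveChangesAsync() without awaiting it, so
        // the token row could still be unsaved (or the save could fail unobserved) when the
        // response was already on its way back to the client.
        context.SaveChanges();

        return Ok(new { token = obfuscatedToken, userId = account.primaryKey });
    }
}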
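/// <summary>
/// Checks that an obfuscated token belongs to the given user id and has not been altered.
/// </summary>
/// <param name="tokenInput">The obfuscated token previously returned by PostLogin.</param>
/// <param name="idInput">The user id the caller claims the token belongs to.</param>
/// <returns>
/// true only when the token decrypts to a hash stored for that user and its embedded
/// timestamp matches the stored one; false in every other case, including an unknown
/// token (the original threw a NullReferenceException there instead of failing closed).
/// </returns>
public static bool ValidateToken(string tokenInput, int idInput)
{
    // Fail closed on an absent token rather than handing null to the decrypt routine.
    if (string.IsNullOrEmpty(tokenInput))
    {
        return false;
    }

    decryptTokenData data = LoginUtils.decryptToken(tokenInput);
    byte[] checkHash = LoginUtils.hashNoSalt(data.token);

    // Dispose the context deterministically; the original never disposed it.
    using (WebApplication1Context context = new WebApplication1Context())
    {
        TokenModel token = context.TokensModel
            .Where(a => a.tokenHash == checkHash)
            .FirstOrDefault();

        // Unknown token: no row matched the recomputed hash.
        if (token == null)
        {
            return false;
        }

        // Cheap id check first: a token presented with the wrong user id fails
        // before any byte comparison is done.
        if (idInput != token.userid)
        {
            return false;
        }

        // Constant-time comparison of the stored hash against the recomputed one
        // (defence in depth; the query above already matched on it).
        if (!LoginUtils.SafeEquals(token.tokenHash, checkHash))
        {
            return false;
        }

        // The timestamp inside the decrypted token must equal the stored one; a mismatch
        // means the token body was altered after it was issued.
        // TODO: log a mismatch here as possible token tampering.
        // TODO: add an expiry check on tokenDate -- no expiry exists yet.
        return data.utcDateTime == token.tokenDate;
    }
}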