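public void UsersPasswordChangeTest()
        {
            // Password-reuse check for a fixed test user: the candidate password must differ from
            // the user's current hash and from the hashes recorded within the configured window.
            var updateInfo = new UpdateUserPasswordDTO {
                Password = "******", UserID = new Guid("e4eec242-58fb-4952-a78d-a65501281276")
            };

            using (var db = new DataContext())
            {
                var user = db.Users.Find(updateInfo.UserID);

                // Find() yields null when the key does not exist; fail the test explicitly
                // instead of letting user.PasswordHash below throw a NullReferenceException.
                if (user == null)
                {
                    Assert.Fail("Test user " + updateInfo.UserID + " was not found in the database");
                }

                string newHash = updateInfo.Password.ComputeHash();

                // Look-back window and entry count come from app settings; the day count is
                // negated so the boundary lies in the past.
                int lookBackDays = ConfigurationManager.AppSettings["PreviousDaysPasswordRestriction"].ToInt32();
                DateTimeOffset dateBack = DateTimeOffset.UtcNow.AddDays(-lookBackDays);
                int previousUses = ConfigurationManager.AppSettings["PreviousPasswordUses"].ToInt32();

                var param = new LastUsedPasswordCheckParams {
                    User = user, DateRange = dateBack, NumberOfEntries = previousUses, Hash = newHash
                };

                var query = new LastUsedPasswordCheckQuery(db);

                // Reuse of the current hash or of any hash in the window is a failure.
                if (user.PasswordHash == newHash || query.Execute(param))
                {
                    Assert.Fail("The password has already been used previously");
                }
            }
        }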
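        /// <summary>
        /// Handles the expired-password form: validates the new password, rejects reuse of the
        /// current or recently used passwords, stores the new hash with a fresh expiration,
        /// writes an audit entry and re-issues the session cookie.
        /// </summary>
        /// <param name="newPassword">The plaintext replacement password submitted by the user.</param>
        /// <returns>
        /// The expired-password view with a model error on any validation failure,
        /// otherwise a redirect to the site root.
        /// </returns>
        public async Task <ActionResult> PasswordExpired(string newPassword)
        {
            const string expiredPasswordView = "~/Views/Home/ExpiredPassword.cshtml";

            // Authentication is checked before anything else so an unauthenticated caller
            // learns nothing from the strength or reuse checks.
            if (!Auth.ApiIdentity.IsAuthenticated)
            {
                ModelState.AddModelError("Error", "You must login before changing your password.");
                return View(expiredPasswordView);
            }

            // A missing or blank password is rejected here rather than handed to CheckPasswordStrength.
            if (string.IsNullOrWhiteSpace(newPassword)
                || Lpp.Dns.Data.User.CheckPasswordStrength(newPassword) != DTO.Enums.PasswordScores.VeryStrong)
            {
                ModelState.AddModelError("Error", "The password specified is not strong enough. Please ensure that the password has at least one upper-case letter, a number and at least one symbol and does not include: ':;<'.");
                return View(expiredPasswordView);
            }

            var user = await DataContext.Users.FindAsync(Auth.ApiIdentity.ID);

            // The identity may reference a user row that no longer exists; fail cleanly instead
            // of throwing a NullReferenceException on user.PasswordHash below.
            if (user == null)
            {
                ModelState.AddModelError("Error", "Your user account could not be found. Please login again.");
                return View(expiredPasswordView);
            }

            string newHash = newPassword.ComputeHash();

            // Reuse window and entry count come from app settings; the day count is negated
            // so the boundary lies in the past.
            int lookBackDays = ConfigurationManager.AppSettings["PreviousDaysPasswordRestriction"].ToInt32();
            DateTimeOffset dateBack = DateTimeOffset.UtcNow.AddDays(-lookBackDays);
            int previousUses = ConfigurationManager.AppSettings["PreviousPasswordUses"].ToInt32();

            var param = new LastUsedPasswordCheckParams {
                User = user, DateRange = dateBack, NumberOfEntries = previousUses, Hash = newHash
            };

            var query = new LastUsedPasswordCheckQuery(DataContext);

            if (user.PasswordHash == newHash || await query.ExecuteAsync(param))
            {
                ModelState.AddModelError("Error", "Your new password must be different than your previous password(s).");
                return View(expiredPasswordView);
            }

            // The audit entry records the previous hash, never the plaintext.
            DataContext.LogsUserPasswordChange.Add(new Data.Audit.UserPasswordChangeLog {
                UserID = Auth.ApiIdentity.ID, UserChangedID = user.ID, OriginalPassword = user.PasswordHash, Method = UserPasswordChange.Profile
            });

            user.PasswordHash = newHash;
            // NOTE(review): the expiration is stamped with local DateTime.Now while the reuse
            // window above uses UtcNow; confirm which clock the expiry comparison elsewhere expects.
            user.PasswordExpiration = DateTime.Now.AddMonths(ConfigurationManager.AppSettings["ConfiguredPasswordExpiryMonths"].ToInt32());

            await DataContext.SaveChangesAsync();

            Auth.SetCurrentUser(user, AuthenticationScope.WebSession);

            // Session length falls back to 30 minutes when the setting is absent or blank.
            var expireMinutes = WebConfigurationManager.AppSettings["SessionExpireMinutes"];
            if (string.IsNullOrWhiteSpace(expireMinutes))
            {
                expireMinutes = "30";
            }

            // NOTE(review): the plaintext newPassword is passed into LoginResponseModel, whose
            // serialized form is written to a client-side cookie below. Confirm the model does
            // not carry the password (or any other secret) into the cookie.
            var sModel = Newtonsoft.Json.JsonConvert.SerializeObject(new LoginResponseModel(user, newPassword, user.OrganizationID, user.PasswordExpiration, expireMinutes.ToInt32()));

            // Expires = DateTime.MinValue is HttpCookie's default, i.e. a non-persisted session cookie.
            // NOTE(review): no HttpOnly/Secure flags are set; if no client script needs to read
            // this cookie, HttpOnly = true (and Secure = true over HTTPS) should be added.
            var authCookie = new HttpCookie("Authorization", sModel)
            {
                Shareable = false,
                Expires   = DateTime.MinValue,
            };

            // Replace any existing cookie of the same name rather than appending a duplicate.
            Response.Cookies.Remove("Authorization");
            Response.Cookies.Add(authCookie);

            return Redirect("~/");
        }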