        /// <summary>
        /// GET handler for the profile edit page of the signed-in user.
        /// </summary>
        /// <param name="id">User id from the route; must equal the session user's id.</param>
        /// <param name="roleId">Role the profile is edited under; must equal the session's role.</param>
        /// <returns>
        /// The edit view, or <c>null</c> after redirecting to /Home/UnauthorizeAccess when the
        /// route values do not belong to the current session.
        /// </returns>
        public ActionResult Edit(long id, Roles roleId)
        {
            var orgRole = _sessionContext.UserSession.CurrentOrganizationRole;

            // Ownership check: the route values are caller-controlled, so only the session's own
            // user/role pair may load a profile (which includes its TOTP secret).
            var isOwnProfile = orgRole.UserId == id && orgRole.RoleId == (long)roleId;
            if (!isOwnProfile)
            {
                Response.RedirectUser("/Home/UnauthorizeAccess");
                return(null);
            }

            var model = _userProfileService.GetProfileEditModel(id);

            // The raw secret is parked in TempData for the POST; the view only receives the
            // encoded form (presumably what the QR code / authenticator app consumes).
            var existingSecret = model.Secret;
            if (string.IsNullOrEmpty(existingSecret))
            {
                string encoded;
                var freshSecret = TimeBasedOneTimePassword.GenerateSecret(out encoded);
                TempData["EncodedSecret"] = freshSecret;
                model.EncodedSecret       = encoded;
            }
            else
            {
                TempData["EncodedSecret"] = existingSecret;
                model.EncodedSecret       = TimeBasedOneTimePassword.EncodeSecret(existingSecret);
            }

            // Technicians also edit their PIN; "0000" is the placeholder shown when no
            // technician record exists yet.
            if (roleId == Roles.Technician)
            {
                var technician = _technicianRepository.GetTechnician(orgRole.OrganizationRoleUserId);
                model.TechnicianPin = technician == null ? "0000" : technician.Pin;
            }

            return(View(model));
        }
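        /// <summary>
        /// POST handler that verifies the one-time password entered on the second-factor page.
        /// </summary>
        /// <param name="model">Posted form: the OTP and whether to remember this computer as safe.</param>
        /// <returns>
        /// The same view with a failure message when the OTP does not verify (or no authenticator
        /// secret is on file for the session user); otherwise the result of <c>GoToDashboard</c>.
        /// </returns>
        public ActionResult Authenticator(OtpModel model)
        {
            ViewBag.IsOtpBySmsEnabled   = _configurationSettingRepository.GetConfigurationValue(ConfigurationSettingName.OtpNotificationMediumSms) == "True";
            ViewBag.IsOtpByEmailEnabled = _configurationSettingRepository.GetConfigurationValue(ConfigurationSettingName.OtpNotificationMediumEmail) == "True";
            ViewBag.IsOtpByAppEnabled   = _configurationSettingRepository.GetConfigurationValue(ConfigurationSettingName.OtpByGoogleAuthenticator) == "True";

            model.IsAllowSafeComputerEnabled = _configurationSettingRepository.GetConfigurationValue(ConfigurationSettingName.AllowSafeComputerRemember) == "True";
            if (!ModelState.IsValid)
            {
                return(View(model));
            }

            // The user being verified comes from the server-side session, never from the form.
            var userId        = (long)Session["UserId"];
            var loginSettings = _loginSettingRepository.Get(userId);

            // No settings row / no secret on file cannot pass this step: treat it as a failed
            // verification instead of dereferencing null (previously a NullReferenceException).
            var secretKey = loginSettings == null ? null : loginSettings.GoogleAuthenticatorSecretKey;
            // NOTE(review): the literal 50 is a tolerance handed straight to IsValid; its unit
            // (time steps or seconds) is not visible here. If it is time steps, the accepted
            // window is very wide — confirm against TimeBasedOneTimePassword.IsValid.
            // NOTE(review): nothing here slows down repeated OTP guesses; confirm rate limiting
            // exists elsewhere in the login flow.
            var isValid = !string.IsNullOrEmpty(secretKey) && TimeBasedOneTimePassword.IsValid(secretKey, model.Otp, 50);

            if (!isValid)
            {
                model.IsOtpVerified   = false;
                model.FeedbackMessage = FeedbackMessageModel.CreateFailureMessage("The OTP entered is wrong. Please try again.");
                return(View(model));
            }

            if (model.MarkAsSafe)
            {
                // Record this browser/IP as a safe computer for the user. One timestamp is taken
                // so DateCreated and DateModified never disagree.
                var now          = DateTime.Now;
                var browserName  = Request.Browser.Browser + " " + Request.Browser.Version;
                var requestingIp = Request.UserHostAddress;
                var safeComputer = new SafeComputerHistory()
                {
                    BrowserType = browserName, ComputerIp = requestingIp, DateCreated = now, DateModified = now, IsActive = true, UserLoginId = userId
                };
                _safeComputerHistoryService.Save(safeComputer);
            }

            return(GoToDashboard(userId));
        }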
        /// <summary>
        /// Asserts that the TOTP for <paramref name="sharedSecret"/> at <paramref name="seconds"/>
        /// past the Unix epoch (positional arguments 30 and 8 — presumably the step in seconds and
        /// the digit count) equals <paramref name="expected"/>, using both the MSTest and NUnit
        /// assertion APIs.
        /// </summary>
        private void Test(string sharedSecret, long seconds, string expected)
        {
            var epoch   = TimeBasedOneTimePassword.UNIX_EPOCH;
            var instant = epoch + TimeSpan.FromSeconds(seconds);
            var actual  = TimeBasedOneTimePassword.GetPassword(sharedSecret, instant, epoch, 30, 8);

            Microsoft.VisualStudio.TestTools.UnitTesting.Assert.AreEqual(expected, actual);
            NUnit.Framework.Assert.AreEqual(expected, actual);
        }
        //
        // POST: /Account/LogOn

        /// <summary>
        /// Async-controller worker for POST /Account/LogOn: checks the password and the two-factor
        /// code, then stores either the redirect target or the model errors in
        /// <c>AsyncManager.Parameters</c> for the completion method to act on.
        /// </summary>
        /// <param name="model">Posted credentials and two-factor code.</param>
        /// <param name="returnUrl">Optional post-login destination; only local paths are honored.</param>
        private void DoLogOn(LogOnModel model, string returnUrl)
        {
            try
            {
                string error = null;

                if (ModelState.IsValid)
                {
                    if (!Membership.ValidateUser(model.UserName, model.Password))
                    {
                        error = "The user name or password provided is incorrect.";
                    }
                    else
                    {
                        var profile   = TwoFactorProfile.GetByUserName(model.UserName);
                        var hasSecret = profile != null && !string.IsNullOrEmpty(profile.TwoFactorSecret);

                        if (hasSecret)
                        {
                            // Throttle second-factor guessing: with a known password, the whole
                            // code space (1,000,000 six-digit codes) could otherwise be tried
                            // within the code's validity window. Attempts within 1s of the
                            // previous one pay a 5s penalty.
                            // NOTE(review): the updated LastLoginAttemptUtc is not persisted in this
                            // method — confirm the profile is saved elsewhere, otherwise the
                            // throttle never engages.
                            var throttled = profile.LastLoginAttemptUtc.HasValue
                                         && profile.LastLoginAttemptUtc > DateTime.UtcNow - TimeSpan.FromSeconds(1);
                            if (throttled)
                            {
                                System.Threading.Thread.Sleep(5000);
                            }

                            profile.LastLoginAttemptUtc = DateTime.UtcNow;
                        }

                        // A missing profile/secret produces the same error as a wrong code, so the
                        // response does not reveal whether two-factor is set up for the account.
                        if (hasSecret && TimeBasedOneTimePassword.IsValid(profile.TwoFactorSecret, model.TwoFactorCode))
                        {
                            // Open-redirect guard: local, non-empty, single leading slash.
                            var localTarget = Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/") &&
                                              !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\");
                            if (localTarget)
                            {
                                AsyncManager.Parameters["returnUrl"] = returnUrl;
                            }
                            else
                            {
                                AsyncManager.Parameters["action"]     = "Index";
                                AsyncManager.Parameters["controller"] = "Home";
                            }
                        }
                        else
                        {
                            error = "The two factor code is incorrect.";
                        }
                    }
                }

                if (error != null)
                {
                    ModelState.AddModelError("", error);
                }

                AsyncManager.Parameters["model"] = model;
            }
            finally
            {
                // Always signal completion so the async action can finish even after an exception.
                AsyncManager.OutstandingOperations.Decrement();
            }
        }
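        /// <summary>
        /// The key-only <c>Generate</c> overload must produce the same code as an explicit
        /// <see cref="HMACSHA1"/>, i.e. HMAC-SHA1 is the default algorithm.
        /// </summary>
        public void Generate_DefaultsToHmacSha1Algorithm()
        {
            byte[] secretKey = new byte[] { 0 };

            // NOTE(review): both calls presumably use the current time; if they straddle a
            // time-step boundary the codes legitimately differ and the test flakes. Pinning
            // the instant would need an overload taking a DateTime for both calls.
            using (var hmac = new HMACSHA1())
            {
                string result1 = TimeBasedOneTimePassword.Generate(secretKey, hmac);
                string result2 = TimeBasedOneTimePassword.Generate(secretKey);

                Assert.AreEqual(result1, result2);
            }
        }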
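        /// <summary>
        /// GET handler for the first-login / security setup page (PIN and second-factor medium).
        /// </summary>
        /// <returns>
        /// A redirect to Index when there is no user session; <c>null</c> after redirecting to the
        /// role switch when setup is not needed; otherwise the setup view.
        /// </returns>
        public ActionResult Setup()
        {
            //to do : if user pastes the url then move him to dashboard based on condition if the entry is present in the database
            if (_sessionContext.UserSession == null)
            {
                return(RedirectToAction("Index"));
            }

            var userSession   = _sessionContext.UserSession;
            var orgRole       = userSession.CurrentOrganizationRole;
            var loginSettings = _loginSettingRepository.Get(userSession.UserId);

            // Flags handed over through TempData by the previous action. All of them are read
            // defensively: unboxing a missing (null) entry with (bool) throws, so missing == false.
            var isOnGlobalSettingChange = TempDataFlagIsSet(TempData["IsOnGlobalSettingChange"]);
            var pinOnly                 = TempDataFlagIsSet(TempData["setPinOnly"]);

            var setupNotNeeded = loginSettings != null && loginSettings.IsFirstLogin == false && !isOnGlobalSettingChange && !pinOnly;
            if (setupNotNeeded)
            {
                Response.RedirectUser("/Users/Role/Switch?roleId=" + orgRole.RoleId + "&organizationId=" + orgRole.OrganizationId);
                return(null);
            }

            // Previously read as (bool)TempData["IsTwoFactorAuthrequired"], which threw a
            // NullReferenceException whenever the flag was never set (e.g. the URL was pasted
            // directly). Missing now means "not required", consistent with the other flags.
            var isTwoFactorAuthRequired = TempDataFlagIsSet(TempData["IsTwoFactorAuthrequired"]);

            // A fresh secret is generated on every visit; the raw value is parked in TempData
            // for the POST that persists it, the view only receives the encoded form.
            string encodedSecret;
            var secret = TimeBasedOneTimePassword.GenerateSecret(out encodedSecret);
            TempData["EncodedSecret"] = secret;

            // NOTE(review): role is not null-checked before role.IsPinRequired below.
            var role  = _roleRepository.GetByRoleId(orgRole.RoleId);
            var model = new SetupViewModel()
            {
                EncodedSecret = encodedSecret,
                IsPinRequired = role.IsPinRequired,
                UserLoginId   = orgRole.UserId
            };

            if (isTwoFactorAuthRequired)
            {
                model.IsOtpBySmsEnabled   = _configurationSettingRepository.GetConfigurationValue(ConfigurationSettingName.OtpNotificationMediumSms) == "True";
                model.IsOtpByEmailEnabled = _configurationSettingRepository.GetConfigurationValue(ConfigurationSettingName.OtpNotificationMediumEmail) == "True";
                model.IsOtpByAppEnabled   = _configurationSettingRepository.GetConfigurationValue(ConfigurationSettingName.OtpByGoogleAuthenticator) == "True";
            }
            // "Set PIN only" mode hides every second-factor medium regardless of configuration.
            if (pinOnly)
            {
                model.IsOtpBySmsEnabled   = false;
                model.IsOtpByEmailEnabled = false;
                model.IsOtpByAppEnabled   = false;
            }
            // Keep the flags alive for the POST round-trip (TempData entries are otherwise
            // dropped once read).
            TempData.Keep("setPinOnly");
            TempData.Keep("IsTwoFactorAuthrequired");
            TempData.Keep("IsOnGlobalSettingChange");
            return(View(model));
        }

        /// <summary>
        /// Interprets a TempData entry as a boolean flag; a missing (null) entry counts as false.
        /// </summary>
        /// <param name="tempDataValue">Value read from the TempData indexer (a boxed bool or null).</param>
        /// <returns>True only when the entry is present and true.</returns>
        private static bool TempDataFlagIsSet(object tempDataValue)
        {
            return tempDataValue != null && (bool)tempDataValue;
        }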
        /// <summary>
        /// POST /Account/LogOn: validates the password and the two-factor code, issues the forms
        /// authentication cookie and redirects; otherwise re-renders the form with model errors.
        /// </summary>
        /// <param name="model">Posted user name, password, two-factor code and remember-me flag.</param>
        /// <param name="returnUrl">Optional post-login destination; only local paths are honored.</param>
        /// <returns>A redirect on success, otherwise the log-on view.</returns>
        public ActionResult LogOn(LogOnModel model, string returnUrl)
        {
            if (ModelState.IsValid)
            {
                if (!Membership.ValidateUser(model.UserName, model.Password))
                {
                    ModelState.AddModelError("", "The user name or password provided is incorrect.");
                }
                else
                {
                    var profile = TwoFactorProfile.GetByUserName(model.UserName);
                    var secret  = profile == null ? null : profile.TwoFactorSecret;

                    // An account without a secret gets the same error as a wrong code, so the
                    // response does not reveal whether two-factor is configured.
                    // NOTE(review): nothing here slows down repeated two-factor guesses after a
                    // correct password — confirm throttling happens elsewhere.
                    if (!string.IsNullOrEmpty(secret) && TimeBasedOneTimePassword.IsValid(secret, model.TwoFactorCode))
                    {
                        FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

                        // Open-redirect guard: local, non-empty, single leading slash.
                        var localTarget = Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/") &&
                                          !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\");
                        return(localTarget ? Redirect(returnUrl) : (ActionResult)RedirectToAction("Index", "Home"));
                    }

                    ModelState.AddModelError("", "The two factor code is incorrect.");
                }
            }

            // If we got this far, something failed, redisplay form
            return(View(model));
        } // end LogOn
        /// <summary>
        /// Console smoke test: prints HOTP codes for counters 0..9 and TOTP codes at the RFC 6238
        /// test instants for the sample key "12345678901234567890", then checks one interactively
        /// entered code against a demo secret.
        /// </summary>
        static void Main(string[] args)
        {
            // HOTP (counter-based) codes for counters 0..9 of the sample key.
            for (int i = 0; i < 10; i++)
            {
                Console.WriteLine(HashedOneTimePassword.GeneratePassword("12345678901234567890", i));
            }

            // Seconds since the Unix epoch used by the RFC 6238 test vectors; 30s step, 8 digits.
            long[] seconds = new long[] { 59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000 };

            foreach (var second in seconds)
            {
                Console.WriteLine(TimeBasedOneTimePassword.GetPassword("12345678901234567890", TimeBasedOneTimePassword.UNIX_EPOCH + TimeSpan.FromSeconds(second), TimeBasedOneTimePassword.UNIX_EPOCH, 30, 8));
            }

            // Base32 form of the demo secret (presumably what an authenticator app would be given).
            Base32Encoder enc = new Base32Encoder();

            string secret = enc.Encode(Encoding.ASCII.GetBytes("1234567890"));

            Console.WriteLine(secret);

            // NOTE(review): this line is mangled in the listing — the prompt, the read of
            // `password` and the IsValid("1234567890", password) call appear to have been
            // collapsed/redacted. Restore from the original source before building.
            Console.WriteLine("Enter your password: "******"1234567890", password))
            {
                Console.WriteLine("Success!");
            }
            else
            {
                Console.WriteLine("ERROR!");
            }

            // Everything below this return is unreachable (a leftover "print a code every 10s" loop).
            return;

            while (true)
            {
                Console.WriteLine(TimeBasedOneTimePassword.GetPassword("1234567890"));
                System.Threading.Thread.Sleep(TimeSpan.FromSeconds(10));
            }
        }
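        /// <summary>
        /// Checks <c>Generate</c> against 8-digit TOTP test vectors for the ASCII key
        /// "12345678901234567890" at five instants, for HMAC-SHA1, -SHA256 and -SHA512.
        /// </summary>
        /// <remarks>
        /// NOTE(review): the HMAC-SHA1 rows match RFC 6238 Appendix B. The RFC's SHA256/SHA512
        /// vectors use longer (32/64-byte) keys, whereas these rows reuse the 20-byte key, so the
        /// SHA256/SHA512 expected values are project-specific — confirm their provenance.
        /// </remarks>
        public void Generate_YieldsExpectedResults()
        {
            //Values taken from RFC specification

            byte[] secret = Encoding.ASCII.GetBytes("12345678901234567890");

            //Item1 is the datetime to generate password for
            //Item2 is the expected result
            //item3 is the hmac algorithm to use.
            // NOTE(review): these DateTimes are Kind=Unspecified; the vectors are defined in UTC,
            // so Generate must not route them through local time — confirm.
            List <Tuple <DateTime, string, HMAC> > testValues = new List <Tuple <DateTime, string, HMAC> >()
            {
                new Tuple <DateTime, string, HMAC>(new DateTime(1970, 1, 1, 0, 0, 59), "94287082", new HMACSHA1()),
                new Tuple <DateTime, string, HMAC>(new DateTime(1970, 1, 1, 0, 0, 59), "32247374", new HMACSHA256()),
                new Tuple <DateTime, string, HMAC>(new DateTime(1970, 1, 1, 0, 0, 59), "69342147", new HMACSHA512()),

                new Tuple <DateTime, string, HMAC>(new DateTime(2005, 3, 18, 1, 58, 29), "07081804", new HMACSHA1()),
                new Tuple <DateTime, string, HMAC>(new DateTime(2005, 3, 18, 1, 58, 29), "34756375", new HMACSHA256()),
                new Tuple <DateTime, string, HMAC>(new DateTime(2005, 3, 18, 1, 58, 29), "63049338", new HMACSHA512()),

                new Tuple <DateTime, string, HMAC>(new DateTime(2005, 3, 18, 1, 58, 31), "14050471", new HMACSHA1()),
                new Tuple <DateTime, string, HMAC>(new DateTime(2005, 3, 18, 1, 58, 31), "74584430", new HMACSHA256()),
                new Tuple <DateTime, string, HMAC>(new DateTime(2005, 3, 18, 1, 58, 31), "54380122", new HMACSHA512()),

                new Tuple <DateTime, string, HMAC>(new DateTime(2009, 2, 13, 23, 31, 30), "89005924", new HMACSHA1()),
                new Tuple <DateTime, string, HMAC>(new DateTime(2009, 2, 13, 23, 31, 30), "42829826", new HMACSHA256()),
                new Tuple <DateTime, string, HMAC>(new DateTime(2009, 2, 13, 23, 31, 30), "76671578", new HMACSHA512()),

                new Tuple <DateTime, string, HMAC>(new DateTime(2033, 5, 18, 3, 33, 20), "69279037", new HMACSHA1()),
                new Tuple <DateTime, string, HMAC>(new DateTime(2033, 5, 18, 3, 33, 20), "78428693", new HMACSHA256()),
                new Tuple <DateTime, string, HMAC>(new DateTime(2033, 5, 18, 3, 33, 20), "56464532", new HMACSHA512())
            };

            foreach (var testValue in testValues)
            {
                // HMAC instances hold key material and are IDisposable; release each once used.
                using (testValue.Item3)
                {
                    string result = TimeBasedOneTimePassword.Generate(secret, testValue.Item3, testValue.Item1, TimeSpan.Zero, TimeBasedOneTimePassword.DEFAULT_TIME_STEP, OneTimePasswordLength.EightDigits);

                    // Expected value first so a failure message reads correctly; Item2 is already a string.
                    Assert.AreEqual(testValue.Item2, result);
                }
            }
        }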
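        /// <summary>
        /// GET handler that prepares the authenticator enrollment view for <paramref name="userId"/>:
        /// reuses the stored secret when there is one, otherwise generates a new one. The raw secret
        /// is kept in <c>Session["EncodedSecret"]</c>; the view receives only the encoded form.
        /// </summary>
        /// <param name="userId">User whose secret is shown; must be the session user.</param>
        /// <returns>
        /// The view, with <c>ViewBag.EncodedSecret</c> set only for the session's own user when a
        /// login-settings row exists.
        /// </returns>
        public ActionResult GetQrCode(long userId)
        {
            // Ownership check: userId comes from the request. Without it any signed-in user could
            // fetch another user's TOTP secret, which is enough to mint that user's second-factor
            // codes. The identity comes from the server-side session, as in Authenticator.
            // NOTE(review): relies on Session["UserId"] being set by the login flow before this
            // action is reached — confirm. If it is not, the view renders without a secret (fails closed).
            var sessionUserId = Session["UserId"] as long?;
            if (sessionUserId == null || sessionUserId.Value != userId)
            {
                return(View());
            }

            var loginSettings = _loginSettingRepository.Get(userId);
            if (loginSettings == null)
            {
                return(View());
            }

            var secret = loginSettings.GoogleAuthenticatorSecretKey;
            if (string.IsNullOrEmpty(secret))
            {
                string encoded;
                secret = TimeBasedOneTimePassword.GenerateSecret(out encoded);
                ViewBag.EncodedSecret = encoded;
            }
            else
            {
                ViewBag.EncodedSecret = TimeBasedOneTimePassword.EncodeSecret(secret);
            }
            // Stored once (the original assigned it three times), presumably for the POST that persists it.
            Session["EncodedSecret"] = secret;

            return(View());
        }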
        /// <summary>Without an explicit length, <c>Generate</c> yields a 6-digit code.</summary>
        public void Generate_DefaultsToSixDigitCode()
        {
            var key  = new byte[] { 0 };
            var code = TimeBasedOneTimePassword.Generate(key);

            Assert.AreEqual(6, code.Length);
        }
 /// <summary>
 /// <c>Generate</c> must reject a non-positive time step (presumably an expected-exception
 /// test; the attribute is not visible in this listing).
 /// </summary>
 /// <remarks>NOTE(review): the name says "negative" but the argument is a zero time step.</remarks>
 public void Generate_NegativeTimeStepThrowsException()
 {
     var key      = new byte[] { 0 };
     var hmac     = new HMACSHA1();
     var zeroStep = TimeSpan.FromSeconds(0);
     TimeBasedOneTimePassword.Generate(key, hmac, zeroStep, OneTimePasswordLength.SixDigits);
 }
 /// <summary>
 /// <c>Generate</c> must reject a length value that is not a defined
 /// <c>OneTimePasswordLength</c> member (the literal 0 here; presumably an expected-exception
 /// test whose attribute is not visible in this listing).
 /// </summary>
 public void Generate_UndefinedHOTPLengthThrowsException()
 {
     var key  = new byte[] { 0 };
     var hmac = new HMACSHA1();
     TimeBasedOneTimePassword.Generate(key, hmac, 0);
 }
 /// <summary>
 /// <c>Generate</c> must reject an empty secret key (presumably an expected-exception test;
 /// the attribute is not visible in this listing).
 /// </summary>
 public void Generate_EmptySecretKeyThrowsException()
 {
     var emptyKey = new byte[0];
     var hmac     = new HMACSHA1();
     TimeBasedOneTimePassword.Generate(emptyKey, hmac);
 }
 /// <summary>
 /// <c>Generate</c> must reject a null secret key (presumably an expected-exception test;
 /// the attribute is not visible in this listing).
 /// </summary>
 public void Generate_NullSecretKeyThrowsException()
 {
     byte[] noKey = null;
     var    hmac  = new HMACSHA1();
     TimeBasedOneTimePassword.Generate(noKey, hmac);
 }
 /// <summary>
 /// <c>Generate</c> must reject a null HMAC instance (presumably an expected-exception test;
 /// the attribute is not visible in this listing).
 /// </summary>
 public void Generate_NullHmacThrowsException()
 {
     var  key    = new byte[] { 0 };
     HMAC noHmac = null;
     TimeBasedOneTimePassword.Generate(key, noHmac);
 }
        /// <summary>Requesting <c>OneTimePasswordLength.EightDigits</c> yields an 8-character code.</summary>
        public void Generate_CanGenerateEightDigitCodes()
        {
            var key  = new byte[] { 0 };
            var hmac = new HMACSHA1();
            var code = TimeBasedOneTimePassword.Generate(key, hmac, OneTimePasswordLength.EightDigits);

            Assert.AreEqual(8, code.Length);
        }
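        /// <summary>
        /// POST handler that saves the signed-in user's profile, login settings (download PIN,
        /// authentication mode and authenticator secret) and, for technicians, the technician PIN.
        /// </summary>
        /// <param name="profileEditModel">Posted profile form; <c>Id</c> must be the session user's id.</param>
        /// <returns>
        /// The edit view with a success or failure message; <c>null</c> after redirecting to
        /// /Home/UnauthorizeAccess when the posted id is not the session user's.
        /// </returns>
        public ActionResult Edit(ProfileEditModel profileEditModel)
        {
            try
            {
                // Ownership check mirroring the GET: the posted Id is caller-controlled, and
                // without this any signed-in user could overwrite another user's profile, PIN
                // and authenticator secret.
                var orgRole = _sessionContext.UserSession.CurrentOrganizationRole;
                if (orgRole.UserId != profileEditModel.Id)
                {
                    Response.RedirectUser("/Home/UnauthorizeAccess");
                    return(null);
                }

                if (ModelState.IsValid)
                {
                    _userProfileService.SaveProfile(profileEditModel);

                    if (profileEditModel.IsOtpByAppEnabled || profileEditModel.IsOtpByEmailEnabled || profileEditModel.IsOtpBySmsEnabled || profileEditModel.IsPinRequiredForRole)
                    {
                        ApplyLoginSettingsFromProfile(profileEditModel);
                    }

                    if (orgRole.RoleId == (long)Roles.Technician)
                    {
                        ApplyTechnicianPin(profileEditModel.TechnicianPin);
                    }

                    // Reload so the view reflects what was persisted rather than the posted values.
                    profileEditModel = _userProfileService.GetProfileEditModel(profileEditModel.Id);

                    profileEditModel.FeedbackMessage = FeedbackMessageModel.CreateSuccessMessage("Profile Updated Successfully.");
                    return(View(profileEditModel));
                }

                // Validation failed: re-encode the pending secret for the view and keep it for the next POST.
                var secret = (string)TempData["EncodedSecret"];
                profileEditModel.EncodedSecret = TimeBasedOneTimePassword.EncodeSecret(secret);
                TempData.Keep("EncodedSecret");
                return(View(profileEditModel));
            }
            catch (Exception ex)
            {
                // NOTE(review): ex.Message (e.g. a database error) is shown verbatim to the user;
                // prefer logging the exception and rendering a generic message.
                profileEditModel.FeedbackMessage = FeedbackMessageModel.CreateFailureMessage(ex.Message);
                return(View(profileEditModel));
            }
        }

        /// <summary>
        /// Creates or updates the user's LoginSettings row from the posted profile: download PIN,
        /// authentication mode and (authenticator mode only) the secret parked in TempData by the GET.
        /// </summary>
        /// <param name="profileEditModel">Validated profile form for the session user.</param>
        private void ApplyLoginSettingsFromProfile(ProfileEditModel profileEditModel)
        {
            var loginSettings = _loginSettingRepository.Get(profileEditModel.Id) ?? new LoginSettings {
                UserLoginId = profileEditModel.Id
            };

            // Keep the stored PIN when the role needs one but the form left it blank; clear it otherwise.
            loginSettings.DownloadFilePin = profileEditModel.IsPinRequiredForRole
                ? (string.IsNullOrEmpty(profileEditModel.DownloadFilePin) ? loginSettings.DownloadFilePin : profileEditModel.DownloadFilePin)
                : null;

            if (profileEditModel.UseAuthenticator)
            {
                loginSettings.AuthenticationModeId = (long)AuthenticationMode.AuthenticatorApp;
                // NOTE(review): if TempData expired between GET and POST this stores null, leaving
                // the account in authenticator mode with no secret — consider rejecting that case.
                loginSettings.GoogleAuthenticatorSecretKey = (string)TempData["EncodedSecret"];
            }
            else
            {
                loginSettings.GoogleAuthenticatorSecretKey = null;
                loginSettings.AuthenticationModeId = profileEditModel.UseSms && profileEditModel.UseEmail
                    ? (long)AuthenticationMode.BothSmsEmail
                    : (profileEditModel.UseSms ? (long)AuthenticationMode.Sms : (long)AuthenticationMode.Email);
            }
            _loginSettingRepository.Save(loginSettings);
        }

        /// <summary>
        /// Stores the session technician's PIN, creating a minimal Technician record when none exists.
        /// </summary>
        /// <param name="pin">PIN posted with the profile form.</param>
        private void ApplyTechnicianPin(string pin)
        {
            var technicianUserId  = _sessionContext.UserSession.CurrentOrganizationRole.OrganizationRoleUserId;
            var technicianProfile = _technicianRepository.GetTechnician(technicianUserId);
            if (technicianProfile != null)
            {
                technicianProfile.Pin = pin;
            }
            else
            {
                technicianProfile = new Technician
                {
                    TechnicianId  = technicianUserId,
                    CanDoPreAudit = false,
                    IsTeamLead    = false,
                    Pin           = pin
                };
            }
            // Explicit cast so the generic IRepository<Technician>.Save overload is the one used.
            var repository = ((IRepository <Technician>)_technicianRepository);
            repository.Save(technicianProfile);
        }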
        /// <summary>
        /// Asserts that the TOTP for <paramref name="sharedSecret"/> at <paramref name="seconds"/>
        /// past the Unix epoch (positional arguments 30 and 8 — presumably the step in seconds and
        /// the digit count) equals <paramref name="expected"/>.
        /// </summary>
        private void Test(string sharedSecret, long seconds, string expected)
        {
            var epoch   = TimeBasedOneTimePassword.UNIX_EPOCH;
            var instant = epoch + TimeSpan.FromSeconds(seconds);
            var actual  = TimeBasedOneTimePassword.GetPassword(sharedSecret, instant, epoch, 30, 8);

            Assert.AreEqual(expected, actual);
        }
        // <summary> Check if the username and password are the same as in the database </summary>
        public void Login()
        {
            // Outcome is reported through the model's flags: Done (cookie issued), ErrorCode
            // (password accepted, two-factor code rejected) and Error (database failure — but see
            // the unconditional assignment at the end of this method).
            // Run model through sql injection prevention
            // NOTE(review): the query below is parameterized, so this escaping is redundant for SQL;
            // it presumably also alters the value used for the lookup and stored in the cookie — confirm.
            var username      = SqlInjection.SafeSqlLiteral(StringManipulation.ToLowerFast(Username));
            var savedPassword = String.Empty;
            var savedSalt     = String.Empty;
            var savedId       = String.Empty;
            var code          = String.Empty;   // the user's two-factor secret (Secret column)

            // MySql query
            const string result = "SELECT Id, Password, Salt, Owner, Secret, Tfa " +
                                  "FROM users " +
                                  "WHERE Username = ?";

            using (var empConnection = DatabaseConnection.DatabaseConnect())
            {
                using (var showResult = new MySqlCommand(result, empConnection))
                {
                    // Bind parameters
                    // NOTE(review): a named parameter is bound to a positional '?' placeholder — this
                    // relies on the connector's positional binding mode; confirm.
                    showResult.Parameters.Add("Username", MySqlDbType.VarChar).Value = username;

                    try
                    {
                        DatabaseConnection.DatabaseOpen(empConnection);
                        // Execute command
                        using (var myDataReader = showResult.ExecuteReader(CommandBehavior.CloseConnection))
                        {
                            // If several rows match, the last one wins; presumably Username is unique.
                            while (myDataReader.Read())
                            {
                                savedId          = myDataReader.GetValue(0).ToString();
                                savedPassword    = myDataReader.GetString(1);
                                savedSalt        = myDataReader.GetString(2);
                                Owner            = Convert.ToInt16(myDataReader.GetValue(3));
                                code             = myDataReader.GetString(4);
                                TwoFactorEnabled = Convert.ToInt16(myDataReader.GetValue(5));
                            }
                        }

                        // Hash the password and check if the hash is the same as the saved password
                        // NOTE(review): when no row matched this still runs against empty password/salt;
                        // whether that fails in constant time depends on Crypt.ValidatePassword.
                        if (Crypt.ValidatePassword(Password, savedPassword, savedSalt))
                        {
                            // NOTE(review): the two-factor branch is taken when TwoFactorEnabled == 0
                            // (and plugin "1" is active); verify the Tfa column's encoding — this reads inverted.
                            if (TwoFactorEnabled == 0 && PluginModel.PluginStatus("1"))
                            {
                                if (TimeBasedOneTimePassword.IsValid(code, TwoFactorCode))
                                {
                                    Cookies.MakeCookie(username, savedId, Owner.ToString(CultureInfo.InvariantCulture));
                                    Done = true;
                                }
                                else
                                {
                                    // Password was right, code was not.
                                    ErrorCode = true;
                                }
                            }
                            else
                            {
                                // Password alone suffices when two-factor is not in play.
                                Cookies.MakeCookie(username, savedId, Owner.ToString(CultureInfo.InvariantCulture));
                                Done = true;
                            }
                        }
                    }
                    catch (MySqlException)
                    {
                        // MySqlException bail out
                        Error = true;
                    }
                    finally
                    {
                        // Always close the connection
                        DatabaseConnection.DatabaseClose(empConnection);
                    }
                }
            }
            // NOTE(review): reached on every path, including a successful login (Done == true), so
            // Error is always true after this call and callers must check Done first. Presumably
            // intended for the "no matching user" case only — confirm.
            Error = true;
        }