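public static string MakeResetRequest(string userId, string token)
{
    // Creates a password-reset record for userId and returns the opaque resetId
    // the caller hands to the user (e.g. in a reset link). The stored userId is
    // encrypted with `token` via FooCryptHelper.Encrypt, so the row alone does not
    // reveal which account it belongs to; the same token must be supplied to
    // GetAccountForReset to recover it. Returns null on any failure (the exception
    // is written to FooLogging).
    //
    // SECURITY NOTE(review): resetId is the only secret that authorises the reset.
    // FooStringHelper.RandomString must be backed by a CSPRNG (e.g.
    // RNGCryptoServiceProvider), not System.Random — confirm in the helper.
    try
    {
        string resetId = FooStringHelper.RandomString(16);
        using (var conn = new NpgsqlConnection())
        {
            // App-DB connection.
            conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
            conn.Open();
            // `using` so the command is disposed even when ExecuteNonQuery throws
            // (previously Dispose() was only reached on the success path).
            using (var cmd = new NpgsqlCommand
            {
                CommandText = "INSERT INTO Resets (resetId, userId, resetTime) VALUES (@RESETID, @USERID, @RESETTIME);",
                CommandType = CommandType.Text,
                Connection = conn
            })
            {
                cmd.Parameters.Add(new NpgsqlParameter
                {
                    ParameterName = "@RESETID",
                    NpgsqlDbType = NpgsqlDbType.Varchar,
                    Direction = ParameterDirection.Input,
                    Value = resetId
                });
                cmd.Parameters.Add(new NpgsqlParameter
                {
                    ParameterName = "@USERID",
                    NpgsqlDbType = NpgsqlDbType.Varchar,
                    Direction = ParameterDirection.Input,
                    Value = FooCryptHelper.Encrypt(userId, token)
                });
                // NOTE(review): DateTime.Now is local time. If resetTime is ever used
                // to expire resets, store and compare UTC (DateTime.UtcNow) instead;
                // nothing visible here reads resetTime back yet.
                cmd.Parameters.Add(new NpgsqlParameter
                {
                    ParameterName = "@RESETTIME",
                    NpgsqlDbType = NpgsqlDbType.Timestamp,
                    Direction = ParameterDirection.Input,
                    Value = DateTime.Now
                });
                cmd.ExecuteNonQuery();
            }
            return resetId;
        }
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        return null;
    }
}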
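public static bool DoLogin(string username, string pass)
{
    // Returns true when a users row with this username exists and its stored
    // passwordhash equals FooCryptHelper.CreateShaHash(pass). If several rows share
    // the username, the last one read wins (unchanged from the original). Any
    // exception is logged via FooLogging and reported as a failed login.
    //
    // SECURITY NOTE(review): CreateShaHash is used identically at registration,
    // password update and in the hash-tool page, which suggests a plain, unsalted
    // digest. Passwords should be stored with a slow, salted KDF (PBKDF2/bcrypt/
    // Argon2); changing that requires re-hashing stored values at next login, so it
    // is not done here. There is also no lockout or rate limiting in this layer.
    try
    {
        using (var conn = new NpgsqlConnection())
        {
            // App-DB connection.
            conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
            conn.Open();
            string storedHash = string.Empty;
            using (var cmd = new NpgsqlCommand
            {
                CommandText = "SELECT passwordhash FROM users WHERE username= @USERNAME",
                CommandType = CommandType.Text,
                Connection = conn
            })
            {
                cmd.Parameters.Add(new NpgsqlParameter
                {
                    ParameterName = "@USERNAME",
                    NpgsqlDbType = NpgsqlDbType.Varchar,
                    Size = 32,
                    Direction = ParameterDirection.Input,
                    Value = username
                });
                // Reader in `using` so it is closed even if Read() throws.
                using (NpgsqlDataReader dr = cmd.ExecuteReader())
                {
                    while (dr.Read())
                    {
                        storedHash = dr["passwordhash"].ToString();
                    }
                }
            }
            // Hash unconditionally: the original skipped hashing for unknown
            // usernames, which makes "user exists" observable from response time.
            string presentedHash = FooCryptHelper.CreateShaHash(pass);
            if (string.IsNullOrEmpty(storedHash))
            {
                return false;
            }
            // Fixed-time comparison instead of string ==, so a mismatch position
            // does not leak through timing.
            return HashesMatchFixedTime(presentedHash, storedHash);
        }
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        return false;
    }
}

// Ordinal string equality whose running time does not depend on where the first
// differing character is. Returns false if either side is null. Equivalent to
// `a == b` for non-null strings.
private static bool HashesMatchFixedTime(string expected, string actual)
{
    if (expected == null || actual == null)
    {
        return false;
    }
    int diff = expected.Length ^ actual.Length;
    int len = Math.Min(expected.Length, actual.Length);
    for (int i = 0; i < len; i++)
    {
        diff |= expected[i] ^ actual[i];
    }
    return diff == 0;
}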
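public static bool UpdatePassword(string id, string pass)
{
    // Replaces the passwordhash of the Users row whose userid equals `id` with
    // FooCryptHelper.CreateShaHash(pass). Returns true only when a row was
    // actually updated; the original returned true even when no user matched,
    // which let a reset flow report success without changing anything.
    // Exceptions are logged via FooLogging and reported as false.
    //
    // SECURITY NOTE(review): CreateShaHash appears to be an unsalted digest (see
    // DoLogin); this is the place a salted KDF would be introduced.
    try
    {
        using (var conn = new NpgsqlConnection())
        {
            // App-DB connection.
            conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
            conn.Open();
            // Plain single-column SET: the parenthesised form
            // `SET (passwordhash) = (@PASSWORDHASH)` is the multi-column row syntax,
            // which newer PostgreSQL releases are reported to reject for a single
            // parenthesised expression; the plain form is valid on every release.
            using (var cmd = new NpgsqlCommand
            {
                CommandText = "UPDATE Users SET passwordhash = @PASSWORDHASH WHERE userid= @USERID;",
                CommandType = CommandType.Text,
                Connection = conn
            })
            {
                cmd.Parameters.Add(new NpgsqlParameter
                {
                    ParameterName = "@USERID",
                    NpgsqlDbType = NpgsqlDbType.Varchar,
                    Size = 16,
                    Direction = ParameterDirection.Input,
                    Value = id
                });
                cmd.Parameters.Add(new NpgsqlParameter
                {
                    ParameterName = "@PASSWORDHASH",
                    NpgsqlDbType = NpgsqlDbType.Varchar,
                    Direction = ParameterDirection.Input,
                    Value = FooCryptHelper.CreateShaHash(pass)
                });
                int rowsAffected = cmd.ExecuteNonQuery();
                return rowsAffected > 0;
            }
        }
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        return false;
    }
}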
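public static string GetAccountForReset(string resetId, string token)
{
    // Looks up the resets row for resetId and returns its userid decrypted with
    // `token` (the counterpart of MakeResetRequest's Encrypt). Returns null when
    // no row matches or on any exception (logged via FooLogging); a token that
    // does not match the one used at creation is expected to make Decrypt fail
    // and therefore also yields null via the catch.
    //
    // SECURITY NOTE(review): the lookup is by resetId alone. resetTime (written by
    // MakeResetRequest) is never checked and the row is never deleted, so a reset
    // link neither expires nor is single-use. Add an age bound on resetTime and
    // delete the row once the password has been changed — confirm desired window.
    try
    {
        using (var conn = new NpgsqlConnection())
        {
            // App-DB connection.
            conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
            conn.Open();
            string encryptedUserId = String.Empty;
            using (var cmd = new NpgsqlCommand
            {
                CommandText = "SELECT userid FROM resets WHERE resetid= @RESETID",
                CommandType = CommandType.Text,
                Connection = conn
            })
            {
                cmd.Parameters.Add(new NpgsqlParameter
                {
                    ParameterName = "@RESETID",
                    NpgsqlDbType = NpgsqlDbType.Varchar,
                    Size = 16,
                    Direction = ParameterDirection.Input,
                    Value = resetId
                });
                // Reader in `using` so it is closed even if Read() throws.
                using (NpgsqlDataReader dr = cmd.ExecuteReader())
                {
                    while (dr.Read())
                    {
                        encryptedUserId = dr["userid"].ToString();
                    }
                }
            }
            if (String.IsNullOrEmpty(encryptedUserId))
            {
                return null;
            }
            return FooCryptHelper.Decrypt(encryptedUserId, token);
        }
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        return null;
    }
}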
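public static string SetToken(HttpContext context)
{
    // Issues a fresh CSRF token (double-submit cookie pattern): a random 24-char
    // value from FooStringHelper.RandomString is returned for the caller to embed
    // in the form, and a FooCryptHelper.MachineEncrypt-ed copy is set as a cookie
    // scoped to the forms-auth path. IsValidRequest later decrypts the cookie and
    // compares it with the submitted form value.
    string value = FooStringHelper.RandomString(24);
    string encryptedValue = FooCryptHelper.MachineEncrypt(value);
    string cookieName = ConfigurationManager.AppSettings["CSRF Cookie Name"];
    var ck = new HttpCookie(cookieName, encryptedValue)
    {
        Path = FormsAuthentication.FormsCookiePath,
        // HttpOnly: client script never needs this cookie — the form receives the
        // plaintext `value` from the return and the cookie holds only ciphertext
        // that just the server can decrypt — so keep it out of document.cookie.
        HttpOnly = true,
        // Secure when the request came over TLS so the token is not replayed on a
        // cleartext request; conditional so plain-HTTP dev/test setups keep working.
        Secure = context.Request.IsSecureConnection
    };
    context.Response.Cookies.Add(ck);
    return value;
}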
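public static bool IsValidRequest(HttpContext context, string formValue)
{
    // Validates the double-submit CSRF token: the cookie set by SetToken is
    // decrypted (FooCryptHelper.MachineDecrypt) and must equal formValue. Both
    // sides must pass FooStringHelper.IsValidAlphanumeric(x, 24) first, so a
    // missing cookie, a tampered cookie or a malformed form value all fail closed.
    string cookieName = ConfigurationManager.AppSettings["CSRF Cookie Name"];
    HttpCookie httpCookie = context.Request.Cookies[cookieName];
    if (httpCookie == null)
    {
        return false;
    }
    string userToken = FooCryptHelper.MachineDecrypt(httpCookie.Value);
    if (!FooStringHelper.IsValidAlphanumeric(userToken, 24) || !FooStringHelper.IsValidAlphanumeric(formValue, 24))
    {
        return false;
    }
    // Fixed-time comparison rather than string ==, so the position of the first
    // mismatching character is not observable through timing.
    return TokensMatchFixedTime(userToken, formValue);
}

// Ordinal string equality whose running time does not depend on where the first
// differing character is. Returns false if either side is null. Equivalent to
// `a == b` for non-null strings.
private static bool TokensMatchFixedTime(string expected, string actual)
{
    if (expected == null || actual == null)
    {
        return false;
    }
    int diff = expected.Length ^ actual.Length;
    int len = Math.Min(expected.Length, actual.Length);
    for (int i = 0; i < len; i++)
    {
        diff |= expected[i] ^ actual[i];
    }
    return diff == 0;
}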
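public static bool RegisterNewUser(string id, string alias, string email, string address, string city, string country, string username, string pass, string groupId)
{
    // Inserts a Users row from the supplied fields, storing
    // FooCryptHelper.CreateShaHash(pass) as passwordHash and the fixed
    // 'profile_default.jpg' as profileimg. Returns true on success; any exception
    // (duplicate username, constraint violation, connection failure, ...) is
    // logged via FooLogging and reported as false.
    //
    // SECURITY NOTE(review): groupId and id are taken from the caller unchecked.
    // If this is reachable from self-registration, the caller must force the
    // group (never let the client pick e.g. an admin group) — confirm at the
    // call sites. The Size values below are declared parameter sizes; do length
    // validation of user input before this layer rather than relying on them.
    try
    {
        using (var conn = new NpgsqlConnection())
        {
            // App-DB connection.
            conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
            conn.Open();
            // `using` so the command is disposed even when ExecuteNonQuery throws
            // (previously Dispose() was only reached on the success path).
            using (var cmd = new NpgsqlCommand
            {
                CommandText = "INSERT INTO Users (userId, userName, userAlias, passwordHash, groupId, email, address, city, country, profileimg) VALUES (@USERID, @USERNAME, @USERALIAS, @PASSWORDHASH, @GROUPID, @EMAIL, @ADDRESS, @CITY, @COUNTRY, 'profile_default.jpg');",
                CommandType = CommandType.Text,
                Connection = conn
            })
            {
                // NpgsqlParameter(name, type, size) defaults Direction to Input,
                // matching the explicit Direction = Input of the original.
                cmd.Parameters.Add(new NpgsqlParameter("@USERID", NpgsqlDbType.Varchar, 16) { Value = id });
                cmd.Parameters.Add(new NpgsqlParameter("@USERNAME", NpgsqlDbType.Varchar, 32) { Value = username });
                cmd.Parameters.Add(new NpgsqlParameter("@USERALIAS", NpgsqlDbType.Varchar, 32) { Value = alias });
                cmd.Parameters.Add(new NpgsqlParameter("@PASSWORDHASH", NpgsqlDbType.Varchar) { Value = FooCryptHelper.CreateShaHash(pass) });
                cmd.Parameters.Add(new NpgsqlParameter("@GROUPID", NpgsqlDbType.Varchar) { Value = groupId });
                cmd.Parameters.Add(new NpgsqlParameter("@EMAIL", NpgsqlDbType.Varchar, 64) { Value = email });
                cmd.Parameters.Add(new NpgsqlParameter("@ADDRESS", NpgsqlDbType.Varchar, 128) { Value = address });
                cmd.Parameters.Add(new NpgsqlParameter("@CITY", NpgsqlDbType.Varchar, 32) { Value = city });
                cmd.Parameters.Add(new NpgsqlParameter("@COUNTRY", NpgsqlDbType.Varchar, 32) { Value = country });
                cmd.ExecuteNonQuery();
            }
        }
        return true;
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        return false;
    }
}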
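protected void GridView_Command(object sender, GridViewCommandEventArgs e)
{
    // Handles commands raised from the user grid's footer row. Flow: read the
    // footer controls -> require all fields present and a valid e-mail -> check
    // the CSRF token (FooSessionHelper.IsValidRequest against RequestToken) ->
    // on "AddNew", insert the user. Every path ends in Reset_Page(). Failures
    // are shown through errorLabel; exceptions are logged via FooLogging.
    //
    // NOTE(review): the password is accepted as typed with no strength policy,
    // and the same generic message is shown for a validation failure and for an
    // exception (kept byte-identical here; a field-level message would help the
    // operator). Commands other than "AddNew" currently do nothing but reset.
    string userId = FooStringHelper.RandomString(16);
    var txtUserNameFooter = (TextBox)userGrid.FooterRow.FindControl("txtUserNameFooter");
    var txtUserAliasFooter = (TextBox)userGrid.FooterRow.FindControl("txtUserAliasFooter");
    var txtEmailFooter = (TextBox)userGrid.FooterRow.FindControl("txtEmailFooter");
    var txtUserPasswordFooter = (TextBox)userGrid.FooterRow.FindControl("txtUserPasswordFooter");
    var groupDropdownFooter = (DropDownList)userGrid.FooterRow.FindControl("groupDropdownFooter");

    bool inputsComplete = !string.IsNullOrEmpty(txtUserNameFooter.Text)
        && !string.IsNullOrEmpty(txtUserAliasFooter.Text)
        && !string.IsNullOrEmpty(txtEmailFooter.Text)
        && FooStringHelper.IsValidEmailAddress(txtEmailFooter.Text)
        && !string.IsNullOrEmpty(txtUserPasswordFooter.Text);

    if (!inputsComplete)
    {
        errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
    }
    else
    {
        try
        {
            if (!FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
            {
                errorLabel.Text = "Invalid request.";
            }
            else if (e.CommandName.Equals("AddNew"))
            {
                InsertFooterUser(
                    userId,
                    txtUserNameFooter.Text,
                    txtUserAliasFooter.Text,
                    groupDropdownFooter.SelectedValue,
                    txtEmailFooter.Text,
                    FooCryptHelper.CreateShaHash(txtUserPasswordFooter.Text));
            }
        }
        catch (Exception ex)
        {
            FooLogging.WriteLog(ex.ToString());
            errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
        }
    }
    Reset_Page();
}

// Inserts one users row with the given (already-hashed) password and the fixed
// 'profile_default.jpg' profile image. Exceptions propagate to the caller.
private static void InsertFooterUser(string userId, string userName, string alias, string groupId, string email, string passwordHash)
{
    using (var conn = new NpgsqlConnection())
    {
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
        conn.Open();
        // `using` so the command is disposed even when ExecuteNonQuery throws
        // (previously Dispose() was only reached on the success path).
        using (var cmd = new NpgsqlCommand
        {
            CommandText = "INSERT INTO users(userid,username,useralias,groupid,email,passwordhash,profileimg) VALUES (@USERID,@NAME,@DISP,@GROUP,@EMAIL,@HASH,'profile_default.jpg')",
            CommandType = CommandType.Text,
            Connection = conn
        })
        {
            // NpgsqlParameter(name, type, size) defaults Direction to Input,
            // matching the explicit Direction = Input of the original.
            cmd.Parameters.Add(new NpgsqlParameter("@USERID", NpgsqlDbType.Varchar, 16) { Value = userId });
            cmd.Parameters.Add(new NpgsqlParameter("@NAME", NpgsqlDbType.Varchar, 32) { Value = userName });
            cmd.Parameters.Add(new NpgsqlParameter("@DISP", NpgsqlDbType.Varchar, 32) { Value = alias });
            cmd.Parameters.Add(new NpgsqlParameter("@GROUP", NpgsqlDbType.Varchar) { Value = groupId });
            cmd.Parameters.Add(new NpgsqlParameter("@EMAIL", NpgsqlDbType.Varchar, 64) { Value = email });
            cmd.Parameters.Add(new NpgsqlParameter("@HASH", NpgsqlDbType.Varchar) { Value = passwordHash });
            cmd.ExecuteNonQuery();
        }
    }
}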
protected void hashButton_Click(object sender, EventArgs e)
{
    // Click handler for the hash utility control: writes the
    // FooCryptHelper.CreateShaHash digest of the inBox text into outLabel.
    string input = inBox.Text;
    string digest = FooCryptHelper.CreateShaHash(input);
    outLabel.Text = digest;
}