/// <summary>Creates a deep copy of the HttpInput class</summary>
/// <param name="input">The object to copy</param>
/// <remarks>The function makes a deep copy of quite a lot which can be slow</remarks>
protected HttpInput(HttpInput input)
{
foreach (HttpInputItem item in input)
{
_items.Add(item.Name, new HttpInputItem(item));
}
Name = input._name;
_ignoreChanges = input._ignoreChanges;
}
private static void TestToString()
{
string queryString = "title=hello&firstname=jonas&status=super";
HttpInput input = HttpHelper.ParseQueryString(queryString);
Assert.Equal(queryString, input.ToString(true));
queryString = "title[jonas]=hello&title[arne]=ohno&firstname=jonas&status=super";
input = HttpHelper.ParseQueryString(queryString);
Assert.Equal(queryString, input.ToString(true));
}
/// <summary>
/// Clear everything in the request
/// </summary>
public void Clear()
{
_body.Dispose();
_body = new MemoryStream();
_contentLength = 0;
_method = string.Empty;
_uri = HttpHelper.EmptyUri;
_queryString = HttpInput.Empty;
_bodyBytesLeft = 0;
_headers.Clear();
_connection = ConnectionType.Close;
IsAjax = false;
_form.Clear();
}
private void ReadLogData(HttpServer.IHttpRequest request, HttpServer.IHttpResponse response, HttpServer.Sessions.IHttpSession session, BodyWriter bw)
{
HttpServer.HttpInput input = request.Method.ToUpper() == "POST" ? request.Form : request.QueryString;
if (string.IsNullOrEmpty(input["id"].Value))
{
RESTHandler.HandleControlCGI(request, response, session, bw, typeof(RESTMethods.LogData));
}
else
{
var key = string.Format("{0}/{1}", input["id"].Value, Duplicati.Library.Utility.Utility.ParseBool(input["remotelog"].Value, false) ? "remotelog" : "log");
RESTHandler.DoProcess(request, response, session, request.Method, typeof(RESTMethods.Backup).Name.ToLowerInvariant(), key);
}
}
/// <summary>
/// Add a sub item.
/// </summary>
/// <param name="name">Can contain array formatting, the item is then parsed and added in multiple levels</param>
/// <param name="value">Value to add.</param>
/// <exception cref="ArgumentNullException">Argument is null.</exception>
/// <exception cref="InvalidOperationException">Cannot add stuff to <see cref="HttpInput.Empty"/>.</exception>
public void Add(string name, string value)
{
if (name == null && value != null)
{
throw new ArgumentNullException("name");
}
if (name == null)
{
return;
}
if (_ignoreChanges)
{
throw new InvalidOperationException("Cannot add stuff to HttpInput.Empty.");
}
int pos = name.IndexOf('[');
if (pos != -1)
{
string name1 = name.Substring(0, pos);
string name2 = HttpInput.ExtractOne(name);
if (!_items.ContainsKey(name1))
{
_items.Add(name1, new HttpInputItem(name1, null));
}
_items[name1].Add(name2, value);
/*
* HttpInputItem item = HttpInput.ParseItem(name, value);
*
* // Add the value to an existing sub item
* if (_items.ContainsKey(item.Name))
* _items[item.Name].Add(item.Value);
* else
* _items.Add(item.Name, item);
*/
}
else
{
if (_items.ContainsKey(name))
{
_items[name].Add(value);
}
else
{
_items.Add(name, new HttpInputItem(name, value));
}
}
}
/// <summary>
/// Clear everything in the request
/// </summary>
public void Clear()
{
//return;
_body.Dispose();
_body = new MemoryStream();
_contentLength = 0;
_method = string.Empty;
_uri = null;
_queryString = HttpInput.Empty;
_bodyBytesLeft = 0;
_headers.Clear();
_connection = ConnectionType.Close;
_param.SetForm(HttpInput.Empty);
_param.SetQueryString(HttpInput.Empty);
IsAjax = false;
_form.Clear();
}
/// <summary>
/// Clear everything in the request
/// </summary>
public void Clear()
{
if (_body != null && _body.CanRead)
{
_body.Dispose();
}
_body = null;
_contentLength = 0;
_method = string.Empty;
_uri = HttpHelper.EmptyUri;
_queryString = HttpInput.Empty;
_bodyBytesLeft = 0;
_headers.Clear();
_connection = ConnectionType.KeepAlive;
IsAjax = false;
_form.Clear();
}
/// <summary>
/// Parses a query string.
/// </summary>
/// <param name="queryString">Query string (URI encoded)</param>
/// <returns>A <see cref="HttpInput"/> object if successful; otherwise <see cref="HttpInput.Empty"/></returns>
/// <exception cref="ArgumentNullException"><c>queryString</c> is null.</exception>
/// <exception cref="FormatException">If string cannot be parsed.</exception>
public static HttpInput ParseQueryString(string queryString)
{
if (queryString == null)
{
throw new ArgumentNullException("queryString");
}
if (queryString == string.Empty)
{
return(HttpInput.Empty);
}
HttpInput input = new HttpInput("QueryString");
queryString = queryString.TrimStart('?', '&');
// a simple value.
if (queryString.IndexOf("&") == -1 && !queryString.Contains("%3d") && !queryString.Contains("%3D") && !queryString.Contains("="))
{
input.Add(string.Empty, queryString);
return(input);
}
int state = 0;
int startpos = 0;
string name = null;
for (int i = 0; i < queryString.Length; ++i)
{
int newIndexPos;
if (state == 0 && IsEqual(queryString, ref i, out newIndexPos))
{
name = queryString.Substring(startpos, i - startpos);
i = newIndexPos;
startpos = i + 1;
++state;
}
else if (state == 1 && IsAmp(queryString, ref i, out newIndexPos))
{
Add(input, name, queryString.Substring(startpos, i - startpos));
i = newIndexPos;
startpos = i + 1;
state = 0;
name = null;
}
}
if (state == 0 && !input.GetEnumerator().MoveNext())
{
throw new FormatException("Not a valid query string: " + queryString);
}
if (startpos <= queryString.Length)
{
if (name != null)
{
Add(input, name, queryString.Substring(startpos, queryString.Length - startpos));
}
else
{
Add(input, string.Empty, queryString.Substring(startpos, queryString.Length - startpos));
}
}
return(input);
}
public override bool Process(HttpServer.IHttpRequest request, HttpServer.IHttpResponse response, HttpServer.Sessions.IHttpSession session)
{
HttpServer.HttpInput input = request.Method.ToUpper() == "POST" ? request.Form : request.QueryString;
var auth_token = FindAuthCookie(request);
var xsrf_token = FindXSRFToken(request);
if (!HasXSRFCookie(request))
{
var cookieAdded = AddXSRFTokenToRespone(response);
if (!cookieAdded)
{
response.Status = System.Net.HttpStatusCode.ServiceUnavailable;
response.Reason = "Too Many Concurrent Request, try again later";
return(true);
}
}
Tuple <DateTime, string> tmpTuple;
DateTime tmpDateTime;
if (LOGOUT_SCRIPT_URI.Equals(request.Uri.AbsolutePath, StringComparison.OrdinalIgnoreCase))
{
if (!string.IsNullOrWhiteSpace(auth_token))
{
// Remove the active auth token
m_activeTokens.TryRemove(auth_token, out tmpDateTime);
}
response.Status = System.Net.HttpStatusCode.NoContent;
response.Reason = "OK";
return(true);
}
else if (LOGIN_SCRIPT_URI.Equals(request.Uri.AbsolutePath, StringComparison.OrdinalIgnoreCase))
{
// Remove expired nonces
foreach (var k in (from n in m_activeNonces where DateTime.UtcNow > n.Value.Item1 select n.Key))
{
m_activeNonces.TryRemove(k, out tmpTuple);
}
if (input["get-nonce"] != null && !string.IsNullOrWhiteSpace(input["get-nonce"].Value))
{
if (m_activeNonces.Count > 50)
{
response.Status = System.Net.HttpStatusCode.ServiceUnavailable;
response.Reason = "Too many active login attempts";
return(true);
}
var password = Program.DataConnection.ApplicationSettings.WebserverPassword;
if (request.Headers[TRAYICONPASSWORDSOURCE_HEADER] == "database")
{
password = Program.DataConnection.ApplicationSettings.WebserverPasswordTrayIconHash;
}
var buf = new byte[32];
var expires = DateTime.UtcNow.AddMinutes(AUTH_TIMEOUT_MINUTES);
m_prng.GetBytes(buf);
var nonce = Convert.ToBase64String(buf);
var sha256 = System.Security.Cryptography.SHA256.Create();
sha256.TransformBlock(buf, 0, buf.Length, buf, 0);
buf = Convert.FromBase64String(password);
sha256.TransformFinalBlock(buf, 0, buf.Length);
var pwd = Convert.ToBase64String(sha256.Hash);
m_activeNonces.AddOrUpdate(nonce, key => new Tuple <DateTime, string>(expires, pwd), (key, existingValue) =>
{
// Simulate the original behavior => if the nonce, against all odds, is already used
// we throw an ArgumentException
throw new ArgumentException("An element with the same key already exists in the dictionary.");
});
response.Cookies.Add(new HttpServer.ResponseCookie(NONCE_COOKIE_NAME, nonce, expires));
using (var bw = new BodyWriter(response, request))
{
bw.OutputOK(new {
Status = "OK",
Nonce = nonce,
Salt = Program.DataConnection.ApplicationSettings.WebserverPasswordSalt
});
}
return(true);
}
else
{
if (input["password"] != null && !string.IsNullOrWhiteSpace(input["password"].Value))
{
var nonce_el = request.Cookies[NONCE_COOKIE_NAME] ?? request.Cookies[Library.Utility.Uri.UrlEncode(NONCE_COOKIE_NAME)];
var nonce = nonce_el == null || string.IsNullOrWhiteSpace(nonce_el.Value) ? "" : nonce_el.Value;
var urldecoded = nonce == null ? "" : Duplicati.Library.Utility.Uri.UrlDecode(nonce);
if (m_activeNonces.ContainsKey(urldecoded))
{
nonce = urldecoded;
}
if (!m_activeNonces.ContainsKey(nonce))
{
response.Status = System.Net.HttpStatusCode.Unauthorized;
response.Reason = "Unauthorized";
response.ContentType = "application/json";
return(true);
}
var pwd = m_activeNonces[nonce].Item2;
// Remove the nonce
m_activeNonces.TryRemove(nonce, out tmpTuple);
if (pwd != input["password"].Value)
{
response.Status = System.Net.HttpStatusCode.Unauthorized;
response.Reason = "Unauthorized";
response.ContentType = "application/json";
return(true);
}
var buf = new byte[32];
var expires = DateTime.UtcNow.AddHours(1);
m_prng.GetBytes(buf);
var token = Duplicati.Library.Utility.Utility.Base64UrlEncode(buf);
while (token.Length > 0 && token.EndsWith("=", StringComparison.Ordinal))
{
token = token.Substring(0, token.Length - 1);
}
m_activeTokens.AddOrUpdate(token, key => expires, (key, existingValue) =>
{
// Simulate the original behavior => if the token, against all odds, is already used
// we throw an ArgumentException
throw new ArgumentException("An element with the same key already exists in the dictionary.");
});
response.Cookies.Add(new HttpServer.ResponseCookie(AUTH_COOKIE_NAME, token, expires));
using (var bw = new BodyWriter(response, request))
bw.OutputOK();
return(true);
}
}
}
var limitedAccess =
request.Uri.AbsolutePath.StartsWith(RESTHandler.API_URI_PATH, StringComparison.OrdinalIgnoreCase)
;
// Override to allow the CAPTCHA call to go through
if (request.Uri.AbsolutePath.StartsWith(CAPTCHA_IMAGE_URI, StringComparison.OrdinalIgnoreCase) && request.Method == "GET")
{
limitedAccess = false;
}
if (limitedAccess)
{
if (xsrf_token != null && m_activexsrf.ContainsKey(xsrf_token))
{
var expires = DateTime.UtcNow.AddMinutes(XSRF_TIMEOUT_MINUTES);
m_activexsrf[xsrf_token] = expires;
response.Cookies.Add(new ResponseCookie(XSRF_COOKIE_NAME, xsrf_token, expires));
}
else
{
response.Status = System.Net.HttpStatusCode.BadRequest;
response.Reason = "Missing XSRF Token. Please reload the page";
return(true);
}
}
if (string.IsNullOrWhiteSpace(Program.DataConnection.ApplicationSettings.WebserverPassword))
{
return(false);
}
foreach (var k in (from n in m_activeTokens where DateTime.UtcNow > n.Value select n.Key))
{
m_activeTokens.TryRemove(k, out tmpDateTime);
}
// If we have a valid token, proceed
if (!string.IsNullOrWhiteSpace(auth_token))
{
DateTime expires;
var found = m_activeTokens.TryGetValue(auth_token, out expires);
if (!found)
{
auth_token = Duplicati.Library.Utility.Uri.UrlDecode(auth_token);
found = m_activeTokens.TryGetValue(auth_token, out expires);
}
if (found && DateTime.UtcNow < expires)
{
expires = DateTime.UtcNow.AddHours(1);
m_activeTokens[auth_token] = expires;
response.Cookies.Add(new ResponseCookie(AUTH_COOKIE_NAME, auth_token, expires));
return(false);
}
}
if ("/".Equals(request.Uri.AbsolutePath, StringComparison.OrdinalIgnoreCase) || "/index.html".Equals(request.Uri.AbsolutePath, StringComparison.OrdinalIgnoreCase))
{
response.Redirect("/login.html");
return(true);
}
if (limitedAccess)
{
response.Status = System.Net.HttpStatusCode.Unauthorized;
response.Reason = "Not logged in";
response.AddHeader("Location", "login.html");
return(true);
}
return(false);
}
internal void SetForm(HttpInput form)
{
_form = form;
}
internal void SetQueryString(HttpInput query)
{
_query = query;
}
public override bool Process(HttpServer.IHttpRequest request, HttpServer.IHttpResponse response, HttpServer.Sessions.IHttpSession session)
{
HttpServer.HttpInput input = request.Method.ToUpper() == "POST" ? request.Form : request.QueryString;
var authcookie = request.Cookies[AUTH_COOKIE_NAME] ?? request.Cookies[Library.Utility.Uri.UrlEncode(AUTH_COOKIE_NAME)];
var authinput = input["auth-token"] ?? input[Library.Utility.Uri.UrlEncode("auth-token")];
var auth_token = authcookie == null || string.IsNullOrWhiteSpace(authcookie.Value) ? null : authcookie.Value;
if (authinput != null && !string.IsNullOrWhiteSpace(authinput.Value))
{
auth_token = input["auth-token"].Value;
}
if (request.Uri.AbsolutePath == "/logout.cgi")
{
if (!string.IsNullOrWhiteSpace(auth_token))
{
if (m_activeTokens.ContainsKey(auth_token))
{
m_activeTokens.Remove(auth_token);
}
}
response.Status = System.Net.HttpStatusCode.NoContent;
response.Reason = "OK";
return(true);
}
else if (request.Uri.AbsolutePath == "/login.cgi")
{
foreach (var k in (from n in m_activeNonces where DateTime.UtcNow > n.Value.Item1 select n.Key).ToList())
{
m_activeNonces.Remove(k);
}
if (input["get-nonce"] != null && !string.IsNullOrWhiteSpace(input["get-nonce"].Value))
{
if (m_activeNonces.Count > 50)
{
response.Status = System.Net.HttpStatusCode.ServiceUnavailable;
response.Reason = "Too many active login attempts";
return(true);
}
var buf = new byte[32];
var expires = DateTime.UtcNow.AddMinutes(10);
m_prng.GetBytes(buf);
var nonce = Convert.ToBase64String(buf);
var sha256 = System.Security.Cryptography.SHA256.Create();
sha256.TransformBlock(buf, 0, buf.Length, buf, 0);
buf = Convert.FromBase64String(Program.DataConnection.ApplicationSettings.WebserverPassword);
sha256.TransformFinalBlock(buf, 0, buf.Length);
var pwd = Convert.ToBase64String(sha256.Hash);
m_activeNonces.Add(nonce, new Tuple <DateTime, string>(expires, pwd));
response.Cookies.Add(new HttpServer.ResponseCookie(NONCE_COOKIE_NAME, nonce, expires));
using (var bw = new BodyWriter(response))
{
bw.OutputOK(new {
Status = "OK",
Nonce = nonce,
Salt = Program.DataConnection.ApplicationSettings.WebserverPasswordSalt
});
}
return(true);
}
else
{
if (input["password"] != null && !string.IsNullOrWhiteSpace(input["password"].Value))
{
var nonce_el = request.Cookies[NONCE_COOKIE_NAME] ?? request.Cookies[Library.Utility.Uri.UrlEncode(NONCE_COOKIE_NAME)];
var nonce = nonce_el == null || string.IsNullOrWhiteSpace(nonce_el.Value) ? "" : nonce_el.Value;
var urldecoded = nonce == null ? "" : Duplicati.Library.Utility.Uri.UrlDecode(nonce);
if (m_activeNonces.ContainsKey(urldecoded))
{
nonce = urldecoded;
}
if (!m_activeNonces.ContainsKey(nonce))
{
response.Status = System.Net.HttpStatusCode.Unauthorized;
response.Reason = "Unauthorized";
response.ContentType = "application/json";
return(true);
}
var pwd = m_activeNonces[nonce].Item2;
m_activeNonces.Remove(nonce);
if (pwd != input["password"].Value)
{
response.Status = System.Net.HttpStatusCode.Unauthorized;
response.Reason = "Unauthorized";
response.ContentType = "application/json";
return(true);
}
var buf = new byte[32];
var expires = DateTime.UtcNow.AddHours(1);
m_prng.GetBytes(buf);
var token = Duplicati.Library.Utility.Utility.Base64UrlEncode(buf);
while (token.Length > 0 && token.EndsWith("="))
{
token = token.Substring(0, token.Length - 1);
}
m_activeTokens.Add(token, expires);
response.Cookies.Add(new HttpServer.ResponseCookie(AUTH_COOKIE_NAME, token, expires));
using (var bw = new BodyWriter(response))
bw.OutputOK();
return(true);
}
}
}
if (string.IsNullOrWhiteSpace(Program.DataConnection.ApplicationSettings.WebserverPassword))
{
return(false);
}
foreach (var k in (from n in m_activeTokens where DateTime.UtcNow > n.Value select n.Key).ToList())
{
m_activeTokens.Remove(k);
}
// If we have a valid token, proceeed
if (!string.IsNullOrWhiteSpace(auth_token))
{
DateTime expires;
var found = m_activeTokens.TryGetValue(auth_token, out expires);
if (!found)
{
auth_token = Duplicati.Library.Utility.Uri.UrlDecode(auth_token);
found = m_activeTokens.TryGetValue(auth_token, out expires);
}
if (found && DateTime.UtcNow < expires)
{
expires = DateTime.UtcNow.AddHours(1);
m_activeTokens[auth_token] = expires;
response.Cookies.Add(new ResponseCookie(AUTH_COOKIE_NAME, auth_token, expires));
return(false);
}
}
if (request.Uri.AbsolutePath == "/" || request.Uri.AbsolutePath == "/index.html")
{
response.Redirect("/login.html");
return(true);
}
if (request.Uri.AbsolutePath == "/control.cgi")
{
response.Status = System.Net.HttpStatusCode.Unauthorized;
response.Reason = "Not logged in";
response.AddHeader("Location", "login.html");
return(true);
}
return(false);
}
/// <summary>
/// Makes a deep copy of the input
/// </summary>
/// <param name="input">The input to copy</param>
public HttpForm(HttpInput input) : base(input)
{
}
public override bool Process(HttpServer.IHttpRequest request, HttpServer.IHttpResponse response, HttpServer.Sessions.IHttpSession session)
{
//We use the fake entry point /control.cgi to listen for requests
//This ensures that the rest of the webserver can just serve plain files
if (!request.Uri.AbsolutePath.Equals(CONTROL_HANDLER_URI, StringComparison.InvariantCultureIgnoreCase))
{
return(false);
}
HttpServer.HttpInput input = request.Method.ToUpper() == "POST" ? request.Form : request.QueryString;
string action = input["action"].Value ?? "";
//Lookup the actual handler method
ProcessSub method;
SUPPORTED_METHODS.TryGetValue(action, out method);
if (method == null)
{
response.Status = System.Net.HttpStatusCode.NotImplemented;
response.Reason = "Unsupported action: " + (action == null ? "<null>" : "");
response.Send();
}
else
{
//Default setup
response.Status = System.Net.HttpStatusCode.OK;
response.Reason = "OK";
#if DEBUG
response.ContentType = "text/plain";
#else
response.ContentType = "text/json";
#endif
using (BodyWriter bw = new BodyWriter(response, request))
{
try
{
method(request, response, session, bw);
}
catch (Exception ex)
{
Program.DataConnection.LogError("", string.Format("Request for {0} gave error", action), ex);
Console.WriteLine(ex.ToString());
try
{
if (!response.HeadersSent)
{
response.Status = System.Net.HttpStatusCode.InternalServerError;
response.Reason = "Error";
response.ContentType = "text/plain";
bw.WriteJsonObject(new
{
Message = ex.Message,
Type = ex.GetType().Name,
#if DEBUG
Stacktrace = ex.ToString()
#endif
});
bw.Flush();
}
}
catch (Exception flex)
{
Program.DataConnection.LogError("", "Reporting error gave error", flex);
}
}
}
}
return(true);
}
private void SendCommand(HttpServer.IHttpRequest request, HttpServer.IHttpResponse response, HttpServer.Sessions.IHttpSession session, BodyWriter bw)
{
HttpServer.HttpInput input = request.Method.ToUpper() == "POST" ? request.Form : request.QueryString;
string command = input["command"].Value ?? "";
switch (command.ToLowerInvariant())
{
case "check-update":
RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.Updates).Name.ToLowerInvariant(), "check");
return;
case "install-update":
RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.Updates).Name.ToLowerInvariant(), "install");
return;
case "activate-update":
RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.Updates).Name.ToLowerInvariant(), "activate");
return;
case "pause":
RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.ServerState).Name.ToLowerInvariant(), "pause");
return;
case "resume":
RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.ServerState).Name.ToLowerInvariant(), "resume");
return;
case "stop":
case "abort":
{
var key = string.Format("{0}/{1}", input["taskid"].Value, command);
RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.Task).Name.ToLowerInvariant(), key);
}
return;
case "is-backup-active":
{
var key = string.Format("{0}/isactive", Library.Utility.Uri.UrlPathEncode(input["id"].Value));
RESTHandler.DoProcess(request, response, session, "GET", typeof(RESTMethods.Backup).Name.ToLowerInvariant(), key);
}
return;
case "run":
case "run-backup":
{
var key = string.Format("{0}/start", Library.Utility.Uri.UrlPathEncode(input["id"].Value));
RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.Backup).Name.ToLowerInvariant(), key);
}
return;
case "run-verify":
{
var key = string.Format("{0}/verify", Library.Utility.Uri.UrlPathEncode(input["id"].Value));
RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.Backup).Name.ToLowerInvariant(), key);
}
return;
case "run-repair-update":
{
var key = string.Format("{0}/repairupdate", Library.Utility.Uri.UrlPathEncode(input["id"].Value));
RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.Backup).Name.ToLowerInvariant(), key);
}
return;
case "run-repair":
{
var key = string.Format("{0}/repair", Library.Utility.Uri.UrlPathEncode(input["id"].Value));
RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.Backup).Name.ToLowerInvariant(), key);
}
return;
case "create-report":
{
var key = string.Format("{0}/createreport", Library.Utility.Uri.UrlPathEncode(input["id"].Value));
RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.Backup).Name.ToLowerInvariant(), key);
}
return;
default:
{
var key = string.Format("{0}", Library.Utility.Uri.UrlPathEncode(input["command"].Value));
RESTHandler.DoProcess(request, response, session, "POST", typeof(RESTMethods.WebModule).Name.ToLowerInvariant(), key);
return;
}
}
}
public override bool Process(HttpServer.IHttpRequest request, HttpServer.IHttpResponse response, HttpServer.Sessions.IHttpSession session)
{
HttpServer.HttpInput input = request.Method.ToUpper() == "POST" ? request.Form : request.QueryString;
var auth_token = FindAuthCookie(request);
var xsrf_token = FindXSRFToken(request);
if (!HasXSRFCookie(request))
{
var cookieAdded = AddXSRFTokenToRespone(response);
if (!cookieAdded)
{
response.Status = System.Net.HttpStatusCode.ServiceUnavailable;
response.Reason = "Too Many Concurrent Request, try again later";
return(true);
}
}
if (LOGOUT_SCRIPT_URI.Equals(request.Uri.AbsolutePath, StringComparison.InvariantCultureIgnoreCase))
{
if (!string.IsNullOrWhiteSpace(auth_token))
{
if (m_activeTokens.ContainsKey(auth_token))
{
m_activeTokens.Remove(auth_token);
}
}
response.Status = System.Net.HttpStatusCode.NoContent;
response.Reason = "OK";
return(true);
}
else if (LOGIN_SCRIPT_URI.Equals(request.Uri.AbsolutePath, StringComparison.InvariantCultureIgnoreCase))
{
foreach (var k in (from n in m_activeNonces where DateTime.UtcNow > n.Value.Item1 select n.Key).ToList())
{
m_activeNonces.Remove(k);
}
if (input["get-nonce"] != null && !string.IsNullOrWhiteSpace(input["get-nonce"].Value))
{
if (m_activeNonces.Count > 50)
{
response.Status = System.Net.HttpStatusCode.ServiceUnavailable;
response.Reason = "Too many active login attempts";
return(true);
}
var buf = new byte[32];
var expires = DateTime.UtcNow.AddMinutes(AUTH_TIMEOUT_MINUTES);
m_prng.GetBytes(buf);
var nonce = Convert.ToBase64String(buf);
var sha256 = System.Security.Cryptography.SHA256.Create();
sha256.TransformBlock(buf, 0, buf.Length, buf, 0);
buf = Convert.FromBase64String(Program.DataConnection.ApplicationSettings.WebserverPassword);
sha256.TransformFinalBlock(buf, 0, buf.Length);
var pwd = Convert.ToBase64String(sha256.Hash);
m_activeNonces.Add(nonce, new Tuple <DateTime, string>(expires, pwd));
response.Cookies.Add(new HttpServer.ResponseCookie(NONCE_COOKIE_NAME, nonce, expires));
using (var bw = new BodyWriter(response, request))
{
bw.OutputOK(new {
Status = "OK",
Nonce = nonce,
Salt = Program.DataConnection.ApplicationSettings.WebserverPasswordSalt
});
}
return(true);
}
else
{
if (input["password"] != null && !string.IsNullOrWhiteSpace(input["password"].Value))
{
var nonce_el = request.Cookies[NONCE_COOKIE_NAME] ?? request.Cookies[Library.Utility.Uri.UrlEncode(NONCE_COOKIE_NAME)];
var nonce = nonce_el == null || string.IsNullOrWhiteSpace(nonce_el.Value) ? "" : nonce_el.Value;
var urldecoded = nonce == null ? "" : Duplicati.Library.Utility.Uri.UrlDecode(nonce);
if (m_activeNonces.ContainsKey(urldecoded))
{
nonce = urldecoded;
}
if (!m_activeNonces.ContainsKey(nonce))
{
response.Status = System.Net.HttpStatusCode.Unauthorized;
response.Reason = "Unauthorized";
response.ContentType = "application/json";
return(true);
}
var pwd = m_activeNonces[nonce].Item2;
m_activeNonces.Remove(nonce);
if (pwd != input["password"].Value)
{
response.Status = System.Net.HttpStatusCode.Unauthorized;
response.Reason = "Unauthorized";
response.ContentType = "application/json";
return(true);
}
var buf = new byte[32];
var expires = DateTime.UtcNow.AddHours(1);
m_prng.GetBytes(buf);
var token = Duplicati.Library.Utility.Utility.Base64UrlEncode(buf);
while (token.Length > 0 && token.EndsWith("="))
{
token = token.Substring(0, token.Length - 1);
}
m_activeTokens.Add(token, expires);
response.Cookies.Add(new HttpServer.ResponseCookie(AUTH_COOKIE_NAME, token, expires));
using (var bw = new BodyWriter(response, request))
bw.OutputOK();
return(true);
}
}
}
var limitedAccess =
ControlHandler.CONTROL_HANDLER_URI.Equals(request.Uri.AbsolutePath, StringComparison.InvariantCultureIgnoreCase)
||
request.Uri.AbsolutePath.StartsWith(RESTHandler.API_URI_PATH, StringComparison.InvariantCultureIgnoreCase)
;
if (limitedAccess)
{
if (xsrf_token != null && m_activexsrf.ContainsKey(xsrf_token))
{
var expires = DateTime.UtcNow.AddMinutes(XSRF_TIMEOUT_MINUTES);
m_activexsrf[xsrf_token] = expires;
response.Cookies.Add(new ResponseCookie(XSRF_COOKIE_NAME, xsrf_token, expires));
}
else
{
response.Status = System.Net.HttpStatusCode.BadRequest;
response.Reason = "Missing XSRF Token";
return(true);
}
}
if (string.IsNullOrWhiteSpace(Program.DataConnection.ApplicationSettings.WebserverPassword))
{
return(false);
}
foreach (var k in (from n in m_activeTokens where DateTime.UtcNow > n.Value select n.Key).ToList())
{
m_activeTokens.Remove(k);
}
// If we have a valid token, proceeed
if (!string.IsNullOrWhiteSpace(auth_token))
{
DateTime expires;
var found = m_activeTokens.TryGetValue(auth_token, out expires);
if (!found)
{
auth_token = Duplicati.Library.Utility.Uri.UrlDecode(auth_token);
found = m_activeTokens.TryGetValue(auth_token, out expires);
}
if (found && DateTime.UtcNow < expires)
{
expires = DateTime.UtcNow.AddHours(1);
m_activeTokens[auth_token] = expires;
response.Cookies.Add(new ResponseCookie(AUTH_COOKIE_NAME, auth_token, expires));
return(false);
}
}
if ("/".Equals(request.Uri.AbsolutePath, StringComparison.InvariantCultureIgnoreCase) || "/index.html".Equals(request.Uri.AbsolutePath, StringComparison.InvariantCultureIgnoreCase))
{
response.Redirect("/login.html");
return(true);
}
if (ControlHandler.CONTROL_HANDLER_URI.Equals(request.Uri.AbsolutePath, StringComparison.InvariantCultureIgnoreCase))
{
response.Status = System.Net.HttpStatusCode.Unauthorized;
response.Reason = "Not logged in";
response.AddHeader("Location", "login.html");
return(true);
}
return(false);
}
