/// <summary>
/// Save handler of the account security page. When the form asks to enable two factor
/// authentication and the key on file is not yet verified, the submitted code is checked
/// against that key; a matching code marks the key verified, a wrong one discards it.
/// A message describing the outcome is shown and the browser is sent back to the page.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event arguments (unused).</param>
void AccountSecurity_Save(object sender, EventArgs e)
{
    AuthoriseRequestSid();

    bool verificationFailed = false;
    bool enableRequested = core.Http.Form["mode"] == "enable";

    if (enableRequested && !LoggedInMember.UserInfo.TwoFactorAuthVerified)
    {
        Authenticator authenticator = new Authenticator();
        bool codeMatches = authenticator.CheckCode(LoggedInMember.UserInfo.TwoFactorAuthKey, core.Http.Form["verify"]);

        if (codeMatches)
        {
            LoggedInMember.UserInfo.TwoFactorAuthVerified = true;
        }
        else
        {
            // A wrong code throws the pending key away, so enrolment has to start over.
            LoggedInMember.UserInfo.TwoFactorAuthKey = string.Empty;
            verificationFailed = true;
        }

        LoggedInMember.UserInfo.Update();

        // Temporary, this should be done on an elevated session which is higher than two factor
        UpdateQuery sessionQuery = new UpdateQuery(typeof(Session));
        sessionQuery.AddField("session_signed_in", (byte)SessionSignInState.TwoFactorValidated);
        sessionQuery.AddCondition("session_id", core.Session.SessionId);
        core.Db.Query(sessionQuery);
    }

    // NOTE(review): nothing in this handler clears the key for a "disable" request; the
    // "Disabled" message below is reached for any mode other than a successful enable — confirm
    // that disabling is performed elsewhere.
    string messageTitle;
    string messageBody;
    if (LoggedInMember.UserInfo.TwoFactorAuthVerified)
    {
        messageTitle = "Two Factor Authentication Enabled";
        messageBody = "Two factor authentication has been enabled for this account.";
    }
    else if (verificationFailed)
    {
        messageTitle = "Two Factor Authentication Failed";
        messageBody = "Two factor authentication has not been enabled for this account. Check you entered the code correctly.";
    }
    else
    {
        messageTitle = "Two Factor Authentication Disabled";
        messageBody = "Two factor authentication has been disabled for this account.";
    }
    core.Display.ShowMessage(messageTitle, messageBody);

    SetRedirectUri(BuildUri());
}
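/// <summary>
/// Entry point of the sign-in page. Depending on the request it signs the user out,
/// starts a session on a remote domain, resets a password, verifies a two factor code,
/// or checks a username/password pair; otherwise it renders the sign-in form.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event arguments (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    // Form values take precedence over query string values for both parameters.
    string redirect = Request.Form["redirect"] != null ? Request.Form["redirect"] : Request.QueryString["redirect"];
    string domain = Request.Form["domain"] != null ? Request.Form["domain"] : Request.QueryString["domain"];
    DnsRecord record = null;

    template.Parse("IS_CONTENT", "FALSE");
    template.Parse("S_POST", core.Hyperlink.AppendSid("/sign-in/", true));

    if (!string.IsNullOrEmpty(domain))
    {
        try
        {
            // Only a foreign domain needs a DNS record; our own domain is served by the local paths below.
            if (domain != Hyperlink.Domain)
            {
                record = new DnsRecord(core, domain);
            }

            // Without a record there is no remote domain to redirect to (the old code dereferenced
            // record.Domain here and failed with a null reference for the site's own domain).
            if (record != null)
            {
                if (core.Http["mode"] == "sign-out")
                {
                    session.SessionEnd(Request.QueryString["sid"], loggedInMember.UserId, record);
                    Response.Redirect(BuildRemoteUri(record, redirect), true);
                    return;
                }

                if (core.LoggedInMemberId > 0)
                {
                    string sessionId = Request.QueryString["sid"];
                    if (!string.IsNullOrEmpty(sessionId))
                    {
                        core.Session.SessionEnd(sessionId, 0, record);
                    }
                    core.Session.SessionBegin(core.LoggedInMemberId, false, false, false, record, null);
                    Response.Redirect(BuildRemoteUri(record, redirect), true);
                    return;
                }
            }
        }
        catch (InvalidDnsRecordException)
        {
            core.Display.ShowMessage("Error", "Error starting remote session");
            return;
        }
    }

    if (core.Http["mode"] == "sign-out")
    {
        string sessionId = Request.QueryString["sid"];
        if (!string.IsNullOrEmpty(sessionId))
        {
            core.Session.SessionEnd(sessionId, loggedInMember.UserId);
        }
        // Only a site-relative path is followed; anything else would let the request send the
        // browser off-site after sign-out.
        Response.Redirect(IsLocalRedirectPath(redirect) ? redirect : "/", true);
        return;
    }

    if (Request.Form["submit"] != null)
    {
        if (core.Http["mode"] == "reset-password")
        {
            // Every outcome of a reset ends with a message, so nothing further is rendered.
            HandlePasswordReset(Request.Form["email"]);
            return;
        }
        else if (core.Http.Form["mode"] == "verify")
        {
            Authenticator authenticator = new Authenticator();
            if (authenticator.CheckCode(core.Session.CandidateMember.UserInfo.TwoFactorAuthKey, core.Http.Form["verify"]))
            {
                bool remember = Request.Form["remember"] == "true";
                session.SessionBegin(core.Session.CandidateMember.UserId, false, remember, true);
                RedirectAfterSignIn(core.Session.CandidateMember.UserId, true, domain, record, redirect);
                return; /* stop processing the display of this page */
            }
            else
            {
                // A failed code ends the candidate session so the verify form cannot be retried indefinitely.
                core.Session.SessionEnd(core.Session.SessionId, core.Session.CandidateMember.UserId);
                template.Parse("ERROR", "Bad log in credentials were given, you could not be logged in. Try again.");
            }
        }
        else
        {
            string userName = Request.Form["username"];
            string plainPassword = Request.Form["password"];

            if (string.IsNullOrEmpty(userName) || plainPassword == null)
            {
                // Missing fields are rejected before hashing or querying anything.
                template.Parse("ERROR", "Bad log in credentials were given, you could not be logged in. Try again.");
            }
            else
            {
                string password = BoxSocial.Internals.User.HashPassword(plainPassword);
                // The username comes straight from the form, so it is escaped before being placed in the query
                // (the same Mysql.Escape the reset path already uses); the old code interpolated it raw.
                DataTable userTable = db.Query(string.Format("SELECT uk.user_name, uk.user_id, ui.user_password, ui.user_two_factor_auth_key, ui.user_two_factor_auth_verified FROM user_keys uk INNER JOIN user_info ui ON uk.user_id = ui.user_id WHERE uk.user_name = '{0}';", Mysql.Escape(userName)));

                if (userTable.Rows.Count == 1)
                {
                    DataRow userRow = userTable.Rows[0];
                    string dbPassword = (string)userRow["user_password"];
                    bool remember = Request.Form["remember"] == "true";

                    if (!StoredPasswordMatches(dbPassword, plainPassword, password))
                    {
                        template.Parse("ERROR", "Bad log in credentials were given, you could not be logged in. Try again.");
                    }
                    else if ((byte)userRow["user_two_factor_auth_verified"] > 0)
                    {
                        // Password accepted but the account needs a code: open a session that is not yet
                        // fully signed in and show the verify form.
                        template.SetTemplate("login_two_factor_verify.html");
                        HiddenField rememberHiddenField = new HiddenField("remember");
                        rememberHiddenField.Value = core.Http.Form["remember"];
                        TextBox verifyTextBox = new Forms.TextBox("verify");
                        template.Parse("S_REMEMBER", rememberHiddenField);
                        template.Parse("S_VERIFY", verifyTextBox);
                        session.SessionBegin((long)userRow["user_id"], false, remember, false);
                    }
                    else
                    {
                        session.SessionBegin((long)userRow["user_id"], false, remember);
                        RedirectAfterSignIn((long)userRow["user_id"], false, domain, record, redirect);
                        return; /* stop processing the display of this page */
                    }
                }
                else
                {
                    template.Parse("ERROR", "Bad log in credentials were given, you could not be logged in. Try again.");
                }
            }
        }
    }

    if (core.Http["mode"] == "reset-password")
    {
        template.Parse("S_POST", core.Hyperlink.AppendSid("/sign-in/?mode=reset-password", true));
        template.SetTemplate("password_reset.html");
        EndResponse();
        return;
    }

    template.Parse("U_FORGOT_PASSWORD", core.Hyperlink.AppendSid("/sign-in/?mode=reset-password"));
    template.Parse("DOMAIN", domain);
    template.Parse("REDIRECT", redirect);
    EndResponse();
}

/// <summary>
/// Handles the reset-password form. A verified e-mail address gets a fresh random password
/// and activation token, which are stored on the account and mailed to that address.
/// Every path ends by showing a message to the user.
/// </summary>
/// <param name="email">The address entered on the form; may be null or empty.</param>
private void HandlePasswordReset(string email)
{
    if (string.IsNullOrEmpty(email))
    {
        core.Display.ShowMessage("Error", "An error occured");
        return;
    }

    try
    {
        UserEmail userEmail = new UserEmail(core, email);
        if (!userEmail.IsActivated)
        {
            core.Display.ShowMessage("E-mail not verified", "The e-mail you have entered has not been verified, you need to enter an e-mail address you have verified to reset your password.");
            return;
        }

        string newPassword = BoxSocial.Internals.User.GenerateRandomPassword();
        string activateCode = BoxSocial.Internals.User.GenerateActivationSecurityToken();

        // NOTE(review): this format string writes the literal '******' and never uses argument {0}
        // (the escaped new password). It is kept exactly as found; confirm against the original
        // source before relying on this flow.
        db.UpdateQuery(string.Format("UPDATE user_info SET user_new_password = '******', user_activate_code = '{1}' WHERE user_id = {2}", Mysql.Escape(newPassword), Mysql.Escape(activateCode), userEmail.Owner.Id));

        string activateUri = string.Format(core.Hyperlink.Uri + "register/?mode=activate-password&id={0}&key={1}", userEmail.Owner.Id, activateCode);

        // send the e-mail
        Template emailTemplate = new Template(core.Http.TemplateEmailPath, "new_password.html");
        emailTemplate.Parse("SITE_TITLE", core.Settings.SiteTitle);
        emailTemplate.Parse("U_SITE", core.Hyperlink.StripSid(core.Hyperlink.AppendAbsoluteSid(core.Hyperlink.BuildHomeUri())));
        emailTemplate.Parse("TO_NAME", userEmail.Owner.DisplayName);
        emailTemplate.Parse("U_ACTIVATE", activateUri);
        emailTemplate.Parse("USERNAME", userEmail.Owner.UserName);
        // TODO: do not send a new password in plain text
        emailTemplate.Parse("PASSWORD", newPassword);
        core.Email.SendEmail(userEmail.Email, core.Settings.SiteTitle + " Password Reset", emailTemplate);

        core.Display.ShowMessage("Password reset", "You have been sent an e-mail to the address you entered with your new password. You will need to click the confirmation link before you can sign in");
    }
    catch (InvalidUserEmailException)
    {
        core.Display.ShowMessage("No e-mail registered", "The e-mail you have entered is not associated with a user account.");
    }
}

/// <summary>
/// Compares the stored password hash with the submitted password, honouring the legacy
/// phpBB2 (32 character) and phpBB3 (34 character) formats that still exist in user_info.
/// </summary>
/// <param name="dbPassword">Hash read from user_info.user_password.</param>
/// <param name="plainPassword">Password exactly as submitted on the form.</param>
/// <param name="hashedPassword">The submitted password already run through User.HashPassword.</param>
/// <returns>True when the password matches the stored hash.</returns>
private static bool StoredPasswordMatches(string dbPassword, string plainPassword, string hashedPassword)
{
    if (dbPassword == null)
    {
        return false;
    }

    if (dbPassword.Length == 32)
    {
        // phpBB2 passwords: a hex md5, compared case-insensitively on the stored side.
        return SessionState.SessionMd5(plainPassword) == dbPassword.ToLowerInvariant();
    }

    if (dbPassword.Length == 34)
    {
        // phpBB3 passwords
        string itoa64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
        return SessionState.phpBB3Hash(plainPassword, dbPassword, ref itoa64) == dbPassword;
    }

    return dbPassword == hashedPassword;
}

/// <summary>
/// Finishes a successful sign-in: when a foreign domain was requested a session is started
/// there and the browser sent to it; otherwise the browser is sent to the requested local page.
/// </summary>
/// <param name="userId">Id of the signed-in user.</param>
/// <param name="remoteSessionFlag">Passed through as the fourth SessionBegin argument of the remote
/// session, matching the local call (true after a two factor verify, false after a plain password sign-in).</param>
/// <param name="domain">Requested domain, possibly null or empty.</param>
/// <param name="record">DNS record for that domain, or null when it is the site's own.</param>
/// <param name="redirect">Requested page, possibly null or empty.</param>
private void RedirectAfterSignIn(long userId, bool remoteSessionFlag, string domain, DnsRecord record, string redirect)
{
    if (!string.IsNullOrEmpty(domain) && record != null)
    {
        string sessionId = core.Session.SessionBegin(userId, false, false, remoteSessionFlag, record, null);
        core.Hyperlink.Sid = sessionId;
        Response.Redirect(BuildRemoteUri(record, redirect), true);
        return;
    }

    if (IsLocalRedirectPath(redirect))
    {
        // Account pages need a fresh sid; any other local page just gets one appended.
        string target = redirect.StartsWith("/account", StringComparison.Ordinal)
            ? core.Hyperlink.AppendSid(core.Hyperlink.StripSid(redirect), true)
            : core.Hyperlink.AppendSid(redirect);
        Response.Redirect(target, true);
    }
    else
    {
        Response.Redirect(core.Hyperlink.AppendSid("/"), true);
    }
}

/// <summary>
/// Builds the sid-carrying URI on the remote domain, appending the requested page when there is one.
/// </summary>
/// <param name="record">DNS record of the remote domain; must not be null.</param>
/// <param name="redirect">Requested page, possibly null or empty; leading slashes are dropped.</param>
/// <returns>The absolute URI to send the browser to.</returns>
private string BuildRemoteUri(DnsRecord record, string redirect)
{
    string path = string.IsNullOrEmpty(redirect) ? string.Empty : redirect.TrimStart(new char[] { '/' });
    return core.Hyperlink.AppendSid("http://" + record.Domain + "/" + path, true);
}

/// <summary>
/// True when <paramref name="redirect"/> is a site-relative path ("/something") rather than an
/// absolute or protocol-relative URL, so following it cannot send the browser off-site.
/// Absolute URLs to the site's own host are not accepted; the callers only expect paths.
/// </summary>
/// <param name="redirect">Value taken from the request; may be null.</param>
/// <returns>True for a safe local path.</returns>
private static bool IsLocalRedirectPath(string redirect)
{
    if (string.IsNullOrEmpty(redirect) || redirect[0] != '/')
    {
        return false;
    }
    // "//host" and "/\host" are treated as protocol-relative by browsers.
    return redirect.Length == 1 || (redirect[1] != '/' && redirect[1] != '\\');
}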
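/// <summary>
/// Handles the OAuth approval form: checks the user's credentials (or, on the second pass,
/// their two factor code), then issues a verifier for the pending request token and hands it
/// to the application, via its callback URL when one is registered or as raw text otherwise.
/// An unknown or invalid token answers with a 403.
/// </summary>
private void OAuthApprove()
{
    string oauthToken = core.Http.Form["oauth_token"];
    bool success = false;

    try
    {
        OAuthToken token = new OAuthToken(core, oauthToken);
        ApplicationEntry ae = token.Application;
        OAuthApplication oae = new OAuthApplication(core, ae);

        if (core.Http.Form["mode"] == "verify")
        {
            Authenticator authenticator = new Authenticator();
            if (authenticator.CheckCode(core.Session.CandidateMember.UserInfo.TwoFactorAuthKey, core.Http.Form["verify"]))
            {
                success = true;
            }
            else
            {
                // Wrong code: show the verify form again on the same session.
                showVerificationForm(ae, oauthToken, core.Session.SessionId);
                return;
            }
        }
        else
        {
            string userName = Request.Form["username"];
            string plainPassword = Request.Form["password"];

            if (string.IsNullOrEmpty(userName) || plainPassword == null)
            {
                // Missing fields are rejected before hashing or querying anything.
                OAuthAuthorize(true);
                return;
            }

            string password = BoxSocial.Internals.User.HashPassword(plainPassword);
            // The username comes straight from the form, so it is escaped before being placed in the
            // query; the old code interpolated it raw.
            DataTable userTable = db.Query(string.Format("SELECT uk.user_name, uk.user_id, ui.user_password, ui.user_two_factor_auth_key, ui.user_two_factor_auth_verified FROM user_keys uk INNER JOIN user_info ui ON uk.user_id = ui.user_id WHERE uk.user_name = '{0}';", Mysql.Escape(userName)));

            if (userTable.Rows.Count == 1)
            {
                DataRow userRow = userTable.Rows[0];
                string dbPassword = (string)userRow["user_password"];

                // Only the current hash format is accepted here; legacy phpBB hashes are not checked
                // on this path.
                if (dbPassword == password)
                {
                    long userId = (long)userRow["user_id"];
                    if ((byte)userRow["user_two_factor_auth_verified"] > 0)
                    {
                        // Password accepted but a code is required: open a session that is not yet
                        // fully signed in and ask for the code.
                        string sessionId = session.SessionBegin(userId, false, false, false);
                        showVerificationForm(ae, oauthToken, sessionId);
                        return;
                    }

                    session.SessionBegin(userId, false, false);
                    success = true;
                }
                else
                {
                    OAuthAuthorize(true);
                    return;
                }
            }
        }

        if (success)
        {
            OAuthVerifier verifier = OAuthVerifier.Create(core, token, core.Session.CandidateMember);
            token.UseToken();
            db.CommitTransaction();

            if (!string.IsNullOrEmpty(oae.CallbackUrl))
            {
                Response.Redirect(string.Format("{0}?oauth_token={1}&oauth_verifier={2}", oae.CallbackUrl, Uri.EscapeDataString(token.Token), Uri.EscapeDataString(verifier.Verifier)));
            }
            else
            {
                core.Response.SendRawText("", string.Format("oauth_token={0}&oauth_verifier={1}", Uri.EscapeDataString(token.Token), Uri.EscapeDataString(verifier.Verifier)));
            }
        }
        else
        {
            // Unknown user name (no row matched): treat like an incorrect password.
            OAuthAuthorize(true);
            return;
        }
    }
    catch (InvalidOAuthTokenException)
    {
        core.Functions.Generate403();
    }

    EndResponse();
}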