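// Lists the projects owned by the organisation of the calling user.
// The caller must supply a login token (issued by PostLogin) together with
// its userId; LoginUtils.ValidateToken checks the pair.
// Responses:
//   400 - no body / no token supplied
//   401 - token does not validate for userId (was 404 before, which hid the
//         auth failure behind a "not found")
//   404 - the user has no organisation (GetUserOrganization returned -1)
//   200 - array of ProjectModel rows whose ownerId is the user's organisation
public IHttpActionResult GetProjects(ProjectModel projectModel)
{
    if (projectModel == null || string.IsNullOrEmpty(projectModel.token))
    {
        return BadRequest("token is required");
    }

    if (!LoginUtils.ValidateToken(projectModel.token, projectModel.userId))
    {
        return Unauthorized();
    }

    int orgId = LoginUtils.GetUserOrganization(projectModel.userId);
    if (orgId == -1)
    {
        return NotFound(); // organisation not found
    }

    using (WebApplication1Context context = new WebApplication1Context())
    {
        // Materialise before the context is disposed: returning the raw
        // IQueryable would make the serializer enumerate a dead context.
        ProjectModel[] projects = context.ProjectsModel
            .Where(a => a.ownerId == orgId)
            .ToArray();
        return Ok(projects);
    }
}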
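// Developer-only check that LoginUtils.decryptToken can decode a captured
// token. [NonAction] stops Web API from routing it: as a public action it
// handed the decrypted contents of that token (raw token plus timestamp) to
// any unauthenticated caller, and the raw token is exactly what
// ValidateToken hashes and looks up, so the row it belongs to could be
// reused if it still exists. Keep the call in a test harness instead.
[NonAction]
public IHttpActionResult Test()
{
    decryptTokenData data = LoginUtils.decryptToken("JSB1LHtHICBsA0kwICAgIFggNzofIH4eICAgICBfQh5xJwbjkYsgIAwgICB/IFAg0oHaqyAgRiARCSAgIN2+IEQgIGR1IAMgIAUxXyAgWgIgGNupICAuTm8DayACPyByCSAgXVEgIG8gLh8gKyAgSTY3IAksICDKgiAgXCATWtuJdCB+a0kgIHAgQlIgIEEgIB5hDSB4IEUg2ZMwIGggICA2IHswVHQMMGYsCyA2IEZzIHwgXiBaRSAgIGxKU0BXICBkIGRPByAgIHF2ICAgcCAgICBbICAfIB0gIEwgViDVgSA1K1VOICAgVGfKqXEgY2MgVmMgAyAyNS8wNi8yMDE1IDE1OjIzOjAz");
    return Ok(data);
}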
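// Authenticates a username/password pair and issues a login token.
// On success the raw token's unsalted hash and the issue timestamp are
// stored in TokensModel, and the client receives the encrypted form of the
// token plus its userId (both are needed later by ValidateToken).
// Responses:
//   400 with ModelState  - request failed model validation / no body
//   400 "Invalid Username or Password" - unknown user OR wrong password
//                         (one message for both so usernames are not
//                         enumerable from the response text)
//   200 { token, userId } - success
public IHttpActionResult PostLogin(LoginModel loginModel)
{
    const string error = "Invalid Username or Password";

    if (loginModel == null || !ModelState.IsValid)
    {
        return BadRequest(ModelState);
    }

    using (WebApplication1Context context = new WebApplication1Context())
    {
        AccountsModel account = context.AccountsModel
            .Where(a => a.username == loginModel.username)
            .FirstOrDefault();

        // Unknown user: the original dereferenced null here and returned a
        // 500, which also made "no such user" distinguishable from "bad
        // password". NOTE(review): the response time still differs (no hash
        // is computed on this path) -- hashing against a throwaway salt
        // would close that if it matters for this deployment.
        if (account == null || account.username != loginModel.username)
        {
            return BadRequest(error);
        }

        byte[] candidate = LoginUtils.hash(loginModel.password, account.Salt);
        if (!LoginUtils.slowEquals(candidate, account.SaltedAndHashedPassword))
        {
            return BadRequest(error);
        }

        // Success: mint a token. The stored copy is hashed so a database leak
        // does not hand out usable tokens; the client gets the encrypted form.
        string rawToken = LoginUtils.makeSimpleToken();
        // Invariant culture so the separators do not depend on the server's
        // locale; ValidateToken compares this string with the one inside the token.
        string timeStamp = DateTime.UtcNow.ToString("dd/MM/yyyy HH:mm:ss", System.Globalization.CultureInfo.InvariantCulture);
        string obfuscatedToken = LoginUtils.encryptToken(rawToken, timeStamp);
        byte[] hashedToken = LoginUtils.hashNoSalt(rawToken);

        context.TokensModel.Add(new TokenModel
        {
            tokenHash = hashedToken,
            tokenDate = timeStamp,
            userid = account.primaryKey
        });
        // Synchronous on purpose: the original fired SaveChangesAsync() and
        // never awaited it, so the token could be returned to the client
        // before (or without) the row being committed.
        context.SaveChanges();

        return Ok(new
        {
            token = obfuscatedToken,
            userId = account.primaryKey,
        });
    }
}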
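// Creates a new account from a LoginModel: the password is salted and
// hashed with LoginUtils.hash and only the salt + hash are stored.
// Responses:
//   400 with ModelState - request failed model validation / no body
//   400 "Passwords do not match." - password != password_validator
//   400 "Username already taken." - an AccountsModel row has that username
//   200 - account created
public IHttpActionResult PostRegister(LoginModel loginModel)
{
    if (loginModel == null || !ModelState.IsValid)
    {
        return BadRequest(ModelState);
    }

    if (loginModel.password != loginModel.password_validator)
    {
        return BadRequest("Passwords do not match.");
    }

    using (WebApplication1Context context = new WebApplication1Context())
    {
        // PostLogin looks accounts up by username with FirstOrDefault, so two
        // rows with the same username would make login pick one arbitrarily.
        if (context.AccountsModel.Any(a => a.username == loginModel.username))
        {
            return BadRequest("Username already taken.");
        }

        byte[] salt = LoginUtils.generateSalt();
        byte[] saltPass = LoginUtils.hash(loginModel.password, salt);

        // TODO: further validation (email format, organisation exists,
        // password policy) -- nothing in this file defines the rules yet.
        context.AccountsModel.Add(new AccountsModel
        {
            username = loginModel.username,
            email = loginModel.email,
            organizationId = loginModel.organization,
            Salt = salt,
            SaltedAndHashedPassword = saltPass,
        });
        // Synchronous on purpose: the original fired SaveChangesAsync()
        // without awaiting, so Ok() could be returned before the insert
        // completed (or after it failed silently).
        context.SaveChanges();
    }

    return Ok();
}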
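// Maximum age of a login token, measured from the timestamp PostLogin stores
// next to the token hash. Tokens older than this fail validation.
public static readonly TimeSpan TokenLifetime = TimeSpan.FromHours(24);

// Checks that tokenInput is a token issued to account idInput.
// Returns true only when all of the following hold:
//   - the token decrypts and carries a non-empty raw token
//   - the unsalted hash of the raw token exists in TokensModel
//   - that row belongs to idInput
//   - the timestamp embedded in the token equals the stored one
//   - the stored timestamp is no older than TokenLifetime
// Every failure returns false. The original threw NullReferenceException for
// an unknown token (surfacing as a 500 to the caller) and let decryption
// errors on malformed input escape; both now count as "invalid".
public static bool ValidateToken(string tokenInput, int idInput)
{
    if (string.IsNullOrEmpty(tokenInput))
    {
        return false;
    }

    decryptTokenData data;
    try
    {
        data = LoginUtils.decryptToken(tokenInput);
    }
    catch (FormatException)
    {
        // Not valid base64 / not the expected layout.
        return false;
    }
    catch (System.Security.Cryptography.CryptographicException)
    {
        // Tampered or truncated ciphertext.
        return false;
    }

    // The cast keeps the null check compiling whether decryptTokenData is a
    // class or a struct (not visible from here).
    if ((object)data == null || string.IsNullOrEmpty(data.token))
    {
        return false;
    }

    byte[] checkHash = LoginUtils.hashNoSalt(data.token);

    using (WebApplication1Context context = new WebApplication1Context())
    {
        TokenModel stored = context.TokensModel
            .Where(a => a.tokenHash == checkHash)
            .FirstOrDefault();

        if (stored == null)
        {
            return false; // unknown token
        }

        if (stored.userid != idInput)
        {
            return false; // token belongs to a different account
        }

        // Re-compare in managed code in case the database matched the
        // byte[] loosely; constant-time so the comparison leaks nothing.
        if (!LoginUtils.SafeEquals(stored.tokenHash, checkHash))
        {
            return false;
        }

        if (data.utcDateTime != stored.tokenDate)
        {
            // TODO - log this: the token decrypted and its hash matched, but
            // the embedded timestamp differs from the one recorded at login,
            // which suggests someone edited the token's contents.
            return false;
        }

        DateTime issuedAt;
        if (!TryParseTokenDate(stored.tokenDate, out issuedAt))
        {
            return false; // stored timestamp is unreadable; treat as expired
        }

        return DateTime.UtcNow - issuedAt <= TokenLifetime;
    }
}

// Parses the "dd/MM/yyyy HH:mm:ss" UTC timestamp written by PostLogin.
// Rows written before the formatting was pinned to the invariant culture may
// use the server's current-culture separators, so both are tried.
private static bool TryParseTokenDate(string text, out DateTime issuedAt)
{
    const string format = "dd/MM/yyyy HH:mm:ss";
    const System.Globalization.DateTimeStyles styles =
        System.Globalization.DateTimeStyles.AssumeUniversal | System.Globalization.DateTimeStyles.AdjustToUniversal;

    return DateTime.TryParseExact(text, format, System.Globalization.CultureInfo.InvariantCulture, styles, out issuedAt)
        || DateTime.TryParseExact(text, format, System.Globalization.CultureInfo.CurrentCulture, styles, out issuedAt);
}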