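        /// <summary>
        /// Deletes user <paramref name="id"/> together with every row that references it
        /// (accounts, folders and refresh tokens). The caller must be that user or an admin.
        /// </summary>
        /// <param name="id">ID of the user to delete.</param>
        /// <returns>
        /// A JSON string: <c>SuccessMessage._result</c> on success, otherwise an <see cref="ErrorMessage"/>
        /// with <c>Response.StatusCode</c> set to 401 (caller not allowed) or 500 (delete failed).
        /// </returns>
        [HttpDelete("{id:int}")]         // working
        public string User_DeleteUser(int id)
        {
            // verify that the user is either admin or is requesting their own data
            if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id))
            {
                Response.StatusCode = 401;
                return(JObject.FromObject(new ErrorMessage("Invalid User", "id accessed: " + id.ToString(), "Caller can only access their information.")).ToString());
            }

            try {
                // remove every row that points at this user before the user itself; folders used to be left
                // behind, which leaves orphans or fails the delete depending on how the FK is configured
                _context.Accounts.RemoveRange(_context.Accounts.Where(a => a.UserID == id));
                _context.Folders.RemoveRange(_context.Folders.Where(f => f.UserID == id));
                _context.RefreshTokens.RemoveRange(_context.RefreshTokens.Where(a => a.UserID == id));
                _context.Users.Remove(_context.Users.Single(a => a.ID == id));
                _context.SaveChanges();
            } catch (Exception ex) {
                // NOTE(review): ex.Message is echoed to the caller; prefer logging it and returning a generic reason
                Response.StatusCode = 500;
                ErrorMessage error = new ErrorMessage("Failed to delete user.", "ID: " + id.ToString(), ex.Message);
                return(JObject.FromObject(error).ToString());
            }

            JObject message = JObject.Parse(SuccessMessage._result);

            return(message.ToString());
        }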
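        /// <summary>
        /// Creates a new account (stored credential) for user <paramref name="id"/>.
        /// </summary>
        /// <param name="id">Owner of the new account; the caller must be this user or an admin.</param>
        /// <param name="accToAdd">Request body; <c>FolderID</c> may be null to place the account at the top level.</param>
        /// <returns>
        /// 200 on success; 400 when the body is missing or names a folder the user does not own;
        /// 401 when the caller is not allowed; 500 when persisting fails.
        /// </returns>
        [HttpPost("{id:int}/accounts")] // working
        public IActionResult User_AddAccount(int id, [FromBody] NewAccount accToAdd)
        {
            try
            {
                // verify that the user is either admin or is requesting their own data
                if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id))
                {
                    ErrorMessage error = new ErrorMessage("Invalid User", "Caller can only access their information.");
                    return(new UnauthorizedObjectResult(error));
                }

                // a missing or unbindable body arrives as null; that is a client error, not a 500
                if (accToAdd == null)
                {
                    ErrorMessage error = new ErrorMessage("Failed to create new account", "Request body is missing.");
                    return(new BadRequestObjectResult(error));
                }

                // if this user does not own the folder we are adding to, then error
                if (accToAdd.FolderID != null && !_context.Users.Single(a => a.ID == id).Folders.Exists(b => b.ID == accToAdd.FolderID))
                {
                    ErrorMessage error = new ErrorMessage("Failed to create new account", "User does not have a folder matching that ID.");
                    return(new BadRequestObjectResult(error));
                }

                // create new account and save it
                Account new_account = new Account(accToAdd, id);
                _context.Accounts.Add(new_account);
                _context.SaveChanges();
                return(Ok());
            }
            catch (Exception ex)
            {
                // NOTE(review): ex.Message is returned to the client; log it server-side and consider a generic reason instead
                ErrorMessage error = new ErrorMessage("Error creating new account.", ex.Message);
                return(new InternalServerErrorResult(error));
            }
        }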
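        /// <summary>
        /// Replaces the description of account <paramref name="account_id"/> owned by user <paramref name="id"/>.
        /// The new description and a fresh <c>LastModified</c> stamp are stored AES-encrypted with the user's key.
        /// </summary>
        /// <param name="id">Owner of the account; the caller must be this user or an admin.</param>
        /// <param name="account_id">Account to edit; it must belong to the user.</param>
        /// <param name="description">New plain-text description.</param>
        /// <returns>200 on success; 401 when the caller is not allowed; 400 when the user owns no such account.</returns>
        public IActionResult User_EditAccountDesc(int id, int account_id, [FromBody] string description)
        {
            // verify that the user is either admin or is requesting their own data
            if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id, _keyAndIV))
            {
                ErrorMessage error = new ErrorMessage("Invalid User", "Caller can only access their information.");
                return(new UnauthorizedObjectResult(error));
            }

            // validate ownership of said account; one lookup replaces the previous Exists + two Single calls
            Account accToEdit = _context.Users.Single(a => a.ID == id).Accounts.SingleOrDefault(b => b.ID == account_id);
            if (accToEdit == null)
            {
                ErrorMessage error = new ErrorMessage("Invalid account", "User does not have an account matching that ID.");
                return(new BadRequestObjectResult(error));
            }

            // derive the user key once; both fields are encrypted with it
            var keyAndIV = HelperMethods.GetUserKeyAndIV(id);
            accToEdit.Description  = HelperMethods.EncryptStringToBytes_Aes(description, keyAndIV);
            accToEdit.LastModified = HelperMethods.EncryptStringToBytes_Aes(DateTime.Now.ToString(), keyAndIV);
            _context.SaveChanges();

            return(Ok());
        }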
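        /// <summary>
        /// Creates a new account for user <paramref name="id"/>, enforcing the per-user account limit and
        /// folder ownership, and stamps its <c>LastModified</c> field (AES-encrypted with the user's key).
        /// </summary>
        /// <param name="id">Owner of the new account; the caller must be this user or an admin.</param>
        /// <param name="accToAdd">Request body; <c>FolderID</c> may be null to place the account at the top level.</param>
        /// <returns>
        /// 200 with the created <see cref="ReturnableAccount"/>; 400 when the body is missing, the limit is
        /// reached or the folder is not the user's; 401 when the caller is not allowed.
        /// </returns>
        public IActionResult User_AddAccount(int id, [FromBody] NewAccount accToAdd)
        {
            // account limit is 50 for now
            const int maxAccountsPerUser = 50;

            // verify that the user is either admin or is requesting their own data
            if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id, _keyAndIV))
            {
                ErrorMessage error = new ErrorMessage("Invalid User", "Caller can only access their information.");
                return(new UnauthorizedObjectResult(error));
            }

            // a missing or unbindable body arrives as null; reject it instead of dereferencing it below
            if (accToAdd == null)
            {
                ErrorMessage error = new ErrorMessage("Failed to create new account", "Request body is missing.");
                return(new BadRequestObjectResult(error));
            }

            // load the owner once; both checks below read its navigation collections
            User owner = _context.Users.Single(a => a.ID == id);

            if (owner.Accounts.Count >= maxAccountsPerUser)
            {
                ErrorMessage error = new ErrorMessage("Failed to create new account", "User cannot have more than 50 passwords saved at once.");
                return(new BadRequestObjectResult(error));
            }

            // if this user does not own the folder we are adding to, then error
            if (accToAdd.FolderID != null && !owner.Folders.Exists(b => b.ID == accToAdd.FolderID))
            {
                ErrorMessage error = new ErrorMessage("Failed to create new account", "User does not have a folder matching that ID.");
                return(new BadRequestObjectResult(error));
            }

            // create new account and save it
            Account new_account = new Account(accToAdd, id);

            new_account.LastModified = HelperMethods.EncryptStringToBytes_Aes(DateTime.Now.ToString(), HelperMethods.GetUserKeyAndIV(id));
            _context.Accounts.Add(new_account);
            _context.SaveChanges();

            // return the new object to easily update on frontend without making another api call
            return(new OkObjectResult(new ReturnableAccount(new_account)));
        }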
        /// <summary>
        /// Returns account <paramref name="account_id"/> of user <paramref name="id"/> as a <see cref="ReturnableAccount"/>.
        /// </summary>
        /// <param name="id">Owner of the account; the caller must be this user or an admin.</param>
        /// <param name="account_id">Account to read; it must belong to the user.</param>
        /// <returns>200 with the account; 401 when the caller is not allowed; 400 when the user owns no such account; 500 on any other failure.</returns>
        public IActionResult User_GetSingleAccount(int id, int account_id)
        {
            try
            {
                // caller must be this user or an admin
                bool allowed = HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id);
                if (!allowed)
                {
                    return(new UnauthorizedObjectResult(new ErrorMessage("Invalid User", "Caller can only access their information.")));
                }

                // the account must belong to the addressed user
                User owner = _context.Users.Single(a => a.ID == id);
                bool owned = owner.Accounts.Exists(b => b.ID == account_id);
                if (!owned)
                {
                    return(new BadRequestObjectResult(new ErrorMessage("Invalid account", "User does not have an account matching that ID.")));
                }

                Account found = _context.Accounts.Single(a => a.ID == account_id);
                return(new OkObjectResult(new ReturnableAccount(found)));
            }
            catch (Exception ex)
            {
                return(new InternalServerErrorResult(new ErrorMessage("Error getting account", ex.Message)));
            }
        }
        /// <summary>
        /// Lists every folder of user <paramref name="id"/> as <see cref="ReturnableFolder"/> objects.
        /// </summary>
        /// <param name="id">Owner of the folders; the caller must be this user or an admin.</param>
        /// <returns>200 with the list; 401 when the caller is not allowed; 500 on any other failure.</returns>
        public IActionResult User_GetFolders(int id)
        {
            try
            {
                // caller must be this user or an admin
                bool allowed = HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id);
                if (!allowed)
                {
                    return(new UnauthorizedObjectResult(new ErrorMessage("Invalid User", "Caller can only access their information.")));
                }

                // snapshot the navigation collection, then project each folder to its returnable form
                Folder[] owned = _context.Users.Single(a => a.ID == id).Folders.ToArray();
                List<ReturnableFolder> folders = owned.Select(f => new ReturnableFolder(f)).ToList();

                return(new OkObjectResult(folders));
            }
            catch (Exception ex)
            {
                return(new InternalServerErrorResult(new ErrorMessage("Error getting folders", ex.Message)));
            }
        }
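        /// <summary>
        /// Replaces the description of account <paramref name="account_id"/> owned by user <paramref name="id"/>.
        /// </summary>
        /// <param name="id">Owner of the account; the caller must be this user or an admin.</param>
        /// <param name="account_id">Account to edit; it must belong to the user.</param>
        /// <param name="description">New description, stored as received.</param>
        /// <returns>
        /// 200 with <c>{ new_description }</c>; 401 when the caller is not allowed;
        /// 400 when the user owns no such account; 500 on any other failure.
        /// </returns>
        public IActionResult User_EditAccountDesc(int id, int account_id, [FromBody] string description)
        {
            // attempt to edit the description
            try
            {
                // verify that the user is either admin or is requesting their own data
                if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id))
                {
                    ErrorMessage error = new ErrorMessage("Invalid User", "Caller can only access their information.");
                    return(new UnauthorizedObjectResult(error));
                }

                // validate ownership of said account; the previous code resolved user and account four times
                Account target = _context.Users.Single(a => a.ID == id).Accounts.SingleOrDefault(b => b.ID == account_id);
                if (target == null)
                {
                    ErrorMessage error = new ErrorMessage("Invalid account", "User does not have an account matching that ID.");
                    return(new BadRequestObjectResult(error));
                }

                target.Description = description;
                _context.SaveChanges();
                return(new OkObjectResult(new { new_description = target.Description }));
            }
            catch (Exception ex)
            {
                // NOTE(review): ex.Message is returned to the client; log it server-side and consider a generic reason instead
                ErrorMessage error = new ErrorMessage("Error editing description", ex.Message);
                return(new InternalServerErrorResult(error));
            }
        }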
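        /// <summary>
        /// Overwrites every user-editable field of account <paramref name="acc_id"/> owned by user <paramref name="id"/>
        /// with the values in <paramref name="acc"/>, storing them AES-encrypted with the user's key, and stamps
        /// <c>LastModified</c>.
        /// </summary>
        /// <param name="id">Owner of the account; the caller must be this user or an admin.</param>
        /// <param name="acc_id">Account to edit; it must belong to the user.</param>
        /// <param name="acc">New plain-text field values.</param>
        /// <returns>200 with the updated <see cref="ReturnableAccount"/>; 401 when the caller is not allowed; 400 when the body is missing or the user owns no such account.</returns>
        public IActionResult User_EditAccount(int id, int acc_id, [FromBody] NewAccount acc)
        {
            // verify that the user is either admin or is requesting their own data
            if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id, _keyAndIV))
            {
                ErrorMessage error = new ErrorMessage("Invalid User", "Caller can only access their information.");
                return(new UnauthorizedObjectResult(error));
            }

            // a missing or unbindable body arrives as null; reject it instead of dereferencing it below
            if (acc == null)
            {
                ErrorMessage error = new ErrorMessage("Failed to edit account", "Request body is missing.");
                return(new BadRequestObjectResult(error));
            }

            // validate ownership of said account (the old message wrongly said "Failed to delete account")
            Account accToEdit = _context.Users.Single(a => a.ID == id).Accounts.SingleOrDefault(b => b.ID == acc_id);
            if (accToEdit == null)
            {
                ErrorMessage error = new ErrorMessage("Failed to edit account", "User does not have an account matching that ID.");
                return(new BadRequestObjectResult(error));
            }

            // derive the user key once; every field below is encrypted with it
            var keyAndIV = HelperMethods.GetUserKeyAndIV(id);
            accToEdit.Title        = HelperMethods.EncryptStringToBytes_Aes(acc.Title, keyAndIV);
            accToEdit.Login        = HelperMethods.EncryptStringToBytes_Aes(acc.Login, keyAndIV);
            accToEdit.Password     = HelperMethods.EncryptStringToBytes_Aes(acc.Password, keyAndIV);
            accToEdit.Url          = HelperMethods.EncryptStringToBytes_Aes(acc.Url, keyAndIV);
            accToEdit.Description  = HelperMethods.EncryptStringToBytes_Aes(acc.Description, keyAndIV);
            accToEdit.LastModified = HelperMethods.EncryptStringToBytes_Aes(DateTime.Now.ToString(), keyAndIV);
            _context.SaveChanges();

            // return the new object to easily update on frontend without making another api call
            return(new OkObjectResult(new ReturnableAccount(accToEdit)));
        }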
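        /// <summary>
        /// Replaces the stored password of account <paramref name="account_id"/> owned by user <paramref name="id"/>;
        /// the value is AES-encrypted with the user's key before it is saved.
        /// </summary>
        /// <param name="id">Owner of the account; the caller must be this user or an admin.</param>
        /// <param name="account_id">Account to edit; it must belong to the user.</param>
        /// <param name="password">New plain-text password.</param>
        /// <returns>200 on success; 401 when the caller is not allowed; 400 when the user owns no such account; 500 on any other failure.</returns>
        [HttpPut("{id:int}/accounts/{account_id:int}/password")] // in progress
        public IActionResult User_EditAccountPassword(int id, int account_id, [FromBody] string password)
        {
            try
            {
                // verify that the user is either admin or is requesting their own data
                if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id))
                {
                    ErrorMessage error = new ErrorMessage("Invalid User", "Caller can only access their information.");
                    return(new UnauthorizedObjectResult(error));
                }

                // validate ownership of said account; one lookup replaces the previous Exists + Single pair
                Account target = _context.Users.Single(a => a.ID == id).Accounts.SingleOrDefault(b => b.ID == account_id);
                if (target == null)
                {
                    ErrorMessage error = new ErrorMessage("Invalid account", "User does not have an account matching that ID.");
                    return(new BadRequestObjectResult(error));
                }

                // NOTE(review): LastModified is not refreshed here, unlike the other edit endpoints — confirm whether that is intended
                target.Password = HelperMethods.EncryptStringToBytes_Aes(password, HelperMethods.GetUserKeyAndIV(id));
                _context.SaveChanges();
                return(Ok());
            }
            catch (Exception ex)
            {
                // NOTE(review): ex.Message is returned to the client; log it server-side and consider a generic reason instead
                ErrorMessage error = new ErrorMessage("Error editing password", ex.Message);
                return(new InternalServerErrorResult(error));
            }
        }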
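        /// <summary>
        /// Moves account <paramref name="account_id"/> of user <paramref name="id"/> into folder <paramref name="folder_id"/>,
        /// or to the top level when <paramref name="folder_id"/> is empty.
        /// </summary>
        /// <param name="id">Owner of the account; the caller must be this user or an admin.</param>
        /// <param name="account_id">Account to move; it must belong to the user.</param>
        /// <param name="folder_id">Target folder ID as text; blank removes the folder association.</param>
        /// <returns>
        /// <c>SuccessMessage._result</c> on success, otherwise an <see cref="ErrorMessage"/> JSON string with
        /// <c>Response.StatusCode</c> set to 401 (not allowed), 400 (non-numeric folder id) or 500 (lookup or save failed).
        /// </returns>
        public string User_AccountSetFolder(int id, int account_id, [FromBody] string folder_id)
        {
            // verify that the user is either admin or is requesting their own data
            if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id))
            {
                Response.StatusCode = 401;
                return(JObject.FromObject(new ErrorMessage("Invalid User", "id accessed: " + id.ToString(), "Caller can only access their information.")).ToString());
            }

            try {
                // resolving through the user's accounts guarantees the account exists and belongs to this user
                Account acc = _context.Users.Single(a => a.ID == id).Accounts.Single(b => b.ID == account_id);

                // left empty implies removing any associated folder
                if (string.IsNullOrWhiteSpace(folder_id))
                {
                    acc.FolderID = null;
                }
                else
                {
                    // a non-numeric folder id is a client error, not a server failure (int.Parse used to surface as 500)
                    int requestedFolderId;
                    if (!int.TryParse(folder_id, out requestedFolderId))
                    {
                        Response.StatusCode = 400;
                        return(JObject.FromObject(new ErrorMessage("Invalid folder id", "Attempted folder id: " + folder_id, "Folder id must be an integer.")).ToString());
                    }

                    // resolving through the user's own folders guarantees the folder exists and is owned by this user
                    acc.FolderID = _context.Users.Single(a => a.ID == id).Folders.Single(b => b.ID == requestedFolderId).ID;
                }

                _context.Accounts.Update(acc);
                _context.SaveChanges();
            } catch (Exception ex) {
                // NOTE(review): ex.Message is echoed to the caller; prefer logging it and returning a generic reason
                Response.StatusCode = 500;
                return(JObject.FromObject(new ErrorMessage("Error settting folder", "Attempted folder id: " + folder_id, ex.Message)).ToString());
            }

            return(SuccessMessage._result);
        }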
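        /// <summary>
        /// Deletes user <paramref name="id"/> together with every row that references it
        /// (accounts, folders and refresh tokens). The caller must be that user or an admin.
        /// </summary>
        /// <param name="id">ID of the user to delete.</param>
        /// <returns>200 on success; 401 when the caller is not allowed; 500 when the delete fails.</returns>
        [HttpDelete("{id:int}")] // working
        public IActionResult User_DeleteUser(int id)
        {
            try
            {
                // verify that the user is either admin or is requesting their own data
                if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id))
                {
                    ErrorMessage error = new ErrorMessage("Invalid User", "Caller can only access their information.");
                    return(new UnauthorizedObjectResult(error));
                }

                // remove every row that points at this user before the user itself; folders used to be left
                // behind, which leaves orphans or fails the delete depending on how the FK is configured
                _context.Accounts.RemoveRange(_context.Accounts.Where(a => a.UserID == id));
                _context.Folders.RemoveRange(_context.Folders.Where(f => f.UserID == id));
                _context.RefreshTokens.RemoveRange(_context.RefreshTokens.Where(a => a.UserID == id));
                _context.Users.Remove(_context.Users.Single(a => a.ID == id));
                _context.SaveChanges();

                return(Ok());
            }
            catch (Exception ex)
            {
                // NOTE(review): ex.Message is returned to the client; log it server-side and consider a generic reason instead
                ErrorMessage error = new ErrorMessage("Failed to delete user.", ex.Message);
                return(new InternalServerErrorResult(error));
            }
        }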
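        /// <summary>
        /// Changes the login password of user <paramref name="id"/> after verifying the current one.
        /// The new password is stored as a salted hash via <c>HelperMethods.ConcatenatedSaltAndSaltedHash</c>.
        /// </summary>
        /// <param name="id">User being edited; the caller must be this user or an admin.</param>
        /// <param name="psw_reset">Body carrying <c>Current_Password</c> and <c>New_Password</c>.</param>
        /// <returns>200 on success; 401 when the caller is not allowed; 400 when the body is missing or the current password does not match.</returns>
        public IActionResult User_EditPassword(int id, [FromBody] PasswordReset psw_reset)
        {
            // verify that the user is either admin or is requesting their own data
            if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id, _keyAndIV))
            {
                ErrorMessage error = new ErrorMessage("Invalid User", "Caller can only access their information.");
                return(new UnauthorizedObjectResult(error));
            }

            // a missing or unbindable body arrives as null; reject it before touching the user record
            if (psw_reset == null)
            {
                ErrorMessage error = new ErrorMessage("Invalid Password", "Request body is missing.");
                return(new BadRequestObjectResult(error));
            }

            // get user from db
            User user = _context.Users.Single(a => a.ID == id);

            // the supplied current password must match the stored hash before it may be replaced
            if (!ValidatePassword(psw_reset.Current_Password, user.Password))
            {
                ErrorMessage error = new ErrorMessage("Invalid Password", "Your current password does not match.");
                return(new BadRequestObjectResult(error));
            }

            user.Password = HelperMethods.ConcatenatedSaltAndSaltedHash(psw_reset.New_Password);
            _context.Update(user);
            _context.SaveChanges();
            return(Ok());
        }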
        /// <summary>
        /// Sets or clears the favourite flag on account <paramref name="account_id"/> owned by user <paramref name="id"/>.
        /// </summary>
        /// <param name="id">Owner of the account; the caller must be this user or an admin.</param>
        /// <param name="account_id">Account to edit; it must belong to the user.</param>
        /// <param name="isFavorite">New value of the flag.</param>
        /// <returns>200 on success; 401 when the caller is not allowed; 400 when the user owns no such account.</returns>
        public IActionResult User_EditAccountIsFavorite(int id, int account_id, [FromBody] bool isFavorite)
        {
            // caller must be this user or an admin
            bool allowed = HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id, _keyAndIV);
            if (!allowed)
            {
                return(new UnauthorizedObjectResult(new ErrorMessage("Invalid User", "Caller can only access their information.")));
            }

            // the account must belong to the addressed user
            User owner = _context.Users.Single(a => a.ID == id);
            bool owned = owner.Accounts.Exists(b => b.ID == account_id);
            if (!owned)
            {
                return(new BadRequestObjectResult(new ErrorMessage("Invalid account", "User does not have an account matching that ID.")));
            }

            // flip the flag on the tracked entity and persist; nothing is returned beyond the status
            Account target = owner.Accounts.Single(b => b.ID == account_id);
            target.IsFavorite = isFavorite;
            _context.SaveChanges();

            return(Ok());
        }
        /// <summary>
        /// Stores a new last name for user <paramref name="id"/>, AES-encrypted with <c>_keyAndIV</c>.
        /// </summary>
        /// <param name="id">User being edited; the caller must be this user or an admin.</param>
        /// <param name="lastname">Plain-text last name.</param>
        /// <returns>200 on success; 401 when the caller is not allowed.</returns>
        public IActionResult User_EditLastName(int id, [FromBody] string lastname)
        {
            // caller must be this user or an admin
            bool allowed = HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id, _keyAndIV);
            if (!allowed)
            {
                return(new UnauthorizedObjectResult(new ErrorMessage("Invalid User", "Caller can only access their information.")));
            }

            User target = _context.Users.Where(a => a.ID == id).Single();
            target.Last_Name = HelperMethods.EncryptStringToBytes_Aes(lastname, _keyAndIV);
            _context.SaveChanges();

            return(Ok());
        }
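        /// <summary>
        /// Returns account <paramref name="account_id"/> of user <paramref name="id"/> wrapped in the success envelope.
        /// </summary>
        /// <param name="id">Owner of the account; the caller must be this user or an admin.</param>
        /// <param name="account_id">Account to read; it must belong to the user.</param>
        /// <returns>
        /// <c>SuccessMessage._result</c> extended with an <c>account</c> property, otherwise an <see cref="ErrorMessage"/>
        /// JSON string with <c>Response.StatusCode</c> set to 401 (not allowed) or 400 (user owns no such account).
        /// </returns>
        public string User_GetSingleAccount(int id, int account_id)
        {
            // verify that the user is either admin or is requesting their own data
            if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id))
            {
                Response.StatusCode = 401;
                return(JObject.FromObject(new ErrorMessage("Invalid User", "id accessed: " + id.ToString(), "Caller can only access their information.")).ToString());
            }

            // the account must belong to the addressed user; previously any account_id was looked up
            // straight from _context.Accounts, so a caller could read other users' accounts by guessing IDs
            if (!_context.Users.Single(a => a.ID == id).Accounts.Exists(b => b.ID == account_id))
            {
                Response.StatusCode = 400;
                return(JObject.FromObject(new ErrorMessage("Invalid account", "id accessed: " + account_id.ToString(), "User does not have an account matching that ID.")).ToString());
            }

            JObject message = JObject.Parse(SuccessMessage._result);

            message.Add(new JProperty("account", JObject.FromObject(new ReturnableAccount(_context.Accounts.Single(a => a.ID == account_id)))));
            return(message.ToString());
        }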
        /// <summary>
        /// Returns user <paramref name="id"/> as a <see cref="ReturnableUser"/>, which omits the fields that must never leave the server.
        /// </summary>
        /// <param name="id">User to read; the caller must be this user or an admin.</param>
        /// <returns>200 with the user; 401 when the caller is not allowed.</returns>
        public IActionResult User_GetUser(int id)
        {
            // caller must be this user or an admin
            bool allowed = HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id, _keyAndIV);
            if (!allowed)
            {
                return(new UnauthorizedObjectResult(new ErrorMessage("Invalid User", "Caller can only access their information.")));
            }

            // ReturnableUser strips private data before it is serialised
            User stored = _context.Users.Where(a => a.ID == id).Single();
            return(new OkObjectResult(new ReturnableUser(stored, _keyAndIV)));
        }
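        /// <summary>
        /// Creates a new account for user <paramref name="id"/> from a raw JSON body
        /// (<c>folder_id</c>, <c>account_title</c>, <c>account_login</c>, <c>account_password</c>, <c>account_description</c>).
        /// </summary>
        /// <param name="id">Owner of the new account; the caller must be this user or an admin.</param>
        /// <param name="accJson">JSON text describing the account; <c>folder_id</c> is optional and must name one of the user's folders.</param>
        /// <returns>
        /// <c>SuccessMessage._result</c> on success, otherwise an <see cref="ErrorMessage"/> JSON string with
        /// <c>Response.StatusCode</c> set to 401 (not allowed), 400 (unparseable JSON or folder id) or 500 (lookup or save failed).
        /// </returns>
        [HttpPost("{id:int}/accounts")]         // working
        public string User_AddAccount(int id, [FromBody] string accJson)
        {
            // verify that the user is either admin or is requesting their own data
            if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id))
            {
                Response.StatusCode = 401;
                return(JObject.FromObject(new ErrorMessage("Invalid User", "id accessed: " + id.ToString(), "Caller can only access their information.")).ToString());
            }

            JObject json = null;

            // might want Json verification as own function since all will do it.. we will see
            try { json = JObject.Parse(accJson); } catch (Exception ex) {
                Response.StatusCode = 400;
                ErrorMessage error = new ErrorMessage("Invalid Json", accJson, ex.Message);
                return(JObject.FromObject(error).ToString());
            }

            try {
                // if folder id is present, then use it, if not we use standard null for top parent
                int?folder_id = null;
                if (json["folder_id"] != null)
                {
                    // a non-numeric folder id is a client error, not a server failure (int.Parse used to surface as 500)
                    int requestedFolderId;
                    if (!int.TryParse(json["folder_id"].ToString(), out requestedFolderId))
                    {
                        Response.StatusCode = 400;
                        return(JObject.FromObject(new ErrorMessage("Invalid Json", accJson, "folder_id must be an integer.")).ToString());
                    }

                    // resolving through the user's own folders guarantees the folder exists and is owned by this user
                    folder_id = _context.Users.Single(a => a.ID == id).Folders.Single(b => b.ID == requestedFolderId).ID;
                }

                // NOTE(review): only the password is encrypted here; title, login and description are stored as received — confirm that matches the Account model
                Account new_account = new Account {
                    UserID      = id,
                    FolderID    = folder_id,
                    Title       = json["account_title"]?.ToString(),
                    Login       = json["account_login"]?.ToString(),
                    Password    = json["account_password"] != null ? HelperMethods.EncryptStringToBytes_Aes(json["account_password"].ToString(), HelperMethods.GetUserKeyAndIV(id)) : null,
                    Description = json["account_description"]?.ToString()
                };
                _context.Accounts.Add(new_account);
                _context.SaveChanges();
            } catch (Exception ex) {
                // NOTE(review): ex.Message and the raw body are echoed to the caller; prefer logging them and returning a generic reason
                Response.StatusCode = 500;
                return(JObject.FromObject(new ErrorMessage("Error creating new account.", accJson, ex.Message)).ToString());
            }

            return(SuccessMessage._result);
        }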
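        /// <summary>
        /// Creates a folder for user <paramref name="id"/> from a raw JSON body (<c>folder_name</c>, optional <c>parent_id</c>).
        /// When a parent is given it must be one of the user's own folders, and its <c>HasChild</c> flag is set.
        /// </summary>
        /// <param name="id">Owner of the new folder; the caller must be this user or an admin.</param>
        /// <param name="folderJson">JSON text describing the folder.</param>
        /// <returns>
        /// <c>SuccessMessage._result</c> on success, otherwise an <see cref="ErrorMessage"/> JSON string with
        /// <c>Response.StatusCode</c> set to 401 (not allowed), 400 (bad JSON, missing name or parent not owned) or 500 (save failed).
        /// </returns>
        [HttpPost("{id:int}/folders")]         // working
        public string User_AddFolder(int id, [FromBody] string folderJson)
        {
            // verify that the user is either admin or is requesting their own data
            if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id))
            {
                Response.StatusCode = 401;
                return(JObject.FromObject(new ErrorMessage("Invalid User", "id accessed: " + id.ToString(), "Caller can only access their information.")).ToString());
            }

            JObject json = null;

            // might want Json verification as own function since all will do it.. we will see
            try { json = JObject.Parse(folderJson); } catch (Exception ex) {
                Response.StatusCode = 400;
                ErrorMessage error = new ErrorMessage("Invalid Json", folderJson, ex.Message);
                return(JObject.FromObject(error).ToString());
            }

            try {
                int?pid = json["parent_id"]?.ToObject<int?>();                 // parent id

                // the folder name is required; its absence used to surface as a NullReferenceException (500)
                string folderName = json["folder_name"]?.ToString();
                if (folderName == null)
                {
                    Response.StatusCode = 400;
                    return(JObject.FromObject(new ErrorMessage("Invalid Json", folderJson, "folder_name is required.")).ToString());
                }

                // the parent, when given, must be one of this user's own folders. The previous
                // `Single(...) == null` test could never be true (Single throws instead), and the later
                // parent lookup required ownership regardless of admin status, so the admin clause was
                // unreachable; ownership is now checked once, up front, and reported as a client error.
                Folder parent_folder = null;
                if (pid != null)
                {
                    parent_folder = _context.Users.Single(a => a.ID == id).Folders.SingleOrDefault(b => b.ID == pid);
                    if (parent_folder == null)
                    {
                        Response.StatusCode = 400;
                        return(JObject.FromObject(new ErrorMessage("Error creating new folder.", folderJson, "User must own the parent folder.")).ToString());
                    }
                }

                Folder new_folder = new Folder {
                    UserID = id, FolderName = folderName, ParentID = pid
                };
                _context.Folders.Add(new_folder);                 // add new folder

                // register to parent that it now has at least 1 child
                if (parent_folder != null)
                {
                    parent_folder.HasChild = true;
                    _context.Folders.Update(parent_folder);
                }
                _context.SaveChanges();
            } catch (Exception ex) {
                // NOTE(review): ex.Message and the raw body are echoed to the caller; prefer logging them and returning a generic reason
                Response.StatusCode = 500;
                return(JObject.FromObject(new ErrorMessage("Error creating new folder.", folderJson, ex.Message)).ToString());
            }

            return(SuccessMessage._result);
        }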
        /// <summary>
        /// Returns user <paramref name="id"/> wrapped in the success envelope as a <see cref="ReturnableUser"/>,
        /// which omits the fields that must never leave the server.
        /// </summary>
        /// <param name="id">User to read; the caller must be this user or an admin.</param>
        /// <returns><c>SuccessMessage._result</c> extended with a <c>user</c> property, or an <see cref="ErrorMessage"/> JSON string with <c>Response.StatusCode</c> set to 401.</returns>
        [HttpGet("{id:int}")]         // working
        public string User_GetUser(int id)
        {
            // caller must be this user or an admin
            bool allowed = HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id);
            if (!allowed)
            {
                Response.StatusCode = 401;
                ErrorMessage denied = new ErrorMessage("Invalid User", "id accessed: " + id.ToString(), "Caller can only access their information.");
                return(JObject.FromObject(denied).ToString());
            }

            // ReturnableUser strips private data before it is serialised
            User stored = _context.Users.Where(a => a.ID == id).Single();
            ReturnableUser retUser = new ReturnableUser(stored);

            // format response
            JObject message = JObject.Parse(SuccessMessage._result);
            message.Add(new JProperty("user", JToken.FromObject(retUser)));
            return(message.ToString());
        }
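        /// <summary>
        /// Moves account <paramref name="account_id"/> of user <paramref name="id"/> into folder <paramref name="folder_id"/>;
        /// a <paramref name="folder_id"/> of 0 (or null) places it at the top level.
        /// </summary>
        /// <param name="id">Owner of the account; the caller must be this user or an admin.</param>
        /// <param name="account_id">Account to move; it must belong to the user.</param>
        /// <param name="folder_id">Target folder; 0 means "no folder" because the body must be present.</param>
        /// <returns>
        /// 200 with <c>{ new_folder }</c>; 401 when the caller is not allowed; 400 when the user owns no such
        /// account or folder; 500 on any other failure.
        /// </returns>
        public IActionResult User_AccountSetFolder(int id, int account_id, [FromBody] int?folder_id)
        {
            try
            {
                // verify that the user is either admin or is requesting their own data
                if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id))
                {
                    ErrorMessage error = new ErrorMessage("Invalid User", "Caller can only access their information.");
                    return(new UnauthorizedObjectResult(error));
                }

                // load the owner once; the account and folder checks both read its navigation collections
                User owner = _context.Users.Single(a => a.ID == id);

                // validate ownership of said account
                Account target = owner.Accounts.SingleOrDefault(b => b.ID == account_id);
                if (target == null)
                {
                    ErrorMessage error = new ErrorMessage("Invalid account", "User does not have an account matching that ID.");
                    return(new BadRequestObjectResult(error));
                }

                // use zero to mean null since body paramter must be present
                if (folder_id == 0)
                {
                    folder_id = null;
                }

                // if this user does not own the folder we are moving to, then error
                // (the old message wrongly said "Failed to create new account")
                if (folder_id != null && !owner.Folders.Exists(b => b.ID == folder_id))
                {
                    ErrorMessage error = new ErrorMessage("Failed to set folder", "User does not have a folder matching that ID.");
                    return(new BadRequestObjectResult(error));
                }

                target.FolderID = folder_id;
                _context.SaveChanges();

                return(new OkObjectResult(new { new_folder = target.FolderID }));
            }
            catch (Exception ex)
            {
                // NOTE(review): ex.Message is returned to the client; log it server-side and consider a generic reason instead
                ErrorMessage error = new ErrorMessage("Error settting folder", ex.Message);
                return(new InternalServerErrorResult(error));
            }
        }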
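        /// <summary>
        /// Deletes folder <paramref name="folder_id"/> of user <paramref name="id"/>, its sub-folders and every
        /// account stored in them. If the deleted folder was its parent's last child, the parent's
        /// <c>HasChild</c> flag (set by <c>User_AddFolder</c>) is cleared.
        /// </summary>
        /// <param name="id">Owner of the folder; the caller must be this user or an admin.</param>
        /// <param name="folder_id">Folder to delete; it must belong to the user.</param>
        /// <returns><c>SuccessMessage._result</c>, or an <see cref="ErrorMessage"/> JSON string with <c>Response.StatusCode</c> set to 401 (not allowed) or 500 (lookup or delete failed).</returns>
        [HttpDelete("{id:int}/folders/{folder_id:int}")]         // working
        public string User_DeleteFolder(int id, int folder_id)
        {
            // verify that the user is either admin or is requesting their own data
            if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id))
            {
                Response.StatusCode = 401;
                return(JObject.FromObject(new ErrorMessage("Invalid User", "id accessed: " + id.ToString(), "Caller can only access their information.")).ToString());
            }

            try {
                // resolving through the user's folders guarantees the folder exists and is owned by this user
                Folder folderToDelete = _context.Users.Single(a => a.ID == id).Folders.Single(b => b.ID == folder_id);
                int? parentId = folderToDelete.ParentID;

                // the tree walk no longer re-enters the public action, so identity is checked once and a
                // failure deep in the tree propagates as an exception instead of its result being discarded
                DeleteFolderTree(id, folderToDelete);

                // keep the parent's HasChild flag accurate once its last child is gone
                if (parentId != null && !_context.Folders.Any(f => f.UserID == id && f.ParentID == parentId))
                {
                    Folder parent = _context.Folders.SingleOrDefault(f => f.ID == parentId && f.UserID == id);
                    if (parent != null)
                    {
                        parent.HasChild = false;
                        _context.Folders.Update(parent);
                        _context.SaveChanges();
                    }
                }
            }
            catch (Exception ex) {
                // NOTE(review): ex.Message is echoed to the caller; prefer logging it and returning a generic reason
                Response.StatusCode = 500;
                return(JObject.FromObject(new ErrorMessage("Error deleting folder.", "Folder ID: " + folder_id.ToString(), ex.Message)).ToString());
            }

            return(SuccessMessage._result);
        }

        /// <summary>
        /// Deletes <paramref name="folder"/> together with its sub-folders and the accounts they hold.
        /// Children are removed depth-first; each folder's accounts are saved before the folder itself,
        /// which the foreign keys require.
        /// </summary>
        /// <param name="userId">Owner of the folder; children and accounts are looked up within this user's data.</param>
        /// <param name="folder">Folder to delete; the caller has already verified it is owned by <paramref name="userId"/>.</param>
        private void DeleteFolderTree(int userId, Folder folder)
        {
            if (folder.HasChild)
            {
                List<Folder> children = _context.Folders.Where(f => f.UserID == userId && f.ParentID == folder.ID).ToList();
                foreach (Folder child in children)
                {
                    DeleteFolderTree(userId, child);                 // recurse before touching this folder's own rows
                }
            }

            // delete the accounts in the folder; identity and access have already been verified by the caller
            List<Account> accounts = _context.Accounts.Where(a => a.UserID == userId && a.FolderID == folder.ID).ToList();
            _context.Accounts.RemoveRange(accounts);
            _context.SaveChanges();                  // save the accounts being deleted
            _context.Folders.Remove(folder);         // remove the folder
            _context.SaveChanges();                  // must be done separately because of foreign keys
        }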
        /// <summary>
        /// Returns the last name of the user identified by <paramref name="id"/>.
        /// Only that user or an admin may read it.
        /// </summary>
        /// <param name="id">Database ID of the user whose last name is requested.</param>
        /// <returns>
        /// 200 with <c>{ lastname }</c>; 401 when the caller is neither the user nor an admin;
        /// 500 (carrying the exception message) when the lookup throws.
        /// </returns>
        [HttpGet("{id:int}/lastname")] // working
        public IActionResult User_GetLastName(int id)
        {
            try
            {
                // caller must be an admin or the owner of this record
                bool allowed = HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id);
                if (!allowed)
                {
                    ErrorMessage denied = new ErrorMessage("Invalid User", "Caller can only access their information.");
                    return new UnauthorizedObjectResult(denied);
                }

                User requested = _context.Users.Single(a => a.ID == id);
                var payload = new { lastname = requested.Last_Name };
                return new OkObjectResult(payload);
            }
            catch (Exception ex)
            {
                // NOTE(review): ex.Message is returned to the client; logging it server-side and
                // answering with a generic message would avoid disclosing internal details.
                ErrorMessage failure = new ErrorMessage("Failed to get last name.", ex.Message);
                return new InternalServerErrorResult(failure);
            }
        }
        /// <summary>
        /// Lists every account owned by the user identified by <paramref name="id"/>,
        /// each wrapped in a <see cref="ReturnableAccount"/>.
        /// </summary>
        /// <param name="id">Database ID of the account owner.</param>
        /// <returns>200 with the list; 401 when the caller is neither the user nor an admin.</returns>
        /// <remarks>
        /// There is no exception handling here: if no user has this ID, <c>Single</c> throws and
        /// the exception propagates to the framework.
        /// </remarks>
        public IActionResult User_GetAccounts(int id)
        {
            // caller must be an admin or the owner of this record
            if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id, _keyAndIV))
            {
                ErrorMessage denied = new ErrorMessage("Invalid User", "Caller can only access their information.");
                return new UnauthorizedObjectResult(denied);
            }

            // project the owner's accounts into their returnable form
            User owner = _context.Users.Single(a => a.ID == id);
            List<ReturnableAccount> result = owner.Accounts
                .ToArray()
                .Select(acc => new ReturnableAccount(acc))
                .ToList();

            return new OkObjectResult(result);
        }
        /// <summary>
        /// Deletes one account owned by the user identified by <paramref name="id"/>.
        /// </summary>
        /// <param name="id">Database ID of the account owner.</param>
        /// <param name="account_id">
        /// ID of the account to delete. It is resolved through the owner's own <c>Accounts</c>
        /// collection, so an account belonging to a different user cannot be matched.
        /// </param>
        /// <returns>
        /// The JSON success message; on failure a JSON <see cref="ErrorMessage"/> with
        /// <c>Response.StatusCode</c> set to 401 (not authorised) or 500 (lookup or delete threw).
        /// </returns>
        [HttpDelete("{id:int}/accounts/{account_id:int}")]         // working
        public string User_DeleteAccount(int id, int account_id)
        {
            // caller must be an admin or the owner of this record
            bool allowed = HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id);
            if (!allowed)
            {
                Response.StatusCode = 401;
                ErrorMessage denied = new ErrorMessage("Invalid User", "id accessed: " + id.ToString(), "Caller can only access their information.");
                return JObject.FromObject(denied).ToString();
            }

            try
            {
                // resolve the user first so the account must be one of theirs
                User owner = _context.Users.Single(a => a.ID == id);
                Account target = owner.Accounts.Single(b => b.ID == account_id);
                _context.Accounts.Remove(target);
                _context.SaveChanges();
            }
            catch (Exception ex)
            {
                // NOTE(review): ex.Message is returned to the client; consider logging it instead.
                Response.StatusCode = 500;
                ErrorMessage failure = new ErrorMessage("Error deleting account.", "Account ID: " + account_id.ToString(), ex.Message);
                return JObject.FromObject(failure).ToString();
            }

            return SuccessMessage._result;
        }
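        /// <summary>
        /// Deletes one account owned by the user identified by <paramref name="id"/>.
        /// </summary>
        /// <param name="id">Database ID of the account owner.</param>
        /// <param name="account_id">ID of the account to delete.</param>
        /// <returns>
        /// 200 on success; 401 when the caller is neither the user nor an admin;
        /// 400 when the user owns no account with that ID.
        /// </returns>
        /// <remarks>
        /// No exception handling: a missing user makes <c>Single</c> throw, as before.
        /// </remarks>
        public IActionResult User_DeleteAccount(int id, int account_id)
        {
            // caller must be an admin or the owner of this record
            if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id, _keyAndIV))
            {
                ErrorMessage error = new ErrorMessage("Invalid User", "Caller can only access their information.");
                return new UnauthorizedObjectResult(error);
            }

            // look the account up through the owner's collection so that an account belonging to
            // another user can never match; one lookup replaces the former Exists + Single pair
            Account target = _context.Users.Single(a => a.ID == id).Accounts.FirstOrDefault(b => b.ID == account_id);
            if (target == null)
            {
                ErrorMessage error = new ErrorMessage("Failed to delete account", "User does not have an account matching that ID.");
                return new BadRequestObjectResult(error);
            }

            _context.Accounts.Remove(target);
            _context.SaveChanges();
            return Ok();
        }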
        /// <summary>
        /// Returns every folder owned by the user identified by <paramref name="id"/>.
        /// </summary>
        /// <param name="id">Database ID of the folder owner.</param>
        /// <returns>
        /// The JSON success message extended with a <c>"folders"</c> array of
        /// <see cref="ReturnableFolder"/> objects; on an authorisation failure a JSON
        /// <see cref="ErrorMessage"/> with <c>Response.StatusCode</c> set to 401.
        /// </returns>
        /// <remarks>No exception handling: a missing user makes <c>Single</c> throw.</remarks>
        public string User_GetFolders(int id)
        {
            // caller must be an admin or the owner of this record
            bool allowed = HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id);
            if (!allowed)
            {
                Response.StatusCode = 401;
                ErrorMessage denied = new ErrorMessage("Invalid User", "id accessed: " + id.ToString(), "Caller can only access their information.");
                return JObject.FromObject(denied).ToString();
            }

            // build the "folders" array from the owner's folder collection
            JArray folderArray = new JArray();
            User owner = _context.Users.Single(a => a.ID == id);
            foreach (Folder fold in owner.Folders)
            {
                folderArray.Add(JToken.FromObject(new ReturnableFolder(fold)));
            }

            // success envelope plus the folder list
            JObject reply = JObject.Parse(SuccessMessage._result);
            reply.Add(new JProperty("folders", folderArray));
            return reply.ToString();
        }
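        /// <summary>
        /// Moves a set of the user's accounts into one of the user's folders (or out of any folder).
        /// </summary>
        /// <param name="id">Database ID of the owner of both the accounts and the folder.</param>
        /// <param name="data">
        /// JSON body with <c>account_ids</c> (array of int) and <c>folder_id</c> (int; 0 means
        /// "no folder", because the field must be present).
        /// </param>
        /// <returns>
        /// 200 on success; 401 when the caller is neither the user nor an admin; 400 when a required
        /// field is missing, the folder is not the user's, or any listed account is not the user's.
        /// </returns>
        public IActionResult User_SetMultipleAccountsFolder(int id, [FromBody] JObject data)
        {
            // caller must be an admin or the owner of this record
            if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id, _keyAndIV))
            {
                ErrorMessage error = new ErrorMessage("Invalid User", "Caller can only access their information.");
                return new UnauthorizedObjectResult(error);
            }

            // both fields are required; a missing one used to surface as a NullReferenceException (500)
            List<int> account_ids = data?["account_ids"]?.ToObject<List<int>>();
            JToken folderToken = data?["folder_id"];
            if (account_ids == null || folderToken == null)
            {
                ErrorMessage error = new ErrorMessage("Failed to set accounts folder", "Body must contain account_ids and folder_id.");
                return new BadRequestObjectResult(error);
            }
            int? folder_id = folderToken.ToObject<int>();

            // use zero to mean null since body paramter must be present
            if (folder_id == 0)
            {
                folder_id = null;
            }

            User owner = _context.Users.Single(a => a.ID == id);

            // the target folder must belong to this user
            if (folder_id != null && !owner.Folders.Exists(b => b.ID == folder_id))
            {
                ErrorMessage error = new ErrorMessage("Failed to set accounts folder", "User does not have a folder matching that ID.");
                return new BadRequestObjectResult(error);
            }

            // validate every account before touching any of them, so a bad ID in the middle of the
            // list no longer leaves the earlier accounts modified inside the tracked context
            List<Account> targets = new List<Account>();
            foreach (int acc_id in account_ids)
            {
                Account acc = owner.Accounts.FirstOrDefault(b => b.ID == acc_id);
                if (acc == null)
                {
                    ErrorMessage error = new ErrorMessage("Failed to set accounts folder", "User does not have an account matching ID: " + acc_id);
                    return new BadRequestObjectResult(error);
                }
                targets.Add(acc);
            }

            foreach (Account acc in targets)
            {
                acc.FolderID = folder_id;
            }

            _context.SaveChanges();
            return Ok();
        }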
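        /// <summary>
        /// Changes the login password of the user identified by <paramref name="id"/> after
        /// checking the supplied current password.
        /// </summary>
        /// <param name="id">Database ID of the user.</param>
        /// <param name="passwordJson">JSON body with <c>current_password</c> and <c>new_password</c>.</param>
        /// <returns>
        /// The JSON success message; otherwise a JSON <see cref="ErrorMessage"/> with
        /// <c>Response.StatusCode</c> set to 401 (not authorised, or wrong current password),
        /// 400 (unparseable body or missing field) or 500 (the update threw).
        /// Neither the request body nor either password is echoed in any response.
        /// </returns>
        public string User_EditPassword(int id, [FromBody] string passwordJson)
        {
            // verify that the user is either admin or is requesting their own data
            if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id))
            {
                Response.StatusCode = 401;
                return(JObject.FromObject(new ErrorMessage("Invalid User", "id accessed: " + id.ToString(), "Caller can only access their information.")).ToString());
            }

            JObject json = null;

            // might want Json verification as own function since all will do it.. we will see
            try { json = JObject.Parse(passwordJson); } catch (Exception ex) {
                Response.StatusCode = 400;
                // the raw body carries passwords, so it is no longer placed in the error (was: passwordJson)
                ErrorMessage error = new ErrorMessage("Invalid Json", "n/a", ex.Message);
                return(JObject.FromObject(error).ToString());
            }

            // both fields are required; reading a missing one used to throw a NullReferenceException
            // inside the try below and come back as a 500
            string currentPassword = json["current_password"]?.ToString();
            string newPassword     = json["new_password"]?.ToString();
            if (currentPassword == null || newPassword == null)
            {
                Response.StatusCode = 400;
                return(JObject.FromObject(new ErrorMessage("Invalid Json", "n/a", "current_password and new_password are required.")).ToString());
            }

            try {
                User user = _context.Users.Single(a => a.ID == id);

                // if password is valid then we change it and update db
                if (ValidatePassword(currentPassword, user.Password))
                {
                    user.Password = HelperMethods.ConcatenatedSaltAndSaltedHash(newPassword);
                    _context.Update(user);
                    _context.SaveChanges();
                }
                else
                {
                    Response.StatusCode = 401;
                    // the rejected password is no longer echoed back (was: json["current_password"])
                    return(JObject.FromObject(new ErrorMessage("Invalid Password", "n/a", "n/a")).ToString());
                }
            } catch (Exception ex) {
                Response.StatusCode = 500;
                return(JObject.FromObject(new ErrorMessage("Failed to update with new password", "n/a", ex.Message)).ToString());                // don't continue to send password back and forth in messages
            }


            return(JObject.Parse(SuccessMessage._result).ToString());
        }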
        /// <summary>
        /// Replaces the stored password of one of the user's accounts, encrypting it with the
        /// key and IV that <c>HelperMethods.GetUserKeyAndIV(id)</c> yields for this user.
        /// </summary>
        /// <param name="id">Database ID of the account owner.</param>
        /// <param name="account_id">ID of the account, resolved through the owner's <c>Accounts</c>.</param>
        /// <param name="password">The new plaintext password from the request body.</param>
        /// <returns>
        /// The JSON success message; on failure a JSON <see cref="ErrorMessage"/> with
        /// <c>Response.StatusCode</c> set to 401 (not authorised) or 500 (lookup, encryption or
        /// save threw). The password itself never appears in a response.
        /// </returns>
        [HttpPut("{id:int}/accounts/{account_id:int}/password")]         // in progress
        public string User_EditAccountPassword(int id, int account_id, [FromBody] string password)
        {
            // caller must be an admin or the owner of this record
            bool allowed = HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id);
            if (!allowed)
            {
                Response.StatusCode = 401;
                ErrorMessage denied = new ErrorMessage("Invalid User", "id accessed: " + id.ToString(), "Caller can only access their information.");
                return JObject.FromObject(denied).ToString();
            }

            try
            {
                User owner = _context.Users.Single(a => a.ID == id);
                Account target = owner.Accounts.Single(b => b.ID == account_id);

                // per-user key and IV; the original author notes this should move to a unique key
                var keyAndIV = HelperMethods.GetUserKeyAndIV(id);
                target.Password = HelperMethods.EncryptStringToBytes_Aes(password, keyAndIV);

                _context.Accounts.Update(target);
                _context.SaveChanges();
            }
            catch (Exception ex)
            {
                Response.StatusCode = 500;
                ErrorMessage failure = new ErrorMessage("Error editing password", "n/a", ex.Message);
                return JObject.FromObject(failure).ToString();
            }

            return SuccessMessage._result;
        }
        /// <summary>
        /// Replaces the description of one of the user's accounts.
        /// </summary>
        /// <param name="id">Database ID of the account owner.</param>
        /// <param name="account_id">ID of the account, resolved through the owner's <c>Accounts</c>.</param>
        /// <param name="description">The new description from the request body.</param>
        /// <returns>
        /// The JSON success message; on failure a JSON <see cref="ErrorMessage"/> with
        /// <c>Response.StatusCode</c> set to 401 (not authorised) or 500 (lookup or save threw;
        /// the attempted description is included in that error).
        /// </returns>
        public string User_EditAccountDesc(int id, int account_id, [FromBody] string description)
        {
            // caller must be an admin or the owner of this record
            bool allowed = HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id);
            if (!allowed)
            {
                Response.StatusCode = 401;
                ErrorMessage denied = new ErrorMessage("Invalid User", "id accessed: " + id.ToString(), "Caller can only access their information.");
                return JObject.FromObject(denied).ToString();
            }

            // attempt to edit the description
            try
            {
                User owner = _context.Users.Single(a => a.ID == id);
                Account target = owner.Accounts.Single(b => b.ID == account_id);
                target.Description = description;

                _context.Accounts.Update(target);
                _context.SaveChanges();
            }
            catch (Exception ex)
            {
                Response.StatusCode = 500;
                ErrorMessage failure = new ErrorMessage("Error editing description", "Attempted description: " + description, ex.Message);
                return JObject.FromObject(failure).ToString();
            }

            return SuccessMessage._result;
        }