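        /// <summary>
        /// Validates a CHAP-style token: the challenge must be redeemable exactly once in
        /// <c>_challengeStore</c>, and <paramref name="response"/> must equal the signature that
        /// <c>_responseService</c> recomputes locally for the same challenge, URL and factors.
        /// </summary>
        /// <param name="challenge">Challenge value the client is responding to; consumed on first use.</param>
        /// <param name="response">Signature hash presented by the client.</param>
        /// <param name="url">Request URL that is bound into the signature.</param>
        /// <param name="logger">Optional audit sink; rejection reasons are reported here when non-null.</param>
        /// <param name="additionalFactors">Extra factors mixed into the signature.</param>
        /// <returns><c>true</c> only when the challenge was unused and the signature matched.</returns>
        public virtual bool ValidateToken(string challenge, string response, string url, IChapServerLogger logger, params SignatureFactor[] additionalFactors)
        {
            // The challenge is consumed before the signature is examined, so a replayed or
            // expired challenge is rejected without recomputing anything.
            if (!_challengeStore.ConsumeChallenge(challenge))
            {
                logger?.RejectedDueToInvalidChallenge(challenge, url);
                return false;                 // invalid or expired challenge
            }

            // The challenge was valid; recompute the expected signature and compare it
            // with what the client sent.
            var localMacOfRequest = _responseService.CreateSignature(challenge, url, additionalFactors);

            // NOTE(review): assumes SignatureHash is the string form of the MAC — confirm
            // against the return type of _responseService.CreateSignature.
            var expectedHash = localMacOfRequest.SignatureHash;

            // Compare in fixed time: a plain string Equals stops at the first differing
            // character, so its duration would reveal how much of the MAC was guessed.
            // FixedTimeEquals needs .NET Core 2.1 / .NET Standard 2.1 or later.
            var signatureMatches = expectedHash != null && response != null
                && System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(
                    System.Text.Encoding.UTF8.GetBytes(expectedHash),
                    System.Text.Encoding.UTF8.GetBytes(response));

            if (signatureMatches)
            {
                return true;
            }

            logger?.RejectedDueToInvalidSignature(challenge, response, localMacOfRequest);

            return false;
        }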
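        /// <summary>
        /// Validates a CHAP-style token in which the challenge is generated by the client:
        /// <paramref name="response"/> must equal the signature that <c>_responseService</c>
        /// recomputes locally, and only then is the challenge checked against
        /// <c>_challengeStore</c> to make sure it has not already been used.
        /// </summary>
        /// <param name="challenge">Client-generated challenge value; consumed on first successful use.</param>
        /// <param name="response">Signature hash presented by the client.</param>
        /// <param name="url">Request URL that is bound into the signature.</param>
        /// <param name="logger">Optional audit sink; rejection reasons are reported here when non-null.</param>
        /// <param name="additionalFactors">Extra factors mixed into the signature.</param>
        /// <returns><c>true</c> only when the signature matched and the challenge was unused.</returns>
        public virtual bool ValidateToken(string challenge, string response, string url, IChapServerLogger logger, params SignatureFactor[] additionalFactors)
        {
            // Check the signature first, to avoid any DDoS vulnerabilities in challenge tracking:
            // an unauthenticated caller must not be able to fill the challenge store.
            var localMacOfRequest = _responseService.CreateSignature(challenge, url, additionalFactors);

            // NOTE(review): assumes SignatureHash is the string form of the MAC — confirm
            // against the return type of _responseService.CreateSignature.
            var expectedHash = localMacOfRequest.SignatureHash;

            // Compare in fixed time: a plain string Equals stops at the first differing
            // character, so its duration would reveal how much of the MAC was guessed.
            // FixedTimeEquals needs .NET Core 2.1 / .NET Standard 2.1 or later.
            var signatureMatches = expectedHash != null && response != null
                && System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(
                    System.Text.Encoding.UTF8.GetBytes(expectedHash),
                    System.Text.Encoding.UTF8.GetBytes(response));

            if (!signatureMatches)
            {
                logger?.RejectedDueToInvalidSignature(challenge, response, localMacOfRequest);
                return false;
            }

            // The MAC matches, so the request was produced by a holder of the key; now make
            // sure the (client-generated) challenge has not been used recently, which is what
            // stops a captured challenge/response pair from being replayed. How long "recently"
            // is depends on _challengeStore's retention, which is not visible here.
            if (!_challengeStore.ConsumeChallenge(challenge))
            {
                logger?.RejectedDueToInvalidChallenge(challenge, url);
                return false;                 // invalid or expired challenge
            }

            return true;
        }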