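        // POST api/CustomLogin
        /// <summary>
        /// Authenticates a user against the shard that owns the account and, on success,
        /// issues a Mobile Services login token that carries the shard key as a claim.
        /// </summary>
        /// <param name="loginRequest">Posted credentials (email and password).</param>
        /// <returns>
        /// 400 Bad Request when the body or a credential is missing; 401 Unauthorized with one
        /// generic message both when the account is unknown and when the password does not match,
        /// so the response does not reveal which e-mail addresses have accounts; 200 OK with a
        /// <see cref="MobileLoginResult"/> otherwise.
        /// </returns>
        public HttpResponseMessage Post(LoginRequest loginRequest)
        {
            // Reject a malformed body up front instead of failing with a NullReferenceException
            // (which would surface as a 500) when the fields are read below.
            if (loginRequest == null || string.IsNullOrEmpty(loginRequest.email) || loginRequest.password == null)
            {
                return this.Request.CreateResponse(HttpStatusCode.BadRequest, "Email and password are required.");
            }

            Guid shardKey;

            // The e-mail alone does not tell us which shard holds the account, so fan the lookup
            // out to every shard and use the returned CompaniesID as the shard key.
            using (MultiShardConnection conn = new MultiShardConnection(WebApiConfig.ShardingObj.ShardMap.GetShards(), WebApiConfig.ShardingObj.connstring))
            {
                using (MultiShardCommand cmd = conn.CreateCommand())
                {
                    // The e-mail is client-controlled input: bind it as a parameter rather than
                    // splicing it into the statement text.
                    cmd.CommandText      = "SELECT CompaniesID FROM [mpbdm].[Accounts] JOIN [mpbdm].[Users] ON [mpbdm].[Users].Id = [mpbdm].[Accounts].User_Id WHERE email=@email";
                    cmd.CommandType      = CommandType.Text;
                    cmd.Parameters.AddWithValue("@email", loginRequest.email);
                    cmd.ExecutionOptions = MultiShardExecutionOptions.IncludeShardNameColumn;
                    // PartialResults: an unreachable shard does not fail the whole lookup.
                    cmd.ExecutionPolicy  = MultiShardExecutionPolicy.PartialResults;
                    using (MultiShardDataReader sdr = cmd.ExecuteReader())
                    {
                        if (!sdr.Read())
                        {
                            // Same status and message as the wrong-password path below (no account enumeration).
                            return this.Request.CreateResponse(HttpStatusCode.Unauthorized, "Invalid username or password");
                        }
                        shardKey = new Guid(sdr.GetString(0));
                    }
                }
            }

            // Connect with Entity Framework to the specific shard identified above.
            mpbdmContext<Guid> context = new mpbdmContext<Guid>(WebApiConfig.ShardingObj.ShardMap, shardKey, WebApiConfig.ShardingObj.connstring);
            Account account = context.Accounts.Include("User").Where(a => a.User.Email == loginRequest.email).SingleOrDefault();

            if (account != null)
            {
                byte[] incoming = CustomLoginProviderUtils.hash(loginRequest.password, account.Salt);

                // slowEquals is the project's constant-time comparison; keep using it here.
                if (CustomLoginProviderUtils.slowEquals(incoming, account.SaltedAndHashedPassword))
                {
                    ClaimsIdentity claimsIdentity = new ClaimsIdentity();
                    claimsIdentity.AddClaim(new Claim(ClaimTypes.NameIdentifier, account.User.Email));
                    // Custom claims must also be declared in CustomLoginProvider, or they are dropped from the token.
                    claimsIdentity.AddClaim(new Claim("shardKey", account.User.CompaniesID));
                    var               customLoginProvider = new CustomLoginProvider(handler);
                    LoginResult       loginResult         = customLoginProvider.CreateLoginResult(claimsIdentity, Services.Settings.MasterKey);
                    MobileLoginResult res                 = new MobileLoginResult(account, loginResult);
                    return this.Request.CreateResponse(HttpStatusCode.OK, res);
                }
            }
            return this.Request.CreateResponse(HttpStatusCode.Unauthorized, "Invalid username or password");
        }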
        /// <summary>
        /// Performs a mobile login through the authenticator SOAP service, retrying
        /// <see cref="WebException"/> failures up to the configured retry count.
        /// </summary>
        /// <param name="loginID">Account identifier; must not be null.</param>
        /// <param name="password">Account password; must not be null.</param>
        /// <param name="clientIP">Caller address; when null it is read from the current HTTP request.</param>
        /// <param name="nexonSN">Serial number from the service; 0 when the call does not complete.</param>
        /// <param name="nexonID">Account id from the service; empty when the call does not complete.</param>
        /// <param name="age">Age from the service; 0 when the call does not complete.</param>
        /// <param name="newMembership">New-membership flag from the service; false when the call does not complete.</param>
        /// <param name="mainAuthLevel">Main auth level from the service; 0 when the call does not complete.</param>
        /// <param name="subAuthLevel">Sub auth level from the service; 0 when the call does not complete.</param>
        /// <param name="errorMessage">Service-supplied message on a completed call, local diagnostic text otherwise.</param>
        /// <returns>
        /// The service's error code on a completed call; <see cref="ErrorCode.InvalidArgument"/>,
        /// <see cref="ErrorCode.Unknown"/> or <see cref="ErrorCode.SoapCallFailed"/> when the call could not be made.
        /// </returns>
        public static ErrorCode MobileLogin(string loginID, string password, string clientIP, out long nexonSN, out string nexonID, out ushort age, out bool newMembership, out byte mainAuthLevel, out byte subAuthLevel, out string errorMessage)
        {
            // Every out parameter is given a defined value before any early return.
            subAuthLevel  = 0;
            mainAuthLevel = 0;
            newMembership = false;
            age           = 0;
            nexonID       = string.Empty;
            nexonSN       = 0L;

            if (loginID == null || password == null)
            {
                errorMessage = "'id' or 'pwd' are null.";
                return ErrorCode.InvalidArgument;
            }

            if (clientIP == null)
            {
                // Fall back to the address of the current request; outside a request
                // context the read fails and is reported as an invalid argument.
                try
                {
                    clientIP = HttpContext.Current.Request.UserHostAddress;
                }
                catch (Exception)
                {
                    errorMessage = "Getting user ip address from HttpContext failed.";
                    return ErrorCode.InvalidArgument;
                }
            }

            Default soapClient;
            try
            {
                soapClient = Authenticator.CreateClientFromID(loginID);
            }
            catch (Exception createEx)
            {
                errorMessage = "A unknown exception occured while creating a soap client." + Environment.NewLine + createEx.ToString();
                ErrorLogger.WriteLog(ErrorCode.Unknown, errorMessage, createEx.StackTrace, loginID, string.Empty);
                return ErrorCode.Unknown;
            }

            // RetryCount + 1 attempts in total; only WebExceptions are retried.
            for (int attempt = 0; attempt <= Config.Authenticator.Soap.RetryCount; attempt++)
            {
                try
                {
                    var result = soapClient.MobileLogin(loginID, password, clientIP);
                    nexonSN       = result.nNexonSN;
                    nexonID       = result.strNexonID;
                    age           = result.uAge;
                    newMembership = result.bNewMembership;
                    mainAuthLevel = result.nMainAuthLevel;
                    subAuthLevel  = result.nSubAuthLevel;
                    errorMessage  = result.strErrorMessage;
                    return (ErrorCode)result.nErrorCode;
                }
                catch (Exception callEx)
                {
                    bool lastAttempt = attempt == Config.Authenticator.Soap.RetryCount;
                    bool transient   = callEx is WebException;
                    if (lastAttempt || !transient)
                    {
                        errorMessage = "A unknown exception occured while calling a soap method." + Environment.NewLine + callEx.ToString();
                        ErrorLogger.WriteLog(ErrorCode.SoapCallFailed, errorMessage, callEx.StackTrace, loginID, string.Empty);
                        return ErrorCode.SoapCallFailed;
                    }
                    // A WebException with attempts remaining: fall through and retry.
                }

                // The final attempt runs with the long timeout.
                if (attempt == Config.Authenticator.Soap.RetryCount - 1)
                {
                    soapClient.Timeout = Config.Authenticator.Soap.LongTimeout;
                }
            }

            // Only reachable when RetryCount is negative, i.e. the loop body never ran.
            errorMessage = string.Empty;
            return ErrorCode.Unknown;
        }