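// POST api/CustomLogin
/// <summary>
/// Authenticates a user against the sharded account store and, on success,
/// issues a mobile login token carrying the user's shard key as a claim.
/// </summary>
/// <param name="loginRequest">Client-supplied credentials (e-mail and password).</param>
/// <returns>
/// 200 with a <see cref="MobileLoginResult"/> when the password verifies;
/// 401 when the credentials are missing, the account is unknown on every
/// shard, or the password does not match.
/// </returns>
public HttpResponseMessage Post(LoginRequest loginRequest)
{
    // Missing credentials can never authenticate; fail closed before touching any shard.
    if (loginRequest == null || string.IsNullOrEmpty(loginRequest.email) || loginRequest.password == null)
    {
        return this.Request.CreateResponse(HttpStatusCode.Unauthorized, "Invalid username or password");
    }

    // Step 1: fan one lookup out to every shard to find which shard holds this
    // account. CompaniesID is the shard key used in step 2.
    Guid shardKey;
    using (MultiShardConnection conn = new MultiShardConnection(WebApiConfig.ShardingObj.ShardMap.GetShards(), WebApiConfig.ShardingObj.connstring))
    using (MultiShardCommand cmd = conn.CreateCommand())
    {
        // The e-mail is attacker-controlled input, so it is bound as a SQL
        // parameter instead of being concatenated into the statement text
        // (the concatenated form was an injection vector).
        cmd.CommandText =
            "SELECT CompaniesID FROM [mpbdm].[Accounts] " +
            "JOIN [mpbdm].[Users] ON [mpbdm].[Users].Id = [mpbdm].[Accounts].User_Id " +
            "WHERE email = @email";
        cmd.CommandType = CommandType.Text;
        cmd.Parameters.AddWithValue("@email", loginRequest.email);
        cmd.ExecutionOptions = MultiShardExecutionOptions.IncludeShardNameColumn;
        // PartialResults: a shard that is down does not fail the whole lookup.
        cmd.ExecutionPolicy = MultiShardExecutionPolicy.PartialResults;

        using (MultiShardDataReader sdr = cmd.ExecuteReader())
        {
            if (!sdr.Read())
            {
                // NOTE(review): this message differs from the generic one returned
                // below, so a caller can tell "no such account" from "wrong password".
                // Consider using the same text for both if account enumeration matters.
                return this.Request.CreateResponse(HttpStatusCode.Unauthorized, "Account doesn't exist!");
            }
            shardKey = new Guid(sdr.GetString(0));
        }
    }

    // Step 2: open an Entity Framework context bound to that single shard.
    // NOTE(review): the context is not disposed here; the returned account
    // entity is serialized after this method returns, and disposing first could
    // break that if lazy-loaded navigation properties are touched — confirm
    // before wrapping this in a using block.
    mpbdmContext<Guid> context = new mpbdmContext<Guid>(WebApiConfig.ShardingObj.ShardMap, shardKey, WebApiConfig.ShardingObj.connstring);
    Account account = context.Accounts
        .Include("User")
        .Where(a => a.User.Email == loginRequest.email)
        .SingleOrDefault();

    if (account != null)
    {
        // Salted hash of the presented password, compared in constant time.
        byte[] incoming = CustomLoginProviderUtils.hash(loginRequest.password, account.Salt);
        if (CustomLoginProviderUtils.slowEquals(incoming, account.SaltedAndHashedPassword))
        {
            ClaimsIdentity claimsIdentity = new ClaimsIdentity();
            claimsIdentity.AddClaim(new Claim(ClaimTypes.NameIdentifier, account.User.Email));
            // Custom claim: any claim added here must also be added in CustomLoginProvider.
            claimsIdentity.AddClaim(new Claim("shardKey", account.User.CompaniesID));

            CustomLoginProvider customLoginProvider = new CustomLoginProvider(handler);
            LoginResult loginResult = customLoginProvider.CreateLoginResult(claimsIdentity, Services.Settings.MasterKey);
            MobileLoginResult result = new MobileLoginResult(account, loginResult);
            return this.Request.CreateResponse(HttpStatusCode.OK, result);
        }
    }

    // Unknown account on this shard or password mismatch: one generic answer.
    return this.Request.CreateResponse(HttpStatusCode.Unauthorized, "Invalid username or password");
}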
/// <summary>
/// Logs a user in through the SOAP authenticator, retrying transient
/// (<see cref="WebException"/>) failures up to Config.Authenticator.Soap.RetryCount
/// additional times; the final retry runs with the long timeout.
/// </summary>
/// <param name="loginID">Account identifier; null is rejected.</param>
/// <param name="password">Account password; null is rejected.</param>
/// <param name="clientIP">Caller address; when null it is read from the current HttpContext.</param>
/// <param name="nexonSN">Serial number reported by the authenticator; 0 on failure.</param>
/// <param name="nexonID">Identifier reported by the authenticator; empty on failure.</param>
/// <param name="age">Age reported by the authenticator; 0 on failure.</param>
/// <param name="newMembership">Whether the authenticator flagged a new membership; false on failure.</param>
/// <param name="mainAuthLevel">Main authorization level; 0 on failure.</param>
/// <param name="subAuthLevel">Sub authorization level; 0 on failure.</param>
/// <param name="errorMessage">
/// Authenticator's message on success, otherwise a local description. On
/// exception paths this includes the full exception text; callers should not
/// relay it to the end user verbatim.
/// </param>
/// <returns>The authenticator's error code, or a local <see cref="ErrorCode"/> when the call could not be made.</returns>
public static ErrorCode MobileLogin(string loginID, string password, string clientIP, out long nexonSN, out string nexonID, out ushort age, out bool newMembership, out byte mainAuthLevel, out byte subAuthLevel, out string errorMessage)
{
    // Give every out parameter a neutral value first so each early return is well-defined.
    nexonSN = 0L;
    nexonID = string.Empty;
    age = 0;
    newMembership = false;
    mainAuthLevel = 0;
    subAuthLevel = 0;

    bool credentialsMissing = loginID == null || password == null;
    if (credentialsMissing)
    {
        errorMessage = "'id' or 'pwd' are null.";
        return ErrorCode.InvalidArgument;
    }

    if (clientIP == null)
    {
        // Outside a web request HttpContext.Current is unavailable; any failure
        // here is treated as a bad argument rather than propagated.
        try
        {
            clientIP = HttpContext.Current.Request.UserHostAddress;
        }
        catch (Exception)
        {
            errorMessage = "Getting user ip address from HttpContext failed.";
            return ErrorCode.InvalidArgument;
        }
    }

    Default soapClient;
    try
    {
        soapClient = Authenticator.CreateClientFromID(loginID);
    }
    catch (Exception createEx)
    {
        errorMessage = "A unknown exception occured while creating a soap client." + Environment.NewLine + createEx.ToString();
        ErrorLogger.WriteLog(ErrorCode.Unknown, errorMessage, createEx.StackTrace, loginID, string.Empty);
        return ErrorCode.Unknown;
    }

    // One initial attempt plus RetryCount retries.
    for (int attempt = 0; attempt <= Config.Authenticator.Soap.RetryCount; attempt++)
    {
        try
        {
            MobileLoginResult reply = soapClient.MobileLogin(loginID, password, clientIP);
            nexonSN = reply.nNexonSN;
            nexonID = reply.strNexonID;
            age = reply.uAge;
            newMembership = reply.bNewMembership;
            mainAuthLevel = reply.nMainAuthLevel;
            subAuthLevel = reply.nSubAuthLevel;
            errorMessage = reply.strErrorMessage;
            return (ErrorCode)reply.nErrorCode;
        }
        catch (Exception callEx)
        {
            // Only a WebException is worth retrying, and only while attempts remain.
            if (attempt == Config.Authenticator.Soap.RetryCount || !(callEx is WebException))
            {
                errorMessage = "A unknown exception occured while calling a soap method." + Environment.NewLine + callEx.ToString();
                ErrorLogger.WriteLog(ErrorCode.SoapCallFailed, errorMessage, callEx.StackTrace, loginID, string.Empty);
                return ErrorCode.SoapCallFailed;
            }
        }

        // Before the final retry, give the call more time.
        if (attempt == Config.Authenticator.Soap.RetryCount - 1)
        {
            soapClient.Timeout = Config.Authenticator.Soap.LongTimeout;
        }
    }

    // Not reached in practice: every iteration either returns a result or returns on failure.
    errorMessage = string.Empty;
    return ErrorCode.Unknown;
}