public void Login(string username, byte[] hashedPassword, LoginAttempt loginMethod)
{
byte[] password = new byte[32];
string commandText = $"SELECT {COL_PASSWORD} FROM {LOGIN_TABLE_NAME} WHERE {COL_USERNAME} = @username";
_command.CommandText = commandText;
_command.Parameters.Add(new SqliteParameter("@username", username));
_connection.Open();
try
{
using (_reader = _command.ExecuteReader())
{
_reader.Read();
password = GetBytes();
}
if (password.SequenceEqual(hashedPassword))
{
loginMethod?.Invoke(username);
}
}
catch (Exception e)
{
Debug.Log("Error logging in: " + e.Message);
}
_connection.Close();
}
public void UpdateUsernameAttempt(LoginAttempt old, LoginAttempt updated)
{
old.Username = updated.Username;
old.Time = updated.Time;
old.Blocked = updated.Blocked;
Entity.SaveChanges();
}
/// <summary>
/// Update the login attempt tracking information based upon the last login status
/// </summary>
/// <param name="didLoginSucceed">Did the last login attempt succeed</param>
public UserStatus AddLoginAttempt(bool didLoginSucceed, string source, string userName, AMFUserLogin relatedUser)
{
if (source == null)
{
source = string.Empty;
}
LoginAttempt newLoginAttempt = LoginAttemptFactory.Create(didLoginSucceed, source, userName);
this.LoginAttemptRepository.Save(newLoginAttempt);
UserStatus retVal = UserStatus.Active;
if (didLoginSucceed == true)
{
retVal = UserStatus.Active;
}
else
{
int failureCount = this.GetLoginFailureCount(userName, AMFUserLogin.MaxAllowedLoginFailures);
if (failureCount == AMFUserLogin.MaxAllowedLoginFailures)
{
retVal = UserStatus.Locked;
}
}
if (relatedUser != null)
{
relatedUser.UserStatus = retVal;
relatedUser = this.UserRepository.Save(relatedUser);
}
return(retVal);
}
private SessionVM GetNewToken(LoginAttempt login)
{
SessionVM sessionVM = null;
Session session = null;
if (login.UserName != null && login.UserName != "")
{
var user = this.mainContext.Users.Where(u => u.UserName == login.UserName).FirstOrDefault();
LogService.Write("NewToken Attempt", String.Format("User:{0}", login.UserName));
if (user != null)
{
string hash = Crypto.Hash(login.Password, user.Salt);
var dbLogin = this.mainContext.Logins.Where(l => l.PasswordHash == hash && l.UserId == user.Id).FirstOrDefault();
if (dbLogin != null)
{
session = CreateNewSession(user);
}
}
if (session != null)
{
sessionVM = new SessionVM(session);
}
}
return(sessionVM);
}
private void Button_Click(object sender, RoutedEventArgs e)
{
ErrorsStackPanel.Children.Clear();
Login = LoginTextBox.Text;
Password = PasswordBox.SecurePassword;
LoginAttempt?.Invoke(this, new LoginEventArgs(Login, Password));
}
private async Task AddLoginAttemptAsync(string emailAddress)
{
#if DEBUG
// don't add login when debugging, we may be logging in as another user
return;
#endif
string ipAddress = ControllerContext.HttpContext.GetIpAddress();
string userAgent = ControllerContext.HttpContext.Request.UserAgent();
userAgent = userAgent.Clip(250);
try
{
User user = await Database.GetUserByEmailAsync(emailAddress, CancellationToken.None);
LoginAttempt login = new LoginAttempt()
{
UserId = user.Id,
IpAddress = ipAddress,
UserAgent = userAgent,
};
await Database.AddLoginAttmptAsync(login, CancellationToken.None);
}
catch (Exception ex)
{
ex.Data.Add("userAgent", userAgent);
ex.Data.Add("ip", ipAddress);
logger.LogError(ex, "AddLoginAttemptAsync error");
}
}
public IHttpActionResult Login([FromBody] LoginAttempt model)
{
var userManager = HttpContext.Current.GetOwinContext().GetUserManager <UserManager <AppUser> >();
var authManager = HttpContext.Current.GetOwinContext().Authentication;
// attempt to load the user with this password
AppUser user = userManager.Find(model.UserName, model.Password);
// user will be null if the password or user name is bad
if (user == null)
{
return(BadRequest("Invalid username or password"));
}
else if (userManager.IsInRole(user.Id, "Disabled"))
{
return(BadRequest("User is disabled"));
}
else
{
var identity = userManager.CreateIdentity(user, DefaultAuthenticationTypes.ApplicationCookie);
authManager.SignIn(new AuthenticationProperties {
IsPersistent = true
}, identity);
return(Ok());
}
}
///<summary>Inserts one LoginAttempt into the database. Provides option to use the existing priKey. Doesn't use the cache.</summary>
public static long InsertNoCache(LoginAttempt loginAttempt, bool useExistingPK)
{
bool isRandomKeys = Prefs.GetBoolNoCache(PrefName.RandomPrimaryKeys);
string command = "INSERT INTO loginattempt (";
if (!useExistingPK && isRandomKeys)
{
loginAttempt.LoginAttemptNum = ReplicationServers.GetKeyNoCache("loginattempt", "LoginAttemptNum");
}
if (isRandomKeys || useExistingPK)
{
command += "LoginAttemptNum,";
}
command += "UserName,LoginType,DateTFail) VALUES(";
if (isRandomKeys || useExistingPK)
{
command += POut.Long(loginAttempt.LoginAttemptNum) + ",";
}
command +=
"'" + POut.String(loginAttempt.UserName) + "',"
+ POut.Int((int)loginAttempt.LoginType) + ","
+ DbHelper.Now() + ")";
if (useExistingPK || isRandomKeys)
{
Db.NonQ(command);
}
else
{
loginAttempt.LoginAttemptNum = Db.NonQ(command, true, "LoginAttemptNum", "loginAttempt");
}
return(loginAttempt.LoginAttemptNum);
}
public async void AuthenticatorLoginShouldNotLoginWhenServiceReturnsNull()
{
User user = null;
LoginAttempt attempt = new LoginAttempt(user);
LoginModel model = new LoginModel();
model.Login = "******";
model.Password = "******";
ILoginService service = MockRepository.GenerateStub <ILoginService>();
ISessionHelper session = MockRepository.GenerateStub <ISessionHelper>();
IFormsAuthentication forms = MockRepository.GenerateStub <IFormsAuthentication>();
service.Stub(s => s.Login(model.Login, model.Password)).Return(Task <LoginAttempt> .FromResult(attempt));
Authenticator authenticator = new Authenticator(service, session, forms);
bool result = await authenticator.Login(model);
Assert.IsFalse(result);
service.AssertWasCalled(s => s.Login(model.Login, model.Password));
session.AssertWasNotCalled(s => s.User.Id);
forms.AssertWasNotCalled(f => f.SetAuthCookie(Arg <string> .Is.Anything, Arg <bool> .Is.Anything));
}
///<summary>Updates one LoginAttempt in the database. Uses an old object to compare to, and only alters changed fields. This prevents collisions and concurrency problems in heavily used tables. Returns true if an update occurred.</summary>
public static bool Update(LoginAttempt loginAttempt, LoginAttempt oldLoginAttempt)
{
string command = "";
if (loginAttempt.UserName != oldLoginAttempt.UserName)
{
if (command != "")
{
command += ",";
}
command += "UserName = '******'";
}
if (loginAttempt.LoginType != oldLoginAttempt.LoginType)
{
if (command != "")
{
command += ",";
}
command += "LoginType = " + POut.Int((int)loginAttempt.LoginType) + "";
}
//DateTFail not allowed to change
if (command == "")
{
return(false);
}
command = "UPDATE loginattempt SET " + command
+ " WHERE LoginAttemptNum = " + POut.Long(loginAttempt.LoginAttemptNum);
Db.NonQ(command);
return(true);
}
public async void AuthenticatorLoginShouldLoginWhenServiceReturnsUser()
{
User user = new User();
user.Id = 1;
user.Name = "a";
LoginAttempt attempt = new LoginAttempt(user);
LoginModel model = new LoginModel();
model.Login = "******";
model.Password = "******";
ILoginService service = MockRepository.GenerateStub <ILoginService>();
ISessionHelper session = MockRepository.GenerateStub <ISessionHelper>();
IFormsAuthentication forms = MockRepository.GenerateStub <IFormsAuthentication>();
service.Stub(s => s.Login(model.Login, model.Password)).Return(Task <LoginAttempt> .FromResult(attempt));
Authenticator authenticator = new Authenticator(service, session, forms);
bool result = await authenticator.Login(model);
Assert.IsTrue(result);
service.AssertWasCalled(s => s.Login(model.Login, model.Password));
Assert.AreEqual(session.User.Id, user.Id);
forms.AssertWasCalled(f => f.SetAuthCookie(model.Login, true));
}
public Response <RegistrationResponse> Delete([FromBody] LoginAttempt login)
{
var response = new RegistrationResponse()
{
Successful = false
};
var service = new Tete.Api.Services.Authentication.LoginService(this.context);
var token = HttpContext.Request.Cookies[Constants.SessionTokenName];
var user = service.GetUserVMFromToken(token);
var session = service.Login(login);
var user2 = service.GetUserVMFromToken(session.Token);
if (user != null && session != null && user2 != null && user.UserId == user2.UserId)
{
try
{
service.DeleteAccount(user.UserId, user);
response.Successful = true;
}
catch { }
}
if (!response.Successful)
{
response.Messages.Add("Unable to delete account due to login issues.");
}
return(new Response <RegistrationResponse>(response));
}
public async Task Log(TRequest request, TResponse response, CancellationToken cancellationToken)
{
var ipAddress = _context.GetRequestIpAsString();
LoginLocation location = null;
if (!string.IsNullOrEmpty(ipAddress))
{
try
{
location = _mapper.Map <LoginLocation>(await _client.GetLocationAsync(ipAddress, cancellationToken));
location = await _repository.FindLoginLocationByCoordinates(location.Latitude, location.Longitude) ?? location;
}
catch
{
location = null;
}
}
var clientInformation = Parser.GetDefault().Parse(_context.GetUserAgentAsString());
var loginAttempt = new LoginAttempt
{
Username = string.IsNullOrEmpty(request.Credentials.Email) ? request.Credentials.Username : request.Credentials.Email,
Device = clientInformation.Device.Family,
Os = clientInformation.OS.Family,
Browser = clientInformation.UA.Family,
PublicIp = ipAddress,
DateAndTime = DateTime.Now,
Location = location,
Status = string.IsNullOrEmpty(response.ErrorMessage) ? LoginStatus.Success : LoginStatus.Failed
};
_repository.Insert(loginAttempt);
}
public async Task LoginWithIpWithMixedReputationAsync()
{
TestConfiguration configuration = InitTest();
string[] usernames = CreateUserAccounts(configuration, 500);
CreateTestAccount(configuration, Username1, Password1);
// Have one attacker make the password popular by attempting to login to every account with it.
foreach (string username in usernames.Skip(100))
{
await AuthenticateAsync(configuration, username, PopularPassword, clientAddress : AttackersIp);
}
// Now have our client get the correct password half the time, and the popular incorrect password half the time.
bool shouldGuessPopular = true;
foreach (string username in usernames.Take(50))
{
await AuthenticateAsync(configuration, username, shouldGuessPopular?PopularPassword : "******" + username, ClientsIp);
shouldGuessPopular = !shouldGuessPopular;
}
LoginAttempt anotherAttackersAttempt = await AuthenticateAsync(configuration, Username1, Password1, clientAddress : AnotherAttackersIp);
Assert.Equal(AuthenticationOutcome.CredentialsValid, anotherAttackersAttempt.Outcome);
}
public async Task LoginWithIpWithBadReputationAsync()
{
//BlockingAlgorithmOptions Options = new BlockingAlgorithmOptions();
//Options.BlockThresholdMultiplierForUnpopularPasswords = 1d;
//TestConfiguration configuration = InitTest(Options);
TestConfiguration configuration = InitTest();
string[] usernames = CreateUserAccounts(configuration, 200);
CreateTestAccount(configuration, Username1, Password1);
// Have one attacker make the password popular by attempting to login to every account with it.
foreach (string username in usernames.Skip(10))
{
await AuthenticateAsync(configuration, username, Password1, clientAddress : AttackersIp);
}
LoginAttempt firstAttackersAttempt = await AuthenticateAsync(configuration, Username1, Password1, clientAddress : AttackersIp);
Assert.Equal(AuthenticationOutcome.CredentialsValidButBlocked, firstAttackersAttempt.Outcome);
// Now the second attacker should be flagged after using that password 10 times on different accounts.
foreach (string username in usernames.Skip(1).Take(9))
{
await AuthenticateAsync(configuration, username, Password1, AnotherAttackersIp);
}
await AuthenticateAsync(configuration, usernames[0], Password1, AnotherAttackersIp);
LoginAttempt anotherAttackersAttempt = await AuthenticateAsync(configuration, Username1, Password1, clientAddress : AnotherAttackersIp);
Assert.Equal(AuthenticationOutcome.CredentialsValidButBlocked, anotherAttackersAttempt.Outcome);
}
public async Task ScaleTest()
{
int UserScale = 1000000;
TestConfiguration configuration = InitTest();
//((MemoryOnlyStableStore) configuration.StableStore).Accounts = null;
string[] usernames = CreateUserAccounts(configuration, UserScale);
CreateTestAccount(configuration, Username1, Password1);
// Have one attacker make the password popular by attempting to login to every account with it.
Parallel.ForEach(usernames.Skip(20), async(username) =>
await AuthenticateAsync(configuration, username, PopularPassword, clientAddress: AttackersIp));
Thread.Sleep(2000);
LoginAttempt firstAttackersAttempt = await AuthenticateAsync(configuration, Username1, Password1, clientAddress : AttackersIp);
Assert.Equal(AuthenticationOutcome.CredentialsValidButBlocked, firstAttackersAttempt.Outcome);
// Now the second attacker should be flagged after using that password 10 times on different accounts.
foreach (string username in usernames.Skip(1).Take(19))
{
await AuthenticateAsync(configuration, username, PopularPassword, AnotherAttackersIp);
}
await AuthenticateAsync(configuration, usernames[0], PopularPassword, AnotherAttackersIp);
LoginAttempt anotherAttackersAttempt = await AuthenticateAsync(configuration, Username1, Password1, clientAddress : AnotherAttackersIp);
Assert.Equal(AuthenticationOutcome.CredentialsValidButBlocked, anotherAttackersAttempt.Outcome);
}
public async Task LoginWithIpWithBadReputationParallelLoadAsync()
{
TestConfiguration configuration = InitTest();
string[] usernames = CreateUserAccounts(configuration, 250);
CreateTestAccount(configuration, Username1, Password1);
await TaskParalllel.ForEachWithWorkers(usernames.Skip(20), async (username, itemNumber, cancelToken) =>
await AuthenticateAsync(configuration, username, Password1, clientAddress: AttackersIp, cancellationToken: cancelToken));
Thread.Sleep(2000);
LoginAttempt firstAttackersAttempt = await AuthenticateAsync(configuration, Username1, Password1, clientAddress : AttackersIp);
Assert.Equal(AuthenticationOutcome.CredentialsValidButBlocked, firstAttackersAttempt.Outcome);
foreach (string username in usernames.Skip(1).Take(19))
{
await AuthenticateAsync(configuration, username, Password1, AnotherAttackersIp);
}
await AuthenticateAsync(configuration, usernames[0], Password1, AnotherAttackersIp);
LoginAttempt anotherAttackersAttempt = await AuthenticateAsync(configuration, Username1, Password1, clientAddress : AnotherAttackersIp);
Assert.Equal(AuthenticationOutcome.CredentialsValidButBlocked, anotherAttackersAttempt.Outcome);
}
public async Task LoginWithIpWithMixedReputationAsync()
{
TestConfiguration configuration = InitTest();
string[] usernames = CreateUserAccounts(configuration, 500);
CreateTestAccount(configuration, Username1, Password1);
foreach (string username in usernames.Skip(100))
{
await AuthenticateAsync(configuration, username, PopularPassword, clientAddress : AttackersIp);
}
bool shouldGuessPopular = true;
foreach (string username in usernames.Take(50))
{
await AuthenticateAsync(configuration, username, shouldGuessPopular?PopularPassword : "******" + username, ClientsIp);
shouldGuessPopular = !shouldGuessPopular;
}
LoginAttempt anotherAttackersAttempt = await AuthenticateAsync(configuration, Username1, Password1, clientAddress : AnotherAttackersIp);
Assert.Equal(AuthenticationOutcome.CredentialsValid, anotherAttackersAttempt.Outcome);
}
public ActionResult Login([FromForm] LoginAttempt loginAttempt)
{
//if already logged in, redirect to log out screen instead.
if (LoggedInUser(out _))
{
RedirectToAction("Logout");
}
//attempt to get the login details and pass them to the account service
//if the credentials are valid and the account exists, store the account identifier in session
//not a secure practice.
if (loginAttempt.AttemptAccount(accountService, hasher, out UserAccount loginAccount))
{
SetLoggedInUser(loginAccount);
changeService.AddChange(loginAccount, "Logged in", string.Empty, DateTime.Now.ToString());
changeService.StoreChanges();
}
else
{
ViewData["info"] = "Incorrect email or password";
ViewData["textClass"] = "text-danger";
return(View());
}
return(Redirect("/Home/Index"));
}
public async Task <LoginAttempt> PutAsync(LoginAttempt loginAttempt,
string passwordProvidedByClient = null,
List <RemoteHost> serversResponsibleForCachingThisLoginAttempt = null,
TimeSpan?timeout = null,
CancellationToken cancellationToken = default(CancellationToken))
{
if (serversResponsibleForCachingThisLoginAttempt == null)
{
serversResponsibleForCachingThisLoginAttempt = GetServersResponsibleForCachingALoginAttempt(loginAttempt);
}
return(await RestClientHelper.TryServersUntilOneRespondsWithResult(
serversResponsibleForCachingThisLoginAttempt,
timeout ?? DefaultTimeout,
async (server, localTimeout) =>
await RestClientHelper.PutAsync <LoginAttempt>(server.Uri,
"/api/LoginAttempt/" + Uri.EscapeUriString(loginAttempt.UniqueKey), new Object[]
{
new KeyValuePair <string, LoginAttempt>("loginAttempt", loginAttempt),
new KeyValuePair <string, string>("passwordProvidedByClient", passwordProvidedByClient),
new KeyValuePair <string, List <RemoteHost> >("serversResponsibleForCachingThisLoginAttempt",
serversResponsibleForCachingThisLoginAttempt)
},
localTimeout,
cancellationToken),
cancellationToken));
}
public Response <RegistrationResponse> RegisterNewLogin([FromBody] LoginAttempt login)
{
var token = HttpContext.Request.Cookies[Constants.SessionTokenName];
var service = new Tete.Api.Services.Authentication.LoginService(this.context);
return(new Response <RegistrationResponse>(service.RegisterNewLogin(token, login)));
}
public User Login(string username, string password)
{
User user = _context.Users.Where(x => x.UserName.ToLower().Equals(username.ToLower())).FirstOrDefault();
if (user != null)
{
bool correctPassword = user.PasswordHash.Equals(password);
LoginAttempt attempt = new LoginAttempt()
{
AttemptTimeUtc = DateTime.UtcNow,
Successful = correctPassword,
UserId = user.UserId,
};
_context.LoginAttempts.Add(attempt);
_context.SaveChanges();
if (!correctPassword)
{
user = null;
}
}
return(user);
}
public Response <RegistrationResponse> Login([FromBody] LoginAttempt login)
{
var service = new Tete.Api.Services.Authentication.LoginService(this.context);
var token = HttpContext.Request.Cookies[Constants.SessionTokenName];
var user = service.GetUserVMFromToken(token);
var response = new RegistrationResponse();
if (user == null || (user != null && user.Roles.Contains("Guest")))
{
var session = service.Login(login);
if (session != null)
{
if (user != null)
{
service.DeleteAccount(user.UserId, user);
}
SetTokenCookie(session.Token);
response.Successful = true;
}
else
{
response.Messages.Add("Invalid Login");
response.Successful = false;
}
}
else
{
response.Messages.Add("You're already logged in!");
response.Successful = false;
}
return(new Response <RegistrationResponse>(response));
}
public RegistrationResponse RegisterNewLogin(string token, LoginAttempt login)
{
var rtnResponse = ValidatePassword(login.Password);
rtnResponse.Combine(ValidateUserName(login.UserName));
if (rtnResponse.Successful)
{
var user = GetUserFromToken(token);
if (user != null)
{
var dbUser = this.mainContext.Users.Where(u => u.Id == user.Id).FirstOrDefault();
if (dbUser != null)
{
UpdatePassword(user.Id, login.Password, user.Salt);
dbUser.UserName = login.UserName;
this.mainContext.Users.Update(dbUser);
this.mainContext.SaveChanges();
new UserService(this.mainContext, new UserVM(user)).RemoveGuestRole(user.Id);
}
}
}
return(rtnResponse);
}
public async Task <LoginAttempt> AuthenticateAsync(TestConfiguration configuration, string username, string password,
IPAddress clientAddress = null,
IPAddress serverAddress = null,
string api = "web",
string cookieProvidedByBrowser = null,
DateTime?eventTimeUtc = null,
CancellationToken cancellationToken = default(CancellationToken)
)
{
clientAddress = clientAddress ?? new IPAddress(new byte[] { 42, 42, 42, 42 });
serverAddress = serverAddress ?? new IPAddress(new byte[] { 127, 1, 1, 1 });
LoginAttempt attempt = new LoginAttempt
{
UsernameOrAccountId = username,
AddressOfClientInitiatingRequest = clientAddress,
AddressOfServerThatInitiallyReceivedLoginAttempt = serverAddress,
TimeOfAttemptUtc = eventTimeUtc ?? DateTime.UtcNow,
Api = api,
CookieProvidedByClient = cookieProvidedByBrowser
};
return(await configuration.MyLoginAttemptClient.PutAsync(attempt, password,
cancellationToken : cancellationToken));
}
private void LoginBt_Click(object sender, EventArgs e)
{
string login = authorizationWindow.LoginTB.Text.ToLower().Trim();
string password = authorizationWindow.PasswordTB.Password.Trim();
LoginAttempt.Invoke(this, new LoginEventArgs(new Credentials(login, password)));
}
public ActionResult DeleteConfirmed(int id)
{
LoginAttempt loginAttempt = db.LoginAttempts.Find(id);
db.LoginAttempts.Remove(loginAttempt);
db.SaveChanges();
return(RedirectToAction("Index"));
}
public void ItExists()
{
var repository = new FakeRepository <UserLogonDto>();
var service = new LogonService(repository);
var attempt = new LoginAttempt();
service.IsLogonValid(attempt);
}
public void ItAcceptsRepository()
{
var repository = new FakeRepository <UserLogonDto>();
var service = new LogonService(repository);
var attempt = new LoginAttempt();
service.IsLoginSuccessful(attempt);
}
public bool IsLoginSuccessful(LoginAttempt loginAttempt)
{
if (loginAttempt?.Username == "*****@*****.**" && loginAttempt.Password == "ValidPassword")
{
return(true);
}
return(false);
}
