示例#1
        /// <summary>
        /// Registers a new user.  On input the PasswordHash property must hold the raw password;
        /// it is replaced with the salted hash before the user is saved.
        /// </summary>
        /// <param name="user">A user with a raw password which is turned into a password hash as part of registration.</param>
        /// <param name="duration">The amount of time that the initial session will be valid.</param>
        /// <param name="ipAddress">The internet address where the user is connecting from.</param>
        /// <param name="result">An ExecutionResults instance to add applicable
        /// warning and error messages to.</param>
        /// <returns>The identity produced by authenticating the newly registered user, or a
        /// default-constructed UserIdentity when validation fails or the name cannot be used.</returns>
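        public override UserIdentity RegisterUser(User user, UserSessionDurationType duration, String ipAddress, ExecutionResults result)
        {
            // The caller passes the raw password in PasswordHash; keep a copy because the
            // property is overwritten with the real hash further down.
            // NOTE(review): on the early-return paths below the property still holds the raw
            // password, so callers should not log or persist the User object after a failure.
            string password = user.PasswordHash;

            if (!ValidateName(user.Name, result) || !ValidatePassword(password, result))
            {
                return(new cs.UserIdentity());
            }

            var existing = GetUserByName(user.Name);

            if (existing != null)
            {   //seed user table with deleted users with names you don't want users to have
                result.AppendError("The name you specified cannot be used.");
                return(new cs.UserIdentity());
            }
            // NOTE(review): the name lookup above and the insert below are separate steps; two
            // concurrent registrations of the same name can both pass the check unless the
            // user store enforces uniqueness itself - confirm a unique constraint exists.
            if (user.UserID.Equals(Guid.Empty))
            {
                user.UserID = Guid.NewGuid();
            }

            HashProvider hasher = HashManager.SelectProvider();

            // Pick the per-user iteration offset from the OS random source.  The previous
            // new Random(DateTime.Now.Second) could only ever produce 60 distinct sequences,
            // so the "random" offset was effectively chosen by the wall clock.
            int hashGroup     = HashGroupMinimum;
            int hashGroupSpan = HashGroupMaximum - HashGroupMinimum;
            if (hashGroupSpan > 0)
            {
                using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
                {
                    var raw = new byte[4];
                    rng.GetBytes(raw);
                    // Upper bound stays exclusive, matching Random.Next(min, max).
                    hashGroup = HashGroupMinimum + (int)(BitConverter.ToUInt32(raw, 0) % (uint)hashGroupSpan);
                }
            }

            var salt = new UserSalt
            {
                PasswordSalt = hasher.GetSalt(),
                UserID       = user.UserID,
                HashGroup    = hashGroup,
                HashName     = hasher.Name
            };

            user.PasswordHash = hasher.Hash(salt.PasswordSalt, password,
                                            salt.HashGroup + BaseHashIterations);
            using (var scope = new System.Transactions.TransactionScope())
            {
                //starts as a lightweight transaction
                SaveUser(user);
                //enlists in a full distributed transaction if users and salts have different connection strings
                SaveUserSalt(salt);
                // Without Complete() the scope rolls back on dispose, so any save that
                // enlisted in it would be discarded and the login below could not succeed.
                scope.Complete();
            }
            // Sign the new user in straight away; failure history is not consulted and the
            // freshly written hash is not regenerated.
            return(AuthenticateUser(name: user.Name, password: password, duration: duration,
                                    ipAddress: ipAddress, checkHistory: false, allowUpdateHash: false, result: result));
        }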
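        /// <summary>
        /// Replaces the stored salt and password hash of the user whose e-mail is selected in
        /// the view model, then redisplays the "RestorePassword" view.
        /// </summary>
        /// <param name="evm">View model carrying the selected e-mail and the new raw password.</param>
        /// <returns>The "RestorePassword" view with a status message and the refreshed e-mail list.</returns>
        public ActionResult SubmitCngPass(EmailsVM evm)
        {
            // NOTE(review): no authorization or anti-forgery attribute is visible on this action
            // in this excerpt, and no password-policy check is applied to evm.password here.
            // Confirm both are enforced elsewhere, since this sets any account's password.
            DataLayer dl      = new DataLayer();
            User      oldUser = null;

            if (evm.selectedEmail != null)
            {
                string selectedUpper = evm.selectedEmail.ToUpper();
                oldUser = (from x in dl.users
                           where x.Email.ToUpper() == selectedUpper
                           select x).ToList <User>().FirstOrDefault();
            }

            if (oldUser == null)
            {
                // Previously an unknown or missing e-mail ended in a null dereference.
                ViewData["msg"] = "User does not exist!";
                evm.emails      = (from u in dl.users
                                   select u.Email).ToList <string>();
                return(View("RestorePassword", evm));
            }

            // CreateHash returns "salt:hash"; the two halves are stored in separate tables.
            Encryption encryption  = new Encryption();
            string     hashAndSalt = encryption.CreateHash(evm.password);

            string[] split = hashAndSalt.Split(':');

            // Compare upper-case to upper-case.  The original compared the upper-cased column
            // to the e-mail as stored, which only matched when the stored value was already
            // all upper-case, leaving the old salt/hash rows in place (or failing on Remove).
            string ownerUpper = oldUser.Email.ToUpper();

            UserSalt us = (from u in dl.userSalt
                           where u.Email.ToUpper() == ownerUpper
                           select u).ToList <UserSalt>().FirstOrDefault();

            UserPass up = (from u in dl.userPass
                           where u.Email.ToUpper() == ownerUpper
                           select u).ToList <UserPass>().FirstOrDefault();

            // A user may have no salt/hash row yet; only remove what was actually found.
            if (us != null)
            {
                dl.userSalt.Remove(us);
            }
            if (up != null)
            {
                dl.userPass.Remove(up);
            }

            us = new UserSalt()
            {
                Email = oldUser.Email, Salt = split[0]
            };
            up = new UserPass()
            {
                Email = oldUser.Email, Password = split[1]
            };

            dl.userSalt.Add(us);
            dl.userPass.Add(up);

            dl.SaveChanges();
            ViewData["msg"] = "User's password changed!";
            evm.emails      = (from u in dl.users
                               select u.Email).ToList <string>();
            return(View("RestorePassword", evm));
        }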
示例#3
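        /// <summary>
        /// Writes a salt record to Security.UserSalt: an insert when RecordID is 0,
        /// otherwise an update of the row with the same UserID.
        /// </summary>
        /// <param name="salt">The salt record to persist.</param>
        private void SaveUserSalt(UserSalt salt)
        {
            using (var cn = new SqlConnection(ConnectionStringUserSalt))
            {
                cn.Open();
                using (var cmd = new SqlCommand())
                {
                    cmd.Connection  = cn;
                    cmd.CommandType = System.Data.CommandType.Text;
                    // All values travel as parameters, never as SQL text.  Optional values are
                    // mapped to DBNull because a parameter whose value is a CLR null is not
                    // sent at all, which makes the command fail with "parameter not supplied".
                    // PasswordSalt is deliberately left unmapped so a missing salt still fails.
                    if (salt.RecordID == 0)
                    {
                        cmd.CommandText = @"insert into Security.UserSalt 
 (UserID, PasswordSalt, HashGroup, HashName)
 Values (@UserID, @PasswordSalt, @HashGroup, @HashName)";
                        cmd.Parameters.AddWithValue("UserID", salt.UserID);
                        cmd.Parameters.AddWithValue("PasswordSalt", salt.PasswordSalt);
                        cmd.Parameters.AddWithValue("HashGroup", salt.HashGroup);
                        cmd.Parameters.AddWithValue("HashName", (object)salt.HashName ?? System.DBNull.Value);
                    }
                    else
                    {
                        cmd.CommandText = @"update Security.UserSalt 
 set PasswordSalt = @PasswordSalt,
 ResetCode = @ResetCode,
 ResetCodeExpiration = @ResetCodeExpiration,
 HashGroup = @HashGroup,
 HashName = @HashName
 where UserID = @UserID";
                        cmd.Parameters.AddWithValue("PasswordSalt", salt.PasswordSalt);
                        cmd.Parameters.AddWithValue("ResetCode", (object)salt.ResetCode ?? System.DBNull.Value);
                        cmd.Parameters.AddWithValue("ResetCodeExpiration", (object)salt.ResetCodeExpiration ?? System.DBNull.Value);
                        cmd.Parameters.AddWithValue("HashGroup", salt.HashGroup);
                        cmd.Parameters.AddWithValue("HashName", (object)salt.HashName ?? System.DBNull.Value);
                        cmd.Parameters.AddWithValue("UserID", salt.UserID);
                    }
                    // NOTE(review): the affected-row count is ignored, so an update that
                    // matches no row passes silently - confirm callers can tolerate that.
                    cmd.ExecuteNonQuery();
                }
            }
        }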
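        /// <summary>
        /// Deletes the user whose e-mail is selected in the view model, together with that
        /// user's salt and password-hash rows, then redisplays the "DeleteUser" view.
        /// </summary>
        /// <param name="evm">View model carrying the selected e-mail; its e-mail list is refreshed here.</param>
        /// <returns>The "DeleteUser" view with a status message.</returns>
        public ActionResult SubmitDeleteUser(EmailsVM evm)
        {
            // NOTE(review): no authorization or anti-forgery attribute is visible on this
            // action in this excerpt; confirm this destructive operation is restricted.
            DataLayer   dl      = new DataLayer();
            List <User> matches = new List <User>();

            if (evm.selectedEmail != null)
            {
                string wanted = evm.selectedEmail.ToUpper();
                matches = (from u in dl.users
                           where u.Email.ToUpper() == wanted
                           select u).ToList <User>();
            }

            // Anything other than exactly one match is reported as "does not exist".
            if (matches.Count != 1)
            {
                evm.emails = (from u in dl.users
                              select u.Email).ToList <string>();
                ViewData["msg"] = "User does not exist!";
                return(View("DeleteUser", evm));
            }

            User   usr = matches[0];
            string eml = usr.Email.ToUpper();

            UserSalt us = (from u in dl.userSalt
                           where u.Email.ToUpper() == eml
                           select u).ToList <UserSalt>().FirstOrDefault();

            UserPass up = (from u in dl.userPass
                           where u.Email.ToUpper() == eml
                           select u).ToList <UserPass>().FirstOrDefault();

            // A user without a salt or hash row must still be deletable, so skip missing rows
            // instead of handing null to Remove.
            if (us != null)
            {
                dl.userSalt.Remove(us);
            }
            if (up != null)
            {
                dl.userPass.Remove(up);
            }
            dl.users.Remove(usr);
            dl.SaveChanges();

            // Load the list after the delete so the removed account is no longer offered.
            evm.emails = (from u in dl.users
                          select u.Email).ToList <string>();
            ViewData["msg"] = "User deleted!";
            return(View("DeleteUser", evm));
        }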
        /// <summary>
        /// Creates a user from the posted form: rejects an e-mail that is already taken,
        /// hashes the password and stores the user, its hash and its salt.
        /// </summary>
        /// <param name="user">The model-bound user; Pass carries the raw password.</param>
        /// <returns>The "AddUser" view: empty after success, otherwise showing the posted data.</returns>
        public ActionResult SubmitUser(User user)
        {
            // Invalid model state: show the form again with what was posted.
            if (!ModelState.IsValid)
            {
                return View("AddUser", user);
            }

            DataLayer store = new DataLayer();

            // Case-insensitive uniqueness check on the e-mail.
            // NOTE(review): the check and the insert are separate steps; confirm the
            // database also enforces uniqueness.
            bool emailTaken = (from u in store.users
                               where u.Email.ToUpper() == user.Email.ToUpper()
                               select u).Any();
            if (emailTaken)
            {
                ViewData["msg"] = "Username already exists!";
                return View("AddUser", user);
            }

            // CreateHash yields "salt:hash"; each half goes to its own table.
            string[] parts = new Encryption().CreateHash(user.Pass).Split(':');

            UserPass hashRow = new UserPass();
            hashRow.Email    = user.Email;
            hashRow.Password = parts[1];

            UserSalt saltRow = new UserSalt();
            saltRow.Email = user.Email;
            saltRow.Salt  = parts[0];

            // NOTE(review): the bound User object is stored as posted, with Pass still holding
            // the raw password.  If Pass is a mapped column the plaintext is persisted next to
            // the hash - verify it is excluded from the mapping.  Binding the entity directly
            // also lets a request set any bindable User property - confirm that is intended.
            store.users.Add(user);
            store.userPass.Add(hashRow);
            store.userSalt.Add(saltRow);
            store.SaveChanges();

            ViewData["msgsc"] = "User added!";
            return View("AddUser", new User());
        }
示例#6
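        /// <summary>
        /// Checks a name and password against the stored salted hash and, on success,
        /// saves a new session and an authentication-history entry.
        /// </summary>
        /// <param name="name">The user name to authenticate.</param>
        /// <param name="password">The raw password supplied by the caller.</param>
        /// <param name="duration">Selects the public-computer or the extended session lifetime.</param>
        /// <param name="ipAddress">Caller address; stored on the history record.</param>
        /// <param name="checkHistory">When true, the attempt is rejected once the recent failure
        /// count for the name exceeds AllowedFailuresPerPeriod.</param>
        /// <param name="allowUpdateHash">When true, a hash from an obsolete provider or older than
        /// one month is regenerated with a fresh salt and the currently selected provider.</param>
        /// <param name="result">Handed to FailAuthenticateUser on every failure path.</param>
        /// <returns>An identity built from the history record on success; otherwise the value
        /// returned by FailAuthenticateUser.</returns>
        private cs.UserIdentity AuthenticateUser(string name, string password,
                                                 UserSessionDurationType duration, string ipAddress, bool checkHistory,
                                                 bool allowUpdateHash, ExecutionResults result)
        {
            if (checkHistory)
            {
                // Throttle by name before touching the user record.
                var recentFailures = GetRecentFailedUserNameAuthenticationCount(name);
                if (recentFailures > AllowedFailuresPerPeriod)
                {
                    return(FailAuthenticateUser(name, ipAddress, result));
                }
            }
            User user = GetUserByName(name);

            // NOTE(review): an unknown name returns here without running the hash, while a
            // wrong password pays the full hashing cost; the difference in response time may
            // reveal which names exist.  Consider hashing against a dummy salt on this path.
            if (user == null)
            {
                return(FailAuthenticateUser(name, ipAddress, result));
            }
            UserSalt salt = GetUserSalt(user.UserID);

            if (salt == null)
            {
                return(FailAuthenticateUser(name, ipAddress, result));
            }

            //this should get a named hashProvider used to originally hash the password...
            //  fallback to 'default' provider in legacy case when we didn't store the name.
            HashProvider hasher       = !string.IsNullOrEmpty(salt.HashName) ? HashManager.Providers[salt.HashName] : HashManager.DefaultProvider;
            var          passwordHash = hasher.Hash(salt.PasswordSalt, password, salt.HashGroup + BaseHashIterations);

            // NOTE(review): string inequality stops at the first differing character; a
            // fixed-time comparison of the two hashes is the safer choice for secrets.
            if (user.PasswordHash != passwordHash)
            {
                return(FailAuthenticateUser(name, ipAddress, result));
            }
            // NOTE(review): the renewal token is a GUID; GUIDs are specified for uniqueness,
            // not unpredictability - confirm that is sufficient for how the token is used.
            var session = new UserSession
            {
                CreatedDate    = DateTime.UtcNow,
                ExpirationDate = DateTime.UtcNow.AddMinutes(duration == UserSessionDurationType.PublicComputer ? PublicSessionDuration : ExtendedSessionDuration),
                UserID         = user.UserID,
                RenewalToken   = Guid.NewGuid()
            };
            var history = new AuthenticationHistory
            {
                IPAddress       = ipAddress,
                IsAuthenticated = true,
                UserName        = name,
                UserSession     = session
            };

            using (var scope = new System.Transactions.TransactionScope())
            {
                if (allowUpdateHash && (hasher.IsObsolete || user.PasswordHashUpdatedDate < DateTime.UtcNow.AddMonths(-1)))
                {
                    //update hashes on regular basis, keeps the iterations in latest range for current users, and with a 'current' hash provider.
                    hasher            = HashManager.SelectProvider();
                    salt.PasswordSalt = hasher.GetSalt();

                    // Iteration offset from the OS random source; new Random(DateTime.Now.Second)
                    // could only ever produce 60 distinct sequences.
                    int hashGroup     = HashGroupMinimum;
                    int hashGroupSpan = HashGroupMaximum - HashGroupMinimum;
                    if (hashGroupSpan > 0)
                    {
                        using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
                        {
                            var raw = new byte[4];
                            rng.GetBytes(raw);
                            // Upper bound stays exclusive, matching Random.Next(min, max).
                            hashGroup = HashGroupMinimum + (int)(BitConverter.ToUInt32(raw, 0) % (uint)hashGroupSpan);
                        }
                    }

                    salt.HashGroup               = hashGroup;
                    salt.HashName                = hasher.Name;
                    user.PasswordHash            = hasher.Hash(salt.PasswordSalt, password, salt.HashGroup + BaseHashIterations);
                    user.PasswordHashUpdatedDate = DateTime.UtcNow;
                    //starts as a lightweight transaction
                    SaveUser(user);
                    //enlists in a full distributed transaction if users and salts have different connection strings
                    SaveUserSalt(salt);
                }
                //either continues distributed transaction if applicable,
                //  or creates a new lightweight transaction for these two commands
                SaveUserSession(session);
                InsertUserHistory(history);
                // Without Complete() the scope rolls back on dispose, so the session, the
                // history row and any refreshed hash that enlisted in it would be discarded
                // while the caller still receives a successful identity.
                scope.Complete();
            }
            return(new cs.UserIdentity(history, this.Name));
        }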
示例#7
 /// <summary>
 /// Saves a user salt, insert or update.
 /// </summary>
 /// <param name="salt">The salt record to insert or update.</param>
 protected override void SaveUserSalt(UserSalt salt)
 {
     // Hands the record straight to the table proxy; nothing is validated at this level.
     TableProxyUserSalt.InsertOrUpdate(salt);
 }
 /// <summary>
 /// Saves a user salt, insert or update.
 /// </summary>
 /// <param name="salt">The salt record to insert or update.</param>
 protected override void SaveUserSalt(UserSalt salt)
 {
     // Hands the record straight to the table proxy; nothing is validated at this level.
     TableProxyUserSalt.InsertOrUpdate(salt);
 }
 /// <summary>
 /// Salt persistence is not implemented in this provider; every call throws.
 /// </summary>
 /// <param name="salt">Unused; the method throws before reading it.</param>
 /// <exception cref="NotImplementedException">Always thrown.</exception>
 protected override void SaveUserSalt(UserSalt salt)
 {
     // NOTE(review): any base-class flow that saves a salt (presumably registration and
     // password changes) would fail here at runtime - confirm this provider is not used for them.
     throw new NotImplementedException();
 }