        /// <summary>
        /// Encrypts <paramref name="textToEncrypt"/> through a <c>SessionCrypter</c> built on the
        /// key set loaded from <see cref="PathProvider.GetPublicPath"/>.
        /// </summary>
        /// <param name="textToEncrypt">Plaintext to protect.</param>
        /// <param name="p">Resolves the location of the public key material.</param>
        /// <returns>
        /// A two-element array: index 0 is the session material, index 1 the ciphertext, both as
        /// the string form of <c>WebBase64</c>. <see cref="Decrypt"/> expects them in this order.
        /// </returns>
        public static string[] Encrypter(string textToEncrypt, PathProvider p)
        {
            string publicKeyPath = p.GetPublicPath();

            // Both crypters are disposed once the material/ciphertext pair has been captured.
            using (var keyEncrypter = new Encrypter(publicKeyPath))
            using (var session = new SessionCrypter(keyEncrypter))
            {
                WebBase64 material = session.SessionMaterial;
                WebBase64 encrypted = session.Encrypt(textToEncrypt);
                return new[] { material.ToString(), encrypted.ToString() };
            }
        }
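        /// <summary>
        /// Decrypts a <c>{ sessionMaterial, cipherText }</c> pair produced by <see cref="Encrypter"/>
        /// using the key set loaded from <see cref="PathProvider.GetPrivatePath"/>.
        /// </summary>
        /// <param name="data">Index 0 is the session material, index 1 the ciphertext (both <c>WebBase64</c> strings).</param>
        /// <param name="p">Resolves the location of the private key material.</param>
        /// <returns>The recovered plaintext.</returns>
        /// <exception cref="ArgumentException"><paramref name="data"/> is null or has fewer than two elements.</exception>
        /// <exception cref="ArgumentNullException"><paramref name="p"/> is null.</exception>
        public static string Decrypt(string[] data, PathProvider p)
        {
            // A short or null array previously surfaced as an index/null exception from inside
            // the crypter setup; reject it up front with a message that names the expected layout.
            if (data == null || data.Length < 2)
            {
                throw new ArgumentException("Expected { sessionMaterial, cipherText }.", "data");
            }
            if (p == null)
            {
                throw new ArgumentNullException("p");
            }

            WebBase64 sessionMaterial = (WebBase64)data[0];
            WebBase64 cipherText = (WebBase64)data[1];
            string privateKeyPath = p.GetPrivatePath();

            using (var crypter = new Crypter(privateKeyPath))
            using (var sessionCrypter = new SessionCrypter(crypter, sessionMaterial))
            {
                return sessionCrypter.Decrypt(cipherText);
            }
        }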
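        /// <summary>
        /// Exchanges an encrypted session request for a <see cref="User"/> carrying a freshly issued session token.
        /// </summary>
        /// <param name="sessionRequest">Ciphertext (WebBase64 string) whose plaintext is <c>oauthId#emailAddress</c>.</param>
        /// <param name="sessionMaterial">Session material (WebBase64 string) that accompanies <paramref name="sessionRequest"/>.</param>
        /// <returns>The mapped user with <c>sessionToken</c> populated.</returns>
        /// <exception cref="HttpResponseException">
        /// 400 when the decrypted request does not contain both parts; 404 when no user matches.
        /// </exception>
        public virtual User Get(string sessionRequest, string sessionMaterial)
        {
            PathProvider p = new PathProvider();
            string request = Crypto.Decrypt(new string[] { sessionMaterial, sessionRequest }, p);
            string[] parts = request.Split('#');

            // Expected layout: oauthId#emailAddress. A malformed request used to surface as an
            // IndexOutOfRangeException (500); report it as a client error instead.
            if (parts.Length < 2)
            {
                throw new HttpResponseException(HttpStatusCode.BadRequest);
            }

            // NOTE(review): Decrypt only shows the request was encrypted to this service's public key;
            // the (oauthId, emailAddress) lookup is what identifies the caller. Confirm the OAuth
            // identity is verified upstream before this endpoint is reached.
            UserData checkUser = _repository.Get(parts[0], parts[1]);
            if (checkUser == null)
            {
                throw new HttpResponseException(HttpStatusCode.NotFound);
            }

            DateTime now = DateTime.UtcNow;
            int hoursToExpire = int.Parse(System.Configuration.ConfigurationManager.AppSettings["SessionExpireHours"]);
            DateTime expiration = now.AddHours(hoursToExpire);

            // Token plaintext: oauthId#emailAddress#id#lastLogin. The timestamp deliberately uses
            // DateTime.ToString() (current culture, second precision) because IsUserValidToUpdateUser
            // compares it against lastLogin.ToString() formatted the same way.
            string toEncrypt = checkUser.oauthId + "#" + checkUser.emailAddress + "#" + checkUser.id + "#" + now.ToString();
            string[] output = Crypto.Encrypter(toEncrypt, p);

            // Persist the material/token pair together with the login time the token embeds.
            checkUser.lastLogin = now;
            checkUser.sessionMaterial = output[0];
            checkUser.sessionToken = output[1];
            checkUser.expires = expiration;
            checkUser = _repository.Update(checkUser);

            User retx = AutoMapper.Mapper.Map<UserData, User>(checkUser);
            retx.sessionToken = output[1];
            return retx;
        }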
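        /// <summary>
        /// Checks that the caller's <c>Session</c> header identifies the same user as <paramref name="userObj"/>
        /// and that the embedded session token is unexpired and consistent with the stored login record.
        /// </summary>
        /// <param name="userObj">The user the caller wants to update.</param>
        /// <returns>
        /// <c>true</c> only when every check passes. A missing or malformed header, token or timestamp
        /// yields <c>false</c> instead of an exception (GetValues/Guid.Parse/DateTime.Parse used to throw).
        /// </returns>
        private bool IsUserValidToUpdateUser(User userObj)
        {
            if (userObj == null)
            {
                return false;
            }

            // Header layout: "<userId guid>:<sessionToken>". TryGetValues avoids the exception
            // GetValues raises when the header is absent.
            System.Collections.Generic.IEnumerable<string> headerValues;
            if (!Request.Headers.TryGetValues("Session", out headerValues))
            {
                return false;
            }
            string sessionHeader = null;
            foreach (string value in headerValues)
            {
                sessionHeader = value;
                break;
            }
            if (string.IsNullOrEmpty(sessionHeader))
            {
                return false;
            }

            string[] total = sessionHeader.Split(':');
            Guid userId;
            if (total.Length < 2 || !Guid.TryParse(total[0], out userId))
            {
                return false;
            }
            string sessionToken = total[1];

            UserData testUser = _repository.GetByUserId(userId);
            if (testUser == null)
            {
                return false;
            }

            // Token plaintext layout: oauthId#emailAddress#uid#timestamp (written by Get / PostUser).
            PathProvider p = new PathProvider();
            string decrypted = Crypto.Decrypt(new string[] { testUser.sessionMaterial, sessionToken }, p);
            string[] parts = decrypted.Split('#');
            if (parts.Length < 4)
            {
                return false;
            }

            // The timestamp was written with DateTime.ToString() (current culture), so it is parsed
            // the same way; the ToString comparison below mirrors that second-precision format.
            DateTime checkDate;
            if (!DateTime.TryParse(parts[3], out checkDate))
            {
                return false;
            }
            if (!checkDate.ToString().Equals(testUser.lastLogin.ToString()))
            {
                return false; // login timestamp in the token does not match the stored one
            }

            int hoursToExpire = int.Parse(System.Configuration.ConfigurationManager.AppSettings["SessionExpireHours"]);
            if (checkDate.AddHours(hoursToExpire) <= DateTime.UtcNow)
            {
                return false; // session has expired
            }

            Guid tokenUserId;
            if (!Guid.TryParse(parts[2], out tokenUserId))
            {
                return false;
            }

            // Every identity field in the token must agree with the stored record and the target user.
            return userObj.id.Equals(testUser.id)
                && parts[0].Equals(testUser.oauthId)
                && parts[1].Equals(testUser.emailAddress)
                && tokenUserId.Equals(testUser.id);
        }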
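        /// <summary>
        /// Creates a user and issues its first session token.
        /// </summary>
        /// <param name="user">
        /// Client-supplied user; its <c>oauthId</c>, <c>emailAddress</c> and <c>id</c> are embedded in the session token.
        /// </param>
        /// <returns>201 Created with the stored user (session token populated) and a Location header.</returns>
        /// <exception cref="HttpResponseException">405 when the body is missing or the e-mail address is already registered.</exception>
        public HttpResponseMessage PostUser(User user)
        {
            // 405 is what the existing API returns for both cases; 400/409 would be conventional,
            // but changing them is a client-visible contract change, so they are kept.
            if (user == null)
            {
                throw new HttpResponseException(HttpStatusCode.MethodNotAllowed);
            }
            if (_repository.Get(user.emailAddress) != null)
            {
                throw new HttpResponseException(HttpStatusCode.MethodNotAllowed);
            }

            // NOTE(review): nothing in this method verifies that the caller owns user.oauthId or
            // user.emailAddress; confirm the OAuth identity is validated before this endpoint.
            DateTime now = DateTime.UtcNow;
            int hoursToExpire = int.Parse(System.Configuration.ConfigurationManager.AppSettings["SessionExpireHours"]);

            // Token plaintext: oauthId#emailAddress#id#lastLogin; the timestamp uses ToString() because
            // IsUserValidToUpdateUser compares it with lastLogin.ToString().
            // NOTE(review): the token embeds user.id before _repository.Add runs; if the repository
            // assigns ids, the uid check in IsUserValidToUpdateUser will reject this first token — confirm.
            string toEncrypt = user.oauthId + "#" + user.emailAddress + "#" + user.id + "#" + now.ToString();
            PathProvider p = new PathProvider();
            string[] output = Crypto.Encrypter(toEncrypt, p);

            user.lastLogin = now;
            user.sessionToken = output[1]; // assumes the User->UserData map carries sessionToken across — confirm
            UserData ret = AutoMapper.Mapper.Map<User, UserData>(user);
            ret.expires = now.AddHours(hoursToExpire);
            ret.sessionMaterial = output[0];
            ret = _repository.Add(ret);

            User retx = AutoMapper.Mapper.Map<UserData, User>(ret);
            var response = Request.CreateResponse<User>(HttpStatusCode.Created, retx);

            // Build Location from the persisted record: identical to user.id unless the repository assigns ids.
            string uri = Url.Link("DefaultApi", new { id = retx.id });
            response.Headers.Location = new Uri(uri);
            return response;
        }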