public IActionResult User_AddAccount(int id, [FromBody] NewAccount accToAdd) { // verify that the user is either admin or is requesting their own data if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id, _keyAndIV)) { ErrorMessage error = new ErrorMessage("Invalid User", "Caller can only access their information."); return(new UnauthorizedObjectResult(error)); } // account limit is 50 for now if (_context.Users.Single(a => a.ID == id).Accounts.Count >= 50) { ErrorMessage error = new ErrorMessage("Failed to create new account", "User cannot have more than 50 passwords saved at once."); return(new BadRequestObjectResult(error)); } // if this user does not own the folder we are adding to, then error if (accToAdd.FolderID != null && !_context.Users.Single(a => a.ID == id).Folders.Exists(b => b.ID == accToAdd.FolderID)) { ErrorMessage error = new ErrorMessage("Failed to create new account", "User does not have a folder matching that ID."); return(new BadRequestObjectResult(error)); } // create new account and save it Account new_account = new Account(accToAdd, id); new_account.LastModified = HelperMethods.EncryptStringToBytes_Aes(DateTime.Now.ToString(), HelperMethods.GetUserKeyAndIV(id)); _context.Accounts.Add(new_account); _context.SaveChanges(); // return the new object to easily update on frontend without making another api call return(new OkObjectResult(new ReturnableAccount(new_account))); }
public IActionResult User_EditAccountDesc(int id, int account_id, [FromBody] string description) { // attempt to edit the description // verify that the user is either admin or is requesting their own data if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id, _keyAndIV)) { ErrorMessage error = new ErrorMessage("Invalid User", "Caller can only access their information."); return(new UnauthorizedObjectResult(error)); } // validate ownership of said account if (!_context.Users.Single(a => a.ID == id).Accounts.Exists(b => b.ID == account_id)) { ErrorMessage error = new ErrorMessage("Invalid account", "User does not have an account matching that ID."); return(new BadRequestObjectResult(error)); } // get account and modify Account accToEdit = _context.Users.Single(a => a.ID == id).Accounts.Single(b => b.ID == account_id); accToEdit.Description = HelperMethods.EncryptStringToBytes_Aes(description, HelperMethods.GetUserKeyAndIV(id));; accToEdit.LastModified = HelperMethods.EncryptStringToBytes_Aes(DateTime.Now.ToString(), HelperMethods.GetUserKeyAndIV(id)); _context.SaveChanges(); return(Ok()); }
public IActionResult User_EditAccount(int id, int acc_id, [FromBody] NewAccount acc) { // verify that the user is either admin or is requesting their own data if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id, _keyAndIV)) { ErrorMessage error = new ErrorMessage("Invalid User", "Caller can only access their information."); return(new UnauthorizedObjectResult(error)); } // validate ownership of said account if (!_context.Users.Single(a => a.ID == id).Accounts.Exists(b => b.ID == acc_id)) { ErrorMessage error = new ErrorMessage("Failed to delete account", "User does not have an account matching that ID."); return(new BadRequestObjectResult(error)); } // get account and modify Account accToEdit = _context.Users.Single(a => a.ID == id).Accounts.Single(b => b.ID == acc_id); accToEdit.Title = HelperMethods.EncryptStringToBytes_Aes(acc.Title, HelperMethods.GetUserKeyAndIV(id)); accToEdit.Login = HelperMethods.EncryptStringToBytes_Aes(acc.Login, HelperMethods.GetUserKeyAndIV(id)); accToEdit.Password = HelperMethods.EncryptStringToBytes_Aes(acc.Password, HelperMethods.GetUserKeyAndIV(id)); accToEdit.Url = HelperMethods.EncryptStringToBytes_Aes(acc.Url, HelperMethods.GetUserKeyAndIV(id)); accToEdit.Description = HelperMethods.EncryptStringToBytes_Aes(acc.Description, HelperMethods.GetUserKeyAndIV(id)); accToEdit.LastModified = HelperMethods.EncryptStringToBytes_Aes(DateTime.Now.ToString(), HelperMethods.GetUserKeyAndIV(id)); _context.SaveChanges(); // return the new object to easily update on frontend without making another api call return(new OkObjectResult(new ReturnableAccount(accToEdit))); }
public ActionResult User_Login([FromBody] Login login) { // get users saved password hash and salt User user = _context.Users.Single(a => a.Email.SequenceEqual(HelperMethods.EncryptStringToBytes_Aes(login.Email, _keyAndIV))); // check if the user has a verified email or not if (!user.EmailVerified) { ErrorMessage error = new ErrorMessage("Email unconfirmed.", "Please confirm email first."); return(new UnauthorizedObjectResult(error)); } // successful login.. compare user hash to the hash generated from the inputted password and salt if (ValidatePassword(login.Password, user.Password)) { string tokenString = HelperMethods.GenerateJWTAccessToken(user.ID, _configuration.GetValue <string>("UserJwtTokenKey")); RefreshToken refToken = HelperMethods.GenerateRefreshToken(user, _context); LoginResponse rtrn = new LoginResponse { ID = user.ID, AccessToken = tokenString, RefreshToken = new ReturnableRefreshToken(refToken) }; _context.SaveChanges(); // always last on db to make sure nothing breaks and db has new info // append cookies to response after login HelperMethods.SetCookies(Response, tokenString, refToken); return(new OkObjectResult(rtrn)); } else { ErrorMessage error = new ErrorMessage("Invalid Credentials.", "Email or Password does not match."); return(new UnauthorizedObjectResult(error)); } }
public ActionResult User_ConfirmEmail(string token, string email) { byte[] encryptedEmail = HelperMethods.EncryptStringToBytes_Aes(email, _keyAndIV); User userToConfirm = _context.Users.Single(a => a.Email.SequenceEqual(encryptedEmail)); // check if email is already verified if (userToConfirm.EmailVerified) { ErrorMessage error = new ErrorMessage("Failed to confirm email", "Email address is already confirmed."); return(new BadRequestObjectResult(error)); } // verify that the email provided matches the email in the token. if (!encryptedEmail.SequenceEqual(HelperMethods.GetUserFromAccessToken(token, _context, _configuration.GetValue <string>("EmailConfirmationTokenKey")).Email)) { ErrorMessage error = new ErrorMessage("Failed to confirm email", "Token is invalid."); return(new BadRequestObjectResult(error)); } // ok now we save the users email as verified userToConfirm.EmailVerified = true; _context.Users.Update(userToConfirm); _context.SaveChanges(); return(Ok()); }
public IActionResult User_AddUser([FromBody] NewUser newUser) { newUser.Email = newUser.Email.ToLower(); // make all emails lowercase // attempt to create new user and add to the database. // if there is a user with this email already then we throw bad request error if (_context.Users.SingleOrDefault(a => a.Email.SequenceEqual(HelperMethods.EncryptStringToBytes_Aes(newUser.Email, _keyAndIV))) != null) { ErrorMessage error = new ErrorMessage("Failed to create new user", "Email already in use."); return(new BadRequestObjectResult(error)); } User userToRegister = new User(newUser, _keyAndIV); // new user with no accounts and registered as user _context.Users.Add(userToRegister); _context.SaveChanges(); try { // send the confirmation email SendConfirmationEmail(userToRegister); } catch (Exception ex) { // remove the user if we failed to send a confirmation email // this way they can retry signing up with the same email _context.Users.Remove(_context.Users.Single(a => a.ID == userToRegister.ID)); _context.SaveChanges(); throw; } return(Ok()); }
public IActionResult User_EditLastName(int id, [FromBody] string lastname) { // verify that the user is either admin or is requesting their own data if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id, _keyAndIV)) { ErrorMessage error = new ErrorMessage("Invalid User", "Caller can only access their information."); return(new UnauthorizedObjectResult(error)); } _context.Users.Where(a => a.ID == id).Single().Last_Name = HelperMethods.EncryptStringToBytes_Aes(lastname, _keyAndIV);; _context.SaveChanges(); return(Ok()); }
[HttpPost("{id:int}/accounts")] // working public string User_AddAccount(int id, [FromBody] string accJson) { // verify that the user is either admin or is requesting their own data if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id)) { Response.StatusCode = 401; return(JObject.FromObject(new ErrorMessage("Invalid User", "id accessed: " + id.ToString(), "Caller can only access their information.")).ToString()); } JObject json = null; // might want Json verification as own function since all will do it.. we will see try { json = JObject.Parse(accJson); } catch (Exception ex) { Response.StatusCode = 400; ErrorMessage error = new ErrorMessage("Invalid Json", accJson, ex.Message); return(JObject.FromObject(error).ToString()); } try { // if folder id is present, then use it, if not we use standard null for top parent int?folder_id; if (json["folder_id"] == null) { folder_id = null; } else { folder_id = _context.Users.Single(a => a.ID == id).Folders.Single(b => b.ID == int.Parse(json["folder_id"].ToString())).ID; // makes sure folder exists and is owned by user } // use token in header to to Account new_account = new Account { UserID = id, FolderID = folder_id, Title = json["account_title"]?.ToString(), Login = json["account_login"]?.ToString(), Password = json["account_password"] != null?HelperMethods.EncryptStringToBytes_Aes(json["account_password"].ToString(), HelperMethods.GetUserKeyAndIV(id)) : null, Description = json["account_description"]?.ToString() }; _context.Accounts.Add(new_account); _context.SaveChanges(); } catch (Exception ex) { Response.StatusCode = 500; return(JObject.FromObject(new ErrorMessage("Error creating new account.", accJson, ex.Message)).ToString()); } return(SuccessMessage._result); }
public IActionResult User_AddUser([FromBody] NewUser newUser) { // attempt to create new user and add to the database. // if there is a user with this email already then we throw bad request error if (_context.Users.SingleOrDefault(a => a.Email.SequenceEqual(HelperMethods.EncryptStringToBytes_Aes(newUser.Email, _keyAndIV))) != null) { ErrorMessage error = new ErrorMessage("Failed to create new user", "Email already in use."); return(new BadRequestObjectResult(error)); } User userToRegister = new User(newUser, _keyAndIV); // new user with no accounts and registered as user _context.Users.Add(userToRegister); _context.SaveChanges(); // after we save changes, we need to create unique key and iv, then send the confirmation email HelperMethods.CreateUserKeyandIV(userToRegister.ID); SendConfirmationEmail(userToRegister); return(Ok()); }
[HttpPut("{id:int}/accounts/{account_id:int}/password")] // in progress public string User_EditAccountPassword(int id, int account_id, [FromBody] string password) { // verify that the user is either admin or is requesting their own data if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id)) { Response.StatusCode = 401; return(JObject.FromObject(new ErrorMessage("Invalid User", "id accessed: " + id.ToString(), "Caller can only access their information.")).ToString()); } try { Account acc = _context.Users.Single(a => a.ID == id).Accounts.Single(b => b.ID == account_id); acc.Password = HelperMethods.EncryptStringToBytes_Aes(password, HelperMethods.GetUserKeyAndIV(id)); // this logic will need to be changed to use a unique key _context.Accounts.Update(acc); _context.SaveChanges(); } catch (Exception ex) { Response.StatusCode = 500; return(JObject.FromObject(new ErrorMessage("Error editing password", "n/a", ex.Message)).ToString()); } return(SuccessMessage._result); }
public IActionResult User_EditFolderName(int id, int folder_id, [FromBody] string name) { // attempt to edit the title // verify that the user is either admin or is requesting their own data if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id, _keyAndIV)) { ErrorMessage error = new ErrorMessage("Invalid User", "Caller can only access their information."); return(new UnauthorizedObjectResult(error)); } // validate ownership of said folder if (!_context.Users.Single(a => a.ID == id).Folders.Exists(b => b.ID == folder_id)) { ErrorMessage error = new ErrorMessage("Invalid Folder", "User does not have a folder matching that ID."); return(new BadRequestObjectResult(error)); } // modify _context.Users.Single(a => a.ID == id).Folders.Single(b => b.ID == folder_id).FolderName = HelperMethods.EncryptStringToBytes_Aes(name, HelperMethods.GetUserKeyAndIV(id)); _context.SaveChanges(); return(Ok()); }
[HttpPut("{id:int}/accounts/{account_id:int}/password")] // in progress public IActionResult User_EditAccountPassword(int id, int account_id, [FromBody] string password) { try { // verify that the user is either admin or is requesting their own data if (!HelperMethods.ValidateIsUserOrAdmin(_httpContextAccessor, _context, id)) { ErrorMessage error = new ErrorMessage("Invalid User", "Caller can only access their information."); return(new UnauthorizedObjectResult(error)); } // validate ownership of said account if (!_context.Users.Single(a => a.ID == id).Accounts.Exists(b => b.ID == account_id)) { ErrorMessage error = new ErrorMessage("Invalid account", "User does not have an account matching that ID."); return(new BadRequestObjectResult(error)); } _context.Users.Single(a => a.ID == id).Accounts.Single(b => b.ID == account_id).Password = HelperMethods.EncryptStringToBytes_Aes(password, HelperMethods.GetUserKeyAndIV(id)); _context.SaveChanges(); return(Ok()); } catch (Exception ex) { ErrorMessage error = new ErrorMessage("Error editing password", ex.Message); return(new InternalServerErrorResult(error)); } }