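        /// <summary>
        /// Returns the projects owned by the organisation of the user named in <paramref name="projectModel"/>.
        /// </summary>
        /// <param name="projectModel">Request body; only its <c>token</c> and <c>userId</c> members are read here.</param>
        /// <returns>
        /// 200 with the organisation's projects; 400 when no body was posted; 404 when the token does not
        /// validate for that user id or the user has no organisation.
        /// </returns>
        public IHttpActionResult GetProjects(ProjectModel projectModel)
        {
            // A missing body would otherwise surface as a null dereference (500) on the next line.
            if (projectModel is null)
            {
                return BadRequest();
            }

            // The token is checked against the user id it was issued to, so a token for one user
            // cannot be combined with another user's id to read that organisation's projects.
            if (!LoginUtils.ValidateToken(projectModel.token, projectModel.userId))
            {
                return NotFound(); // token not found!
            }

            int orgId = LoginUtils.GetUserOrganization(projectModel.userId);
            if (orgId == -1)
            {
                return NotFound(); // organisation not found!
            }

            using (WebApplication1Context context = new WebApplication1Context())
            {
                // Materialise inside the using block: handing the IQueryable to Ok() would defer the
                // query until the formatter enumerates it, after the context has been disposed.
                var projects = context.ProjectsModel
                    .Where(a => a.ownerId == orgId)
                    .ToList();

                return Ok(projects); // content-negotiated list of projects
            }
        }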
        /// <summary>
        /// Diagnostic action: decrypts one fixed sample token and returns the decrypted payload.
        /// </summary>
        /// <remarks>
        /// Any caller can read the plaintext of the sample token (and so learn what a token carries);
        /// this belongs in a test project rather than a deployed controller.
        /// </remarks>
        /// <returns>200 with the <c>decryptTokenData</c> obtained from the sample token.</returns>
        public IHttpActionResult Test()
        {
            const string sampleToken =
                "JSB1LHtHICBsA0kwICAgIFggNzofIH4eICAgICBfQh5xJwbjkYsgIAwgICB/IFAg0oHaqyAgRiARCSAgIN2+IEQgIGR1IAMgIAUxXyAgWgIgGNupICAuTm8DayACPyByCSAgXVEgIG8gLh8gKyAgSTY3IAksICDKgiAgXCATWtuJdCB+a0kgIHAgQlIgIEEgIB5hDSB4IEUg2ZMwIGggICA2IHswVHQMMGYsCyA2IEZzIHwgXiBaRSAgIGxKU0BXICBkIGRPByAgIHF2ICAgcCAgICBbICAfIB0gIEwgViDVgSA1K1VOICAgVGfKqXEgY2MgVmMgAyAyNS8wNi8yMDE1IDE1OjIzOjAz";

            decryptTokenData decrypted = LoginUtils.decryptToken(sampleToken);

            return Ok(decrypted);
        }
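        /// <summary>
        /// Authenticates a username/password pair and, on success, issues a fresh session token.
        /// </summary>
        /// <param name="loginModel">Posted credentials; <c>username</c> and <c>password</c> are read.</param>
        /// <returns>
        /// 200 with <c>{ token, userId }</c> on success; 400 with the model state for a malformed request,
        /// or with one generic message for any credential failure.
        /// </returns>
        public IHttpActionResult PostLogin(LoginModel loginModel)
        {
            // A single message for every credential failure, so the response does not reveal
            // whether the username exists.
            const string error = "Invalid Username or Password";

            if (!ModelState.IsValid)
            {
                return BadRequest(ModelState);
            }

            // Model binding can leave loginModel null with a valid ModelState when no body was posted.
            if (loginModel is null)
            {
                return BadRequest(error);
            }

            using (WebApplication1Context context = new WebApplication1Context())
            {
                AccountsModel account = context.AccountsModel
                    .Where(a => a.username == loginModel.username)
                    .FirstOrDefault();

                // FirstOrDefault yields null for an unknown username (the original dereferenced it).
                // The ordinal re-check preserves the exact-case match the original enforced in memory,
                // independent of how the database compared the username.
                if (account is null || !string.Equals(account.username, loginModel.username, StringComparison.Ordinal))
                {
                    // Run the hash anyway so an unknown username costs roughly the same time as a wrong password.
                    LoginUtils.hash(loginModel.password, LoginUtils.generateSalt());
                    return BadRequest(error);
                }

                byte[] candidate = LoginUtils.hash(loginModel.password, account.Salt);
                if (!LoginUtils.slowEquals(candidate, account.SaltedAndHashedPassword))
                {
                    return BadRequest(error);
                }

                // Success! The raw token leaves this method only in encrypted form, and only its
                // unsalted hash is stored, so neither the response nor the table holds the raw value.
                string rawToken = LoginUtils.makeSimpleToken();

                // InvariantCulture pins '/' and ':' (both culture-dependent separators) so the stamp
                // does not vary with the worker process's culture.
                string timeStamp = DateTime.UtcNow.ToString("dd/MM/yyyy HH:mm:ss", System.Globalization.CultureInfo.InvariantCulture);
                string obfuscatedToken = LoginUtils.encryptToken(rawToken, timeStamp);

                context.TokensModel.Add(new TokenModel
                {
                    tokenHash = LoginUtils.hashNoSalt(rawToken),
                    tokenDate = timeStamp,
                    userid    = account.primaryKey
                });

                // Synchronous save: the original called SaveChangesAsync without awaiting it, so the
                // token row could be missing (and any save error unobserved) when the client used the token.
                context.SaveChanges();

                return Ok(new
                {
                    token = obfuscatedToken,
                    userId = account.primaryKey,
                });
            }
        }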
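        /// <summary>
        /// Creates a new account from the posted registration form.
        /// </summary>
        /// <param name="loginModel">
        /// Registration form; <c>username</c>, <c>email</c>, <c>organization</c>, <c>password</c> and
        /// <c>password_validator</c> are read.
        /// </param>
        /// <returns>
        /// 200 once the account row is saved; 400 with the model state for a malformed request, or with a
        /// message when the two passwords differ or the username is already in use.
        /// </returns>
        public IHttpActionResult PostRegister(LoginModel loginModel)
        {
            if (!ModelState.IsValid)
            {
                return BadRequest(ModelState);
            }

            // Model binding can leave loginModel null with a valid ModelState when no body was posted.
            if (loginModel is null)
            {
                return BadRequest();
            }

            if (loginModel.password != loginModel.password_validator)
            {
                string error = "Uhhhhh. I can't believe you've done this.";
                return BadRequest(error);
            }

            // TODO: Add validations! (email format, password strength, organisation existence)

            using (WebApplication1Context context = new WebApplication1Context())
            {
                // PostLogin looks the account up by username alone, so a second row with the same
                // username would make that lookup ambiguous; refuse it here instead.
                if (context.AccountsModel.Any(a => a.username == loginModel.username))
                {
                    return BadRequest("Username is already taken.");
                }

                // Per-account random salt; only the salted hash is stored, never the password.
                byte[] salt     = LoginUtils.generateSalt();
                byte[] saltPass = LoginUtils.hash(loginModel.password, salt);

                context.AccountsModel.Add(new AccountsModel
                {
                    username                = loginModel.username,
                    email                   = loginModel.email,
                    organizationId          = loginModel.organization,
                    Salt                    = salt,
                    SaltedAndHashedPassword = saltPass,
                });

                // Synchronous save: the original called SaveChangesAsync without awaiting it, so
                // the 200 could be returned before (or without) the row being written.
                context.SaveChanges();

                return Ok();
            }
        }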
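        /// <summary>
        /// Checks that <paramref name="tokenInput"/> is a token issued to user <paramref name="idInput"/>.
        /// </summary>
        /// <param name="tokenInput">The encrypted token exactly as handed to the client at login.</param>
        /// <param name="idInput">The user id the caller claims the token belongs to.</param>
        /// <returns>
        /// true only when the token is non-empty, the hash of its inner value is stored, the stored row
        /// belongs to <paramref name="idInput"/>, and the time stamp inside the token equals the stored one.
        /// </returns>
        public static bool ValidateToken(string tokenInput, int idInput)
        {
            if (string.IsNullOrEmpty(tokenInput))
            {
                return false;
            }

            // NOTE(review): decryptToken's behaviour on a malformed or tampered token is not visible
            // here; if it throws, the caller sees an exception rather than false — confirm.
            decryptTokenData data = LoginUtils.decryptToken(tokenInput);

            byte[] checkHash = LoginUtils.hashNoSalt(data.token);

            using (WebApplication1Context context = new WebApplication1Context())
            {
                TokenModel token = context.TokensModel
                    .Where(a => a.tokenHash == checkHash)
                    .FirstOrDefault();

                // Unknown token: FirstOrDefault returns null (the original dereferenced it).
                if (token is null)
                {
                    return false;
                }

                // Cheap id comparison first; a token presented with the wrong user id fails
                // before any byte comparison is done.
                if (token.userid != idInput)
                {
                    return false;
                }

                if (!LoginUtils.SafeEquals(token.tokenHash, checkHash))
                {
                    return false;
                }

                // TODO -- Add expiry system! The stamp is only compared for equality, so a token
                // never ages out while its row exists.
                if (!string.Equals(data.utcDateTime, token.tokenDate, StringComparison.Ordinal))
                {
                    // TODO - Log the possibility of tampering with the user tokens: the date stamp inside
                    // the token differs from the one stored when it was issued.
                    return false;
                }

                return true;
            }
        }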