Addressed the unsecure login HTTP endpoint and user the Performers property instead of the deprecated Artists property from the TagLib library. #38
This commit is contained in:
@@ -6,6 +6,7 @@ using System.Threading.Tasks;
|
||||
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
using Microsoft.Extensions.Configuration;
|
||||
using Microsoft.Extensions.Logging;
|
||||
|
||||
using Icarus.Controllers.Managers;
|
||||
using Icarus.Controllers.Utilities;
|
||||
@@ -20,6 +21,7 @@ namespace Icarus.Controllers
|
||||
{
|
||||
#region Fields
|
||||
private IConfiguration _config;
|
||||
private ILogger<LoginController> _logger;
|
||||
#endregion
|
||||
|
||||
|
||||
@@ -28,9 +30,10 @@ namespace Icarus.Controllers
|
||||
|
||||
|
||||
#region Contructors
|
||||
public LoginController(IConfiguration config)
|
||||
public LoginController(IConfiguration config, ILogger<LoginController> logger)
|
||||
{
|
||||
_config = config;
|
||||
_logger = logger;
|
||||
}
|
||||
#endregion
|
||||
|
||||
@@ -38,26 +41,48 @@ namespace Icarus.Controllers
|
||||
#region HTTP endpoints
|
||||
public IActionResult Post([FromBody] User user)
|
||||
{
|
||||
// TODO: Secure this HTTP endpoint. #38
|
||||
// Currently there is no check done to determine whether or not the
|
||||
// user's password sent with the request matches the password stored
|
||||
// in the database. In fact there is not check if the user credentials
|
||||
// sent with this request even exist in the database. I knowingly left
|
||||
// this bug in here for the sole purpose of making it easier to test
|
||||
// but it should now be addressed.
|
||||
|
||||
UserStoreContext context = HttpContext
|
||||
.RequestServices
|
||||
.GetService(typeof(UserStoreContext)) as UserStoreContext;
|
||||
|
||||
user = context.RetrieveUser(user);
|
||||
Console.WriteLine($"Username: {user.Username}");
|
||||
_logger.LogInformation("Starting process of validating credentials");
|
||||
|
||||
var message = "Invalid credentials";
|
||||
var password = user.Password;
|
||||
|
||||
TokenManager tk = new TokenManager(_config);
|
||||
var loginRes = new LoginResult
|
||||
{
|
||||
Username = user.Username
|
||||
};
|
||||
|
||||
LoginResult loginRes = tk.RetrieveLoginResult(user);
|
||||
if (context.DoesUserExist(user))
|
||||
{
|
||||
user = context.RetrieveUser(user);
|
||||
|
||||
return Ok(loginRes);
|
||||
var validatePass = new PasswordEncryption();
|
||||
var validated = validatePass.VerifyPassword(user, password);
|
||||
if (!validated)
|
||||
{
|
||||
loginRes.Message = message;
|
||||
_logger.LogInformation(message);
|
||||
|
||||
return Ok(loginRes);
|
||||
}
|
||||
|
||||
_logger.LogInformation("Successfully validated user credentials");
|
||||
|
||||
TokenManager tk = new TokenManager(_config);
|
||||
|
||||
loginRes = tk.RetrieveLoginResult(user);
|
||||
|
||||
return Ok(loginRes);
|
||||
}
|
||||
else
|
||||
{
|
||||
loginRes.Message = message;
|
||||
|
||||
return NotFound(loginRes);
|
||||
}
|
||||
}
|
||||
#endregion
|
||||
}
|
||||
|
||||
@@ -59,7 +59,8 @@ namespace Icarus.Controllers.Managers
|
||||
Username = user.Username,
|
||||
Token = tokenResult.AccessToken,
|
||||
TokenType = tokenResult.TokenType,
|
||||
Expiration = tokenResult.Expiration
|
||||
Expiration = tokenResult.Expiration,
|
||||
Message = "Successfully retrieved token"
|
||||
};
|
||||
}
|
||||
|
||||
|
||||
@@ -35,21 +35,37 @@ namespace Icarus.Controllers
|
||||
#endregion
|
||||
|
||||
[HttpPost]
|
||||
public void Post([FromBody] User user)
|
||||
public IActionResult Post([FromBody] User user)
|
||||
{
|
||||
Console.WriteLine($"Username: {user.Username}");
|
||||
Console.WriteLine($"Password: {user.Password}");
|
||||
|
||||
PasswordEncryption pe = new PasswordEncryption();
|
||||
user.Password = pe.HashPassword(user);
|
||||
user.EmailVerified = false;
|
||||
Console.WriteLine($"Hashed Password: {user.Password}");
|
||||
|
||||
UserStoreContext context = HttpContext
|
||||
.RequestServices
|
||||
.GetService(typeof(UserStoreContext)) as UserStoreContext;
|
||||
|
||||
context.SaveUser(user);
|
||||
|
||||
var registerResult = new RegisterResult
|
||||
{
|
||||
Username = user.Username
|
||||
};
|
||||
|
||||
if (context.DoesUserExist(user))
|
||||
{
|
||||
registerResult.Message = "Successful registration";
|
||||
registerResult.SuccessfullyRegistered = true;
|
||||
|
||||
return Ok(registerResult);
|
||||
}
|
||||
else
|
||||
{
|
||||
registerResult.Message = "Registration failed";
|
||||
registerResult.SuccessfullyRegistered = false;
|
||||
|
||||
return Ok(registerResult);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -51,7 +51,7 @@ namespace Icarus.Controllers.Utilities
|
||||
{
|
||||
TagLib.File fileTag = TagLib.File.Create(filePath);
|
||||
_title = fileTag.Tag.Title;
|
||||
_artist = string.Join("", fileTag.Tag.Artists);
|
||||
_artist = string.Join("", fileTag.Tag.Performers);
|
||||
_album = fileTag.Tag.Album;
|
||||
_genre = string.Join("", fileTag.Tag.Genres);
|
||||
_year = (int)fileTag.Tag.Year;
|
||||
@@ -141,7 +141,7 @@ namespace Icarus.Controllers.Utilities
|
||||
break;
|
||||
case "artists":
|
||||
_updatedSong.Artist = artist;
|
||||
fileTag.Tag.Artists = new []{artist};
|
||||
fileTag.Tag.Performers = new []{artist};
|
||||
break;
|
||||
case "album":
|
||||
_updatedSong.AlbumTitle = album;
|
||||
|
||||
@@ -3,6 +3,7 @@ using System.Security.Cryptography;
|
||||
|
||||
using BCrypt.Net;
|
||||
using Microsoft.AspNetCore.Cryptography.KeyDerivation;
|
||||
using NLog;
|
||||
|
||||
using Icarus.Models;
|
||||
|
||||
@@ -11,6 +12,7 @@ namespace Icarus.Controllers.Utilities
|
||||
public class PasswordEncryption
|
||||
{
|
||||
#region Fields
|
||||
private static Logger _logger = NLog.LogManager.GetCurrentClassLogger();
|
||||
#endregion
|
||||
|
||||
|
||||
@@ -23,6 +25,23 @@ namespace Icarus.Controllers.Utilities
|
||||
|
||||
|
||||
#region Methods
|
||||
public bool VerifyPassword(User user, string password)
|
||||
{
|
||||
try
|
||||
{
|
||||
var result = BCrypt.Net.BCrypt.Verify(password, user.Password);
|
||||
|
||||
return result;
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
var msg = ex.Message;
|
||||
_logger.Error(msg, "An error occurred");
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
public string HashPassword(User user)
|
||||
{
|
||||
try
|
||||
@@ -30,12 +49,15 @@ namespace Icarus.Controllers.Utilities
|
||||
string hashedPassword = string.Empty;
|
||||
hashedPassword = BCrypt.Net.BCrypt.HashPassword(user.Password);
|
||||
|
||||
_logger.Info("Successfully hashed password");
|
||||
|
||||
return hashedPassword;
|
||||
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
var exMsg = ex.Message;
|
||||
_logger.Error(exMsg, "An error occurred");
|
||||
}
|
||||
|
||||
return null;
|
||||
@@ -45,11 +67,11 @@ namespace Icarus.Controllers.Utilities
|
||||
{
|
||||
|
||||
string hashed = Convert.ToBase64String(KeyDerivation.Pbkdf2(
|
||||
password: password,
|
||||
salt: salt,
|
||||
prf: KeyDerivationPrf.HMACSHA1,
|
||||
iterationCount: 10000,
|
||||
numBytesRequested: 256/8));
|
||||
password: password,
|
||||
salt: salt,
|
||||
prf: KeyDerivationPrf.HMACSHA1,
|
||||
iterationCount: 10000,
|
||||
numBytesRequested: 256/8));
|
||||
|
||||
return hashed;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user