Addressed the unsecure login HTTP endpoint and user the Performers property instead of the deprecated Artists property from the TagLib library. #38

This commit is contained in:
amazing-username
2019-05-11 16:42:29 -04:00
parent c0ac3cdd30
commit 9bfb43e46a
13 changed files with 267 additions and 60 deletions
+39 -14
View File
@@ -6,6 +6,7 @@ using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;
using Icarus.Controllers.Managers;
using Icarus.Controllers.Utilities;
@@ -20,6 +21,7 @@ namespace Icarus.Controllers
{
#region Fields
private IConfiguration _config;
private ILogger<LoginController> _logger;
#endregion
@@ -28,9 +30,10 @@ namespace Icarus.Controllers
#region Contructors
public LoginController(IConfiguration config)
public LoginController(IConfiguration config, ILogger<LoginController> logger)
{
_config = config;
_logger = logger;
}
#endregion
@@ -38,26 +41,48 @@ namespace Icarus.Controllers
#region HTTP endpoints
public IActionResult Post([FromBody] User user)
{
// TODO: Secure this HTTP endpoint. #38
// Currently there is no check done to determine whether or not the
// user's password sent with the request matches the password stored
// in the database. In fact there is not check if the user credentials
// sent with this request even exist in the database. I knowingly left
// this bug in here for the sole purpose of making it easier to test
// but it should now be addressed.
UserStoreContext context = HttpContext
.RequestServices
.GetService(typeof(UserStoreContext)) as UserStoreContext;
user = context.RetrieveUser(user);
Console.WriteLine($"Username: {user.Username}");
_logger.LogInformation("Starting process of validating credentials");
var message = "Invalid credentials";
var password = user.Password;
TokenManager tk = new TokenManager(_config);
var loginRes = new LoginResult
{
Username = user.Username
};
LoginResult loginRes = tk.RetrieveLoginResult(user);
if (context.DoesUserExist(user))
{
user = context.RetrieveUser(user);
return Ok(loginRes);
var validatePass = new PasswordEncryption();
var validated = validatePass.VerifyPassword(user, password);
if (!validated)
{
loginRes.Message = message;
_logger.LogInformation(message);
return Ok(loginRes);
}
_logger.LogInformation("Successfully validated user credentials");
TokenManager tk = new TokenManager(_config);
loginRes = tk.RetrieveLoginResult(user);
return Ok(loginRes);
}
else
{
loginRes.Message = message;
return NotFound(loginRes);
}
}
#endregion
}
+2 -1
View File
@@ -59,7 +59,8 @@ namespace Icarus.Controllers.Managers
Username = user.Username,
Token = tokenResult.AccessToken,
TokenType = tokenResult.TokenType,
Expiration = tokenResult.Expiration
Expiration = tokenResult.Expiration,
Message = "Successfully retrieved token"
};
}
+21 -5
View File
@@ -35,21 +35,37 @@ namespace Icarus.Controllers
#endregion
[HttpPost]
public void Post([FromBody] User user)
public IActionResult Post([FromBody] User user)
{
Console.WriteLine($"Username: {user.Username}");
Console.WriteLine($"Password: {user.Password}");
PasswordEncryption pe = new PasswordEncryption();
user.Password = pe.HashPassword(user);
user.EmailVerified = false;
Console.WriteLine($"Hashed Password: {user.Password}");
UserStoreContext context = HttpContext
.RequestServices
.GetService(typeof(UserStoreContext)) as UserStoreContext;
context.SaveUser(user);
var registerResult = new RegisterResult
{
Username = user.Username
};
if (context.DoesUserExist(user))
{
registerResult.Message = "Successful registration";
registerResult.SuccessfullyRegistered = true;
return Ok(registerResult);
}
else
{
registerResult.Message = "Registration failed";
registerResult.SuccessfullyRegistered = false;
return Ok(registerResult);
}
}
}
}
+2 -2
View File
@@ -51,7 +51,7 @@ namespace Icarus.Controllers.Utilities
{
TagLib.File fileTag = TagLib.File.Create(filePath);
_title = fileTag.Tag.Title;
_artist = string.Join("", fileTag.Tag.Artists);
_artist = string.Join("", fileTag.Tag.Performers);
_album = fileTag.Tag.Album;
_genre = string.Join("", fileTag.Tag.Genres);
_year = (int)fileTag.Tag.Year;
@@ -141,7 +141,7 @@ namespace Icarus.Controllers.Utilities
break;
case "artists":
_updatedSong.Artist = artist;
fileTag.Tag.Artists = new []{artist};
fileTag.Tag.Performers = new []{artist};
break;
case "album":
_updatedSong.AlbumTitle = album;
+27 -5
View File
@@ -3,6 +3,7 @@ using System.Security.Cryptography;
using BCrypt.Net;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;
using NLog;
using Icarus.Models;
@@ -11,6 +12,7 @@ namespace Icarus.Controllers.Utilities
public class PasswordEncryption
{
#region Fields
private static Logger _logger = NLog.LogManager.GetCurrentClassLogger();
#endregion
@@ -23,6 +25,23 @@ namespace Icarus.Controllers.Utilities
#region Methods
public bool VerifyPassword(User user, string password)
{
try
{
var result = BCrypt.Net.BCrypt.Verify(password, user.Password);
return result;
}
catch (Exception ex)
{
var msg = ex.Message;
_logger.Error(msg, "An error occurred");
}
return false;
}
public string HashPassword(User user)
{
try
@@ -30,12 +49,15 @@ namespace Icarus.Controllers.Utilities
string hashedPassword = string.Empty;
hashedPassword = BCrypt.Net.BCrypt.HashPassword(user.Password);
_logger.Info("Successfully hashed password");
return hashedPassword;
}
catch (Exception ex)
{
var exMsg = ex.Message;
_logger.Error(exMsg, "An error occurred");
}
return null;
@@ -45,11 +67,11 @@ namespace Icarus.Controllers.Utilities
{
string hashed = Convert.ToBase64String(KeyDerivation.Pbkdf2(
password: password,
salt: salt,
prf: KeyDerivationPrf.HMACSHA1,
iterationCount: 10000,
numBytesRequested: 256/8));
password: password,
salt: salt,
prf: KeyDerivationPrf.HMACSHA1,
iterationCount: 10000,
numBytesRequested: 256/8));
return hashed;
}