ajax-login-system 学习笔记

AuthenticationService.cs

  1//------------------------------------
  2// Implementation of:
  3//  - Snip.Authentication service
  4//      - Login methods
  5//      - Registration methods
  6//
  7// BSD License: http://www.opensource.org/licenses/bsd-license.php
  8//Copyright (c) 2007, Kyle Beyer (http://daptivate.com)
  9//All rights reserved.
 10//
 11//Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 12//
 13//Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 
 14//Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 
 15//Neither the name of the organization nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 
 16//THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 17//------------------------------------
 18
 19using System;
 20using System.Data.SqlClient;
 21using System.Text;
 22using System.Web;
 23using System.Web.Security;
 24using System.Configuration;
 25using System.Collections.Generic;
 26using System.Web.Services;
 27using System.Web.Services.Protocols;
 28using System.Security.Cryptography;
 29using System.Net.Mail;
 30using System.Web.Profile;
 31using System.Web.Script.Services;
 32
 33namespace snip
 34{
 35
 36    public class CheckRegistrationRequest
 37    {
 38        public string email;
 39        public string username;
 40    }
 41
 42    public class CheckRegistrationResponse
 43    {
 44        public string salt;
 45        public bool email_available;
 46        public bool username_available;
 47    }
 48
 49    public class RegistrationRequest
 50    {
 51        public string username;
 52        public string email;
 53        public string pwd;
 54        public string salt;
 55        public bool createCookie;
 56    }
 57
 58    public class RegistrationResponse
 59    {
 60        public bool success;
 61        public string message;
 62        public bool email_sent;
 63    }
 64
 65
 66    public class SaltRequest
 67    {
 68        public string username;
 69    }
 70
 71    public class SaltResponse
 72    {
 73        public string salt;
 74        public string challenge;
 75        public bool success;
 76    }
 77
 78    public class LoginRequest
 79    {
 80        public string username;
 81        public string passwordHMAC;
 82        public bool createCookie;
 83    }
 84
 85    public enum UserStatus
 86    {
 87        LoggedOut = 0,
 88        LoggedIn = 1,
 89        Locked = 2
 90    }
 91    public class LoginResponse
 92    {
 93        public UserStatus status;
 94        public string username;
 95    }
 96
 97    /**//// <summary>
 98    /// Summary description for AuthenticationWebService
 99    /// </summary>
100    [ScriptService]
101    public class AuthenticationService : System.Web.Services.WebService
102    {
103        static SHA1CryptoServiceProvider shaProvider = new SHA1CryptoServiceProvider();
104
105        public AuthenticationService()
106        {
107            //Uncomment the following line if using designed components 
108            //InitializeComponent(); 
109        }
110
111        Registration methods#region Registration methods
112
113        [WebMethod]
114        public CheckRegistrationResponse CheckRegistration(CheckRegistrationRequest request)
115        {
116            CheckRegistrationResponse response = new CheckRegistrationResponse();
117            response.email_available = false;
118            response.username_available = false;
119
120            int totalRecords;
121            // check username
122            if (Membership.Provider.FindUsersByName(request.username, 0, 1, out totalRecords).Count == 0)
123            {
124                response.username_available = true;
125            }
126            // check email
127            if (Membership.Provider.FindUsersByEmail(request.email, 0, 1, out totalRecords).Count == 0)
128            {
129                response.email_available = true;
130            }
131
132            // generate salt
133            if (response.email_available && response.username_available)
134            {
135                response.salt = GenerateSalt();
136            }
137
138            return response;
139        }
140
141        [WebMethod]
142        public RegistrationResponse RegisterUser(RegistrationRequest request)
143        {
144            RegistrationResponse response = new RegistrationResponse();
145            response.success = false;
146
147            MembershipCreateStatus status;
148            // create user and auto-approve
149            // NOTE: optionally require e-mail account validation
150            // to activate / approve user
151            MembershipUser user = Membership.Provider.CreateUser(
152                request.username, request.pwd, request.email, 
153                null, null, true, null, out status);
154            if (status == MembershipCreateStatus.Success)
155            {
156                response.success = true;
157
158                // validate / login users
159                if (Membership.ValidateUser(request.username, request.pwd))
160                {
161                    // set authentication cookie
162                    FormsAuthentication.SetAuthCookie(request.username, request.createCookie);
163
164                    // Create an empty Profile for the newly created user
165                    ProfileCommon p = (ProfileCommon)ProfileCommon.Create(request.username, true);
166                    // store salt
167                    p.Salt = request.salt;
168                    p.Save();
169
170                    try
171                    {
172                        // send email
173                        SendRegistrationMail(request.email, request.username);
174                        response.email_sent = true;
175                    }
176                    catch (Exception e)
177                    {
178                        response.email_sent = false;
179                    }
180                }
181            }
182            response.message = status.ToString();
183            return response;
184        }
185
186        #endregion
187
188
189        Login methods#region Login methods
190        [WebMethod]
191        public SaltResponse VerifyUserLogin(SaltRequest request)
192        {
193            SaltResponse response = new SaltResponse();
194            response.success = false;
195
196            // look up real username by email
197            string userName = GetUsername(request.username);
198            
199
200            ProfileCommon p = ProfileBase.Create(userName) as ProfileCommon;
201            if (p != null)
202            {
203                response.salt = p.Salt;
204            }
205
206            if (!String.IsNullOrEmpty(response.salt))
207            {
208                response.success = true;
209                response.challenge = GetUserChallenge(request.username);
210            }
211            return response;
212        }
213
214
215        [WebMethod]
216        public LoginResponse Login(LoginRequest request)
217        {
218            LoginResponse response = new LoginResponse();
219
220            // look up real username by email
221            string userName = GetUsername(request.username);
222
223            // get users client-hashed password (b64 HMAC of salt and real password)
224            string raw_pwd = GetPassword(userName);
225
226            // HMAC user challenge w/ hashed password (have to do a str2bin on keys to match javascipt impl)
227            HMACSHA1 shaHMAC = new HMACSHA1();
228            string userChallenge = GetUserChallenge(request.username);
229            if (!String.IsNullOrEmpty(userChallenge))
230            {
231                shaHMAC.Key = Encoding.BigEndianUnicode.GetBytes(userChallenge);
232                byte[] chalPassHMAC = shaHMAC.ComputeHash(Encoding.BigEndianUnicode.GetBytes(raw_pwd));
233
234
235                // check against value passed in
236                bool passedChallenge = Convert.ToBase64String(chalPassHMAC).Equals(request.passwordHMAC);
237
238                // first make sure challenge was passed
239                if (passedChallenge)
240                {
241                    // user membership validate function
242                    if (Membership.Provider.ValidateUser(userName, raw_pwd))
243                    {
244                        //FormsAuthentication.SetAuthCookie(userName, request.createCookie);
245
246                        // create forms auth ticket with e-mail as userdata
247                        // NOTE: this enables e-mail to be discovered by other apps with
248                        // the same forms auth keys
249                        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
250                          userName,
251                          DateTime.Now,
252                          DateTime.Now.AddMinutes(30),
253                          request.createCookie,
254                          request.username,
255                          FormsAuthentication.FormsCookiePath);
256                        // Encrypt the ticket.
257                        string encTicket = FormsAuthentication.Encrypt(ticket);
258                        // Create the cookie.
259                        Context.Response.Cookies.Add(
260                            new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));
261
262                        response.status = UserStatus.LoggedIn;
263                        response.username = userName;
264                    }
265                    else
266                    {
267                        response.status = UserStatus.LoggedOut;
268                    }
269                }
270                else
271                {
272                    // TODO: increment failed challenge count
273                    // then lockout for specified period to prevent brute force attack
274                    response.status = UserStatus.LoggedOut;
275                }
276            }
277            else
278            {
279                // TODO: log invalid challenge
280                response.status = UserStatus.LoggedOut;
281            }
282
283            return response;
284        }
285
286        [WebMethod]
287        public LoginResponse Logout()
288        {
289            LoginResponse response = new LoginResponse();
290            FormsAuthentication.SignOut();
291            response.status = UserStatus.LoggedOut;
292            return response;
293        }
294
295        #endregion
296
297        helper methods#region helper methods
298
299        /**//// <summary>
300        /// Gets the username associated with a given email
301        /// </summary>
302        /// <param name="email">the e-mail</param>
303        /// <returns>the username</returns>
304        protected string GetUsername(string email)
305        {
306            int totalRecords = 0;
307            string userName = string.Empty;
308            MembershipUserCollection users = Membership.Provider.FindUsersByEmail(email, 0, 1, out totalRecords);
309            if (totalRecords == 1)
310            {
311                foreach (MembershipUser user in users)
312                {
313                    userName = user.UserName;
314                    break;
315                }
316            }
317            return userName;
318        }
319
320        protected string GetPassword(string username)
321        {
322            string rtn = string.Empty;
323            using (System.Data.SqlClient.SqlConnection conn = new SqlConnection(
324                    ConfigurationManager.ConnectionStrings["SnipEngineConnection"].ConnectionString))
325            {
326                SqlCommand cmd = new SqlCommand("aspnet_Membership_GetPassword", conn);
327                cmd.CommandType = System.Data.CommandType.StoredProcedure;
328                cmd.Parameters.Add("@ApplicationName", System.Data.SqlDbType.NVarChar).Value = Membership.Provider.ApplicationName;
329                cmd.Parameters.Add("@UserName", System.Data.SqlDbType.NVarChar).Value = username;
330                cmd.Parameters.Add("@MaxInvalidPasswordAttempts", System.Data.SqlDbType.Int).Value = Membership.Provider.MaxInvalidPasswordAttempts;
331                cmd.Parameters.Add("@PasswordAttemptWindow", System.Data.SqlDbType.Int).Value = Membership.Provider.PasswordAttemptWindow;
332                cmd.Parameters.Add("@CurrentTimeUtc", System.Data.SqlDbType.DateTime).Value = DateTime.UtcNow;
333
334                SqlParameter output = new SqlParameter("@ReturnValue", System.Data.SqlDbType.Int);
335                output.Direction = System.Data.ParameterDirection.ReturnValue;
336
337                cmd.Parameters.Add(output);
338                conn.Open();
339                using (SqlDataReader reader = cmd.ExecuteReader(System.Data.CommandBehavior.SingleRow))
340                {
341                    if (reader.Read())
342                    {
343                        rtn = reader.GetString(0);
344                    }
345
346                    reader.Close();
347                }
348                conn.Close();
349            }
350            return rtn;
351        }
352
353        protected string GenerateSalt()
354        {
355            byte[] salt = new byte[0x10];
356            new RNGCryptoServiceProvider().GetBytes(salt);
357            return Convert.ToBase64String(salt);
358        }
359
360        protected string GetUserChallenge(string username)
361        {
362            string key = string.Format("UserChallenge:{0}", username);
363            string sChallenge = Context.Cache[key] as string;
364            if (string.IsNullOrEmpty(sChallenge))
365            {
366                byte[] challenge = new byte[0x10];
367                new RNGCryptoServiceProvider().GetBytes(challenge);
368                sChallenge = Convert.ToBase64String(challenge);
369
370                // add to cache for 2 minutes  if response isn't recieved by then  user needs to try again
371                Context.Cache.Insert(key, sChallenge, null, DateTime.Now.AddMinutes(2), System.Web.Caching.Cache.NoSlidingExpiration);
372            }
373
374            return sChallenge;
375        }
376
377
378        protected void SendRegistrationMail(string email, string userName)
379        {
380            MailAddress emailAddress = new MailAddress(email);
381
382            using (MailMessage message1 = new MailMessage("support@snipgen.com", email ))
383            {
384                StringBuilder bodyBuilder = new StringBuilder();
385                bodyBuilder.AppendLine("*** NOTE: This e-mail is for demonstration only.  You recieved it because you created an account using the SnipGen AjaxLogin demo.  Your account will be deleted within 30 days. ***");
386                bodyBuilder.AppendLine("Thanks for registering with Snipgen.com!");
387                bodyBuilder.AppendLine(string.Format("The Screen Name you selected is {0}.", userName));
388                bodyBuilder.AppendLine("If you need to change your password, use the change password form.");
389                bodyBuilder.AppendLine("If you forget your password, you will have to reset it because you are the only person who knows your password.  It was encrypted prior to being stored and cannot be decrypted.");
390                bodyBuilder.AppendLine("\nIf you have any questions, e-mail support@snipgen.com.");
391                bodyBuilder.AppendLine("Regards,\nThe SnipGen Team.");
392
393                message1.Body = bodyBuilder.ToString();
394                message1.Subject = string.Format("{0} : Your new Snipgen account", userName);
395
396                // TODO: look up mail server info from instance settings
397                //Snip.Engine.Settings.Instances[1].AppSettings["smtpServer"];
398                //Snip.Engine.Settings.Instances[1].AppSettings["smtpPort"];
399                //Snip.Engine.Settings.Instances[1].AppSettings["smtpUser"];
400                //Snip.Engine.Settings.Instances[1].AppSettings["smtpPassword"];
401
402                SmtpClient client = new SmtpClient("localhost", 25);
403                client.Credentials = new System.Net.NetworkCredential("no-reply@yourdomain.com", "a-good-password");
404                client.Send(message1);
405
406            }
407        }
408 
409
410
411        #endregion
412    }
413
414}
415
416