Authentication For web api

Question

0.00/5 (No votes)

See more:

Partially its work whenever i give required credential(Email and password) it works fine.if i give wrong email its show 404 error means its fine.if i give wrong password also its accepting means it not show any error.

My code is given below please help me:-

using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Entity;
using System.Data.Entity.Infrastructure;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Description;
using WebApplication5.Models;
using System.Security.Cryptography;
using System.Text;

namespace WebApplication5.Controllers
{
public class UsersController : ApiController
{
private ChatDatabaseEntities1 db = new ChatDatabaseEntities1();

// GET: api/Users
public IQueryable<user> GetUsers()
{
return db.Users;
}
SymmetricAlgorithm desobj = Rijndael.Create();
string key;

// GET: api/Users/5
[ResponseType(typeof(User))]
public IHttpActionResult GetUser(string Email, string password)
{
User user = db.Users.Find(Email);
if (user == null)
{
return NotFound();
}
string temp =Decrypt(user.Password, user.PasswordSalt);
if (password == temp)
{
// return Ok(user.Email);
}

return Ok(user.Email);
}

// PUT: api/Users/5
[ResponseType(typeof(void))]
public IHttpActionResult PutUser(string id, User user)
{
if (!ModelState.IsValid)
{
return BadRequest(ModelState);
}

if (id != user.Email)
{
return BadRequest();
}

db.Entry(user).State = EntityState.Modified;

try
{
db.SaveChanges();
}
catch (DbUpdateConcurrencyException)
{
if (!UserExists(id))
{
return NotFound();
}
else
{
throw;
}
}

return StatusCode(HttpStatusCode.NoContent);
}

// POST: api/Users
[ResponseType(typeof(User))]
public IHttpActionResult PostUser(User user)
{
if (!ModelState.IsValid)
{
return BadRequest(ModelState);
}
string temp_password = Encrypt("text", Key());
user.Password = temp_password;
user.PasswordSalt = Key();
user.UserType = "user";

db.Users.Add(user);

try
{
db.SaveChanges();
}
catch (DbUpdateException)
{
if (UserExists(user.Email))
{
return Conflict();
}
else
{
throw;
}
}

return CreatedAtRoute("DefaultApi", new { id = user.Email }, user);
}

// DELETE: api/Users/5
[ResponseType(typeof(User))]
public IHttpActionResult DeleteUser(string id)
{
User user = db.Users.Find(id);
if (user == null)
{
return NotFound();
}

db.Users.Remove(user);
db.SaveChanges();

return Ok(user);
}

protected override void Dispose(bool disposing)
{
if (disposing)
{
db.Dispose();
}
base.Dispose(disposing);
}

private bool UserExists(string id)
{
return db.Users.Count(e => e.Email == id) > 0;
}

public static string Encrypt(string strToEncrypt, string strKey)
{
try
{
TripleDESCryptoServiceProvider objDESCrypto =
new TripleDESCryptoServiceProvider();
MD5CryptoServiceProvider objHashMD5 = new MD5CryptoServiceProvider();
byte[] byteHash, byteBuff;
string strTempKey = strKey;
byteHash = objHashMD5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(strTempKey));
objHashMD5 = null;
objDESCrypto.Key = byteHash;
objDESCrypto.Mode = CipherMode.ECB; //CBC, CFB
byteBuff = ASCIIEncoding.ASCII.GetBytes(strToEncrypt);
return Convert.ToBase64String(objDESCrypto.CreateEncryptor().
TransformFinalBlock(byteBuff, 0, byteBuff.Length));
}
catch (Exception ex)
{
return "Wrong Input. " + ex.Message;
}
}

private string Key()
{
{
Random random = new Random();
key = "" + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9);

return key;
}
}
public static string Decrypt(string strEncrypted, string strKey)
{
try
{
TripleDESCryptoServiceProvider objDESCrypto =
new TripleDESCryptoServiceProvider();
MD5CryptoServiceProvider objHashMD5 = new MD5CryptoServiceProvider();
byte[] byteHash, byteBuff;
string strTempKey = strKey;
byteHash = objHashMD5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(strTempKey));
objHashMD5 = null;
objDESCrypto.Key = byteHash;
objDESCrypto.Mode = CipherMode.ECB; //CBC, CFB
byteBuff = Convert.FromBase64String(strEncrypted);
string strDecrypted = ASCIIEncoding.ASCII.GetString
(objDESCrypto.CreateDecryptor().TransformFinalBlock
(byteBuff, 0, byteBuff.Length));
objDESCrypto = null;
return strDecrypted;
}
catch (Exception ex)
{
return "Wrong Input. " + ex.Message;
}
}
}
}

Posted 26-Oct-15 8:59am

Member 11651335

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard Deeming · Answer 1 · 2015-10-26T09:47:00

The first and most obvious problem is that you're ignoring the password test:

C#

string temp =Decrypt(user.Password, user.PasswordSalt);
if (password == temp)
{
    // return Ok(user.Email);
}

return Ok(user.Email);

Whether or not the password matches, you return Ok. Try changing it to:

C#

string temp = Decrypt(user.Password, user.PasswordSalt);
if (password != temp)
{
    return NotFound();
}

return Ok(user.Email);

Now, the more interesting problem: you appear to be storing the passwords using reversible encryption. That is a very bad idea. You should only ever store a salted hash of the user's password, using a unique salt per record, and using multiple rounds of a secure hashing algorithm.

Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]