Fixes to security

This commit is contained in:
djbadders 2021-02-17 17:41:30 +00:00
parent d7f61da1b6
commit 8bb359abbd
3 changed files with 66 additions and 64 deletions

View File

@ -1,11 +1,6 @@
using System; using System.Collections;
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using Core.Main; using Core.Main;
using Core.Helper; using Core.Helper;
using Core.Main.DataObjects.PTMagicData;
using Core.MarketAnalyzer;
namespace Monitor.Pages { namespace Monitor.Pages {
public class DownloadFileModel : _Internal.BasePageModelSecure { public class DownloadFileModel : _Internal.BasePageModelSecure {
@ -14,8 +9,12 @@ namespace Monitor.Pages {
// Initialize Config // Initialize Config
base.Init(); base.Init();
// Check we have a log in
if (base.IsLoggedIn(this.HttpContext))
{
InitializeDownload(); InitializeDownload();
} }
}
private void InitializeDownload() { private void InitializeDownload() {
string fileName = GetStringParameter("f", ""); string fileName = GetStringParameter("f", "");

View File

@ -7,13 +7,48 @@ namespace Monitor._Internal
{ {
public class BasePageModelSecure : BasePageModel public class BasePageModelSecure : BasePageModel
{ {
// The string to redirect to if it fails security
protected string _redirectUrl;
public BasePageModelSecure(string redirect = null)
{
// Configure redirect URL
_redirectUrl = !String.IsNullOrEmpty(redirect) ? redirect : "Login";
}
/// <summary>
/// Must be called from inheritting pages to check security
/// </summary>
public void Init() public void Init()
{ {
// Initialise base class
base.PreInit(); base.PreInit();
if (String.IsNullOrEmpty(HttpContext.Session.GetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString())) && PTMagicConfiguration.GeneralSettings.Monitor.IsPasswordProtected) // Security check
if (!IsLoggedIn(this.HttpContext))
{ {
bool redirectToLogin = true; HttpContext.Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + _redirectUrl);
}
}
/// <summary>
/// Check to see a user if logged in interactively
/// </summary>
/// <returns>Boolean - User logged in or not</returns>
protected Boolean IsLoggedIn(HttpContext context)
{
bool isLoggedIn = false;
if (PTMagicConfiguration.GeneralSettings.Monitor.IsPasswordProtected)
{
// Do we have a session active?
if (!String.IsNullOrEmpty(context.Session.GetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString())))
{
isLoggedIn = true;
}
else
{
// Do we have a auto login cookie?
if (Request.Cookies.ContainsKey("PTMRememberMeKey")) if (Request.Cookies.ContainsKey("PTMRememberMeKey"))
{ {
string rememberMeKey = Request.Cookies["PTMRememberMeKey"]; string rememberMeKey = Request.Cookies["PTMRememberMeKey"];
@ -22,17 +57,22 @@ namespace Monitor._Internal
string encryptedPassword = EncryptionHelper.Decrypt(Request.Cookies["PTMRememberMeKey"]); string encryptedPassword = EncryptionHelper.Decrypt(Request.Cookies["PTMRememberMeKey"]);
if (encryptedPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword)) if (encryptedPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword))
{ {
HttpContext.Session.SetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString(), DateTime.UtcNow.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'")); context.Session.SetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString(), DateTime.UtcNow.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'"));
redirectToLogin = false; isLoggedIn = true;
} }
} }
} }
}
}
else
{
// No password required
isLoggedIn = true;
}
if (redirectToLogin) return isLoggedIn;
{
HttpContext.Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "Login");
}
}
} }
} }
} }

View File

@ -1,49 +1,12 @@
using System; namespace Monitor._Internal
using System.IO;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Newtonsoft.Json;
using Core.Main;
using Core.Helper;
using Core.Main.DataObjects.PTMagicData;
using Core.MarketAnalyzer;
using Core.ProfitTrailer;
using Microsoft.Extensions.Primitives;
namespace Monitor._Internal
{ {
public class BasePageModelSecureAJAX : BasePageModel public class BasePageModelSecureAJAX : BasePageModelSecure
{ {
public void Init() public BasePageModelSecureAJAX() : base(@"_get/ReturnToLogin") {
{ // Logic in base class
base.PreInit();
if (String.IsNullOrEmpty(HttpContext.Session.GetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString())) && PTMagicConfiguration.GeneralSettings.Monitor.IsPasswordProtected)
{
bool redirectToLogin = true;
if (Request.Cookies.ContainsKey("PTMRememberMeKey"))
{
string rememberMeKey = Request.Cookies["PTMRememberMeKey"];
if (!rememberMeKey.Equals(""))
{
string encryptedPassword = EncryptionHelper.Decrypt(Request.Cookies["PTMRememberMeKey"]);
if (encryptedPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword))
{
HttpContext.Session.SetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString(), DateTime.UtcNow.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'"));
redirectToLogin = false;
}
}
} }
if (redirectToLogin)
{
HttpContext.Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "_get/ReturnToLogin");
}
}
}
} }
} }