Fixes to security

Monitor/Pages/_get/DownloadFile.cshtml.cs

@@ -1,11 +1,6 @@
-using System;
-using System.Collections;
-using System.Collections.Generic;
-using System.Linq;
+using System.Collections;
 using Core.Main;
 using Core.Helper;
-using Core.Main.DataObjects.PTMagicData;
-using Core.MarketAnalyzer;
 
 namespace Monitor.Pages {
   public class DownloadFileModel : _Internal.BasePageModelSecure {
@@ -14,8 +9,12 @@ namespace Monitor.Pages {
       // Initialize Config
       base.Init();
       
+      // Check we have a log in
+      if (base.IsLoggedIn(this.HttpContext))
+      {
         InitializeDownload();
       }
+    }
 
     private void InitializeDownload() {
       string fileName = GetStringParameter("f", "");

Monitor/_Internal/BasePageModelSecure.cs

@@ -7,13 +7,48 @@ namespace Monitor._Internal
 {
   public class BasePageModelSecure : BasePageModel
   {
+    // The string to redirect to if it fails security
+    protected string _redirectUrl;
+
+    public BasePageModelSecure(string redirect = null)
+    {
+      // Configure redirect URL
+      _redirectUrl = !String.IsNullOrEmpty(redirect) ? redirect : "Login";
+    }
+
+    /// <summary>
+    /// Must be called from inheritting pages to check security
+    /// </summary>
     public void Init()
     {
+      // Initialise base class
       base.PreInit();
 
-      if (String.IsNullOrEmpty(HttpContext.Session.GetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString())) && PTMagicConfiguration.GeneralSettings.Monitor.IsPasswordProtected)
+      // Security check
+      if (!IsLoggedIn(this.HttpContext))
       {
-        bool redirectToLogin = true;
+        HttpContext.Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + _redirectUrl);
+      }
+    }
+
+    /// <summary>
+    /// Check to see a user if logged in interactively
+    /// </summary>
+    /// <returns>Boolean - User logged in or not</returns>
+    protected Boolean IsLoggedIn(HttpContext context)
+    {
+      bool isLoggedIn = false;
+
+      if (PTMagicConfiguration.GeneralSettings.Monitor.IsPasswordProtected)
+      {
+        // Do we have a session active?
+        if (!String.IsNullOrEmpty(context.Session.GetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString())))
+        {
+          isLoggedIn = true;
+        }
+        else
+        {
+          // Do we have a auto login cookie?
           if (Request.Cookies.ContainsKey("PTMRememberMeKey"))
           {
             string rememberMeKey = Request.Cookies["PTMRememberMeKey"];
@@ -22,17 +57,22 @@ namespace Monitor._Internal
               string encryptedPassword = EncryptionHelper.Decrypt(Request.Cookies["PTMRememberMeKey"]);
               if (encryptedPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword))
               {
-              HttpContext.Session.SetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString(), DateTime.UtcNow.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'"));
-              redirectToLogin = false;
+                context.Session.SetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString(), DateTime.UtcNow.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'"));
+                isLoggedIn = true;
               }
             }
           }
+        }
+      }
+      else
+      {
+        // No password required
+        isLoggedIn = true;
+      }
 
-        if (redirectToLogin)
-        {
-          HttpContext.Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "Login");
-        }
-      }
+      return isLoggedIn;
     }
+
   }
+
 }

Monitor/_Internal/BasePageModelSecureAJAX.cs

@@ -1,49 +1,12 @@
-using System;
-using System.IO;
-using Microsoft.AspNetCore.Http;
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.AspNetCore.Mvc.RazorPages;
-using Microsoft.Extensions.Configuration;
-using Microsoft.Extensions.DependencyInjection;
-using Newtonsoft.Json;
-using Core.Main;
-using Core.Helper;
-using Core.Main.DataObjects.PTMagicData;
-using Core.MarketAnalyzer;
-using Core.ProfitTrailer;
-using Microsoft.Extensions.Primitives;
-
-namespace Monitor._Internal
+namespace Monitor._Internal
 {
 
-  public class BasePageModelSecureAJAX : BasePageModel
+  public class BasePageModelSecureAJAX : BasePageModelSecure
   {
-    public void Init()
-    {
-      base.PreInit();
-
-      if (String.IsNullOrEmpty(HttpContext.Session.GetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString())) && PTMagicConfiguration.GeneralSettings.Monitor.IsPasswordProtected)
-      {
-        bool redirectToLogin = true;
-        if (Request.Cookies.ContainsKey("PTMRememberMeKey"))
-        {
-          string rememberMeKey = Request.Cookies["PTMRememberMeKey"];
-          if (!rememberMeKey.Equals(""))
-          {
-            string encryptedPassword = EncryptionHelper.Decrypt(Request.Cookies["PTMRememberMeKey"]);
-            if (encryptedPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword))
-            {
-              HttpContext.Session.SetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString(), DateTime.UtcNow.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'"));
-              redirectToLogin = false;
-            }
-          }
+    public BasePageModelSecureAJAX() : base(@"_get/ReturnToLogin") {
+      // Logic in base class
     }
 
-        if (redirectToLogin)
-        {
-          HttpContext.Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "_get/ReturnToLogin");
-        }
-      }
-    }
   }
+
 }