Fixes to security

Monitor/Pages/_get/DownloadFile.cshtml.cs

@@ -1,11 +1,6 @@
-using System;
-using System.Collections;
-using System.Collections.Generic;
-using System.Linq;
+using System.Collections;
 using Core.Main;
 using Core.Helper;
-using Core.Main.DataObjects.PTMagicData;
-using Core.MarketAnalyzer;
 
 namespace Monitor.Pages {
   public class DownloadFileModel : _Internal.BasePageModelSecure {
@@ -14,7 +9,11 @@ namespace Monitor.Pages {
       // Initialize Config
       base.Init();
       
-      InitializeDownload();
+      // Check we have a log in
+      if (base.IsLoggedIn(this.HttpContext))
+      {
+        InitializeDownload();
+      }
     }
 
     private void InitializeDownload() {

Monitor/_Internal/BasePageModelSecure.cs

@@ -7,32 +7,72 @@ namespace Monitor._Internal
 {
   public class BasePageModelSecure : BasePageModel
   {
+    // The string to redirect to if it fails security
+    protected string _redirectUrl;
+
+    public BasePageModelSecure(string redirect = null)
+    {
+      // Configure redirect URL
+      _redirectUrl = !String.IsNullOrEmpty(redirect) ? redirect : "Login";
+    }
+
+    /// <summary>
+    /// Must be called from inheritting pages to check security
+    /// </summary>
     public void Init()
     {
+      // Initialise base class
       base.PreInit();
 
-      if (String.IsNullOrEmpty(HttpContext.Session.GetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString())) && PTMagicConfiguration.GeneralSettings.Monitor.IsPasswordProtected)
+      // Security check
+      if (!IsLoggedIn(this.HttpContext))
       {
-        bool redirectToLogin = true;
-        if (Request.Cookies.ContainsKey("PTMRememberMeKey"))
+        HttpContext.Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + _redirectUrl);
+      }
+    }
+
+    /// <summary>
+    /// Check to see a user if logged in interactively
+    /// </summary>
+    /// <returns>Boolean - User logged in or not</returns>
+    protected Boolean IsLoggedIn(HttpContext context)
+    {
+      bool isLoggedIn = false;
+
+      if (PTMagicConfiguration.GeneralSettings.Monitor.IsPasswordProtected)
+      {
+        // Do we have a session active?
+        if (!String.IsNullOrEmpty(context.Session.GetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString())))
         {
-          string rememberMeKey = Request.Cookies["PTMRememberMeKey"];
-          if (!rememberMeKey.Equals(""))
+          isLoggedIn = true;
+        }
+        else
+        {
+          // Do we have a auto login cookie?
+          if (Request.Cookies.ContainsKey("PTMRememberMeKey"))
           {
-            string encryptedPassword = EncryptionHelper.Decrypt(Request.Cookies["PTMRememberMeKey"]);
-            if (encryptedPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword))
+            string rememberMeKey = Request.Cookies["PTMRememberMeKey"];
+            if (!rememberMeKey.Equals(""))
             {
-              HttpContext.Session.SetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString(), DateTime.UtcNow.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'"));
-              redirectToLogin = false;
+              string encryptedPassword = EncryptionHelper.Decrypt(Request.Cookies["PTMRememberMeKey"]);
+              if (encryptedPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword))
+              {
+                context.Session.SetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString(), DateTime.UtcNow.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'"));
+                isLoggedIn = true;
+              }
             }
           }
         }
-
-        if (redirectToLogin)
-        {
-          HttpContext.Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "Login");
-        }
       }
+      else
+      {
+        // No password required
+        isLoggedIn = true;
+      }
+
+      return isLoggedIn;
     }
+
   }
+
 }

Monitor/_Internal/BasePageModelSecureAJAX.cs

@@ -1,49 +1,12 @@
-using System;
-using System.IO;
-using Microsoft.AspNetCore.Http;
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.AspNetCore.Mvc.RazorPages;
-using Microsoft.Extensions.Configuration;
-using Microsoft.Extensions.DependencyInjection;
-using Newtonsoft.Json;
-using Core.Main;
-using Core.Helper;
-using Core.Main.DataObjects.PTMagicData;
-using Core.MarketAnalyzer;
-using Core.ProfitTrailer;
-using Microsoft.Extensions.Primitives;
-
-namespace Monitor._Internal
+namespace Monitor._Internal
 {
 
-  public class BasePageModelSecureAJAX : BasePageModel
+  public class BasePageModelSecureAJAX : BasePageModelSecure
   {
-    public void Init()
-    {
-      base.PreInit();
-
-      if (String.IsNullOrEmpty(HttpContext.Session.GetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString())) && PTMagicConfiguration.GeneralSettings.Monitor.IsPasswordProtected)
-      {
-        bool redirectToLogin = true;
-        if (Request.Cookies.ContainsKey("PTMRememberMeKey"))
-        {
-          string rememberMeKey = Request.Cookies["PTMRememberMeKey"];
-          if (!rememberMeKey.Equals(""))
-          {
-            string encryptedPassword = EncryptionHelper.Decrypt(Request.Cookies["PTMRememberMeKey"]);
-            if (encryptedPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword))
-            {
-              HttpContext.Session.SetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString(), DateTime.UtcNow.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'"));
-              redirectToLogin = false;
-            }
-          }
-        }
-
-        if (redirectToLogin)
-        {
-          HttpContext.Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "_get/ReturnToLogin");
-        }
-      }
+    public BasePageModelSecureAJAX() : base(@"_get/ReturnToLogin") {
+      // Logic in base class
     }
+
   }
+
 }