From a572436c8a2e19a68d347a57528c4646d2070916 Mon Sep 17 00:00:00 2001 From: JackTerok Date: Fri, 19 Feb 2021 16:20:03 +0100 Subject: [PATCH 1/6] properly mask the ServerAPIToken in the web interface --- Core/Main/PTMagicConfiguration.cs | 19 +++++++++++++++++++ Monitor/Pages/SettingsGeneral.cshtml | 2 +- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/Core/Main/PTMagicConfiguration.cs b/Core/Main/PTMagicConfiguration.cs index 7d29d14..64eda87 100644 --- a/Core/Main/PTMagicConfiguration.cs +++ b/Core/Main/PTMagicConfiguration.cs @@ -83,6 +83,25 @@ namespace Core.Main return result; } + public string GetProfitTrailerServerAPITokenMasked() + { + string result = ""; + + if (!this.GeneralSettings.Application.ProfitTrailerServerAPIToken.Equals("")) + { + result = this.GeneralSettings.Application.ProfitTrailerServerAPIToken.Substring(0, 4); + + for (int i = 1; i < this.GeneralSettings.Application.ProfitTrailerServerAPIToken.Length - 8; i++) + { + result += "*"; + } + + result += this.GeneralSettings.Application.ProfitTrailerServerAPIToken.Substring(this.GeneralSettings.Application.ProfitTrailerServerAPIToken.Length - 4); + } + + return result; + } + public GeneralSettings GeneralSettings { get diff --git a/Monitor/Pages/SettingsGeneral.cshtml b/Monitor/Pages/SettingsGeneral.cshtml index 64c3783..c128641 100644 --- a/Monitor/Pages/SettingsGeneral.cshtml +++ b/Monitor/Pages/SettingsGeneral.cshtml @@ -92,7 +92,7 @@
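Review bot: In `GetProfitTrailerServerAPITokenMasked`, a token of eight characters or fewer is not masked at all, because the first four and last four characters together cover the whole string, and a token shorter than four characters makes `Substring(0, 4)` throw. The loop also starts at `i = 1`, so the output has one asterisk fewer than the hidden part. I would read the token into a local once, return only asterisks for short values with `if (token.Length <= 8) return new string('*', token.Length);`, and build the middle with `new string('*', token.Length - 8)`. Eight visible characters is a lot for a secret; consider showing only the last four.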
- + @Model.PTMagicConfiguration.GetProfitTrailerServerAPITokenMasked()
From 91e8fecb2882eee2a4350ccb825f32d500fd9096 Mon Sep 17 00:00:00 2001 From: JackTerok Date: Fri, 19 Feb 2021 18:32:36 +0100 Subject: [PATCH 2/6] fix check if password and confirm are identical --- Monitor/Pages/SetupPassword.cshtml.cs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Monitor/Pages/SetupPassword.cshtml.cs b/Monitor/Pages/SetupPassword.cshtml.cs index eb53c5f..f8d6bb8 100644 --- a/Monitor/Pages/SetupPassword.cshtml.cs +++ b/Monitor/Pages/SetupPassword.cshtml.cs @@ -20,10 +20,10 @@ namespace Monitor.Pages { if (!password.Equals(passwordConfirm)) { - ValidationMessage = "Password does not match the confirmation!"; + base.PreInit(); + Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "SetupPassword"); } - - if (ModelState.IsValid) + else if (ModelState.IsValid) { base.PreInit(); PTMagicConfiguration.WriteSecureSettings(password); From b9082c788932f0e00d1108a80abc1fe1e3aa4dfd Mon Sep 17 00:00:00 2001 From: JackTerok Date: Fri, 19 Feb 2021 22:14:01 +0100 Subject: [PATCH 3/6] make password change secure --- Monitor/Pages/SetupPassword.cshtml | 21 +++++++------- Monitor/Pages/SetupPassword.cshtml.cs | 41 ++++++++++++++++++++------- 2 files changed, 40 insertions(+), 22 deletions(-) diff --git a/Monitor/Pages/SetupPassword.cshtml b/Monitor/Pages/SetupPassword.cshtml index 7c2f9d0..600a91b 100644 --- a/Monitor/Pages/SetupPassword.cshtml +++ b/Monitor/Pages/SetupPassword.cshtml @@ -14,9 +14,18 @@
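Review bot: `password.Equals(passwordConfirm)` throws a NullReferenceException when model binding leaves `password` null, and the mismatch branch now redirects without telling the user why, since the `ValidationMessage` assignment was removed. `string.Equals(password, passwordConfirm)` handles null on either side, and a null or empty password should be rejected before `WriteSecureSettings` is reached. The body of `OnPost` continues outside the hunk.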

PT Magic

Setup your password.

-
+ + @if (System.IO.File.Exists(System.IO.Directory.GetCurrentDirectory().Split("Monitor")[0] + "settings.secure.json")) + { +
+
+ +
+
+ } +
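Review bot: The test for an existing password derives the settings path with `Directory.GetCurrentDirectory().Split("Monitor")[0]`, which depends on the process working directory and resolves to the wrong folder when "Monitor" occurs earlier in the install path; the same expression is repeated in `OnPost` in SetupPassword.cshtml.cs, where it decides whether the old password is verified at all. If the path resolves wrongly, `File.Exists` returns false, the old-password field is not rendered and the handler treats the post as a first-time setup. I would compute this once in the page model, for example a `bool PasswordIsSet` property built from the same location `WriteSecureSettings` writes to (not visible in this diff), and have both the view and the handler read it.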
@@ -29,14 +38,6 @@
- @if (!Model.ValidationMessage.Equals("")) { -
-
- @Model.ValidationMessage -
-
- } -
-
-
diff --git a/Monitor/Pages/SetupPassword.cshtml.cs b/Monitor/Pages/SetupPassword.cshtml.cs index f8d6bb8..0d93fd6 100644 --- a/Monitor/Pages/SetupPassword.cshtml.cs +++ b/Monitor/Pages/SetupPassword.cshtml.cs @@ -4,6 +4,7 @@ using Microsoft.AspNetCore.Http; using System.Threading.Tasks; using Newtonsoft.Json; using Core.Main; +using Core.Helper; namespace Monitor.Pages { 
@@ -16,19 +17,37 @@ namespace Monitor.Pages base.PreInit(); } - public void OnPost(string password, string passwordConfirm) + public void OnPost(string OldPassword, string Password, string PasswordConfirm) { - if (!password.Equals(passwordConfirm)) - { - base.PreInit(); - Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "SetupPassword"); - } - else if (ModelState.IsValid) - { - base.PreInit(); - PTMagicConfiguration.WriteSecureSettings(password); + base.PreInit(); - Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "Login"); + string encryptedOldPassword = null; + + if (OldPassword != null) + { + encryptedOldPassword = EncryptionHelper.Encrypt(OldPassword); + + if (!Password.Equals(PasswordConfirm) || !encryptedOldPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword) && System.IO.File.Exists(System.IO.Directory.GetCurrentDirectory().Split("Monitor")[0] + "settings.secure.json")) + { + Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "SetupPassword"); + } + else if (ModelState.IsValid) + { + PTMagicConfiguration.WriteSecureSettings(Password); + Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "Login"); + } + } + else + { + if (!Password.Equals(PasswordConfirm) && !System.IO.File.Exists(System.IO.Directory.GetCurrentDirectory().Split("Monitor")[0] + "settings.secure.json")) + { + Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "SetupPassword"); + } + else if (ModelState.IsValid) + { + PTMagicConfiguration.WriteSecureSettings(Password); + Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "Login"); + } } } From 1e230cbb4258975bbbccc3325c2b3252080d9f9a Mon Sep 17 00:00:00 2001 From: JackTerok Date: Sat, 20 Feb 2021 20:11:31 +0100 Subject: [PATCH 4/6] make serverApiToken editable again --- Monitor/Pages/SettingsGeneral.cshtml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
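Review bot: The old password is verified only inside the `OldPassword != null` branch, so a post that carries no `OldPassword` value reaches the `else` branch, where an existing settings.secure.json makes the first condition false and `WriteSecureSettings(Password)` runs with neither the old password nor the confirmation checked; patch 6/6 carries these conditions over unchanged. Whether the old password is required should follow from whether a password is already set, not from which fields the client sent. The first condition also mixes `||` and `&&` without parentheses, and `Password.Equals` throws when `Password` is null. A single decision, as below, covers both cases; whether `EncryptionHelper.Encrypt` is a suitable way to store and compare passwords cannot be judged from this hunk.

```csharp
public void OnPost(string OldPassword, string Password, string PasswordConfirm)
{
  base.PreInit();

  bool passwordIsSet = System.IO.File.Exists(System.IO.Directory.GetCurrentDirectory().Split("Monitor")[0] + "settings.secure.json");
  bool confirmationMatches = Password != null && Password.Equals(PasswordConfirm);

  // Once a password exists, the old one is mandatory, whatever fields the request carries.
  bool oldPasswordAccepted = !passwordIsSet
    || (OldPassword != null && EncryptionHelper.Encrypt(OldPassword).Equals(PTMagicConfiguration.SecureSettings.MonitorPassword));

  if (!confirmationMatches || !oldPasswordAccepted)
  {
    Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "SetupPassword");
  }
  else if (ModelState.IsValid)
  {
    PTMagicConfiguration.WriteSecureSettings(Password);
    Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "Login");
  }
}
```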
diff --git a/Monitor/Pages/SettingsGeneral.cshtml b/Monitor/Pages/SettingsGeneral.cshtml index c128641..bc00c54 100644 --- a/Monitor/Pages/SettingsGeneral.cshtml +++ b/Monitor/Pages/SettingsGeneral.cshtml @@ -92,7 +92,7 @@
- @Model.PTMagicConfiguration.GetProfitTrailerServerAPITokenMasked() +
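Review bot: The added line's markup is not visible in this listing, so this is a question rather than a finding: if the field is editable again because the full `ProfitTrailerServerAPIToken` is written into its value, the token is once more sent to every browser that opens the settings page, which the first patch in this series set out to prevent. An editable field does not need the secret in it; the string from `GetProfitTrailerServerAPITokenMasked()` can be shown as placeholder text while the field stays empty, and the save handler can keep the stored token when the posted value is empty. That handler is outside this diff.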
From b9a625ee1a001db91d5a450b9faa6102d986adba Mon Sep 17 00:00:00 2001 From: JackTerok Date: Sat, 20 Feb 2021 20:13:08 +0100 Subject: [PATCH 5/6] more descriptive placeholders --- Monitor/Pages/SetupPassword.cshtml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Monitor/Pages/SetupPassword.cshtml b/Monitor/Pages/SetupPassword.cshtml index 600a91b..643f1b7 100644 --- a/Monitor/Pages/SetupPassword.cshtml +++ b/Monitor/Pages/SetupPassword.cshtml @@ -28,13 +28,13 @@
- +
- +
From 24a50dd24444d64fd01eee6bf5f4133b9e7614f8 Mon Sep 17 00:00:00 2001 From: JackTerok Date: Sat, 20 Feb 2021 20:26:22 +0100 Subject: [PATCH 6/6] implement proper messages on error --- Monitor/Pages/SetupPassword.cshtml | 5 +++++ Monitor/Pages/SetupPassword.cshtml.cs | 8 +++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/Monitor/Pages/SetupPassword.cshtml b/Monitor/Pages/SetupPassword.cshtml index 643f1b7..e99989b 100644 --- a/Monitor/Pages/SetupPassword.cshtml +++ b/Monitor/Pages/SetupPassword.cshtml @@ -45,6 +45,11 @@ +
+
+ @Model.ValidationMessage +
+
diff --git a/Monitor/Pages/SetupPassword.cshtml.cs b/Monitor/Pages/SetupPassword.cshtml.cs index 0d93fd6..54e75c9 100644 --- a/Monitor/Pages/SetupPassword.cshtml.cs +++ b/Monitor/Pages/SetupPassword.cshtml.cs @@ -20,7 +20,7 @@ namespace Monitor.Pages public void OnPost(string OldPassword, string Password, string PasswordConfirm) { base.PreInit(); - + ValidationMessage = "Test"; string encryptedOldPassword = null; if (OldPassword != null) @@ -29,11 +29,12 @@ namespace Monitor.Pages if (!Password.Equals(PasswordConfirm) || !encryptedOldPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword) && System.IO.File.Exists(System.IO.Directory.GetCurrentDirectory().Split("Monitor")[0] + "settings.secure.json")) { - Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "SetupPassword"); + ValidationMessage = "Old Password wrong or new Password does not match with confirmation"; } else if (ModelState.IsValid) { PTMagicConfiguration.WriteSecureSettings(Password); + ValidationMessage = ""; Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "Login"); } } @@ -41,11 +42,12 @@ namespace Monitor.Pages { if (!Password.Equals(PasswordConfirm) && !System.IO.File.Exists(System.IO.Directory.GetCurrentDirectory().Split("Monitor")[0] + "settings.secure.json")) { - Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "SetupPassword"); + ValidationMessage = "New Password does not match with confirmation"; } else if (ModelState.IsValid) { PTMagicConfiguration.WriteSecureSettings(Password); + ValidationMessage = ""; Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "Login"); } }
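Review bot: `ValidationMessage = "Test";` at the top of `OnPost` looks like a leftover debug value: on any path where neither branch overwrites it, for example when the password checks pass but `ModelState.IsValid` is false, the page shows the word "Test" to the user. Initialise it with `ValidationMessage = "";` and set a real message in an explicit `else` for the invalid-model case. The `ValidationMessage = "";` assignments before the redirect to Login then become unnecessary.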