Merge pull request #273 from JackTerok/develop

Some more Security Improvements

Core/Main/PTMagicConfiguration.cs

@@ -83,6 +83,25 @@ namespace Core.Main
       return result;
     }
 
+    public string GetProfitTrailerServerAPITokenMasked()
+    {
+      string result = "";
+
+      if (!this.GeneralSettings.Application.ProfitTrailerServerAPIToken.Equals(""))
+      {
+        result = this.GeneralSettings.Application.ProfitTrailerServerAPIToken.Substring(0, 4);
+
+        for (int i = 1; i < this.GeneralSettings.Application.ProfitTrailerServerAPIToken.Length - 8; i++)
+        {
+          result += "*";
+        }
+
+        result += this.GeneralSettings.Application.ProfitTrailerServerAPIToken.Substring(this.GeneralSettings.Application.ProfitTrailerServerAPIToken.Length - 4);
+      }
+
+      return result;
+    }
+
     public GeneralSettings GeneralSettings
     {
       get

Monitor/Pages/SettingsGeneral.cshtml

@@ -92,7 +92,7 @@
               <div class="form-group row">
                 <label class="col-md-4 col-form-label">Profit Trailer Server API Token <i class="fa fa-info-circle text-muted" data-toggle="tooltip" data-placement="top" title="The API token needed to communicate with Profit Trailer - set in Profit Trailer Server Settings"></i></label>
                 <div class="col-md-8">
-                  <input type="text" class="form-control" name="Application_ProfitTrailerServerAPIToken" value="@Model.PTMagicConfiguration.GeneralSettings.Application.ProfitTrailerServerAPIToken">
+                  <input type="text" class="form-control" name="Application_ProfitTrailerServerAPIToken" value="@Model.PTMagicConfiguration.GetProfitTrailerServerAPITokenMasked()">
                 </div>
               </div>
 

Monitor/Pages/SetupPassword.cshtml

@@ -14,29 +14,30 @@
     <h3 class="text-center"> <strong class="text-custom">PT Magic</strong> </h3>
     <p class="text-center">Setup your password.</p>
   </div>
-
   <div class="p-20">
     <form class="form-horizontal m-t-20" method="post">
-      <div class="form-group">
-        <div class="col-12">
-          <input name="Password" class="form-control" type="password" required="" placeholder="Password">
-        </div>
-      </div>
 
-      <div class="form-group">
+      @if (System.IO.File.Exists(System.IO.Directory.GetCurrentDirectory().Split("Monitor")[0] + "settings.secure.json"))
-        <div class="col-12">
+      {
-          <input name="PasswordConfirm" class="form-control" type="password" required="" compare="Password" placeholder="Confirm Password">
+        <div class="form-group">
+          <div class="col-12">
+            <input name="OldPassword" class="form-control" type="password" required="" placeholder="Old Password">
+          </div>
         </div>
-      </div>
-
-      @if (!Model.ValidationMessage.Equals("")) {
-      <div class="form-group">
-        <div class="text-danger m-l-10">
-          @Model.ValidationMessage
-        </div>
-      </div>
       }
 
+      <div class="form-group">
+        <div class="col-12">
+          <input name="Password" class="form-control" type="password" required="" placeholder="New Password">
+        </div>
+      </div>
+
+      <div class="form-group">
+        <div class="col-12">
+          <input name="PasswordConfirm" class="form-control" type="password" required="" compare="Password" placeholder="Confirm New Password">
+        </div>
+      </div>
+
       <div class="form-group text-center m-t-40">
         <div class="col-12">
           <button class="btn btn-ptmagic btn-block text-uppercase waves-effect waves-light" type="submit">
@@ -44,9 +45,12 @@
           </button>
         </div>
       </div>
-
+      <div class="form-group">
+        <div class="text-danger m-l-10">
+          @Model.ValidationMessage
+        </div>
+      </div>
     </form>
-
   </div>
 </div>
 

Monitor/Pages/SetupPassword.cshtml.cs

@@ -4,6 +4,7 @@ using Microsoft.AspNetCore.Http;
 using System.Threading.Tasks;
 using Newtonsoft.Json;
 using Core.Main;
+using Core.Helper;
 
 namespace Monitor.Pages
 {
@@ -16,19 +17,39 @@ namespace Monitor.Pages
       base.PreInit();
     }
 
-    public void OnPost(string password, string passwordConfirm)
+    public void OnPost(string OldPassword, string Password, string PasswordConfirm)
     {
-      if (!password.Equals(passwordConfirm))
+      base.PreInit();
+      ValidationMessage = "Test";
+      string encryptedOldPassword = null;
+
+      if (OldPassword != null)
       {
-        ValidationMessage = "Password does not match the confirmation!";
+          encryptedOldPassword = EncryptionHelper.Encrypt(OldPassword);
+
+          if (!Password.Equals(PasswordConfirm) || !encryptedOldPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword) && System.IO.File.Exists(System.IO.Directory.GetCurrentDirectory().Split("Monitor")[0] + "settings.secure.json"))
+          {
+            ValidationMessage = "Old Password wrong or new Password does not match with confirmation";
+          }
+          else if (ModelState.IsValid)
+          {
+            PTMagicConfiguration.WriteSecureSettings(Password);
+            ValidationMessage = "";
+            Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "Login");
+          }
       }
-
+      else
-      if (ModelState.IsValid)
       {
-        base.PreInit();
+          if (!Password.Equals(PasswordConfirm) && !System.IO.File.Exists(System.IO.Directory.GetCurrentDirectory().Split("Monitor")[0] + "settings.secure.json"))
-        PTMagicConfiguration.WriteSecureSettings(password);
+          {
-
+            ValidationMessage = "New Password does not match with confirmation";
-        Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "Login");
+          }
+          else if (ModelState.IsValid)
+          {
+            PTMagicConfiguration.WriteSecureSettings(Password);
+            ValidationMessage = "";
+            Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "Login");
+          }
       }
     }