Freshdesk c# sso /w timestamp
    // Requires: using System; using System.Text; using System.Security.Cryptography; using System.Web.Mvc;
    public ActionResult HelpLogin()
    {
        // Shared secret from the portal's SSO settings (the gist uses a placeholder value).
        const string key = "abcdefghijklmnopqrtuvwxyz";
        const string pathTemplate = "http://demo.freshdesk.com/login/sso?name={0}&email={1}&timestamp={2}&hash={3}";
        var username = UserHelper.CurrentUser.UserName;
        var email = UserHelper.CurrentUser.Email;
        // Unix epoch time in seconds (despite the variable name, not milliseconds).
        // TotalSeconds is a double, so the string carries a fractional part.
        string timems = (DateTime.UtcNow - new DateTime(1970, 1, 1)).TotalSeconds.ToString();
        var hash = GetHash(key, username, email, timems);
        // Name and email are URL-encoded; the timestamp and hex hash contain only URL-safe characters.
        var path = String.Format(pathTemplate, Server.UrlEncode(username), Server.UrlEncode(email), timems, hash);
        return Redirect(path);
    }

    private static string GetHash(string secret, string name, string email, string timems)
    {
        // Message that is authenticated: the concatenated name, email and timestamp.
        string input = name + email + timems;
        var keybytes = Encoding.Default.GetBytes(secret);
        var inputBytes = Encoding.Default.GetBytes(input);
        var crypto = new HMACMD5(keybytes);
        byte[] hash = crypto.ComputeHash(inputBytes);
        // Render the 16-byte MAC as 32 lowercase hex characters.
        StringBuilder sb = new StringBuilder();
        foreach (byte b in hash)
        {
            string hexValue = b.ToString("X").ToLower(); // Lowercase for compatibility on case-sensitive systems
            sb.Append((hexValue.Length == 1 ? "0" : "") + hexValue);
        }
        return sb.ToString();
    }
@ninjacarr

ninjacarr commented Feb 24, 2016

The GetHash function should use Encoding.UTF8 instead of Encoding.Default. This will prevent hash mismatches when dealing with special characters in usernames or email addresses.

@SandeshSarfare

SandeshSarfare commented Mar 1, 2016

How do I set the remote login URL dynamically through code... for example, if it's abc.com then abc.support.com

@kirandarisi

kirandarisi commented Apr 26, 2016

You should be using `string input = name + secret + email + timems` for the security fix specified.

@42degrees

42degrees commented Apr 28, 2016

@kirandarisi That's how I read it as well. Freshdesk also has another example which has yet another order to the parameters in the package. And there are similar comments on that one, as well as people complaining that the new format has issues with the timestamps. It's going to be an interesting couple of days as this all breaks.

Edit: The question about timestamp is answered by this gist, but the point of the issue, that the timestamp epoch requirement is not well defined, is still relevant.

@42degrees

42degrees commented Apr 28, 2016

Some other comments on the code.

You are using the "X" as a format string for ToString() and then you are calling ToLower() when you could have just used "x" to get the lower-case hexadecimal value.

You are also then creating a leading zero in the loop, when you could have just used a format string "x2" (hexadecimal padded with leading zeroes to a minimum length of 2).

Here is some updated code (also adding the new hash requirement):

    // Requires: using System.Linq; using System.Text; using System.Security.Cryptography;
    private static string GetHash(string secret, string name, string email, string timems)
    {
        // Updated input order: the secret is now part of the authenticated message as well as the key.
        var input = name + secret + email + timems;
        // Encoding.Default kept as posted; see the Encoding.UTF8 note above.
        var keybytes = Encoding.Default.GetBytes(secret);
        var inputBytes = Encoding.Default.GetBytes(input);

        using (var crypto = new HMACMD5(keybytes))
        {
            var hash = crypto.ComputeHash(inputBytes);

            // "x2": lowercase hex, zero-padded to two characters per byte.
            return hash.Select(b => b.ToString("x2"))
                       .Aggregate(new StringBuilder(),
                                  (current, next) => current.Append(next),
                                  current => current.ToString());
        }
    }
@kirandarisi

kirandarisi commented May 4, 2016

@42degrees Code looks good. Can you please update the code? I work at Freshdesk; a couple of our KB articles are referring to this gist. It would be great if you can change them.

@42degrees

42degrees commented May 4, 2016

@kirandarisi, I wish there was a way for me to change this gist, but gist.github doesn't allow pull requests; the only choice is to fork it, which @darkpssngr has already done (using my code sample and others).

darkpssngr's fork: https://gist.github.com/darkpssngr/726162ed0bd67ffdd616370c65a17e68
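The hash the thread is discussing, plus the checks a receiving side should make on it, as an added example that is not the gist's code and not Freshdesk's own implementation. It is in Python rather than C# so it runs stand-alone; it assumes the `name + secret + email + timestamp` order from the updated snippet, whole-second Unix timestamps, and a constructed secret and portal URL, and it shows why ninjacarr's point about `Encoding.Default` matters.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values: not a real portal and not a real shared secret.
SSO_BASE = "https://demo.example.invalid/login/sso"
SECRET = "example-shared-secret"

def freshdesk_sso_hash(secret, name, email, timestamp, encoding="utf-8"):
    """HMAC-MD5 over name + secret + email + timestamp (the updated order in the
    thread) as lowercase hex, i.e. what the C# "x2" loop produces. The encoding
    parameter is only here to demonstrate the Encoding.Default pitfall."""
    key = secret.encode(encoding)
    msg = (name + secret + email + timestamp).encode(encoding)
    return hmac.new(key, msg, hashlib.md5).hexdigest()

def build_sso_url(secret, name, email, now=None):
    """Portal side. Assumes whole Unix seconds; the gist sends TotalSeconds with
    a fractional part, which the thread notes is not well defined."""
    ts = str(int(time.time() if now is None else now))
    params = {"name": name, "email": email, "timestamp": ts,
              "hash": freshdesk_sso_hash(secret, name, email, ts)}
    return SSO_BASE + "?" + urlencode(params)  # same role as Server.UrlEncode

def parse_sso_url(url):
    """Receiving side: extract the four SSO query parameters."""
    qs = parse_qs(urlsplit(url).query)
    return {k: qs[k][0] for k in ("name", "email", "timestamp", "hash") if k in qs}

def verify_sso(secret, params, now, max_age=300):
    """Receiving side: reject malformed or stale timestamps first (limits replay),
    then recompute the HMAC and compare in constant time. Returns (ok, reason)."""
    try:
        ts = int(params["timestamp"])
    except (KeyError, ValueError):
        return False, "bad-timestamp"
    if abs(int(now) - ts) > max_age:
        return False, "stale"
    try:
        expected = freshdesk_sso_hash(secret, params["name"], params["email"], params["timestamp"])
    except KeyError:
        return False, "missing-parameter"
    presented = params.get("hash", "").lower().encode("ascii", "replace")
    if not hmac.compare_digest(expected.encode("ascii"), presented):
        return False, "bad-hash"
    return True, "ok"
```

The two `freshdesk_sso_hash` calls with `"utf-8"` and `"cp1252"` give different digests for a name containing `ü` but the same digest for plain ASCII, which is exactly the intermittent mismatch a system-codepage `Encoding.Default` produces.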
