Freshdesk c# sso /w timestamp

gistfile1.cs

public ActionResult HelpLogin()
{
	const string key = "abcdefghijklmnopqrtuvwxyz";
	const string pathTemplate = "http://demo.freshdesk.com/login/sso?name={0}&email={1}&timestamp={2}&hash={3}";

	var username = UserHelper.CurrentUser.UserName;
	var email = UserHelper.CurrentUser.Email;
	
	string timems = (DateTime.UtcNow - new DateTime(1970, 1, 1)).TotalSeconds.ToString();
	var hash = GetHash(key, username, email, timems);
	var path = String.Format(pathTemplate, Server.UrlEncode(username), Server.UrlEncode(email), timems, hash);

	return Redirect(path);
}

private static string GetHash(string secret, string name, string email, string timems)
{
	string input = name + email + timems;
	var keybytes = Encoding.Default.GetBytes(secret);
	var inputBytes = Encoding.Default.GetBytes(input);

	var crypto = new HMACMD5(keybytes);
	byte[] hash = crypto.ComputeHash(inputBytes);

	StringBuilder sb = new StringBuilder();
	foreach (byte b in hash)
	{
		string hexValue = b.ToString("X").ToLower(); // Lowercase for compatibility on case-sensitive systems
		sb.Append((hexValue.Length == 1 ? "0" : "") + hexValue);
	}
	return sb.ToString();
}

The GetHash function should use Encoding.UTF8 instead of Encoding.Default. This will prevent hash mismatches when dealing with special characters in usernames or email addresses.

How do I set remote login url dynamically through code....for example if its abc.com then abc.support.com

You should be using string input = name + secret + email + timems for the security fix specified.

@kirandarisi That's how I read it as well. Freshdesk also has another example which has yet another order to the parameters in the package. And there are similar comments on that one as well as well as people complaining that the new format has issues with the timestamps. It's going to be an interesting couple of days as this all breaks.

Edit: The question about timestamp is answered by this gist, but the point of the issue, that the timestamp epoch requirement is not well defined, is still relevant.

Some other comments on the code.

You are using the "X" as a format string for ToString() and then you are calling ToLower() when you could have just used "x" to get the lower-case hexadecimal value.

You are also then creating a leading zero in the loop, when you could have just used a format string "x2" (hexadecimal padded with leading zeroes to a minimum length of 2).

Here is some updated code (also adding the new hash requirement):

    private static string GetHash(string secret, string name, string email, string timems)
    {
        var input = name + secret + email + timems;
        var keybytes = Encoding.Default.GetBytes(secret);
        var inputBytes = Encoding.Default.GetBytes(input);

        var crypto = new HMACMD5(keybytes);
        var hash = crypto.ComputeHash(inputBytes);

        return hash.Select(b => b.ToString("x2"))
                   .Aggregate(new StringBuilder(), 
                              (current, next) => current.Append(next),
                              current => current.ToString());
    }

@42degrees Code looks good. Can you please update the code. I work @ Freshdesk couple of our KB articles are referring to this gist. It would be great if you can change them.

@kirandarisi, I wish there was a way for me to change this gist but gist.github doesn't allow pull requests, the only choice is to fork it, which @darkpssngr has already done (using my code sample and others).

darkpssngr's fork: https://gist.github.com/darkpssngr/726162ed0bd67ffdd616370c65a17e68