/// <summary> /// Mets à jour un utilisateur avec un nouveau mot de passe. /// </summary> /// <param name="id">L'id de l'utilisateur à mettre à jour.</param> /// <param name="clearPassword">Le mot de passe en clair, avant encryption.</param> /// <returns>Le résultat de la mise à jour.</returns> public ReplaceOneResult UpdatePassword(Guid id, string clearPassword) { User user = this.Get(id); string hashedPassword = CryptographicHelper.GetHash(clearPassword, this.appSettings.Security.HashSalt); user.Password = hashedPassword; return(this.Update(user)); }
/// <summary> /// Crée un <see cref="UserPasswordResetToken"/>, avec gestion du hashage en base. /// </summary> /// <param name="elm">Le <see cref="UserPasswordResetToken"/> à créer.</param> /// <returns>L'élément créé.</returns> public override UserPasswordResetToken Create(UserPasswordResetToken elm) { // We are using a hash function for storing reset password token for security reasons. // Basically it makes it more difficult for an attacker with a read access to the database to gain access to the user account. // See https://security.stackexchange.com/questions/86913/should-password-reset-tokens-be-hashed-when-stored-in-a-database for more info. string hash = CryptographicHelper.GetHash(elm?.Token); elm.Token = hash; return(base.Create(elm)); }
/// <summary> /// Crée un <see cref="User"/>. /// </summary> /// <param name="elm">Les données de le <see cref="User"/> a créé.</param> /// <returns>L'utilisateur créé.</returns> public override User Create(User elm) { if (elm == null) { throw new ArgumentNullException(nameof(elm)); } string hashedPassword = CryptographicHelper.GetHash(elm.Password, this.appSettings.Security.HashSalt); elm.Password = hashedPassword; return(base.Create(elm)); }
/// <summary> /// Obtient un <see cref="UserPasswordResetToken"/>, basé sur la valeur du token. /// Notez que le token est hashé avant d'être comparé en base. /// </summary> /// <param name="token">La valeur du token à rechercher.</param> /// <returns>Le <see cref="UserPasswordResetToken"/>, si trouvé.</returns> public UserPasswordResetToken GetByToken(string token) { if (string.IsNullOrEmpty(token)) { throw new ArgumentNullException(nameof(token)); } // We are using a hash function for storing reset password token for security reasons. // Basically it makes it more difficult for an attacker with a read access to the database to gain access to the user account. // See https://security.stackexchange.com/questions/86913/should-password-reset-tokens-be-hashed-when-stored-in-a-database for more info. string hash = CryptographicHelper.GetHash(token); return(this.Entities.Find(elm => elm.Token == hash).FirstOrDefault()); }
/// <summary> /// Authentifie un <see cref="User"/>, basé sur le <see cref="UserAuthenticateModel"/> fourni. /// </summary> /// <param name="model">Le <see cref="UserAuthenticateModel"/> à utiliser pour authentifier l'<see cref="Utilisateur"/>.</param> /// <returns>L'<see cref="User">Utilisateur</see> authentifié.</returns> public User Authenticate(UserAuthenticateModel model) { if (model == null) { throw new ArgumentNullException(nameof(model)); } string hashedPassword = CryptographicHelper.GetHash(model.Password, this.appSettings.Security.HashSalt); User user = this.Entities.Find(x => x.Username == model.Username && x.Password == hashedPassword).FirstOrDefault(); if (user == null) { return(null); } else { if (user.Active == false) { // Account is not active. return(null); } // Generation du token JWT. var tokenHandler = new JwtSecurityTokenHandler(); var key = Encoding.ASCII.GetBytes(this.appSettings.Security.JWT.Secret); var tokenDescriptor = new SecurityTokenDescriptor { Subject = new ClaimsIdentity(new Claim[] { new Claim(ClaimTypes.Name, user.Id.ToString()), new Claim(ClaimTypes.Email, user.Email.ToString(CultureInfo.InvariantCulture)), }), Expires = DateTime.UtcNow.AddDays(this.appSettings.Security.JWT.DurationInDays), SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature), }; SecurityToken token = tokenHandler.CreateToken(tokenDescriptor); user.Token = tokenHandler.WriteToken(token); return(user.WithoutPassword()); } }