// obviously when displaying the result to the user you should not differentiate
// between wrong username and wrong password!!!
public LoginResult Login(string username, string password, int limitSeconds = 0, int limit = 0)
{
username = username.ToLower();
if (limitSeconds > 0)
{
_rateMeasureService.Increment(username);
if (!_rateMeasureService.InsideLimit(username, limitSeconds, limit))
{
return(LoginResult.ReachedRateLimit);
}
}
var credential = _credentialRepository.GetStoredCredential(username);
if (credential == null)
{
return(LoginResult.UserDoesNotExist);
}
var hashedPassword = Hasher.Sha256(password);
if (!credential.HashedPassword.Equals(hashedPassword))
{
return(LoginResult.WrongPassword);
}
return(LoginResult.Success);
}
