public void Different_salt_produces_different_hash()
{
var salt1 = PasswordHasher.GenerateSalt();
var salt2 = PasswordHasher.GenerateSalt();
using (var sha256 = new SHA256CryptoServiceProvider())
{
var passwordHasher = new PasswordHasher(sha256);
string hash1 = passwordHasher.ComputeHash("foobar", salt1);
string hash2 = passwordHasher.ComputeHash("foobar", salt2);
Assert.AreNotEqual(hash1, hash2);
}
}
public IActionResult Register([FromBody] RegisterViewModel model)
{
if (model == null)
{
return(BadRequest("No parameters given."));
}
if (userService.GetByEmail(model.Email) != null)
{
return(BadRequest("Email already exists."));
}
var role = roleService.GetByName("ROLE_USER");
var user = mapper.Map(model, new User());
user.RoleId = role.Id;
user.Password = PasswordHasher.ComputeHash(model.Password, null);
if (!userService.Create(user))
{
return(Conflict("An error has occured! Could not register the user!"));
}
return(Ok());
}
public bool UpdatePassword(string username, string oldPassword, string newPassword)
{
var users = Repo.GetAll();
var userToChange = users.FirstOrDefault(x => x.UserName == username);
if (userToChange == null)
{
return(false);
}
var passwordMatch = PasswordHasher.VerifyPassword(oldPassword, userToChange.Salt, userToChange.Hash);
if (!passwordMatch)
{
throw new SecurityException("Incorrect password.");
}
var newSalt = PasswordHasher.GenerateSalt();
var newHash = PasswordHasher.ComputeHash(newPassword, newSalt);
userToChange.Hash = newHash;
userToChange.Salt = newSalt;
return(Repo.Update(userToChange));
}
public User AddUser(string username, string password)
{
IPasswordHasher passwordHasher = new PasswordHasher();
PasswordHash hash = passwordHasher.ComputeHash(password);
try
{
using (SqlConnection conn = new SqlConnection(connectionString))
{
conn.Open();
SqlCommand cmd = new SqlCommand("INSERT INTO users (username, password_hash, salt) VALUES (@username, @password_hash, @salt)", conn);
cmd.Parameters.AddWithValue("@username", username);
cmd.Parameters.AddWithValue("@password_hash", hash.Password);
cmd.Parameters.AddWithValue("@salt", hash.Salt);
cmd.ExecuteNonQuery();
cmd = new SqlCommand("SELECT @@IDENTITY", conn);
int userId = Convert.ToInt32(cmd.ExecuteScalar());
cmd = new SqlCommand("INSERT INTO accounts (user_id, balance) VALUES (@userid, @startBalance)", conn);
cmd.Parameters.AddWithValue("@userid", userId);
cmd.Parameters.AddWithValue("@startBalance", startingBalance);
cmd.ExecuteNonQuery();
}
}
catch (SqlException)
{
throw;
}
return(GetUser(username));
}
private void SeedEmployees(SoftCinemaContext context)
{
User employee1 = new User()
{
Username = "******",
PasswordHash = PasswordHasher.ComputeHash("123", PasswordHasher.Supported_HA.SHA512, null),
Email = "*****@*****.**",
Role = Role.Employee
};
User employee2 = new User()
{
Username = "******",
PasswordHash = PasswordHasher.ComputeHash("123", PasswordHasher.Supported_HA.SHA512, null),
Email = "*****@*****.**",
Role = Role.Employee
};
User employee3 = new User()
{
Username = "******",
PasswordHash = PasswordHasher.ComputeHash("123", PasswordHasher.Supported_HA.SHA512, null),
Email = "*****@*****.**",
Role = Role.Employee
};
context.Users.AddOrUpdate(u => u.Username, employee1, employee2, employee3);
context.SaveChanges();
}
public static bool UpdatePassword(string username, string oldPassword, string newPassword)
{
var repo = new UserRepository <UsersModel>(Db);
var users = repo.GetAll();
var userToChange = users.FirstOrDefault(x => x.UserName == username);
if (userToChange == null)
{
return(false);
}
var passwordMatch = PasswordHasher.VerifyPassword(oldPassword, userToChange.Salt, userToChange.Hash);
if (!passwordMatch)
{
throw new SecurityException("Password does not match");
}
var newSalt = PasswordHasher.GenerateSalt();
var newHash = PasswordHasher.ComputeHash(newPassword, newSalt);
userToChange.Hash = newHash;
userToChange.Salt = newSalt;
return(repo.Update(userToChange));
}
/// <summary>
/// Добавить пользователя.
/// </summary>
/// <param name="userModel">Данные о пользователе</param>
/// <returns>Идентификатор пользователя или -100, если пользователь уже существует</returns>
public long InsertUser(UserModel userModel)
{
// Преобразуем адрес электронной почты к строчным буквам
userModel.Email = userModel.Email.ToLower();
// Получаем данные о пользователе по адресу электронной почты
var user = GetUserByEmail(userModel.Email);
if (user != null) // Если пользователь найден
{
return(-100); // Возвращаем код -100
}
var now = DateTime.Now; // Берём текущуие дату и время
var salt = PasswordHasher.GenerateSalt(); // Генерируем модификатор пароля
// Вычисляем хэш-код пароля
var pwdHash = Convert.ToBase64String(PasswordHasher.ComputeHash(userModel.Password, salt));
userModel.CreationDate = now; // Задаём дату и время создания
userModel.ModificationDate = now; // Задаём дату и время изменения
// генерируем жетон проверки пользователя
userModel.ValidationToken = Guid.NewGuid().ToString();
// Преобразуем модификатор пароля в текстовый вид
userModel.PasswordSalt = Convert.ToBase64String(salt);
// Устанавливаем хэш пароля
userModel.Password = pwdHash;
// Добавляем пользователя в хранилище пользователей
var modelId = usersRepository.Insert(userModel);
// Подтверждаем Единицу работы
UnitOfWork.Commit();
// Возвращаем идентификатор созданного пользователя
return(modelId);
}
public User AddUser(string username, string password, string role)
{
IPasswordHasher passwordHasher = new PasswordHasher();
PasswordHash hash = passwordHasher.ComputeHash(password);
try
{
using (SqlConnection conn = new SqlConnection(connectionString))
{
conn.Open();
SqlCommand cmd = new SqlCommand("INSERT INTO users (username, password_hash, salt, user_role) VALUES (@username, @password_hash, @salt, @user_role)", conn);
cmd.Parameters.AddWithValue("@username", username);
cmd.Parameters.AddWithValue("@password_hash", hash.Password);
cmd.Parameters.AddWithValue("@salt", hash.Salt);
cmd.Parameters.AddWithValue("@user_role", role);
cmd.ExecuteNonQuery();
}
}
catch (SqlException)
{
throw;
}
return(GetUser(username));
}
public User AddUser(RegisterUser user)
{
IPasswordHasher passwordHasher = new PasswordHasher();
PasswordHash hash = passwordHasher.ComputeHash(user.Password);
try
{
using (SqlConnection conn = new SqlConnection(connectionString))
{
conn.Open();
SqlCommand cmd = new SqlCommand("INSERT INTO users (username, name, address, phone_number, contact_times, password_hash, salt, user_role) VALUES (@username, @name, @address, @phone_number, @contact_times, @password_hash, @salt, @user_role)", conn);
cmd.Parameters.AddWithValue("@username", user.Username);
cmd.Parameters.AddWithValue("@name", user.Name);
cmd.Parameters.AddWithValue("@address", user.Address);
cmd.Parameters.AddWithValue("@phone_number", user.Phone_Number);
cmd.Parameters.AddWithValue("@contact_times", user.Contact_Times);
cmd.Parameters.AddWithValue("@password_hash", hash.Password);
cmd.Parameters.AddWithValue("@salt", hash.Salt);
cmd.Parameters.AddWithValue("@user_role", user.Role);
cmd.ExecuteNonQuery();
}
}
catch (SqlException)
{
throw;
}
return(GetUser(user.Username));
}
public async Task <IActionResult> UpdateProfile(int id, [FromBody] UpdateUserProfileModel model)
{
if (id <= 0 || model is null)
{
return(BadRequest(new { Message = "Invalid client request" }));
}
if (!ModelState.IsValid)
{
return(BadRequest(new { Message = ModelState.Values.SelectMany(x => x.Errors) }));
}
try
{
var user = await this._userService.Get(id);
if (user == null)
{
return(NotFound(new { Message = "User not found" }));
}
user.Culture = model.Culture;
user.Firstname = model.Firstname;
user.Surname = model.Surname;
user.Timezone = model.Timezone;
if (!string.IsNullOrEmpty(model.Password) & !string.IsNullOrEmpty(model.NewPassword))
{
if (!PasswordHasher.VerifyHash(model.Password, user.Salt, user.PasswordHash))
{
return(BadRequest(new { Message = "Wrong current password" }));
}
var hash = PasswordHasher.ComputeHash(model.NewPassword);
user.PasswordHash = hash.Hash;
user.Salt = hash.Salt;
await _userService.Update(user);
return(Ok(new { Message = "User was updated" }));
}
await _userService.Update(user);
var links = HypermediaHelper.PutUserHypermediaLinks(this, id);
return(Ok(new
{
Message = "User updated",
Links = links
}));
}
catch (UserException exception)
{
return(BadRequest(new { exception.Message }));
}
catch (Exception)
{
return(StatusCode(500));
}
}
public User AddUser(string username, string password)
{
IPasswordHasher passwordHasher = new PasswordHasher();
PasswordHash hash = passwordHasher.ComputeHash(password);
try
{
using (SqlConnection conn = new SqlConnection(connectionString))
{
conn.Open();
SqlCommand cmd = new SqlCommand(sql_addUser, conn);
cmd.Parameters.AddWithValue("@username", username);
cmd.Parameters.AddWithValue("@password_hash", hash.Password);
cmd.Parameters.AddWithValue("@salt", hash.Salt);
cmd.ExecuteNonQuery();
}
}
catch (SqlException ex)
{
throw;
}
return(GetUser(username));
}
public long InsertUser(UserModel userModel)
{
userModel.Email = userModel.Email.ToLower();
var user = GetUserByEmail(userModel.Email);
if (user != null)
{
return(-100);
}
var now = DateTime.Now;
var salt = PasswordHasher.GenerateSalt();
var pwdHash = Convert.ToBase64String(PasswordHasher.ComputeHash(userModel.Password, salt));
userModel.CreationDate = now;
userModel.ModificationDate = now;
userModel.ValidationToken = Guid.NewGuid().ToString();
userModel.PasswordSalt = Convert.ToBase64String(salt);
userModel.Password = pwdHash;
var modelId = usersRepository.Insert(userModel);
UnitOfWork.Commit();
return(modelId);
}
public void HashProvider_ReturnsHashedPassword()
{
PasswordHasher hashProvider = new PasswordHasher();
var hashedPassword = hashProvider.ComputeHash("password123");
Assert.IsNotNull(hashedPassword.Salt);
Assert.AreNotEqual(hashedPassword.Password, "password123");
}
public static AccountModel ToAccountModel(this RegisterFormViewModel ViewModel)
{
AccountModel Model = new AccountModel();
Model = Mapper.Map <RegisterFormViewModel, AccountModel>(ViewModel);
Model.Salt = PasswordHasher.GenerateSalt();
Model.Password = PasswordHasher.ComputeHash(ViewModel.Password, Model.Salt);
return(Model);
}
public void ComputeHash_ShouldThrowWhenInvalidPassword(string password)
{
// Arrange
var sut = new PasswordHasher();
// Act
Func <string> act = () => sut.ComputeHash(password);
// Assert
act.Should().Throw <ArgumentException>();
}
private async void RegisterMethod()
{
string errors = null;
if (IsValid(ValidatesProperties, out errors))
{
Errors = errors;
var salt = PasswordHasher.GenerateSalt();
var hashedPassword = PasswordHasher.ComputeHash(Password, salt);
if (Password != ConfirmPassword)
{
Errors += "Password and Confirm password fields must match.\r\n";
return;
}
if (!_database.Users.Any(u => u.Login == Login))
{
var user = _database.Users.Add(new User
{
Login = Login,
Password = Convert.ToBase64String(hashedPassword),
Salt = Convert.ToBase64String(salt),
Name = FirstName,
Surname = LastName,
Birthday = DateTime.Parse(Birthday),
PositionId = Position.Id,
IsActive = true
});
await _database.SaveChangesAsync();
user.UserRoles.Add(new UserRole
{
RoleId = Constants.UserRole,
UserId = user.Id
});
await _database.SaveChangesAsync();
GoToLoginPageMethod();
}
else
{
Errors += "User with same login is already exists.\r\n";
}
}
else
{
Errors = errors;
}
Errors = Errors?.Trim();
}
/// <summary>
/// Saves the entity.
/// </summary>
/// <param name="entity">The entity.</param>
public override void SaveEntity(User entity)
{
if (entity.IsNew || string.IsNullOrEmpty(entity.Password) || !entity.Password.IsBase64())
{
AssertSpecification(entity, new UserHasValidPasswordSpec());
entity.Salt = PasswordHasher.GenerateSalt();
entity.Password = PasswordHasher.ComputeHash(entity.Password, entity.Salt);
}
base.SaveEntity(entity);
}
public void ComputeHash_ShouldComputeHash()
{
// Arrange
var sut = new PasswordHasher();
// Act
string hash = sut.ComputeHash("12345");
// Assert
hash.Should().NotBeNullOrEmpty();
}
public void TestHash()
{
var password = "******";
var salt = PasswordHasher.GenerateSalt();
var hash = PasswordHasher.ComputeHash(password, salt);
Assert.That(hash, Is.Not.EqualTo(password));
var match = PasswordHasher.VerifyPassword(password, salt, hash);
Assert.That(match, Is.True);
}
public HttpResponseMessage RegisterUser(AppUser user)
{
if (user == null)
{
throw new HttpResponseException(HttpStatusCode.Unauthorized);
}
user.HashedPassword = PasswordHasher.ComputeHash(user.password);
_appUserService.Create(user);
return(new HttpResponseMessage {
Content = new StringContent("User registered success"), StatusCode = HttpStatusCode.OK
});
}
private async void RegisterMethod()
{
string errors = null;
if (IsValid(ValidatesProperties, out errors))
{
Errors = errors;
var salt = PasswordHasher.GenerateSalt();
var password = RandomStringGenerator.GenerateRandomString(20, false);
var hashedPassword = PasswordHasher.ComputeHash(password, salt);
if (!_database.Users.Any(u => u.Login == Login))
{
var user = _database.Users.Add(new User
{
Login = Login,
Password = Convert.ToBase64String(hashedPassword),
Salt = Convert.ToBase64String(salt),
Name = FirstName,
Surname = LastName,
Birthday = DateTime.Parse(Birthday),
PositionId = Position.Id,
IsInitial = true,
DefaultPassword = password,
IsActive = true
});
await _database.SaveChangesAsync();
user.UserRoles.Add(new UserRole
{
RoleId = Role.Id,
UserId = user.Id
});
await _database.SaveChangesAsync();
}
else
{
Errors = "User with same login is already exists.\r\n";
}
await GetUsersMethod();
_eventAggregator.GetEvent <UpdateUserEvent>().Publish();
}
else
{
Errors = errors;
}
Errors = Errors?.Trim();
}
private async void ChangePasswordMethod()
{
if (IsValid(ValidatesProperties, out var errors))
{
if (NewPassword == ConfirmNewPassword)
{
Errors = string.Empty;
using (var _database = new ITManagerEntities())
{
var user = ShellViewModel.CurrentUser;
if (user != null)
{
var _user = _database.Users.Where(u => u.Id == user.Id).FirstOrDefault();
if (_user != null)
{
var salt = Convert.FromBase64String(user.Salt);
_user.Salt = Convert.ToBase64String(salt);
_user.IsInitial = false;
_user.Password = Convert.ToBase64String(PasswordHasher.ComputeHash(NewPassword, salt));
_user.DefaultPassword = null;
await _database.SaveChangesAsync();
if (user.UserRoles.Any(r => r.RoleId == Constants.AdministratorRole))
{
_navigationService.NavigateTo(Constants.RolesManagementView);
}
else if (user.UserRoles.Any(r => r.RoleId == Constants.ManagerRole))
{
_navigationService.NavigateTo(Constants.SearchView);
}
else if (user.UserRoles.Any(r => r.RoleId == Constants.UserRole))
{
_navigationService.NavigateTo(Constants.MyPersonalPageView);
}
_eventAggregator.GetEvent <CloseMenuEvent>().Publish(false);
}
}
}
}
else
{
Errors = "Passwords must match.";
}
}
else
{
Errors = errors;
}
Errors = Errors.Trim();
}
public void Register(AppUser user)
{
bool isLoginAvailable = Repository.Any(x => x.AppUsername.Equals(user.AppUsername)) == false;
if (isLoginAvailable == false)
{
throw new InvalidDataException("Cannot register user, the username already exists");
}
user.Password = PasswordHasher.ComputeHash(user.Password);
Repository.Add(user);
_unitOfWork.Commit();
}
public void Verify_ShouldNotVerifyInvalidPassword()
{
// Arrange
var sut = new PasswordHasher();
// Act
string hash = sut.ComputeHash("12345");
bool verified = sut.Verify(hash, "54321");
// Assert
verified.Should().BeFalse();
}
private void SeedAdmin(SoftCinemaContext context)
{
User admin = new User()
{
Username = "******",
PasswordHash = PasswordHasher.ComputeHash("Admin13", PasswordHasher.Supported_HA.SHA512, null),
Email = "*****@*****.**",
Role = Role.Admin,
PhoneNumber = "0878000000"
};
context.Users.AddOrUpdate(u => u.Username, admin);
context.SaveChanges();
}
public void Verify_ShouldVerifyComputedHash()
{
// Arrange
string password = "******";
var sut = new PasswordHasher();
// Act
string hash = sut.ComputeHash(password);
bool verified = sut.Verify(hash, password);
// Assert
verified.Should().BeTrue();
}
public void ComputerHash_produces_expected_hash()
{
var salt = new byte[1] {
1
};
using (var sha256 = new SHA256CryptoServiceProvider())
{
var passwordHasher = new PasswordHasher(sha256);
string hash = passwordHasher.ComputeHash("foobar", salt);
Assert.AreEqual("F0-39-42-EC-A4-82-7C-93-93-1F-EE-97-F1-17-47-9E-F4-74-C9-AA-A4-49-65-5D-DF-FB-48-88-6B-DE-58-AD", hash);
}
}
public bool IsUsernameAndPasswordValid(string userName, string password)
{
using (SqlConnection connection = new SqlConnection(connectionString))
{
connection.Open();
SqlCommand command = connection.CreateCommand();
command.CommandText = sql_IsUsernameAndPasswordValid;
command.Parameters.AddWithValue("@username", userName);
SqlDataReader reader = command.ExecuteReader();
if (reader.Read())
{
string storedPassword = (string)reader["password"];
string storedSalt = (string)reader["salt"];
string computedHash = passwordHasher.ComputeHash(password, Convert.FromBase64String(storedSalt));
return(computedHash.Equals(storedPassword));
}
return(false);
}
}
public static UserDto CreateUpdateUserModelToUserDto(CreateUpdateUserModel from)
{
var hashed = PasswordHasher.ComputeHash(from.Password);
return(new UserDto
{
Email = from.Email,
Surname = from.Surname,
Culture = from.Culture,
Firstname = from.Firstname,
Timezone = from.Timezone,
PasswordHash = hashed?.Hash,
UserName = from.UserName,
Salt = hashed?.Salt
});
}
public static Encrypted For(string PlainText)
{
var encrypted = new Encrypted();
try
{
encrypted.Salt = PasswordHasher.GenerateSalt();
encrypted.Hash = PasswordHasher.ComputeHash(PlainText, encrypted.Salt);
}
catch (Exception ex)
{
throw new EncryptedInvalidException(PlainText, ex);
}
return(encrypted);
}
