public UserResult UpdatePassword(string username, string existingPassword, string newPassword)
{
Contract.Requires <ArgumentException>(!string.IsNullOrWhiteSpace(username));
Contract.Requires <ArgumentException>(!string.IsNullOrWhiteSpace(existingPassword));
Contract.Requires <ArgumentException>(!string.IsNullOrWhiteSpace(newPassword));
UserResult result;
var userCredentials = GetUserCredentials(username);
if (userCredentials == null)
{
// User does not exist
result = new UserResult(false);
return(result);
}
var isPasswordMatch = IsPasswordMatch(userCredentials, existingPassword);
if (!isPasswordMatch)
{
result = new UserResult(false);
result.AddValidationMessage(string.Empty, _stringLocalizer.GetString("ExistingPasswordIncorrect"));
}
throw new NotImplementedException();
}
public UserResult ValidatePassword(string username, string password)
{
Contract.Requires <ArgumentException>(!string.IsNullOrWhiteSpace(username));
Contract.Requires(!string.IsNullOrWhiteSpace(password)); // Intentionally no exception
UserResult result;
if (string.IsNullOrWhiteSpace(password))
{
result = new UserResult(false);
result.AddValidationMessage(string.Empty, _stringLocalizer.GetString("UsernamePasswordIncorrect"));
return(result);
}
var userCredentials = GetUserCredentials(username);
if (userCredentials == null)
{
// User does not exist
result = new UserResult(false);
result.AddValidationMessage(string.Empty, _stringLocalizer.GetString("UsernamePasswordIncorrect"));
return(result);
}
var isPasswordMatch = IsPasswordMatch(userCredentials, password);
if (isPasswordMatch)
{
return(new UserResult(true));
}
result = new UserResult(false);
result.AddValidationMessage(string.Empty, _stringLocalizer.GetString("UsernamePasswordIncorrect"));
return(result);
}
public UserResult CreateUser(string userName, string displayName, string emailAddress, string password, string twitterUserName)
{
Contract.Requires <ArgumentException>(!string.IsNullOrWhiteSpace(userName));
Contract.Requires <ArgumentException>(!string.IsNullOrWhiteSpace(displayName));
Contract.Requires <ArgumentException>(!string.IsNullOrWhiteSpace(emailAddress));
Contract.Requires <ArgumentException>(!string.IsNullOrWhiteSpace(password));
var userNameExistsCommand = new SqlCommand("security.UserNameExists")
{
CommandType = CommandType.StoredProcedure,
Connection = _securitySqlConnectionWrapper.SqlConnection
};
userNameExistsCommand.Parameters.AddWithValue("userName", userName);
var userNameExists = Convert.ToBoolean(userNameExistsCommand.ExecuteScalar());
var emailAddressExistsCommand = new SqlCommand("security.EmailAddressExists")
{
CommandType = CommandType.StoredProcedure,
Connection = _securitySqlConnectionWrapper.SqlConnection
};
emailAddressExistsCommand.Parameters.AddWithValue("emailAddress", emailAddress);
var emailExists = Convert.ToBoolean(emailAddressExistsCommand.ExecuteScalar());
if (userNameExists || emailExists)
{
var result = new UserResult(false);
if (userNameExists)
{
result.AddValidationMessage("UserName", _stringLocalizer.GetString("UsernameInUse"));
}
if (emailExists)
{
result.AddValidationMessage("EmailAddress", _stringLocalizer.GetString("EmailAddressInUse"));
// Nb - This is proof of concept code, production systems should probably include email
// validation as part of the process and email the address provided to state the address
// is already in use to prevent enumeration attacks.
}
return(result);
}
var defaultIdentityVersionCommand = new SqlCommand("security.GetDefaultIdentityVersion")
{
CommandType = CommandType.StoredProcedure,
Connection = _securitySqlConnectionWrapper.SqlConnection
};
var identityId = 1;
var hashIterations = 2500;
using (var defaultIdentityVersion = defaultIdentityVersionCommand.ExecuteReader())
{
if (defaultIdentityVersion.Read())
{
var identityVersionIndex = defaultIdentityVersion.GetOrdinal("IdentityVersion");
identityId = defaultIdentityVersion.GetInt32(identityVersionIndex);
var hashIterationsIndex = defaultIdentityVersion.GetOrdinal("HashIterations");
hashIterations = defaultIdentityVersion.GetInt32(hashIterationsIndex);
}
}
var salt = UserExtensions.GenerateSalt();
var passwordHash = UserExtensions.HashPassword(Encoding.UTF8.GetBytes(password), salt, hashIterations);
var createUserCommand = new SqlCommand("security.CreateUser")
{
CommandType = CommandType.StoredProcedure,
Connection = _securitySqlConnectionWrapper.SqlConnection
};
createUserCommand.Parameters.AddWithValue("userName", userName);
createUserCommand.Parameters.AddWithValue("displayName", displayName);
createUserCommand.Parameters.AddWithValue("emailAddress", emailAddress);
createUserCommand.Parameters.AddWithValue("passwordHash", Convert.ToBase64String(passwordHash));
createUserCommand.Parameters.AddWithValue("passwordSalt", Convert.ToBase64String(salt));
createUserCommand.Parameters.AddWithValue("twitterUserName", twitterUserName);
createUserCommand.Parameters.AddWithValue("userIdentityVersion", identityId);
createUserCommand.ExecuteNonQuery();
return(new UserResult(true));
}
