protected async Task <CheckPasswordStatus> ProcessDoesNotMatchAndReturnAsync(string uniqueIdentifier, PasswordLockMode lockMode, int failedAttemptCount)
        {
            _logger.LogDebug("Password does not match.");
            if (lockMode == PasswordLockMode.DoNotLock)
            {
                return(CheckPasswordStatus.Error(_localizer["Password was not correct."], CheckPasswordStatusCode.PasswordIncorrect));
            }

            var currentFailedAttemptCount = failedAttemptCount + 1;

            if (currentFailedAttemptCount >= _passwordlessLoginOptions.TempLockPasswordFailedAttemptCount)
            {
                var lockUntil = DateTime.UtcNow.AddMinutes(_passwordlessLoginOptions.TempLockPasswordMinutes);
                _logger.LogDebug("Locking password until {0} (UTC)", lockUntil);
                if (lockMode == PasswordLockMode.TrustedClient)
                {
                    // for sign in attempts from a trusted client, we reset the failure account when doing a temp
                    // lock so that the next failure after a lockout will not initiate another lockout period
                    currentFailedAttemptCount = 0;
                }
                await _passwordHashStore.UpdatePasswordHashTempLockAsync(uniqueIdentifier, lockUntil, currentFailedAttemptCount);

                return(CheckPasswordStatus.Error(_localizer["Password is temporarily locked."], CheckPasswordStatusCode.TemporarilyLocked));
            }
            else
            {
                _logger.LogDebug("Updating failed attempt count");
                await _passwordHashStore.UpdatePasswordHashFailureCountAsync(uniqueIdentifier, failedAttemptCount + 1);

                return(CheckPasswordStatus.Error(_localizer["Password was not correct."], CheckPasswordStatusCode.PasswordIncorrect));
            }
        }
        public async Task <CheckPasswordStatus> CheckPasswordAsync(string uniqueIdentifier, string password, PasswordLockMode lockMode)
        {
            _logger.LogDebug("Checking password for {0}", uniqueIdentifier);
            var response = await _passwordHashStore.GetPasswordHashAsync(uniqueIdentifier);

            if (response.HasError)
            {
                var status = new CheckPasswordStatus();
                status.Add(response.Status);
                status.StatusCode = CheckPasswordStatusCode.NotFound;
                return(status);
            }
            var hashInfo = response.Result;


            if (AccountIsLocked(lockMode, hashInfo.FailedAttemptCount, hashInfo.TempLockUntilUTC))
            {
                return(CheckPasswordStatus.Error(_localizer["Password is temporarily locked."], CheckPasswordStatusCode.TemporarilyLocked));
            }

            var checkHashResult = _passwordHashService.CheckPasswordHash(hashInfo.Hash, password);

            switch (checkHashResult)
            {
            case CheckPasswordHashResult.DoesNotMatch:
                return(await ProcessDoesNotMatchAndReturnAsync(uniqueIdentifier, lockMode, hashInfo.FailedAttemptCount));

            case CheckPasswordHashResult.MatchesNeedsRehash:
                return(await ProcessMatchesNeedsRehashAndReturnAsync(uniqueIdentifier, password));

            case CheckPasswordHashResult.Matches:
                return(await ProcessMatchesAndReturnAsync(uniqueIdentifier));

            default:
                // this should never happen
                return(CheckPasswordStatus.Error(_localizer["An unexpected error occurred."], CheckPasswordStatusCode.ServiceFailure));
            }
        }