コード例 #1
        /// <summary>
        /// Looks the user up over the bus by username and password hash and, when a user record
        /// comes back, issues a signed JWT naming that user.
        /// </summary>
        /// <param name="username">Login name supplied by the caller.</param>
        /// <param name="password">Clear-text password; only its hash is placed in the lookup request.</param>
        /// <returns>The serialized JWT, expiring seven days after it is issued.</returns>
        /// <exception cref="AuthService.Exceptions.LoginException">
        /// Thrown when the lookup returns no user or a user without UserInfo. The same message is used
        /// for every failure, so the caller cannot tell an unknown username from a wrong password.
        /// </exception>
        public async Task <string> Authenticate(string username, string password)
        {
            // NOTE(review): CryptoAlgorithms.SHA256 is not visible here. If it is a single unsalted
            // SHA-256 pass, the stored hashes are cheap to guess offline once the user store leaks;
            // a salted, iterated KDF is the usual replacement, and it would have to change together
            // with registration and the lookup on the other side of the bus.
            var lookup = new GetUserRequest
            {
                Username     = username,
                PasswordHash = CryptoAlgorithms.SHA256(password)
            };
            var user = await _busService.SendGetUserRequest(lookup);

            // No user (or no user info) for this username/hash pair: reject the login.
            bool found = user != null && user.UserInfo != null;
            if (!found)
            {
                throw new AuthService.Exceptions.LoginException("Username or password is incorrect");
            }

            // Credentials matched, so build and sign the token.
            var jwtHandler = new JwtSecurityTokenHandler();

            // Encoding.ASCII turns every non-ASCII character into '?', so a secret containing such
            // characters ends up with less key material than it appears to have.
            byte[] signingKeyBytes = Encoding.ASCII.GetBytes(_appSettings.Secret);

            // The only claim is the user id; no issuer or audience is set on the descriptor.
            var identity = new ClaimsIdentity(new Claim[]
            {
                new Claim(ClaimTypes.Name, user.UserInfo.UserId.ToString())
            });

            // Seven-day lifetime. Nothing in this method provides a way to revoke a token earlier.
            DateTime expiresAt = DateTime.UtcNow.AddDays(7);

            var credentials = new SigningCredentials(new SymmetricSecurityKey(signingKeyBytes), SecurityAlgorithms.HmacSha256Signature);

            var descriptor = new SecurityTokenDescriptor
            {
                Subject            = identity,
                Expires            = expiresAt,
                SigningCredentials = credentials
            };

            var jwt = jwtHandler.CreateToken(descriptor);
            return jwtHandler.WriteToken(jwt);
        }
コード例 #2
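        /// <summary>
        /// Registers a new user: checks over the bus that the username is not already in use, then
        /// sends an add-user request carrying a freshly generated user id and the password hash.
        /// </summary>
        /// <param name="firstName">Given name stored on the new user record.</param>
        /// <param name="lastName">Family name stored on the new user record.</param>
        /// <param name="username">Login name; must not already belong to an existing user.</param>
        /// <param name="password">Clear-text password; only its hash is sent to the user store.</param>
        /// <returns>The response returned by the add-user request.</returns>
        /// <exception cref="AuthService.Exceptions.RegisterException">
        /// Thrown when the lookup returns user info for <paramref name="username"/>.
        /// </exception>
        public async Task <GetUserResponse> Register(string firstName, string lastName, string username, string password)
        {
            var user = await _busService.SendGetUserRequest(new Shared.GetUserRequest
            {
                Username = username
            });

            // The lookup response itself may be null; dereferencing it unguarded would surface as a
            // NullReferenceException instead of a registration result. A null response is read the
            // same way as a response without UserInfo: the username is not known.
            if (user != null && user.UserInfo != null)
            {
                throw new AuthService.Exceptions.RegisterException("Provided email address is taken");
            }

            // NOTE(review): this check and the add below are two separate bus calls, so two
            // concurrent registrations for one username can both pass the check. Uniqueness has to
            // be enforced where the user is stored; that code is not visible here.

            // NOTE(review): CryptoAlgorithms.SHA256 is not visible here. If it is a single unsalted
            // SHA-256 pass, stored hashes are cheap to guess offline; a salted, iterated KDF is the
            // usual replacement and must be changed together with the login path.
            var newUser = new UserInfo
            {
                UserId       = Guid.NewGuid().ToString(),
                FirstName    = firstName,
                LastName     = lastName,
                Username     = username,
                PasswordHash = CryptoAlgorithms.SHA256(password)
            };

            user = await _busService.SendAddUserRequest(newUser);

            return(user);
        }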
コード例 #3
        /// <summary>
        /// Computes a SHA-256 digest over the pair (target, argument) and returns its first
        /// HASH_SIZE_IN_BYTES bytes.
        /// </summary>
        /// <param name="target">First string of the pair; null is sized the same as empty.</param>
        /// <param name="argument">Second string of the pair; null is sized the same as empty.</param>
        /// <returns>A new array of HASH_SIZE_IN_BYTES bytes taken from the start of the digest.</returns>
        private static byte[] Hash(string target, string argument)
        {
            // An earlier version went through MemoryStream and BinaryWriter. That cost measurable
            // time because Event Validation code might run in a tight loop, so the input buffer is
            // assembled by hand instead.

            // null and empty strings are treated equally: both contribute zero characters
            int targetChars = 0;
            if (target != null)
            {
                targetChars = target.Length;
            }

            int argumentChars = 0;
            if (argument != null)
            {
                argumentChars = argument.Length;
            }

            // Per string: 4 bytes of length prefix + (2 * length) bytes of UTF-16 payload.
            // The length prefixes are what keep ("ab", "c") and ("a", "bc") from producing the same
            // input; the actual writing is done by CopyStringToBuffer, which is not shown here.
            int payloadBytes = (targetChars + argumentChars) * 2;
            byte[] input = new byte[8 + payloadBytes];

            // write both strings, advancing the shared offset
            int writeOffset = 0;
            CopyStringToBuffer(target, input, ref writeOffset);
            CopyStringToBuffer(argument, input, ref writeOffset);
            Debug.Assert(writeOffset == input.Length, "Should have populated the entire buffer.");

            // hash the assembled buffer
            byte[] digest;
            using (SHA256 sha256 = CryptoAlgorithms.CreateSHA256())
            {
                digest = sha256.ComputeHash(input);
            }

            // Keep only the leading bytes. SHA spreads entropy evenly over its output, so dropping
            // the tail is the simplest way to shorten it; collision resistance is then bounded by
            // the truncated length. The digest is unkeyed, so it offers no tamper protection of its
            // own.
            byte[] shortened = new byte[HASH_SIZE_IN_BYTES];
            Array.Copy(digest, 0, shortened, 0, HASH_SIZE_IN_BYTES);
            return shortened;
        }
コード例 #4
        /// <summary>
        /// Hashes the UTF-8 bytes of <paramref name="password"/> with the algorithm named by
        /// <paramref name="passwordFormat"/> and returns the digest as formatted by
        /// CryptoUtil.BinaryToHex.
        /// </summary>
        /// <param name="password">Clear-text password to hash.</param>
        /// <param name="passwordFormat">Algorithm name, compared case-insensitively: "sha1" or "md5".</param>
        /// <returns>The encoded digest string.</returns>
        /// <exception cref="ArgumentNullException">Either argument is null.</exception>
        /// <exception cref="ArgumentException"><paramref name="passwordFormat"/> is neither "sha1" nor "md5".</exception>
        /// <remarks>
        /// Both supported formats are a single unsalted pass of a fast hash (SHA-1 or MD5). Equal
        /// passwords produce equal output and offline guessing is cheap, so the result should be
        /// handled as weakly protected; a salted, iterated KDF is the usual choice for new
        /// credential storage.
        /// </remarks>
        public static String HashPasswordForStoringInConfigFile(String password, String passwordFormat)
        {
            // argument validation, in the same order as the parameters
            if (password == null)
                throw new ArgumentNullException("password");

            if (passwordFormat == null)
                throw new ArgumentNullException("passwordFormat");

            // resolve the requested format; only two names are recognised
            bool useSha1 = StringUtil.EqualsIgnoreCase(passwordFormat, "sha1");
            bool useMd5  = !useSha1 && StringUtil.EqualsIgnoreCase(passwordFormat, "md5");

            if (!useSha1 && !useMd5)
                throw new ArgumentException(SR.GetString(SR.InvalidArgumentValue, "passwordFormat"));

            using (HashAlgorithm hasher = useSha1
                       ? (HashAlgorithm)CryptoAlgorithms.CreateSHA1()
                       : (HashAlgorithm)CryptoAlgorithms.CreateMD5())
            {
                byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
                byte[] digest        = hasher.ComputeHash(passwordBytes);
                return CryptoUtil.BinaryToHex(digest);
            }
        }
コード例 #5
        /////////////////////////////////////////////////////////////////////////////////
        /////////////////////////////////////////////////////////////////////////////////
        /////////////////////////////////////////////////////////////////////////////////
        /// <summary>
        /// Returns the Base64 text of SHA-1 computed over the salt bytes followed by the UTF-16
        /// (Encoding.Unicode) bytes of the password.
        /// </summary>
        /// <param name="password">Clear-text password.</param>
        /// <param name="salt">Salt bytes placed in front of the password bytes.</param>
        /// <returns>Base64 encoding of the SHA-1 digest.</returns>
        /// <remarks>
        /// This is one pass of a fast hash. The salt keeps equal passwords from producing equal
        /// output, but it does not slow down offline guessing against a leaked store.
        /// </remarks>
        private static string EncodePassword(string password, byte[] salt)
        {
            byte[] passwordBytes = Encoding.Unicode.GetBytes(password);

            // hash input = salt || password bytes
            byte[] salted = new byte[salt.Length + passwordBytes.Length];
            Buffer.BlockCopy(salt, 0, salted, 0, salt.Length);
            Buffer.BlockCopy(passwordBytes, 0, salted, salt.Length, passwordBytes.Length);

            byte[] digest = null;
            // SHA1 is forbidden for *new* code, but this is an existing feature that could not be
            // changed without locking users out of their existing membership databases.
            // Upgrading this to a stronger algorithm is tracked in DevDiv #286797.
#pragma warning disable 618 // [Obsolete] warning
            using (SHA1 sha1 = CryptoAlgorithms.CreateSHA1())
            {
                digest = sha1.ComputeHash(salted);
            }
#pragma warning restore 618
            return Convert.ToBase64String(digest);
        }