/// <summary>
/// Looks the user up through the bus service by username and password digest and,
/// when a user record comes back, issues a signed JWT for that user.
/// </summary>
/// <param name="username">Login name placed in the lookup request.</param>
/// <param name="password">Plain-text password; only the output of CryptoAlgorithms.SHA256 is sent with the lookup.</param>
/// <returns>
/// The serialized JWT. Its name claim carries the user's id, it expires seven days
/// after issue, and it is signed with HMAC-SHA256 using the configured secret.
/// </returns>
/// <exception cref="AuthService.Exceptions.LoginException">
/// The lookup returned no response or a response without user info. Unknown user and
/// wrong password produce the same message, so the reply does not reveal which one failed.
/// </exception>
public async Task<string> Authenticate(string username, string password)
{
    // NOTE(review): CryptoAlgorithms.SHA256 is defined outside this block; by its name it is
    // presumably a single unsalted SHA-256 pass. A fast, unsalted digest is a weak password
    // verifier if the user store is ever disclosed - confirm, and plan a move to a salted,
    // iterated KDF (for example PBKDF2) with the comparison done by the service that owns the store.
    var lookup = new GetUserRequest
    {
        Username = username,
        PasswordHash = CryptoAlgorithms.SHA256(password)
    };
    var account = await _busService.SendGetUserRequest(lookup);

    // No response, or a response without user info, is treated as a failed login.
    bool matched = account != null && account.UserInfo != null;
    if (!matched)
    {
        throw new AuthService.Exceptions.LoginException("Username or password is incorrect");
    }

    // Credentials accepted: build and sign the token.
    var jwtHandler = new JwtSecurityTokenHandler();

    // NOTE(review): Encoding.ASCII replaces every non-ASCII character with '?', so a secret
    // containing such characters yields a weaker key than intended. The secret should also
    // carry at least 256 bits of entropy for HMAC-SHA256. Changing the encoding here would
    // change the key, so it has to be changed together with the token validation side.
    byte[] signingKeyBytes = Encoding.ASCII.GetBytes(_appSettings.Secret);

    var descriptor = new SecurityTokenDescriptor
    {
        Subject = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, account.UserInfo.UserId.ToString())
        }),
        // NOTE(review): seven-day lifetime; no revocation path is visible in this block -
        // confirm how a token is invalidated after a password change or account lock.
        Expires = DateTime.UtcNow.AddDays(7),
        SigningCredentials = new SigningCredentials(
            new SymmetricSecurityKey(signingKeyBytes),
            SecurityAlgorithms.HmacSha256Signature)
    };

    return jwtHandler.WriteToken(jwtHandler.CreateToken(descriptor));
}
/// <summary>
/// Registers a new user: asks the bus service whether the username already exists and,
/// if it does not, sends an add-user request carrying a fresh GUID id and the password digest.
/// </summary>
/// <param name="firstName">Given name stored on the new user.</param>
/// <param name="lastName">Family name stored on the new user.</param>
/// <param name="username">Requested username; the error message refers to it as an email address.</param>
/// <param name="password">Plain-text password; only the output of CryptoAlgorithms.SHA256 is stored.</param>
/// <returns>The response returned by the add-user request.</returns>
/// <exception cref="AuthService.Exceptions.RegisterException">A user with this username already exists.</exception>
public async Task<GetUserResponse> Register(string firstName, string lastName, string username, string password)
{
    var response = await _busService.SendGetUserRequest(new Shared.GetUserRequest { Username = username });

    // NOTE(review): Authenticate treats a null response as possible, but here a null
    // response is dereferenced. Confirm whether SendGetUserRequest can return null and,
    // if so, fail the registration explicitly rather than with a NullReferenceException.
    bool usernameTaken = response.UserInfo != null;
    if (usernameTaken)
    {
        // NOTE(review): this message confirms that an account exists for the address;
        // pair it with rate limiting if account enumeration is a concern.
        throw new AuthService.Exceptions.RegisterException("Provided email address is taken");
    }

    // NOTE(review): the existence check and the add are two separate requests, so two
    // concurrent registrations could both pass the check. Uniqueness presumably has to be
    // enforced by the user store itself - confirm.
    // NOTE(review): no validation of username or password (empty, length) is visible here.
    // NOTE(review): CryptoAlgorithms.SHA256 is defined elsewhere; by its name it is presumably
    // a single unsalted SHA-256 pass, which is weak for password storage - prefer a salted,
    // iterated KDF such as PBKDF2.
    var candidate = new UserInfo
    {
        UserId = Guid.NewGuid().ToString(),
        FirstName = firstName,
        LastName = lastName,
        Username = username,
        PasswordHash = CryptoAlgorithms.SHA256(password)
    };

    response = await _busService.SendAddUserRequest(candidate);
    return response;
}
/// <summary>
/// Computes a truncated SHA-256 digest over the pair (target, argument).
/// </summary>
/// <param name="target">First string; null is treated the same as empty.</param>
/// <param name="argument">Second string; null is treated the same as empty.</param>
/// <returns>The first HASH_SIZE_IN_BYTES bytes of the SHA-256 digest of the encoded pair.</returns>
private static byte[] Hash(string target, string argument)
{
    // The input buffer is assembled by hand. An earlier MemoryStream/BinaryWriter version
    // cost measurable time because event validation may call this in a tight loop.
    int targetChars = string.IsNullOrEmpty(target) ? 0 : target.Length;
    int argumentChars = string.IsNullOrEmpty(argument) ? 0 : argument.Length;

    // Layout per string: 4-byte length prefix followed by 2 bytes per char (UTF-16),
    // hence 8 bytes of prefixes plus twice the combined character count.
    // NOTE(review): the length prefixes are what should keep pairs such as ("ab", "c") and
    // ("a", "bc") from encoding to the same bytes; CopyStringToBuffer is not shown here.
    int inputSize = 8 + (targetChars + argumentChars) * 2;
    byte[] input = new byte[inputSize];

    int writeOffset = 0;
    CopyStringToBuffer(target, input, ref writeOffset);
    CopyStringToBuffer(argument, input, ref writeOffset);
    Debug.Assert(writeOffset == input.Length, "Should have populated the entire buffer.");

    byte[] digest;
    using (SHA256 sha = CryptoAlgorithms.CreateSHA256())
    {
        digest = sha.ComputeHash(input);
    }

    // Keep only the leading bytes; SHA-256 output is uniformly distributed, so any
    // prefix is as good as any other slice.
    // NOTE(review): collision resistance drops to the truncated length, and the digest is
    // unkeyed. HASH_SIZE_IN_BYTES and the integrity protection applied by callers are
    // outside this block - confirm both fit how the result is used.
    byte[] result = new byte[HASH_SIZE_IN_BYTES];
    Array.Copy(digest, 0, result, 0, HASH_SIZE_IN_BYTES);
    return result;
}
/// <summary>
/// Hashes a password with the named algorithm and returns the digest as a hex string,
/// for storage in a configuration file.
/// </summary>
/// <param name="password">Password to hash; encoded as UTF-8 before hashing.</param>
/// <param name="passwordFormat">Algorithm name, compared case-insensitively: "sha1" or "md5".</param>
/// <returns>The digest converted to text by CryptoUtil.BinaryToHex.</returns>
/// <exception cref="ArgumentNullException"><paramref name="password"/> or <paramref name="passwordFormat"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="passwordFormat"/> is neither "sha1" nor "md5".</exception>
/// <remarks>
/// NOTE(review): both supported formats are single-pass, unsalted MD5 or SHA-1. Identical
/// passwords produce identical digests, and both algorithms are fast to compute, so the
/// stored values give little protection if the configuration file is disclosed. Treat that
/// file as sensitive, and use a salted, iterated KDF such as PBKDF2 for new credential storage.
/// </remarks>
public static String HashPasswordForStoringInConfigFile(String password, String passwordFormat)
{
    if (password == null)
    {
        throw new ArgumentNullException("password");
    }

    if (passwordFormat == null)
    {
        throw new ArgumentNullException("passwordFormat");
    }

    // Resolve the format first; the "md5" comparison only runs when "sha1" did not match.
    bool wantsSha1 = StringUtil.EqualsIgnoreCase(passwordFormat, "sha1");
    bool wantsMd5 = !wantsSha1 && StringUtil.EqualsIgnoreCase(passwordFormat, "md5");
    if (!wantsSha1 && !wantsMd5)
    {
        throw new ArgumentException(SR.GetString(SR.InvalidArgumentValue, "passwordFormat"));
    }

    using (HashAlgorithm hasher = wantsSha1
        ? (HashAlgorithm)CryptoAlgorithms.CreateSHA1()
        : CryptoAlgorithms.CreateMD5())
    {
        byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
        byte[] digest = hasher.ComputeHash(passwordBytes);
        return CryptoUtil.BinaryToHex(digest);
    }
}
/////////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////////
/// <summary>
/// Encodes a password for storage: SHA-1 over the salt followed by the password's
/// UTF-16 bytes, returned as Base64.
/// </summary>
/// <param name="password">Password to encode; converted with Encoding.Unicode.</param>
/// <param name="salt">Salt bytes placed in front of the password bytes.</param>
/// <returns>Base64 text of the SHA-1 digest of salt + password bytes.</returns>
private static string EncodePassword(string password, byte[] salt)
{
    byte[] passwordBytes = Encoding.Unicode.GetBytes(password);

    // Hash input is salt || password.
    byte[] salted = new byte[salt.Length + passwordBytes.Length];
    Buffer.BlockCopy(salt, 0, salted, 0, salt.Length);
    Buffer.BlockCopy(passwordBytes, 0, salted, salt.Length, passwordBytes.Length);

    // SHA1 is forbidden for *new* code. It stays here because changing this existing feature
    // would lock users out of their existing membership databases. The upgrade to a
    // stronger algorithm is tracked in DevDiv #286797.
    // NOTE(review): a single salted SHA-1 pass is fast to compute, so it slows offline
    // guessing very little if the stored values leak. When the upgrade lands, re-hash on
    // the next successful login so existing accounts migrate without a forced reset.
    byte[] digest;
#pragma warning disable 618 // [Obsolete] warning
    using (SHA1 sha1 = CryptoAlgorithms.CreateSHA1())
    {
        digest = sha1.ComputeHash(salted);
    }
#pragma warning restore 618

    return Convert.ToBase64String(digest);
}