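/// <summary>
/// Checks <paramref name="credentials"/> against the stored hash by re-deriving the submitted
/// passphrase with the user's stored salt and comparing the two Base64 hash strings.
/// </summary>
/// <param name="storedUser">The persisted user; supplies <c>Salt</c> and the stored <c>Password</c> hash.</param>
/// <param name="credentials">The submitted login form; only <c>Passphrase</c> is read.</param>
/// <returns><c>true</c> when the re-derived hash equals the stored one; <c>false</c> otherwise,
/// including when the stored user has no salt or no password hash.</returns>
/// <exception cref="ArgumentNullException">Either argument is <c>null</c>.</exception>
public bool VerifyPassword(User storedUser, LoginCredentialsForm credentials)
{
    if (storedUser is null)
    {
        throw new ArgumentNullException(nameof(storedUser));
    }
    if (credentials is null)
    {
        throw new ArgumentNullException(nameof(credentials));
    }

    // Without a stored salt, HashPassphrase would mint a fresh random salt and the comparison
    // could never succeed; without a stored hash there is nothing to compare against.
    // Fail closed in both cases rather than spending a key derivation on a guaranteed miss.
    if (storedUser.Salt is null || storedUser.Password is null)
    {
        return false;
    }

    var candidate = HashPassphrase(new PasswordIngredients
    {
        Passphrase = credentials.Passphrase,
        Salt = storedUser.Salt,
    });

    // Compare in constant time so the duration does not depend on how many leading characters
    // of the stored hash a guess happens to share (string == short-circuits at the first
    // mismatch). The Base64 strings are compared as UTF-8 bytes; FixedTimeEquals returns
    // false on a length mismatch.
    byte[] expected = System.Text.Encoding.UTF8.GetBytes(storedUser.Password);
    byte[] actual = System.Text.Encoding.UTF8.GetBytes(candidate.Password);
    return System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(expected, actual);
}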
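/// <summary>
/// Derives a password hash for <c>ingredients.Passphrase</c> with PBKDF2. If
/// <c>ingredients.Salt</c> is provided it is used as-is; otherwise a fresh random
/// 16-byte salt is generated and written back to <c>ingredients.Salt</c>.
/// Based on the Microsoft document here:
/// https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/consumer-apis/password-hashing
/// </summary>
/// <param name="ingredients">Carries the passphrase in and the salt and derived hash out;
/// the same instance is mutated and returned.</param>
/// <returns>The same <paramref name="ingredients"/> instance with <c>Password</c> set to the
/// Base64-encoded 32-byte PBKDF2 output (and <c>Salt</c> filled in if it was <c>null</c>).</returns>
/// <exception cref="ArgumentNullException"><paramref name="ingredients"/> is <c>null</c>.</exception>
public PasswordIngredients HashPassphrase(PasswordIngredients ingredients)
{
    if (ingredients is null)
    {
        throw new ArgumentNullException(nameof(ingredients));
    }

    // Derivation parameters. NOTE(review): these are baked into every stored hash, so raising
    // the iteration count or moving off HMACSHA1 (both below current guidance) needs a
    // versioned rehash-on-login path; changing them in place would invalidate existing hashes.
    const int SaltSizeBytes = 128 / 8;
    const int HashSizeBytes = 256 / 8;
    const int IterationCount = 10000;

    if (ingredients.Salt is null)
    {
        // No caller-supplied salt: generate one from the CSPRNG and hand it back via the
        // ingredients so the caller can persist it next to the hash.
        ingredients.Salt = new byte[SaltSizeBytes];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(ingredients.Salt);
        }
    }

    byte[] derived = KeyDerivation.Pbkdf2(
        password: ingredients.Passphrase,
        salt: ingredients.Salt,
        prf: KeyDerivationPrf.HMACSHA1,
        iterationCount: IterationCount,
        numBytesRequested: HashSizeBytes);

    ingredients.Password = Convert.ToBase64String(derived);
    return ingredients;
}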