public ActionResult <UserModel> PostUpdateUserPassword([FromHeader(Name = "X-websession")] Guid webSessionId, [FromBody] PostUpdateUserPasswordType data)
{
return(postUpdateUserPassword.Execute(webSessionId, data, _configuration["ConnectionStrings:DefaultConnection"]));
}
public static ActionResult <UserModel> Execute(Guid webSessionId, PostUpdateUserPasswordType data, string connectionString)
{
try
{
using (var connection = new SqlConnection(connectionString))
{
// create command object
var command = new SqlCommand();
command.Connection = connection;
command.Connection.Open();
// authenticate web session
if (!WebSessionCheck.Check(webSessionId, connection, command))
{
return(new UnauthorizedResult());
}
// get user and password details for user with given username
command.CommandText = @$ "
SELECT users.*
, passwords.hashed_password
, passwords.salt
FROM users
JOIN passwords
ON users.id = passwords.user_id
WHERE users.username = '******'
AND passwords.expired IS NULL
";
var reader = command.ExecuteReader();
// if no rows returned, no user found with given username
if (!reader.HasRows)
{
reader.Close();
return(new BadRequestResult());
}
// read returned rows to get user details
reader.Read();
var user = new UserModel(reader);
var passwordSalt = reader["salt"].ToString();
var passwordHashed = reader["hashed_password"].ToString();
reader.Close();
// check old password is the same as password in database
var oldHashedPassword = UserController.ApplyHash(
Convert.FromBase64String(passwordSalt),
data.oldPassword
);
if (oldHashedPassword != passwordHashed)
{
return(new UnauthorizedResult());
}
// hash new password
var newSalt = UserController.NewSalt();
var newSaltString = UserController.EncodeSalt(newSalt);
var newHashedPassword = UserController.ApplyHash(
newSalt,
data.newPassword
);
// insert new password
command.CommandText = @$ "
INSERT INTO passwords ( user_id
, hashed_password
, salt
)
VALUES ( '{user.id}'
, '{newHashedPassword}'