/// <summary>
/// Overwrites the user's stored credential with a brand-new salt and the hash of
/// <paramref name="password"/> computed under that salt. Only <c>Password</c> and
/// <c>PasswordSalt</c> are touched; in particular <c>SYS_PasswordAlt</c> is left as it was.
/// </summary>
/// <param name="user">User whose <c>Password</c> and <c>PasswordSalt</c> are replaced.</param>
/// <param name="password">Clear-text password to store in hashed form; it is never stored itself.</param>
private static void SetUserPassword(User user, string password)
{
    // A new salt is generated on every call, so re-setting the same password yields a different hash.
    var salt = CipherHelper.GenerateSalt();
    var hashed = CipherHelper.Hash(password, salt);

    user.PasswordSalt = salt;
    user.Password = hashed;
}
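/// <summary>
/// Fills a user entity with registration data: validates that a user name and a password were
/// given, refuses a user name already taken inside the same practice, copies the personal data,
/// and stores a freshly salted password hash. The storage set is only read here, never saved.
/// </summary>
/// <param name="userToUpdate">User entity that receives the data. Its <c>Person</c> is written to, so it must already exist.</param>
/// <param name="registrationData">Registration form data describing the user.</param>
/// <param name="dbUserSet">Storage object set used to check user-name uniqueness. It is neither modified nor saved.</param>
/// <param name="utcNow">Current UTC time, supplied by the caller so the method stays mockable.</param>
/// <returns>A <see cref="CreateUserResult"/> telling what happened.</returns>
public static CreateUserResult UpdateUser(User userToUpdate, CreateAccountViewModel registrationData, IObjectSet<User> dbUserSet, DateTime utcNow)
{
    // Password cannot be null, nor empty.
    if (string.IsNullOrEmpty(registrationData.Password))
    {
        return CreateUserResult.InvalidUserNameOrPassword;
    }

    // User-name cannot be null, nor empty.
    if (string.IsNullOrEmpty(registrationData.UserName))
    {
        return CreateUserResult.InvalidUserNameOrPassword;
    }

    // Uniqueness is checked on the normalized form of the user name, scoped to the practice, so
    // that registering a look-alike of an existing name (e.g. "miguelangelo" next to "Miguel.Angelo")
    // is refused. Login still requires the exact user name that was registered. The original author
    // also saw this as an anti-enumeration measure: a refused look-alike does not reveal which exact
    // spelling the existing user chose.
    var normalizedUserName = StringHelper.NormalizeUserName(registrationData.UserName);
    var isUserNameAlreadyInUse = dbUserSet.Any(u =>
        u.UserNameNormalized == normalizedUserName
        && u.PracticeId == userToUpdate.PracticeId
        && u.Id != userToUpdate.Id);
    if (isUserNameAlreadyInUse)
    {
        return CreateUserResult.UserNameAlreadyInUse;
    }

    // Note: DateOfBirth cannot be set in this method because of Utc/Local conversions.
    // The caller of this method must set that property.
    userToUpdate.Person.Gender = registrationData.Gender ?? 0;
    userToUpdate.Person.FullName = registrationData.FullName;
    userToUpdate.Person.CreatedOn = utcNow;
    userToUpdate.Person.Email = registrationData.EMail;
    userToUpdate.Person.EmailGravatarHash = GravatarHelper.GetGravatarHash(registrationData.EMail);

    userToUpdate.UserName = registrationData.UserName;
    userToUpdate.UserNameNormalized = normalizedUserName;

    // Salt + hash go through the shared helper so the hashing scheme lives in exactly one place
    // (previously duplicated here).
    SetUserPassword(userToUpdate, registrationData.Password);
    // Setting a real password invalidates any system alternative password that may have been issued.
    userToUpdate.SYS_PasswordAlt = null;

    userToUpdate.LastActiveOn = utcNow;
    return CreateUserResult.Ok;
}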
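/// <summary>
/// Authenticates a user of the given practice from its login data and, on success, builds the
/// serialized security token that represents the authenticated identity.
/// </summary>
/// <param name="userNameOrEmail">User name or e-mail typed at the login form.</param>
/// <param name="password">Clear-text password typed at the login form.</param>
/// <param name="practiceIdentifier">Identifier of the practice the user belongs to.</param>
/// <param name="dbUserSet">Storage object set used to look the user up. It is not modified.</param>
/// <param name="securityTokenString">Serialized <see cref="SecurityToken"/> for the authenticated user, or null when authentication fails.</param>
/// <returns>The authenticated <see cref="User"/>, or null when the password is missing, the user does not exist, or the password does not match.</returns>
public static User AuthenticateUser(String userNameOrEmail, String password, string practiceIdentifier, IObjectSet<User> dbUserSet, out string securityTokenString)
{
    // Note: this method used to set user.LastActiveOn; the caller does it now, because using
    // DateTime.Now here would make the value impossible to mock.
    securityTokenString = null;

    // A missing password can never authenticate: UpdateUser refuses to store an empty one and the
    // alternative password below is only honoured when it is not blank. Failing early also keeps
    // CipherHelper.Hash from ever being handed a null password.
    if (string.IsNullOrEmpty(password))
    {
        return null;
    }

    var loggedInUser = GetUser(dbUserSet, practiceIdentifier, userNameOrEmail);
    if (loggedInUser == null)
    {
        return null;
    }

    // Regular login: re-hash the supplied password with the stored salt and compare with the stored hash.
    // NOTE(review): this is an ordinary string comparison, so it is not constant-time; with a salted
    // hash the leak is of little practical use, but a fixed-time compare would be the safer choice.
    var passwordHash = CipherHelper.Hash(password, loggedInUser.PasswordSalt);
    var isPasswordMatch = loggedInUser.Password == passwordHash;

    // Alternative "system" login.
    // SECURITY NOTE(review): SYS_PasswordAlt is compared in clear text, which means it is stored in
    // clear text. If it is anything more than a short-lived one-off credential it should be hashed
    // and salted exactly like Password.
    var isSysLogin = !string.IsNullOrWhiteSpace(loggedInUser.SYS_PasswordAlt)
        && password == loggedInUser.SYS_PasswordAlt;

    // Unknown user and wrong password both yield null, so the caller cannot tell them apart.
    if (!isPasswordMatch && !isSysLogin)
    {
        return null;
    }

    var securityToken = new SecurityToken
    {
        // The token salt is drawn from a cryptographic generator instead of System.Random:
        // new Random() is seeded from the clock (two logins in the same tick get the same value)
        // and its output is predictable by design. The range stays 0..1999 as before.
        Salt = NextSecureInt(2000),
        UserData = new UserData
        {
            Id = loggedInUser.Id,
            Email = loggedInUser.Person.Email,
            FullName = loggedInUser.Person.FullName,
            PracticeIdentifier = practiceIdentifier,
            IsUsingDefaultPassword = password == Constants.DEFAULT_PASSWORD,
            IsUsingSysPassword = isSysLogin,
        }
    };
    securityTokenString = SecurityTokenHelper.ToString(securityToken);
    return loggedInUser;
}

/// <summary>
/// Returns a uniformly distributed integer in [0, <paramref name="maxExclusive"/>) taken from a
/// cryptographically secure random number generator.
/// </summary>
/// <param name="maxExclusive">Exclusive upper bound; must be positive.</param>
private static int NextSecureInt(int maxExclusive)
{
    if (maxExclusive <= 0)
    {
        throw new ArgumentOutOfRangeException("maxExclusive");
    }

    var range = (uint)maxExclusive;
    // Rejection sampling: only accept draws below the largest multiple of `range` that fits in a
    // uint, so the final modulo does not bias the low values.
    var limit = uint.MaxValue - (uint.MaxValue % range);
    var buffer = new byte[4];
    using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
    {
        while (true)
        {
            rng.GetBytes(buffer);
            var draw = BitConverter.ToUInt32(buffer, 0);
            if (draw < limit)
            {
                return (int)(draw % range);
            }
        }
    }
}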