/// <summary>
/// Exercises the password-reset endpoint for the first fixture user: a token that was never
/// issued must be answered with a bad-request result and leave the stored password untouched,
/// while the issued token must be accepted, replace the password and clear the recovery salt.
/// </summary>
public void ResetPasswordTest()
        {
            const string originalPassword    = "password-u1";
            const string replacementPassword = "new-password-u1";

            UserAccountRecoveryController recoveryController = CreateFakeUserAccountRecoveryController();

            // Issue a recovery token and store its salt on the account, as the recovery flow would.
            // The second argument (30) is presumably the token lifetime; its unit is not visible here.
            var tokenFactory = new TokenCreatorValidator(_testApiSecret);
            TokenCreationParams issuedToken = tokenFactory.CreateToken(_users[0].Id, 30);

            _users[0].RecoverySalt = issuedToken.SaltBytes;
            _usersService.Update(_users[0]);

            // A token that was never issued must be refused and must not change the password.
            var forgedRequest = new PasswordResetModel(_users[0].Email, "wrong-token", replacementPassword);
            var response = recoveryController.ResetPassword(forgedRequest);

            Assert.IsType<BadRequestObjectResult>(response);
            bool oldPasswordStillValid = PasswordVerifier.VerifyPasswordHash(
                originalPassword, _users[0].PasswordHash, _users[0].PasswordSalt);
            Assert.True(oldPasswordStillValid);

            // The genuine token is accepted: the new password verifies and the salt is cleared.
            var genuineRequest = new PasswordResetModel(_users[0].Email, issuedToken.TokenStr, replacementPassword);
            response = recoveryController.ResetPassword(genuineRequest);

            Assert.IsType<OkResult>(response);
            bool newPasswordValid = PasswordVerifier.VerifyPasswordHash(
                replacementPassword, _users[0].PasswordHash, _users[0].PasswordSalt);
            Assert.True(newPasswordValid);
            Assert.Null(_users[0].RecoverySalt);

            // NOTE(review): single use of the token is only checked indirectly, through the cleared
            // salt. Consider also asserting that a second reset with the same token is rejected,
            // and that an expired token is rejected.
        }
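        /// <summary>
        /// Round-trips 100 randomly generated passwords through <c>PasswordVerifier</c>: each password
        /// must verify against the hash and salt created for it, and a different password must be
        /// rejected by that same hash and salt.
        /// </summary>
        public void CreateAndVerifyPasswordHashTest()
        {
            for (int i = 0; i < 100; i++)
            {
                // Length is drawn from Random.Next(1, 33), so the password is never empty.
                string password = RandomString(Random.Next(1, 33));
                PasswordVerifier.CreatePasswordHash(password, out byte[] passwordHash, out byte[] passwordSalt);

                Assert.True(PasswordVerifier.VerifyPasswordHash(password, passwordHash, passwordSalt));

                // Negative case: without it, a verifier that accepts every input would pass this test.
                // Appending a character guarantees the candidate differs from the real password.
                Assert.False(PasswordVerifier.VerifyPasswordHash(password + "x", passwordHash, passwordSalt));
            }
        }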
        /// <summary>
        /// Registers a new user through the account controller and checks that the call succeeds,
        /// that the stored name and e-mail match the request, and that the stored hash and salt
        /// verify against the submitted password.
        /// </summary>
        public void RegisterTest()
        {
            const string expectedName     = "reg-user-name";
            const string expectedEmail    = "reg-user-email";
            const string expectedPassword = "reg-user-password";

            UserAccountController accountController = CreateFakeUserAccountController();

            // Submit a well-formed registration request.
            var registration = new RegisterUserModel(expectedName, expectedEmail, expectedPassword);
            var response = accountController.Register(registration);

            Assert.IsType<OkResult>(response);

            // Read the account back through the service and compare it with what was submitted.
            User storedUser = _usersService.GetByEmail(expectedEmail);

            Assert.Equal(expectedName, storedUser.Name);
            Assert.Equal(expectedEmail, storedUser.Email);

            // The password is only checked through the verifier: the test never compares plaintext.
            bool passwordMatches = PasswordVerifier.VerifyPasswordHash(
                expectedPassword, storedUser.PasswordHash, storedUser.PasswordSalt);
            Assert.True(passwordMatches);
        }
        /// <summary>
        /// Replaces the user's password hash and salt with ones derived from
        /// <paramref name="newPassword"/> and saves the change.
        /// </summary>
        /// <param name="user">Account whose credentials are replaced.</param>
        /// <param name="newPassword">New password; must not be null, empty or whitespace.</param>
        /// <param name="oldPassword">
        /// Current password to verify first. When it is <c>null</c> the verification is skipped
        /// entirely, so a caller serving an authenticated "change password" request must not forward
        /// a missing or null old password from the request body. An empty string is still verified.
        /// </param>
        /// <exception cref="RequestException">
        /// <c>InvalidCredentials</c> when <paramref name="oldPassword"/> is supplied and does not
        /// verify; <c>BadPassword</c> when <paramref name="newPassword"/> is null or whitespace.
        /// </exception>
        public void SetNewPassword(User user, string newPassword, string oldPassword = null)
        {
            // Null means "no old password to check" (presumably the token-based reset path).
            bool mustVerifyOldPassword = oldPassword != null;
            if (mustVerifyOldPassword)
            {
                bool oldPasswordMatches = PasswordVerifier.VerifyPasswordHash(oldPassword, user.PasswordHash, user.PasswordSalt);
                if (!oldPasswordMatches)
                {
                    throw new RequestException(UserExceptionCodes.InvalidCredentials);
                }
            }

            // Only emptiness is checked here; no length or strength rule is applied in this method.
            if (string.IsNullOrWhiteSpace(newPassword))
            {
                throw new RequestException(UserExceptionCodes.BadPassword);
            }

            // CreatePasswordHash returns a salt alongside the hash, so the stored salt is replaced too.
            PasswordVerifier.CreatePasswordHash(newPassword, out byte[] freshHash, out byte[] freshSalt);
            user.PasswordHash = freshHash;
            user.PasswordSalt = freshSalt;

            _context.Users.Update(user);
            _context.SaveChanges();
        }
        /// <summary>
        /// Checks <c>UpdatePassword</c> for the first fixture user: a change made with the current
        /// password is applied, and a later change that supplies the outdated password is answered
        /// with a bad-request result and leaves the stored password as it was.
        /// </summary>
        public void UpdatePasswordTest()
        {
            const string initialPassword = "password-u1";
            const string updatedPassword = "new-password-u1";

            UsersController controller = CreateFakeUsersController(_users[0]);

            // First change: the model's first argument is presumably the current password and the
            // second the new one. The result of this call is not asserted.
            var acceptedChange = new PasswordUpdateModel(initialPassword, updatedPassword);
            controller.UpdatePassword(acceptedChange);

            bool updatedPasswordStored = PasswordVerifier.VerifyPasswordHash(
                updatedPassword, _users[0].PasswordHash, _users[0].PasswordSalt);
            Assert.True(updatedPasswordStored);

            // Second change: "password-u1" is no longer the current password, so the request must
            // fail the current-password check even though the new password itself is acceptable.
            var staleChange = new PasswordUpdateModel(initialPassword, "renew-password-u1");
            var actionResult = controller.UpdatePassword(staleChange);

            Assert.IsType<BadRequestObjectResult>(actionResult);

            // The rejected request must not have touched the stored credentials.
            bool passwordUnchanged = PasswordVerifier.VerifyPasswordHash(
                updatedPassword, _users[0].PasswordHash, _users[0].PasswordSalt);
            Assert.True(passwordUnchanged);
        }
        /// <summary>
        /// Looks up the account by e-mail and verifies the supplied password against its stored
        /// hash and salt.
        /// </summary>
        /// <param name="email">E-mail address identifying the account.</param>
        /// <param name="password">Plaintext password to verify.</param>
        /// <returns>The matching user when the credentials are valid.</returns>
        /// <exception cref="RequestException">
        /// Thrown with <c>InvalidCredentials</c> for every failure: missing input, unknown e-mail
        /// or wrong password. The exception therefore does not reveal which part was wrong.
        /// </exception>
        public User Authenticate(string email, string password)
        {
            bool inputMissing = string.IsNullOrEmpty(email) || string.IsNullOrEmpty(password);
            if (inputMissing)
            {
                throw new RequestException(UserExceptionCodes.InvalidCredentials);
            }

            // Relies on e-mail being unique: SingleOrDefault fails if more than one row matches.
            var account = _context.Users.SingleOrDefault(candidate => candidate.Email == email);

            // NOTE(review): an unknown e-mail short-circuits before any hash work, while a known one
            // runs VerifyPasswordHash. If hashing is deliberately slow, that response-time difference
            // can reveal which e-mails are registered. Consider rate limiting this endpoint or
            // equalising the work on both paths.
            bool credentialsValid = account != null
                && PasswordVerifier.VerifyPasswordHash(password, account.PasswordHash, account.PasswordSalt);

            if (!credentialsValid)
            {
                throw new RequestException(UserExceptionCodes.InvalidCredentials);
            }

            return account;
        }