public void PasswordHashing_PasswordVerificationWorks()
{
var hashed = Passwords.CreateSaltedPasswordHash("test1234");
Assert.True(Passwords.CheckPassword(hashed, "test1234"));
Assert.False(Passwords.CheckPassword(hashed, "test12345"));
Assert.False(Passwords.CheckPassword(hashed, "test123"));
}
public void PasswordHashing_DifferentSaltsHaveDifferentResults()
{
byte[] salt1 = { 1, 2, 3, 4, 5, 6, 7, 8 };
byte[] salt2 = { 2, 2, 3, 4, 5, 6, 7, 8 };
Assert.NotEqual(Passwords.CreateSaltedPasswordHash("test1234", salt1),
Passwords.CreateSaltedPasswordHash("test1234", salt2));
}
public void PasswordHashing_KnownPasswordHashMatches()
{
byte[] salt = { 1, 2, 3, 4, 5, 6, 7, 8 };
// Hashed string has nonsense in it
// ReSharper disable StringLiteralTypo
Assert.Equal("AQIDBAUGBwg=:9CtRsYKuet+gr6NRVnrIjd37nKwH1sTCEI3kdt8i5N0oJF+n1JUR3Idy2SuU1+zi",
Passwords.CreateSaltedPasswordHash("test1234", salt));
// ReSharper enable StringLiteralTypo
}
public void PasswordHashing_AutomaticallyGeneratedSaltsAreDifferent()
{
var result1 = Passwords.CreateSaltedPasswordHash("test1234");
var result2 = Passwords.CreateSaltedPasswordHash("test1234");
var result3 = Passwords.CreateSaltedPasswordHash("test1234");
if (result1 == result2 && result2 == result3)
{
Assert.True(false, "subsequently created hashes without set salt should be different");
}
}
public async Task <IActionResult> Post(RegistrationFormData request)
{
if (!csrfVerifier.IsValidCSRFToken(request.CSRF, null, false))
{
return(BadRequest("Invalid CSRF"));
}
if (!SecurityHelpers.SlowEquals(request.RegistrationCode, configuration.RegistrationCode))
{
return(BadRequest("Invalid registration code"));
}
if (!request.Email.Contains('@'))
{
return(BadRequest("Email is invalid"));
}
// Check for conflicting username or email
if (await database.Users.FirstOrDefaultAsync(u => u.UserName == request.Name) != null ||
await database.Users.FirstOrDefaultAsync(u => u.Email == request.Email) != null)
{
return(BadRequest("There is already an account associated with the given email or name"));
}
var password = Passwords.CreateSaltedPasswordHash(request.Password);
var user = new User()
{
Email = request.Email,
UserName = request.Name,
PasswordHash = password,
Local = true
};
await database.Users.AddAsync(user);
Models.User.OnNewUserCreated(user, jobClient);
await database.SaveChangesAsync();
logger.LogInformation("New user registered {Name} ({Email})", request.Name, request.Email);
return(Created($"/users/{user.Id}", user.GetInfo(RecordAccessLevel.Private)));
}
