public UserResult UpdatePassword(string username, string existingPassword, string newPassword)
        {
            Contract.Requires <ArgumentException>(!string.IsNullOrWhiteSpace(username));
            Contract.Requires <ArgumentException>(!string.IsNullOrWhiteSpace(existingPassword));
            Contract.Requires <ArgumentException>(!string.IsNullOrWhiteSpace(newPassword));

            UserResult result;

            var userCredentials = GetUserCredentials(username);

            if (userCredentials == null)
            {
                // User does not exist
                result = new UserResult(false);

                return(result);
            }

            var isPasswordMatch = IsPasswordMatch(userCredentials, existingPassword);

            if (!isPasswordMatch)
            {
                result = new UserResult(false);

                result.AddValidationMessage(string.Empty, _stringLocalizer.GetString("ExistingPasswordIncorrect"));
            }

            throw new NotImplementedException();
        }
        public UserResult ValidatePassword(string username, string password)
        {
            Contract.Requires <ArgumentException>(!string.IsNullOrWhiteSpace(username));
            Contract.Requires(!string.IsNullOrWhiteSpace(password)); // Intentionally no exception

            UserResult result;

            if (string.IsNullOrWhiteSpace(password))
            {
                result = new UserResult(false);

                result.AddValidationMessage(string.Empty, _stringLocalizer.GetString("UsernamePasswordIncorrect"));

                return(result);
            }

            var userCredentials = GetUserCredentials(username);

            if (userCredentials == null)
            {
                // User does not exist
                result = new UserResult(false);

                result.AddValidationMessage(string.Empty, _stringLocalizer.GetString("UsernamePasswordIncorrect"));

                return(result);
            }

            var isPasswordMatch = IsPasswordMatch(userCredentials, password);

            if (isPasswordMatch)
            {
                return(new UserResult(true));
            }

            result = new UserResult(false);

            result.AddValidationMessage(string.Empty, _stringLocalizer.GetString("UsernamePasswordIncorrect"));

            return(result);
        }
        public UserResult CreateUser(string userName, string displayName, string emailAddress, string password, string twitterUserName)
        {
            Contract.Requires <ArgumentException>(!string.IsNullOrWhiteSpace(userName));
            Contract.Requires <ArgumentException>(!string.IsNullOrWhiteSpace(displayName));
            Contract.Requires <ArgumentException>(!string.IsNullOrWhiteSpace(emailAddress));
            Contract.Requires <ArgumentException>(!string.IsNullOrWhiteSpace(password));

            var userNameExistsCommand = new SqlCommand("security.UserNameExists")
            {
                CommandType = CommandType.StoredProcedure,
                Connection  = _securitySqlConnectionWrapper.SqlConnection
            };

            userNameExistsCommand.Parameters.AddWithValue("userName", userName);

            var userNameExists = Convert.ToBoolean(userNameExistsCommand.ExecuteScalar());

            var emailAddressExistsCommand = new SqlCommand("security.EmailAddressExists")
            {
                CommandType = CommandType.StoredProcedure,
                Connection  = _securitySqlConnectionWrapper.SqlConnection
            };

            emailAddressExistsCommand.Parameters.AddWithValue("emailAddress", emailAddress);

            var emailExists = Convert.ToBoolean(emailAddressExistsCommand.ExecuteScalar());

            if (userNameExists || emailExists)
            {
                var result = new UserResult(false);

                if (userNameExists)
                {
                    result.AddValidationMessage("UserName", _stringLocalizer.GetString("UsernameInUse"));
                }

                if (emailExists)
                {
                    result.AddValidationMessage("EmailAddress", _stringLocalizer.GetString("EmailAddressInUse"));
                    // Nb - This is proof of concept code, production systems should probably include email
                    // validation as part of the process and email the address provided to state the address
                    // is already in use to prevent enumeration attacks.
                }

                return(result);
            }

            var defaultIdentityVersionCommand = new SqlCommand("security.GetDefaultIdentityVersion")
            {
                CommandType = CommandType.StoredProcedure,
                Connection  = _securitySqlConnectionWrapper.SqlConnection
            };

            var identityId = 1;

            var hashIterations = 2500;

            using (var defaultIdentityVersion = defaultIdentityVersionCommand.ExecuteReader())
            {
                if (defaultIdentityVersion.Read())
                {
                    var identityVersionIndex = defaultIdentityVersion.GetOrdinal("IdentityVersion");

                    identityId = defaultIdentityVersion.GetInt32(identityVersionIndex);

                    var hashIterationsIndex = defaultIdentityVersion.GetOrdinal("HashIterations");

                    hashIterations = defaultIdentityVersion.GetInt32(hashIterationsIndex);
                }
            }

            var salt = UserExtensions.GenerateSalt();

            var passwordHash = UserExtensions.HashPassword(Encoding.UTF8.GetBytes(password), salt, hashIterations);

            var createUserCommand = new SqlCommand("security.CreateUser")
            {
                CommandType = CommandType.StoredProcedure,
                Connection  = _securitySqlConnectionWrapper.SqlConnection
            };

            createUserCommand.Parameters.AddWithValue("userName", userName);
            createUserCommand.Parameters.AddWithValue("displayName", displayName);
            createUserCommand.Parameters.AddWithValue("emailAddress", emailAddress);
            createUserCommand.Parameters.AddWithValue("passwordHash", Convert.ToBase64String(passwordHash));
            createUserCommand.Parameters.AddWithValue("passwordSalt", Convert.ToBase64String(salt));
            createUserCommand.Parameters.AddWithValue("twitterUserName", twitterUserName);
            createUserCommand.Parameters.AddWithValue("userIdentityVersion", identityId);

            createUserCommand.ExecuteNonQuery();

            return(new UserResult(true));
        }