public IUser CreateUser(CreateUserParams createUserParams)
{
Logger.Information("CreateUser {0} {1}", createUserParams.Username, createUserParams.Email);
var user = new UserRecord();
user.UserName = createUserParams.Username;
user.Email = createUserParams.Email;
user.NormalizedUserName = createUserParams.Username.ToLowerInvariant();
user.HashAlgorithm = PBKDF2;
SetPassword(user, createUserParams.Password);
user.RegistrationStatus = UserStatus.Approved;
user.EmailStatus = UserStatus.Approved;
if (createUserParams.IsApproved)
{
user.RegistrationStatus = UserStatus.Approved;
user.EmailStatus = UserStatus.Approved;
}
var userContext = new UserContext { User = user, Cancel = false, UserParameters = createUserParams };
_userEventHandlers.Creating(userContext);
if (userContext.Cancel)
{
return null;
}
_userRepository.Create(user);
_userEventHandlers.Created(userContext);
if (user.RegistrationStatus == UserStatus.Approved)
{
_userEventHandlers.Approved(user);
}
return user;
}
private bool ValidatePasswordHashed(UserRecord UserRecord, string password)
{
var saltBytes = Convert.FromBase64String(UserRecord.PasswordSalt);
bool isValid;
if (UserRecord.HashAlgorithm == PBKDF2)
{
// We can't reuse ComputeHashBase64 as the internally generated salt repeated calls to Crypto.HashPassword() return different results.
isValid = Crypto.VerifyHashedPassword(UserRecord.Password, Encoding.Unicode.GetString(CombineSaltAndPassword(saltBytes, password)));
}
else
{
isValid = SecureStringEquality(UserRecord.Password, ComputeHashBase64(UserRecord.HashAlgorithm, saltBytes, password));
}
// Migrating older password hashes to Default algorithm if necessary and enabled.
if (isValid && UserRecord.HashAlgorithm != DefaultHashAlgorithm)
{
var keepOldConfiguration = ConfigurationManager.AppSettings["Orchard.Users.KeepOldPasswordHash"];
if (String.IsNullOrEmpty(keepOldConfiguration) || keepOldConfiguration.Equals("false", StringComparison.OrdinalIgnoreCase))
{
UserRecord.HashAlgorithm = DefaultHashAlgorithm;
UserRecord.Password = ComputeHashBase64(UserRecord.HashAlgorithm, saltBytes, password);
}
}
return isValid;
}
private bool ValidatePassword(UserRecord UserRecord, string password)
{
// Note - the password format stored with the record is used
// otherwise changing the password format on the site would invalidate
// all logins
switch (UserRecord.PasswordFormat)
{
case MembershipPasswordFormat.Clear:
return ValidatePasswordClear(UserRecord, password);
case MembershipPasswordFormat.Hashed:
return ValidatePasswordHashed(UserRecord, password);
case MembershipPasswordFormat.Encrypted:
return ValidatePasswordEncrypted(UserRecord, password);
default:
throw new ApplicationException("Unexpected password format value");
}
}
private bool ValidatePasswordEncrypted(UserRecord UserRecord, string password)
{
return String.Equals(password, Encoding.UTF8.GetString(_encryptionService.Decode(Convert.FromBase64String(UserRecord.Password))), StringComparison.Ordinal);
}
private static bool ValidatePasswordClear(UserRecord UserRecord, string password)
{
return UserRecord.Password == password;
}
private void SetPasswordEncrypted(UserRecord UserRecord, string password)
{
UserRecord.Password = Convert.ToBase64String(_encryptionService.Encode(Encoding.UTF8.GetBytes(password)));
UserRecord.PasswordSalt = null;
UserRecord.PasswordFormat = MembershipPasswordFormat.Encrypted;
}
private static void SetPasswordClear(UserRecord UserRecord, string password)
{
UserRecord.PasswordFormat = MembershipPasswordFormat.Clear;
UserRecord.Password = password;
UserRecord.PasswordSalt = null;
}
private static void SetPasswordHashed(UserRecord UserRecord, string password)
{
var saltBytes = new byte[0x10];
using (var random = new RNGCryptoServiceProvider())
{
random.GetBytes(saltBytes);
}
UserRecord.PasswordFormat = MembershipPasswordFormat.Hashed;
UserRecord.Password = ComputeHashBase64(UserRecord.HashAlgorithm, saltBytes, password);
UserRecord.PasswordSalt = Convert.ToBase64String(saltBytes);
}
void SetPassword(UserRecord record, string password)
{
switch (GetSettings().PasswordFormat) {
case MembershipPasswordFormat.Clear:
SetPasswordClear(record, password);
break;
case MembershipPasswordFormat.Hashed:
SetPasswordHashed(record, password);
break;
case MembershipPasswordFormat.Encrypted:
SetPasswordEncrypted(record, password);
break;
default:
throw new ApplicationException("Unexpected password format value");
}
}
private static bool ValidatePasswordHashed(UserRecord record, string password)
{
var saltBytes = Convert.FromBase64String(record.PasswordSalt);
var passwordBytes = Encoding.Unicode.GetBytes(password);
var combinedBytes = saltBytes.Concat(passwordBytes).ToArray();
var hashAlgorithm = HashAlgorithm.Create(record.HashAlgorithm);
var hashBytes = hashAlgorithm.ComputeHash(combinedBytes);
return record.Password == Convert.ToBase64String(hashBytes);
}
private static bool ValidatePasswordEncrypted(UserRecord record, string password)
{
throw new NotImplementedException();
}
private static void SetPasswordHashed(UserRecord record, string password)
{
var saltBytes = new byte[0x10];
var random = new RNGCryptoServiceProvider();
random.GetBytes(saltBytes);
var passwordBytes = Encoding.Unicode.GetBytes(password);
var combinedBytes = saltBytes.Concat(passwordBytes).ToArray();
var hashAlgorithm = HashAlgorithm.Create(record.HashAlgorithm);
var hashBytes = hashAlgorithm.ComputeHash(combinedBytes);
record.PasswordFormat = MembershipPasswordFormat.Hashed;
record.Password = Convert.ToBase64String(hashBytes);
record.PasswordSalt = Convert.ToBase64String(saltBytes);
}
private static void SetPasswordEncrypted(UserRecord record, string password)
{
throw new NotImplementedException();
}