I am implementing the asp.net core identity library in the minimal API project, and the user table's PasswordHash field performs its default hashing and salt but I want to perform my custom hashing and salting password. So, how can I change the type of PasswordHash from "string" to "byte[]"
Also, the PasswordHash field should not implement any default hashing mechanism
CodePudding user response:
I did something like this
on registration
private void CreatePasswordHash(string Password, out byte[] PasswordHash, out byte[] PasswordSalt)
{
using (var hmac = new HMACSHA512())
{
PasswordSalt = hmac.Key;
PasswordHash = hmac.ComputeHash(Encoding.UTF8.GetBytes(Password));
}
}
Then,
public async Task<ServiceResponse<AspNetUsers>> AddUser(AddUserDto user)
{
var ServiceResponse = new ServiceResponse<AspNetUsers>();
AspNetUsers Users = _mapper.Map<AspNetUsers>(user);
try
{
if (await UserExist(Users.UserName))
{
ServiceResponse.Success = false;
ServiceResponse.Message = "User Already Exist";
return ServiceResponse;
}
CreatePasswordHash(Users.PasswordHash, out byte[] PasswordMade, out byte[] PasswordSalt);
Users.Id = CommonCode.NewGUID();
Users.SecurityStamp = CommonCode.NewGUID();
Users.ConcurrencyStamp = CommonCode.NewGUID();
Users.PasswordHash = Convert.ToBase64String(PasswordMade);
Users.PasswordSalt = PasswordSalt;
var AddUser = await _context.Users.AddAsync(Users);
await _context.SaveChangesAsync();
ServiceResponse.Data = await _context.Users.SingleAsync(x => x.Id == Users.Id);
ServiceResponse.Success = true;
ServiceResponse.Message = "User successfully added!";
}
catch (Exception ex)
{
ServiceResponse.Success = false;
ServiceResponse.Message = ex.Message;
}
return ServiceResponse;
}
at the time of login, I did something like this.
private bool VerifyPasswordHash(string password, byte[] passwordHash, byte[] passwordSalt)
{
using (var hmac = new HMACSHA512(passwordSalt))
{
var computeHash = hmac.ComputeHash(Encoding.UTF8.GetBytes(password));
for (int i = 0; i < computeHash.Length; i )
{
if (computeHash[i] != passwordHash[i])
{
return false;
}
}
return true;
}
}
then,
public async Task<ServiceResponse<string>> Login(LoginInformation Credentials)
{
var ServiceResponse = new ServiceResponse<string>();
try
{
var User = await _context.Users.FirstOrDefaultAsync(x => x.Email.ToLower() == Credentials.Email.ToLower());
if(User == null){
ServiceResponse.Success = false;
ServiceResponse.Message = "User not found.";
}
else
if(!VerifyPasswordHash(Credentials.Password, Convert.FromBase64String(User.PasswordHash), User.PasswordSalt))
{
ServiceResponse.Success = false;
ServiceResponse.Message = "Username Or Password Is Incorrect";
}
else{
ServiceResponse.Data = "Login success";
ServiceResponse.Success = true;
ServiceResponse.Message = "Login is Successfull!";
}
}
catch (Exception ex)
{
ServiceResponse.Data = string.Empty;
ServiceResponse.Success = false;
ServiceResponse.Message = ex.Message;
}
return ServiceResponse;
}