Geek Answers Handbook

What is all that SetPasswordHashAsync has to do in IPasswordStore in MVC 5?

I am a little confused trying to implement IPasswordStore in the new asp.net mvc 5. I want to use my own ORM.

Take this familiar piece of code from the secure AccountController, which runs when the register screen is used in the sample project.

public async Task<ActionResult> Register(RegisterViewModel model) { if (ModelState.IsValid) { var user = new ApplicationUser() { UserName = model.UserName }; var result = await UserManager.CreateAsync(user, model.Password); if (result.Succeeded) { await SignInAsync(user, isPersistent: false); return RedirectToAction("Index", "Home"); } else { AddErrors(result); } } // If we got this far, something failed, redisplay form return View(model); } 

  var result = await UserManager.CreateAysnc(user, model.Password)

the string first calls the IPasswordStore function

  public Task SetPasswordHashAsync(TUser user, string passwordHash)

without first call from IUserStore

  public Task CreateAsync(TUser user)

How to set password hash if user is not already created in db? In addition, we don’t even know if we can create the proposed β€œuser” because we did not check if the username was executed using

  public Task<TUser> FindByNameAsync(string userNameIn)

which is called right after.

Any ideas?

+8
asp.net-mvc-5
source share
3 answers

You are correct in noting that you probably should not keep the password hash for the user until the user is created. You can save the password hash in a place that will be canceled if the user is not created at all. The password should not be stored until the user is created and saved, i.e. In CreateAsync(TUser user) .

IdentityUser in the EntityFramework implementation will be such a place, and this will allow you to store both user and password information in the CreateAsync method. I'm not saying that you should reference the Identity.EntityFramework assembly, simply saying that one of the possible solutions is a User object that has both User and PasswordHash information like IdentityUser.

+2
source share

Always set the password hash property of your user object in the body of the IUserPasswordStore.SetPasswordHashAsync method, since the IUser interface IUser not define the property, so the UserManager cannot set it. If you do, then update the user database entry, if the user exists, you can add a password hash when you finally create your user in the IUserStore.CreateAsync method.

This principle also works for the IUserSecurityStampStore.SetSecurityStampAsync method.

+1
source share

Well, I was there, downloaded the source code for ASP.NET Identity from Git, and found:

 public virtual async Task<IdentityResult> CreateAsync(TUser user, string password) { ThrowIfDisposed(); var passwordStore = GetPasswordStore(); if (user == null) { throw new ArgumentNullException("user"); } if (password == null) { throw new ArgumentNullException("password"); } var result = await UpdatePasswordHash(passwordStore, user, password); if (!result.Succeeded) { return result; } return await CreateAsync(user); }

If you provide your own, then at a minimum it should be as secure as the out-of-the-box solution. when I implemented mine, I looked at each function and implemented my own custom layer and data classes.

I ended up implementing quite some code, which otherwise I would not have, regarding hashing your users. Passwords I am a user, something similar to Cespry's Answer . Call me paranoid, don't like to use the default salt for my passwords ....

0
source share

More articles:


All Articles