AuthProviderExtensions.VerifyPassword rehash problem

Hello mythz!

If I increase the PasswordHasher iteration count, the passwordHasher.VerifyPassword needsRehash parameter returns true, but the AuthProviderExtensions.VerifyPassword function does not use it. As a result, the password is not rehashed.

This is your current code: https://github.com/ServiceStack/ServiceStack/blob/4f25840bba7d80eb3cb8797c4117850fc5da22c5/ServiceStack/src/ServiceStack/Auth/AuthProviderExtensions.cs#L192

if (passwordHasher.VerifyPassword(userAuth.PasswordHash, providedPassword, out needsRehash))
{
  needsRehash = HostContext.Config.UseSaltedHash;
  return true;
}

I think this would be correct:

if (passwordHasher.VerifyPassword(userAuth.PasswordHash, providedPassword, out needsRehash))
{
  needsRehash = HostContext.Config.UseSaltedHash || needsRehash;
  return true;
}

What do you think?

Thank you,
Tom

Yeah that makes more sense, updated in this commit.

Unfortunately MyGet isn’t working again so I’ve published v6.8.1+ packages with this fix to GitHub Packages.
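The behaviour discussed in this thread, as an added example that is not ServiceStack's code or part of either post: a hasher stores its iteration count with the hash, the work factor is raised afterwards, and the two assignments from the thread are compared. DemoHasher, its "iterations.salt.key" storage format, the iteration values, the sample password and the keepHasherResult switch are all assumptions made for the illustration.

```csharp
using System;
using System.Security.Cryptography;

// Added illustration, not ServiceStack code; DemoHasher and its storage format are hypothetical.
static class DemoHasher
{
    public static int Iterations = 10_000; // constructed work factor
    static byte[] Derive(string pw, byte[] salt, int iterations) =>
        Rfc2898DeriveBytes.Pbkdf2(pw, salt, iterations, HashAlgorithmName.SHA256, 32);
    public static string Hash(string pw)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(Derive(pw, salt, Iterations))}";
    }
    // needsRehash: the password matched, but the stored hash used fewer iterations than configured now.
    public static bool Verify(string stored, string pw, out bool needsRehash)
    {
        needsRehash = false;
        string[] p = stored.Split('.');
        if (p.Length != 3 || !int.TryParse(p[0], out int n) || n <= 0) return false;
        byte[] expected = Convert.FromBase64String(p[2]);
        if (expected.Length != 32) return false; // reject empty or truncated keys
        if (!CryptographicOperations.FixedTimeEquals(Derive(pw, Convert.FromBase64String(p[1]), n), expected)) return false;
        needsRehash = n < Iterations;
        return true;
    }
}

static class Program
{
    // useSaltedHash stands in for HostContext.Config.UseSaltedHash; keepHasherResult selects
    // between the two assignments quoted in the thread (overwrite vs. OR).
    static bool VerifyPassword(string stored, string pw, bool useSaltedHash, bool keepHasherResult, out bool needsRehash)
    {
        if (!DemoHasher.Verify(stored, pw, out needsRehash)) return false;
        needsRehash = keepHasherResult ? (useSaltedHash || needsRehash) : useSaltedHash;
        return true;
    }

    static void Main()
    {
        const string pw = "correct horse battery staple"; // constructed sample password
        string stored = DemoHasher.Hash(pw);               // stored at the old work factor
        DemoHasher.Iterations = 50_000;                    // work factor raised afterwards
        VerifyPassword(stored, pw, false, false, out bool overwritten);
        VerifyPassword(stored, pw, false, true, out bool combined);
        Console.WriteLine($"overwrite: needsRehash={overwritten}; combined: needsRehash={combined}");
        if (combined) stored = DemoHasher.Hash(pw);        // upgrade while the plaintext is in hand
    }
}
```

A successful login is the only point at which the plaintext is available to re-derive the hash, so a dropped needsRehash signal leaves existing accounts on the old iteration count until their passwords are changed.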