How to compare password by SS

benhaben · July 21, 2015, 12:03pm

Hi，
I use UserAuth to create user，and now i want to user to reset their password, before reset password, i want to compare the old password(has encrypted) and the user’s input password（raw string）.

Could you tell me how to compare password by SS？

benhaben · July 21, 2015, 12:30pm

github.com

ServiceStack/ServiceStack/blob/master/src/ServiceStack/Auth/SaltedHash.cs

using System;
using System.Security.Cryptography;
using System.Text;
using ServiceStack.Text;

namespace ServiceStack.Auth
{
    public interface IHashProvider
    {
        void GetHashAndSaltString(string Data, out string Hash, out string Salt);
        bool VerifyHashString(string Data, string Hash, string Salt);
    }

    /// <summary>
    /// Thank you Martijn
    /// http://www.dijksterhuis.org/creating-salted-hash-values-in-c/
    /// 
    /// Stronger/Slower Alternative: 
    /// https://github.com/defuse/password-hashing/blob/master/PasswordStorage.cs
    /// </summary>

This file has been truncated. show original

i find this gist

balexandre · July 21, 2015, 12:32pm

in the TryAuthenticate method (you can search in Git) you see such call:

var saltedHash = HostContext.Resolve<IHashProvider>();
return saltedHash.VerifyHashString(password, userAuth.PasswordHash, userAuth.Salt);

where saltedHash can be new SaltedHash(); it always depend on the method that you used to create the password in the first place.

this will return true is the password is a match.

if you are using an AuthRepository you might be better just call the method yourself:

IUserAuth userAuth = null;
var authRepo = ServiceLocator.Current.GetInstance<MyAuthRepository>();
if(!authRepo.TryAuthenticate(userName, password, out userAuth)) {
  throw new Exception("User mismatch");
}

// you have the user as userAuth, and you can use that object to update the new password with a call to UpdateUserAuth()