I recently updated my .NET Core ServiceStack version from 1.0.41 to 5.7.0 and there seems to be a breaking change with passwords.
I have a somewhat custom implementation of OrmLiteAuthRepository, and if it’s nothing obvious I can get into that. But here is what I am seeing in the database:
Salt or DigestHa1Hash is no longer populated when creating a user, and PasswordHash is much longer now. When I try to log in as the new user it fails, but old users still work.
These changes were made in 2017 and are covered by the v5 release notes, when ServiceStack adopted ASP.NET Identity v3’s much stronger password hashing, where the password hash, version and iterations/strength are maintained in a single field. This is why Salt is no longer populated, which can be used as an indication of which Users are using the new password hashing algorithm, which happens transparently when users re-authenticate after upgrading to v5.
This shouldn’t be a breaking change. If new users can’t log in it would be because your custom OrmLiteAuthRepository implementation needs to change to use the password verification APIs, i.e.:
    if (userAuth.VerifyPassword(password, out var needsRehash))
    {
        this.RecordSuccessfulLogin(userAuth, needsRehash, password);
        return true;
    }
Which uses the IPasswordHasher interface for hashing new passwords behind-the-scenes. This is used by all built-in Auth Providers, please refer to the latest version of OrmLiteAuthRepository to reconcile your custom implementation to use the above methods.
They’re now only created when needed, since Digest Auth password hashes rely on a much weaker MD5 hash and should only be maintained when they’re actually needed, i.e. if you’re using the DigestAuthProvider; otherwise they’re not used. From the release notes:
Digest Auth Hashes are now only populated if the DigestAuthProvider is registered. If you ever intend to support Digest access authentication in future but don’t want to register the DigestAuthProvider just yet, you can force ServiceStack to continue to maintain Digest Auth Hashes with:
    new AuthFeature {
        CreateDigestAuthHashes = true
    }
Users that don’t have Digest Auth Hashes will need to log in again in order to have them populated. If you don’t intend to use Digest Auth you can clear the DigestHa1Hash column in your UserAuth table, which is otherwise unused.
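To make the mechanics behind the answer concrete (a single self-describing hash field versus separate Salt/PasswordHash columns, and the needsRehash flag driving a transparent upgrade on the next successful login), here is an added illustration in Python. It is not ServiceStack’s code: the legacy salted-SHA-256 scheme is a constructed stand-in for the pre-v5 Salt + PasswordHash columns, and the new format is modelled on the ASP.NET Identity v3 layout (version byte, PRF id, iteration count, salt length, salt, PBKDF2 subkey), which is an assumption about the byte layout rather than something taken from the forum post.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Self-describing hash format modelled on ASP.NET Identity v3 (assumption):
#   0x01 | prf(uint32 BE) | iterations(uint32 BE) | salt_len(uint32 BE) | salt | subkey
PRF_HMACSHA256 = 1
CURRENT_ITERATIONS = 10000   # the "strength" the repository currently wants
SALT_LEN = 16
SUBKEY_LEN = 32
HEADER_LEN = 13              # 1 version byte + three uint32 fields


def hash_password_v3(password: str, iterations: int = CURRENT_ITERATIONS,
                     salt: Optional[bytes] = None) -> bytes:
    """Produce one field that carries version, iterations and salt together."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    subkey = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, SUBKEY_LEN)
    return b"\x01" + struct.pack(">III", PRF_HMACSHA256, iterations, len(salt)) + salt + subkey


def verify_password_v3(stored: bytes, password: str) -> Tuple[bool, bool]:
    """Return (ok, needs_rehash). Iterations are read from the field itself,
    so a row hashed with a weaker setting is flagged for rehash on success."""
    if len(stored) < HEADER_LEN or stored[0] != 0x01:
        return False, False
    prf, iterations, salt_len = struct.unpack(">III", stored[1:HEADER_LEN])
    if prf != PRF_HMACSHA256:
        return False, False
    salt = stored[HEADER_LEN:HEADER_LEN + salt_len]
    expected = stored[HEADER_LEN + salt_len:]
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, len(expected))
    ok = hmac.compare_digest(actual, expected)
    return ok, ok and iterations < CURRENT_ITERATIONS


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Constructed stand-in for the old two-column (Salt + PasswordHash) scheme."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


@dataclass
class UserAuth:
    """Minimal model of a UserAuth row; Salt is only set on legacy-hashed rows."""
    user_name: str
    password_hash: bytes
    salt: Optional[bytes] = None


def verify_password(user: UserAuth, password: str) -> Tuple[bool, bool]:
    """Mirror of the VerifyPassword(password, out needsRehash) idea from the answer."""
    if user.salt is not None:
        # A populated Salt column means the row still uses the legacy scheme,
        # so a successful login must always trigger a rehash.
        ok = hmac.compare_digest(legacy_hash(password, user.salt), user.password_hash)
        return ok, ok
    return verify_password_v3(user.password_hash, password)


def try_authenticate(user: UserAuth, password: str) -> bool:
    """On success, upgrade the stored hash in place when needs_rehash is set.
    The plaintext is only available at login time, which is why the migration
    happens 'transparently when users re-authenticate'."""
    ok, needs_rehash = verify_password(user, password)
    if ok and needs_rehash:
        user.password_hash = hash_password_v3(password)
        user.salt = None          # Salt column goes empty, marking the row as migrated
    return ok
```

Running try_authenticate on a legacy row with the correct password leaves it with an empty Salt and a 0x01-prefixed PasswordHash, exactly the database symptom described in the question; a wrong password leaves the row untouched, so a failed attempt never alters stored credentials.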