在我的asp.net核心应用程序中,我想实现忘记密码的情况(添加新密码并更新db中的哈希和盐)。当我保存用户时,它将创建用户名,密码哈希和密码盐。我自己不存储密码。我正在使用HMACSHA512进行密码哈希处理。
[我的创建用户方案如下:
public async Task<User> CreateUser(User user, string password, int organizationId)
{
CreatePasswordHash(password, out byte[] passwordHash, out byte[] passwordSalt);
user.PasswordHash = passwordHash;
user.PasswordSalt = passwordSalt;
user.Role = UserRole.User;
await _context.Users.AddAsync(user);
await _context.SaveChangesAsync();
return user;
}
private void CreatePasswordHash(string password, out byte[] passwordHash, out byte[]
passwordSalt)
{
using var hmac = new HMACSHA512();
passwordSalt = hmac.Key;
passwordHash = hmac.ComputeHash(Encoding.UTF8.GetBytes(password));
}
登录场景如下:
public async Task<User> Login(string username, string password)
{
var user = await _context.Users.FirstOrDefaultAsync(x => x.Username == username);
if (user == null)
return null;
return !VerifyPasswordHash(password, user.PasswordHash, user.PasswordSalt) ? null :
user;
}
private bool VerifyPasswordHash(string password, byte[] passwordHash, byte[]
passwordSalt)
{
using var hmac = new HMACSHA512(passwordSalt);
var computedHash = hmac.ComputeHash(Encoding.UTF8.GetBytes(password));
return !computedHash.Where((t, i) => t != passwordHash[i]).Any();
}
有几种方法可以选择
HTH