Store and compare passwords as hash to improve system security

Directory.Build.props

@@ -1,7 +1,7 @@
 <Project>
   <Import Project="dependencies.props" />
   <PropertyGroup>
-    <Version>1.1.1</Version>
+    <Version>1.1.2</Version>
     <Authors>Tudor Stanciu</Authors>
     <Company>STA</Company>
     <PackageTags>IdentityServer</PackageTags>

IdentityServer.Application/DependencyInjectionExtensions.cs

@@ -12,6 +12,7 @@ namespace IdentityServer.Application
         {
             services.AddStores();
             services.AddSingleton<IConfigProvider, ConfigProvider>();
+            services.AddSingleton<IHashingService, HashingService>();
             services.AddSingleton<ITokenService, TokenService>();
             services.AddScoped<IUserService, UserService>();
             services.AddSingleton<IBehaviorService, BehaviorService>();

IdentityServer.Application/Services/Abstractions/IHashingService.cs

@@ -0,0 +1,11 @@
+namespace IdentityServer.Application.Services.Abstractions
+{
+    internal interface IHashingService
+    {
+        string HashMd5(string text);
+        string HashSha1(string text);
+        string HashSha256(string text);
+        string HashSha384(string text);
+        string HashSha512(string text);
+    }
+}

IdentityServer.Application/Services/HashingService.cs

@@ -0,0 +1,59 @@
+using IdentityServer.Application.Services.Abstractions;
+using System;
+using System.Security.Authentication;
+using System.Security.Cryptography;
+
+namespace IdentityServer.Application.Services
+{
+    internal class HashingService : IHashingService
+    {
+        public string HashMd5(string text) => Hash(text, HashAlgorithmType.Md5);
+        public string HashSha1(string text) => Hash(text, HashAlgorithmType.Sha1);
+        public string HashSha256(string text) => Hash(text, HashAlgorithmType.Sha256);
+        public string HashSha384(string text) => Hash(text, HashAlgorithmType.Sha384);
+        public string HashSha512(string text) => Hash(text, HashAlgorithmType.Sha512);
+
+        private string Hash(string text, HashAlgorithmType algorithm)
+        {
+            if (string.IsNullOrEmpty(text))
+                throw new ArgumentException("Cannot hash null value.", nameof(text));
+
+            using (var sha = GetHashAlgorithm(algorithm))
+            {
+                byte[] textData = System.Text.Encoding.UTF8.GetBytes(text);
+                byte[] hash = sha.ComputeHash(textData);
+
+                var str = BitConverter.ToString(hash);
+
+                return str.Replace("-", String.Empty);
+            }
+        }
+
+        private HashAlgorithm GetHashAlgorithm(HashAlgorithmType algorithmType)
+        {
+            switch (algorithmType)
+            {
+                case HashAlgorithmType.None:
+                    throw new ArgumentException("Do not use this method with HashAlgorithmType.None.", nameof(algorithmType));
+
+                case HashAlgorithmType.Md5:
+                    return MD5.Create();
+
+                case HashAlgorithmType.Sha1:
+                    return SHA1.Create();
+
+                case HashAlgorithmType.Sha256:
+                    return SHA256.Create();
+
+                case HashAlgorithmType.Sha384:
+                    return SHA384.Create();
+
+                case HashAlgorithmType.Sha512:
+                    return SHA512.Create();
+
+                default:
+                    throw new NotImplementedException($"HashAlgorithmType {algorithmType} is not implemented.");
+            }
+        }
+    }
+}

IdentityServer.Application/Services/UserService.cs

@@ -1,4 +1,5 @@
-using IdentityServer.Application.Stores;
+using IdentityServer.Application.Services.Abstractions;
+using IdentityServer.Application.Stores;
 using IdentityServer.Domain.Abstractions;
 using IdentityServer.Domain.Entities;
 using IdentityServer.Domain.Models;
@@ -14,18 +15,21 @@ namespace IdentityServer.Application.Services
         private readonly IIdentityRepository _identityRepository;
         private readonly ITokenService _tokenService;
         private readonly IConfigProvider _configProvider;
+        private readonly IHashingService _hashingService;
 
-        public UserService(ITokenStore securityStore, IIdentityRepository identityRepository, ITokenService tokenService, IConfigProvider configProvider)
+        public UserService(ITokenStore securityStore, IIdentityRepository identityRepository, ITokenService tokenService, IConfigProvider configProvider, IHashingService hashingService)
         {
-            _securityStore = securityStore;
+            _securityStore=securityStore;
-            _identityRepository = identityRepository;
+            _identityRepository=identityRepository;
-            _tokenService = tokenService;
+            _tokenService=tokenService;
-            _configProvider = configProvider;
+            _configProvider=configProvider;
+            _hashingService=hashingService;
         }
 
         public async Task<Token> Authenticate(string userName, string password)
         {
-            var user = await _identityRepository.GetUser(userName, password);
+            var passwordHash = _hashingService.HashSha256(password);
+            var user = await _identityRepository.GetUser(userName, passwordHash);
             var valid = ValidateUser(user);
             if (!valid)
                 return null;

ReleaseNotes.xml

@@ -34,6 +34,13 @@
     <Version>1.1.1</Version>
     <Content>
       ◾ Added NDB.Infrastructure.DatabaseMigration
+      ◾ Organized sql scripts to meet database migrator requirements
+	</Content>
+  </Note>
+  <Note>
+    <Version>1.1.2</Version>
+    <Content>
+      ◾ Store and compare passwords as hash to improve system security
 	</Content>
   </Note>
 </ReleaseNotes>