时间戳

首页 > 解决方案 > 为什么 ASP.NET Core 密码验证规则不起作用?

c# - 为什么 ASP.NET Core 密码验证规则不起作用?

问题描述

我正在使用 ASP.NET Core Identity 在使用Dapper ORM的自定义数据访问层之上构建一个 ASP.NET Core 5 Web API 。从根本上说,事情按预期工作,但我意识到身份框架提供的密码验证规则没有任何效果,我不明白发生了什么。这是我所拥有的:

首先,因为我依赖于自定义数据访问层,所以我提供了 IdentityIUserStore接口的自定义实现。

public class UserStore : IUserStore<AppUser>,
                         IUserPasswordStore<AppUser>,
                         IUserEmailStore<AppUser>
{
  private IRepository<AppUser> _repository;

  public UserStore(IConfiguration configuration)
  {
    _repository = new AppUserRepository(configuration.GetConnectionString("MyConnectionString"));
  }

  // IUserStore implementation
  // IUserPasswordStore implementation
  // IUserEmailStore implementation
}

接下来,有一个绑定模型,用于提交创建新帐户所需的信息。

public class RegisterBindingModel
{
  [Required]
  [Display(Name = "UserName")]
  public string UserName
  {
    get;
    set;
  }

  [Required]
  [DataType(DataType.Password)]
  [Display(Name = "Password")]
  public string Password
  {
    get;
    set;
  }

  [DataType(DataType.Password)]
  [Display(Name = "Confirm password")]
  [Compare(nameof(Password), ErrorMessage = "The password and confirmation password do not match.")]
  public string ConfirmPassword
  {
    get;
    set;
  }

  // remaining required properties
}

接下来,通过以下方式创建新帐户AccountController

[Authorize]
[ApiController]
[Route("api/Accounts")]
public class AccountController
{
  private readonly UserManager<AppUser>     _userManager;
  private readonly IPasswordHasher<AppUser> _passwordHasher;

  public AccountController(UserManager<AppUser> userManager, IPasswordHasher<AppUser> passwordHasher)
  {
    _userManager    = userManager;
    _passwordHasher = passwordHasher;
  }

  [AllowAnonymous]
  [HttpPost]
  [Route("Register")]
  public async Task<ActionResult> Register([FromBody]RegisterBindingModel model)
  {
    if(model == null)
    {
      return BadRequest();
    }

    if(!ModelState.IsValid)
    {
      return BadRequest(ModelState);
    }

    var user = new AppUser()
    {
      UserName  = model.UserName,
      Firstname = model.Firstname,
      Lastname  = model.Lastname,
      Email     = model.Email,
      Gender    = model.Gender
    };

    user.PasswordHash     = _passwordHasher.HashPassword(user, model.Password);
    IdentityResult result = await _userManager.CreateAsync(user);

    return GetHttpResponse(result);
  }

  [AllowAnonymous]
  [HttpPost]
  [Route("Token")]
  public async Task<IActionResult> Login([FromForm]LoginBindingModel model)
  {
    if(model == null)
    {
      return BadRequest();
    }

    if(!ModelState.IsValid)
    {
      return BadRequest(ModelState);
    }

    AppUser user = await _userManager.FindByNameAsync(model.UserName);

    if(user == null || !await _userManager.CheckPasswordAsync(user, model.Password))
    {
      return Unauthorized();
    }

    DateTime                currentTime     = DateTime.UtcNow;
    JwtSecurityTokenHandler jwtTokenHandler = new();
    SecurityTokenDescriptor tokenDescriptor = new()
    {
      Subject            = new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, user.AppUserId.ToString()) }),
      IssuedAt           = currentTime,
      Expires            = currentTime.AddHours(_accessTokenValidityInHours),
      SigningCredentials = _signingCredentialsProvider.GetSigningCredentials()
    };

    return Ok(jwtTokenHandler.WriteToken(jwtTokenHandler.CreateToken(tokenDescriptor)));
  }

  ...
}

最后,事情是按如下方式连接在一起的:

public class Startup
{
  public Startup(IConfiguration configuration)
  {
    Configuration = configuration;
  }

  public IConfiguration Configuration
  {
    get;
  }

  public void ConfigureServices(IServiceCollection services)
  {
    services.AddIdentityCore<AppUser>(options => Configuration.GetSection(nameof(IdentityOptions)).Bind(options));
    services.AddScoped<IPasswordHasher<AppUser>, Identity.PasswordHasher<AppUser>>();
    services.AddTransient<IUserStore<AppUser>, UserStore>();
    ...
  }
}

相应的设置存储在appsettings.json文件中:

{
  "IdentityOptions": {
    "Password": {
      "RequiredLength": 6,
      "RequiredUniqueChars": 6,
      "RequireNonAlphanumeric": true,
      "RequireUppercase": true,
      "RequireLowercase": true,
      "RequireDigit": true
    },
    "Lockout": {
      "AllowedForNewUsers": true,
      "MaxFailedAccessAttempts ": 5,
      "DefaultLockoutTimeSpan ": "00:05:00"
    }
  },
  ...
}

如果我发送带有必要帐户数据的 HTTP POST 请求,那么密码是什么实际上并不重要。即使我只是1输入明显违反密码规则的密码,调用也会成功。该声明if(!ModelState.IsValid)愉快地告诉我,该模型一切正常。

据我所见,ASP.NET Core Identity 提供了一个PasswordValidator,它显然应该根据提供的设置来验证密码。从我得到的结果来看,该验证器没有在我的设置中运行。

我不清楚事情是否应该按原样工作,或者我是否需要实施一些我不知道的事情。有没有人有更多的见解,可以告诉我我在这里缺少什么?

编辑:

我刚刚意识到默认UserManager公开了一个IPasswordValidator对象列表。我的想法是使用该列表来验证我的Register方法中的密码AccountController吗?

标签: c#.netasp.net-coreasp.net-identity

解决方案

if(!ModelState.IsValid)没有看到任何错误的原因在于Password您的模型中的参数RegisterBindingModel不包含与您的 appsettings.json 上的选项相同的验证,您只需验证它是必需的(所以一个字符是可以的)。

如果要进行相同的验证,则需要在Password参数上添加更多属性。我建议你看看这个https://docs.microsoft.com/en-us/aspnet/core/mvc/models/validation?view=aspnetcore-5.0

推荐阅读