better password checking

WeylonSantana · WeylonSantana · commit a043ba1170e1 · 2025-01-14T16:48:39.000-03:00
diff --git a/Intersect (Core)/Security/PasswordUtils.cs b/Intersect (Core)/Security/PasswordUtils.cs
@@ -9,4 +9,7 @@ public static string ComputePasswordHash(string password)
     {
         return BitConverter.ToString(SHA256.HashData(Encoding.UTF8.GetBytes(password ?? string.Empty))).Replace("-", string.Empty);
     }
+
+    public static bool IsValidClientPasswordHash(string? hashToValidate) =>
+            hashToValidate is { Length: 64 } && hashToValidate.All(char.IsAsciiHexDigit);
 }
diff --git a/Intersect.Server/Web/RestApi/Routes/V1/UserController.cs b/Intersect.Server/Web/RestApi/Routes/V1/UserController.cs
@@ -2,6 +2,7 @@
 using System.Text.RegularExpressions;
 using Intersect.Enums;
 using Intersect.GameObjects;
+using Intersect.Security;
 using Intersect.Server.Collections.Indexing;
 using Intersect.Server.Collections.Sorting;
 using Intersect.Server.Database;
@@ -99,7 +100,7 @@ public IActionResult RegisterUser([FromBody] UserInfoRequestBody user)
                 return BadRequest($@"Invalid username '{user.Username}'.");
             }
 
-            if (!Regex.IsMatch(user.Password?.ToUpperInvariant()?.Trim(), "^[0-9A-Fa-f]{64}$", RegexOptions.Compiled))
+            if (PasswordUtils.IsValidClientPasswordHash(user.Password))
             {
                 return BadRequest(@"Did not receive a valid password.");
             }
@@ -390,7 +391,7 @@ public IActionResult ValidatePassword(LookupKey lookupKey, [FromBody] PasswordVa
                 return BadRequest(@"No password provided.");
             }
 
-            if (!Regex.IsMatch(data.Password?.ToUpperInvariant()?.Trim(), "^[0-9A-Fa-f]{64}$", RegexOptions.Compiled))
+            if (PasswordUtils.IsValidClientPasswordHash(data.Password))
             {
                 return BadRequest(@"Did not receive a valid password.");
             }

Original file line number	Diff line number	Diff line change
`@@ -9,4 +9,7 @@ public static string ComputePasswordHash(string password)`
`9`	`9`	`{`
`10`	`10`	`return BitConverter.ToString(SHA256.HashData(Encoding.UTF8.GetBytes(password ?? string.Empty))).Replace("-", string.Empty);`
`11`	`11`	`}`
	`12`	`+`
	`13`	`+ public static bool IsValidClientPasswordHash(string? hashToValidate) =>`
	`14`	`+ hashToValidate is { Length: 64 } && hashToValidate.All(char.IsAsciiHexDigit);`
`12`	`15`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@`
`2`	`2`	`using System.Text.RegularExpressions;`
`3`	`3`	`using Intersect.Enums;`
`4`	`4`	`using Intersect.GameObjects;`
	`5`	`+using Intersect.Security;`
`5`	`6`	`using Intersect.Server.Collections.Indexing;`
`6`	`7`	`using Intersect.Server.Collections.Sorting;`
`7`	`8`	`using Intersect.Server.Database;`
`@@ -99,7 +100,7 @@ public IActionResult RegisterUser([FromBody] UserInfoRequestBody user)`
`99`	`100`	`return BadRequest($@"Invalid username '{user.Username}'.");`
`100`	`101`	`}`
`101`	`102`
`102`		`- if (!Regex.IsMatch(user.Password?.ToUpperInvariant()?.Trim(), "^[0-9A-Fa-f]{64}$", RegexOptions.Compiled))`
	`103`	`+ if (PasswordUtils.IsValidClientPasswordHash(user.Password))`
`103`	`104`	`{`
`104`	`105`	`return BadRequest(@"Did not receive a valid password.");`
`105`	`106`	`}`
`@@ -390,7 +391,7 @@ public IActionResult ValidatePassword(LookupKey lookupKey, [FromBody] PasswordVa`
`390`	`391`	`return BadRequest(@"No password provided.");`
`391`	`392`	`}`
`392`	`393`
`393`		`- if (!Regex.IsMatch(data.Password?.ToUpperInvariant()?.Trim(), "^[0-9A-Fa-f]{64}$", RegexOptions.Compiled))`
	`394`	`+ if (PasswordUtils.IsValidClientPasswordHash(data.Password))`
`394`	`395`	`{`
`395`	`396`	`return BadRequest(@"Did not receive a valid password.");`
`396`	`397`	`}`