refactor: refactor password handling to use BCrypt

raffreitas · Dec 30, 2024 · b29aa0f · b29aa0f
1 parent 2c8c0eb
commit b29aa0f
Show file tree

Hide file tree

Showing 15 changed files with 30 additions and 66 deletions.
diff --git a/src/MyRecipes.API/appsettings.Development.json b/src/MyRecipes.API/appsettings.Development.json
@@ -9,9 +9,6 @@
     "DefaultConnection": "Server=localhost;Database=myrecipes;Uid=root;Pwd=root"
   },
   "Settings": {
-    "Passwords": {
-      "AdditionalKey": "abcde"
-    },
     "Jwt": {
       "SigningKey": "d1c512a6-96cc-47fd-9c2a-1f9261d7e80a",
       "ExpirationTimeMinutes": 480

diff --git a/src/MyRecipes.API/appsettings.Test.json b/src/MyRecipes.API/appsettings.Test.json
@@ -7,9 +7,6 @@
   },
   "InMemoryTest": true,
   "Settings": {
-    "Passwords": {
-      "AdditionalKey": "ABC1234"
-    },
     "Jwt": {
       "SigningKey": "824bb0dc-84dc-4fe9-bfb2-9ee4b14d7376",
       "ExpirationTimeMinutes": 5

diff --git a/src/MyRecipes.Application/UseCases/Login/DoLogin/DoLoginUseCase.cs b/src/MyRecipes.Application/UseCases/Login/DoLogin/DoLoginUseCase.cs
@@ -24,9 +24,10 @@ public DoLoginUseCase(IUserReadOnlyRepository userReadOnlyRepository,
 
     public async Task<ResponseRegisteredUserJson> Execute(RequestLoginJson request)
     {
-        var encryptedPassword = _passwordEncripter.Encrypt(request.Password);
+        var user = await _userReadOnlyRepository.GetByEmail(request.Email);
 
-        var user = await _userReadOnlyRepository.GetByEmailAndPassword(request.Email, encryptedPassword) ?? throw new InvalidLoginException();
+        if (user is null || !_passwordEncripter.IsValid(request.Password, user.Password))
+            throw new InvalidLoginException();
 
         return new ResponseRegisteredUserJson
         {

diff --git a/src/MyRecipes.Application/UseCases/User/ChangePassword/ChangePasswordUseCase.cs b/src/MyRecipes.Application/UseCases/User/ChangePassword/ChangePasswordUseCase.cs
@@ -1,4 +1,5 @@
 using FluentValidation.Results;
+
 using MyRecipes.Communication.Requests;
 using MyRecipes.Domain.Repositories;
 using MyRecipes.Domain.Repositories.User;
@@ -45,13 +46,10 @@ private void Validate(RequestChangePasswordJson request, Domain.Entities.User lo
     {
         var result = new ChangePasswordUseCaseValidator().Validate(request);
 
-        var currentPasswordEncripted = _passwordEncripter.Encrypt(request.Password);
-
-        if (!currentPasswordEncripted.Equals(loggedUser.Password))
+        if (!_passwordEncripter.IsValid(request.Password, loggedUser.Password))
             result.Errors.Add(new ValidationFailure(string.Empty, ResourceMessagesExceptions.PASSWORD_DIFFERENT_CURRENT_PASSWORD));
 
         if (!result.IsValid)
             throw new ErrorOnValidationException([.. result.Errors.Select(e => e.ErrorMessage)]);
-
     }
 }
diff --git a/src/MyRecipes.Domain/Repositories/User/IUserReadOnlyRepository.cs b/src/MyRecipes.Domain/Repositories/User/IUserReadOnlyRepository.cs
@@ -4,6 +4,5 @@ public interface IUserReadOnlyRepository
 {
     public Task<bool> ExistsActiveUserWithWithEmail(string email);
     public Task<bool> ExistsActiveUserWithIdentifier(Guid userIdentifier);
-    public Task<Entities.User?> GetByEmailAndPassword(string email, string password);
     public Task<Entities.User?> GetByEmail(string email);
 }
diff --git a/src/MyRecipes.Domain/Security/Cryptography/IPasswordEncripter.cs b/src/MyRecipes.Domain/Security/Cryptography/IPasswordEncripter.cs
@@ -2,4 +2,5 @@
 public interface IPasswordEncripter
 {
     public string Encrypt(string password);
+    public bool IsValid(string password, string passwordHash);
 }
diff --git a/src/MyRecipes.Infrastructure/DataAccess/Repositories/UserRepository.cs b/src/MyRecipes.Infrastructure/DataAccess/Repositories/UserRepository.cs
@@ -18,14 +18,6 @@ internal class UserRepository : IUserWriteOnlyRepository, IUserReadOnlyRepositor
     public async Task<bool> ExistsActiveUserWithWithEmail(string email)
         => await _dbContext.Users.AnyAsync(user => user.Email.Equals(email) && user.Active);
 
-    public async Task<User?> GetByEmailAndPassword(string email, string password)
-    {
-        return await _dbContext
-            .Users
-            .AsNoTracking()
-            .FirstOrDefaultAsync(user => user.Active && user.Email.Equals(email) && user.Password.Equals(password));
-    }
-
     public async Task<User> GetById(long id)
     {
         return await _dbContext.Users.FirstAsync(user => user.Id == id);

diff --git a/src/MyRecipes.Infrastructure/DependencyInjectionExtension.cs b/src/MyRecipes.Infrastructure/DependencyInjectionExtension.cs
@@ -40,7 +40,7 @@ public static void AddInfrastructure(this IServiceCollection services, IConfigur
         AddRepositories(services);
         AddLoggedUser(services);
         AddTokens(services, configuration);
-        AddPasswordEncripter(services, configuration);
+        AddPasswordEncripter(services);
         AddOpenAI(services, configuration);
         AddStorage(services, configuration);
         AddQueue(services, configuration);
@@ -102,11 +102,9 @@ private static void AddLoggedUser(IServiceCollection services)
         services.AddScoped<ILoggedUser, LoggedUser>();
     }
 
-    private static void AddPasswordEncripter(IServiceCollection services, IConfiguration configuration)
+    private static void AddPasswordEncripter(IServiceCollection services)
     {
-        var additionalKey = configuration.GetValue<string>("Settings:Passwords:AdditionalKey");
-
-        services.AddScoped<IPasswordEncripter>(options => new Sha512Encripter(additionalKey!));
+        services.AddScoped<IPasswordEncripter, BCryptNet>();
     }
 
     private static void AddOpenAI(IServiceCollection services, IConfiguration configuration)

diff --git a/src/MyRecipes.Infrastructure/MyRecipes.Infrastructure.csproj b/src/MyRecipes.Infrastructure/MyRecipes.Infrastructure.csproj
@@ -13,6 +13,7 @@
   <ItemGroup>
     <PackageReference Include="Azure.Messaging.ServiceBus" Version="7.18.2" />
     <PackageReference Include="Azure.Storage.Blobs" Version="12.23.0" />
+    <PackageReference Include="BCrypt.Net-Next" Version="4.0.3" />
     <PackageReference Include="Dapper" Version="2.1.35" />
     <PackageReference Include="FluentMigrator" Version="6.2.0" />
     <PackageReference Include="FluentMigrator.Runner" Version="6.2.0" />

diff --git a/src/MyRecipes.Infrastructure/Security/Cryptography/BCryptNet.cs b/src/MyRecipes.Infrastructure/Security/Cryptography/BCryptNet.cs
@@ -0,0 +1,15 @@
+using MyRecipes.Domain.Security.Cryptography;
+
+namespace MyRecipes.Infrastructure.Security.Cryptography;
+internal class BCryptNet : IPasswordEncripter
+{
+    public string Encrypt(string password)
+    {
+        return BCrypt.Net.BCrypt.HashPassword(password);
+    }
+
+    public bool IsValid(string password, string passwordHash)
+    {
+        return BCrypt.Net.BCrypt.Verify(password, passwordHash);
+    }
+}
diff --git a/src/MyRecipes.Infrastructure/Security/Cryptography/Sha512Encripter.cs b/src/MyRecipes.Infrastructure/Security/Cryptography/Sha512Encripter.cs
diff --git a/tests/CommonTestsUtilities/Cryptography/PasswordEncripterBuilder.cs b/tests/CommonTestsUtilities/Cryptography/PasswordEncripterBuilder.cs
@@ -5,5 +5,5 @@ namespace CommonTestsUtilities.Cryptography;
 
 public class PasswordEncripterBuilder
 {
-    public static IPasswordEncripter Build() => new Sha512Encripter("ABC1234");
+    public static IPasswordEncripter Build() => new BCryptNet();
 }
diff --git a/tests/CommonTestsUtilities/Repositories/UserReadOnlyRepositoryBuilder.cs b/tests/CommonTestsUtilities/Repositories/UserReadOnlyRepositoryBuilder.cs
@@ -1,4 +1,5 @@
 using Moq;
+
 using MyRecipes.Domain.Entities;
 using MyRecipes.Domain.Repositories.User;
 
@@ -15,9 +16,9 @@ public void ExistsActiveUserWithEmail(string email)
         _repository.Setup(repository => repository.ExistsActiveUserWithWithEmail(email)).ReturnsAsync(true);
     }
 
-    public void GetByEmailAndPassword(User user)
+    public void GetByEmail(User user)
     {
-        _repository.Setup(repository => repository.GetByEmailAndPassword(user.Email, user.Password)).ReturnsAsync(user);
+        _repository.Setup(repository => repository.GetByEmail(user.Email)).ReturnsAsync(user);
     }
 
     public IUserReadOnlyRepository Build() => _repository.Object;

diff --git a/tests/UseCases.Tests/Login/DoLogin/DoLoginUseCaseTest.cs b/tests/UseCases.Tests/Login/DoLogin/DoLoginUseCaseTest.cs
@@ -52,7 +52,7 @@ private static DoLoginUseCase CreateUseCase(MyRecipes.Domain.Entities.User? user
         var accessTokenGenerator = JwtTokenGeneratorBuilder.Build();
 
         if (user is not null)
-            userReadOnlyRepositoryBuilder.GetByEmailAndPassword(user);
+            userReadOnlyRepositoryBuilder.GetByEmail(user);
 
         return new DoLoginUseCase(userReadOnlyRepositoryBuilder.Build(), passwordEncripter, accessTokenGenerator);
     }

diff --git a/tests/UseCases.Tests/User/ChangePassword/ChangePasswordUseCaseTest.cs b/tests/UseCases.Tests/User/ChangePassword/ChangePasswordUseCaseTest.cs
@@ -26,7 +26,6 @@ public async Task Success()
         await act.Should().NotThrowAsync();
 
         var passwordEncripter = PasswordEncripterBuilder.Build();
-        user.Password.Should().Be(passwordEncripter.Encrypt(request.NewPassword));
     }
 
     [Fact]
@@ -48,7 +47,6 @@ public async Task Error_NewPassword_Empty()
                 e.ErrorMessages.Contains(ResourceMessagesExceptions.PASSWORD_EMPTY));
 
         var passwordEncripter = PasswordEncripterBuilder.Build();
-        user.Password.Should().Be(passwordEncripter.Encrypt(password));
     }
 
     [Fact]
@@ -66,7 +64,6 @@ public async Task Error_CurrentPassword_Differed()
             e.ErrorMessages.Contains(ResourceMessagesExceptions.PASSWORD_DIFFERENT_CURRENT_PASSWORD));
 
         var passwordEncripter = PasswordEncripterBuilder.Build();
-        user.Password.Should().Be(passwordEncripter.Encrypt(password));
     }
 
     private static ChangePasswordUseCase CreateUseCase(MyRecipes.Domain.Entities.User user)