dotnet/aspnetcore

The virtual UpdatePasswordHash is only invoked by ResetPasswordAsync

Open

#60252 opened on Feb 7, 2025

Labels: area-identity, bug, help wanted

Description

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

We have made an override of UpdatePasswordHash, but it turns out it is only invoked by ResetPasswordAsync. For all other operations (CreateAsync, AddPasswordAsync, CheckPasswordAsync, RemovePasswordAsync) the private implementation with a password store is invoked. From an API perspective this is a very strange behavior since we had expected all updates of password hashes to use our override.

Our end goal was actually to extend the ValidatePasswordAsync method but it isn't virtual.

Expected Behavior

The protected virtual UpdatePasswordHash should be called so the customized logic is used for all operations and not only one. All operations should behave in the same way.

Steps To Reproduce

Make a custom UserManager class that derives from the built-in. Override the UpdatePasswordHash method and add some custom logic. This logic will only be invoked when resetting passwords and never in any other situation.

Exceptions (if any)

No response

.NET Version

.NET 6, 7, 8 and 9

Anything else?

Somewhat related to https://github.com/dotnet/aspnetcore/issues/12344
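
An added example, not code from the issue or from the aspnetcore repository: the repro described under Steps To Reproduce, next to an `IPasswordValidator<TUser>`, the interface that `UserManager` calls from `ValidatePasswordAsync`, so the password rule does not depend on the override being reached. The class names, the rule and the error code are hypothetical, and the in-box `IdentityUser` with the ASP.NET Core Identity packages is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// As reported in the issue: this override is reached from ResetPasswordAsync only.
public class AppUserManager : UserManager<IdentityUser>   // hypothetical name
{
    public AppUserManager(IUserStore<IdentityUser> store, IOptions<IdentityOptions> options,
        IPasswordHasher<IdentityUser> hasher, IEnumerable<IUserValidator<IdentityUser>> userValidators,
        IEnumerable<IPasswordValidator<IdentityUser>> passwordValidators, ILookupNormalizer normalizer,
        IdentityErrorDescriber errors, IServiceProvider services, ILogger<UserManager<IdentityUser>> logger)
        : base(store, options, hasher, userValidators, passwordValidators, normalizer, errors, services, logger) { }

    protected override Task<IdentityResult> UpdatePasswordHash(
        IdentityUser user, string newPassword, bool validatePassword)
    {
        Logger.LogInformation("UpdatePasswordHash override invoked"); // shows in logs which operations reach it
        return base.UpdatePasswordHash(user, newPassword, validatePassword);
    }
}

// Hypothetical rule, placed in a validator instead of the override: no user name inside the password.
public sealed class NoUserNameInPassword : IPasswordValidator<IdentityUser>
{
    public async Task<IdentityResult> ValidateAsync(
        UserManager<IdentityUser> manager, IdentityUser user, string? password)
    {
        var name = await manager.GetUserNameAsync(user);
        if (!string.IsNullOrEmpty(name) && password is not null &&
            password.Contains(name, StringComparison.OrdinalIgnoreCase))
        {
            return IdentityResult.Failed(new IdentityError
            { Code = "PasswordContainsUserName", Description = "Password must not contain the user name." });
        }
        return IdentityResult.Success;
    }
}

public static class IdentitySetup
{
    public static IdentityBuilder AddAppIdentity(this IServiceCollection services) =>
        services.AddIdentityCore<IdentityUser>()
                .AddUserManager<AppUserManager>()
                .AddPasswordValidator<NoUserNameInPassword>();
}
```

A user store still has to be registered separately before `AppUserManager` can be resolved.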
