
Implement ASP.NET Security

November 10, 2017 17:17


Basically:

  1. Make a new user
  2. Make a new role
  3. Make a new Claim
  4. Add Claim to Role
  5. Add User to Role
  6. Make a new Policy with claim (during configure services)
  7. Check for user being authorized for policy

SQL Insert

https://stackoverflow.com/questions/41513890/creating-asp-net-identity-user-using-sql

How to create 100 users

https://stackoverflow.com/questions/41435437/creating-test-users-with-password-hash-in-asp-net-identity-2-2-1

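/// <summary>
/// Seeds 100 test accounts (User1 .. User100) through the Identity UserManager, so the
/// password hash, security stamp and normalized columns are produced by Identity itself
/// rather than by hand-written SQL. Accounts whose user name already exists are skipped.
/// </summary>
/// <exception cref="InvalidOperationException">
/// Identity rejected one of the users (typically the password validator, since the
/// test password below is the user name).
/// </exception>
public async Task CreateTestUsers() {

    // presumably an EF DbContext (IDisposable) — dispose it so the connection is released.
    using (var db = new ApplicationDbContext()) {
        var userStore = new UserStore<ApplicationUser>(db);
        // NOTE(review): type name kept as in the original post; likely meant ApplicationUserManager.
        var userManager = new ApplcationUserManager(userStore);

        for (var i = 1; i <= 100; i++) {
            var username = "User" + i;

            var existing = db.Users.FirstOrDefault(u => u.UserName == username);
            if (existing != null) {
                continue;
            }

            var user = new ApplicationUser() {
                UserName = username,
                Email = username + "@" + username + "." + username,
                EmailConfirmed = true,
                LockoutEnabled = false
            };

            // Test-only credential: password == user name. Any non-trivial PasswordValidator
            // will reject it, so the result is checked instead of being silently discarded.
            var password = username;
            var result = await userManager.CreateAsync(user, password);
            if (!result.Succeeded) {
                throw new InvalidOperationException(
                    "Could not create " + username + ": " + string.Join("; ", result.Errors));
            }
        }
    }
}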

ASP.NET Web Security: Protect User Passwords with Hashing and Salt

http://www.itprotoday.com/web-development/aspnet-web-security-protect-user-passwords-hashing-and-salt

https://www.codeproject.com/Articles/844722/Hashing-Passwords-using-ASP-NETs-Crypto-Class

http://www.c-sharpcorner.com/article/hashing-passwords-in-net-core-with-tips/

http://www.c-sharpcorner.com/UploadFile/145c93/save-password-using-salted-hashing/

ASP.NET Web Security: Protect User Passwords with Hashing and Salt - Unit Test

using System;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

namespace ConsoleApp1
{
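internal class Utils
{
    /// <summary>
    /// Checks a password entered at login against the hash and salt stored for the account.
    /// </summary>
    /// <param name="enteredPassword">Password supplied by the user (untrusted input).</param>
    /// <param name="storedHash">Base64 hash previously produced by <see cref="HashPassword"/>; null means no password is set.</param>
    /// <param name="storedSalt">Base64 salt previously produced by <see cref="GetRandomSalt"/>.</param>
    /// <returns>true when the recomputed hash equals <paramref name="storedHash"/>; false otherwise (including a null stored hash).</returns>
    /// <exception cref="ArgumentNullException"><paramref name="enteredPassword"/> or <paramref name="storedSalt"/> is null.</exception>
    public static Boolean ValidatePassword(String enteredPassword, String storedHash, String storedSalt)
    {
        // Consider this function as an internal function where parameters like
        // storedHash and storedSalt are read from the database and then passed.
        if (storedHash == null)
        {
            return false;
        }

        var hash = HashPassword(enteredPassword, storedSalt);

        // String.Equals stops at the first differing character; a fixed-time comparison keeps
        // the time taken independent of how much of the hash matched.
        return FixedTimeEquals(storedHash, hash);
    }

    /// <summary>
    /// Hashes <paramref name="password"/> concatenated with <paramref name="salt"/> using a
    /// single SHA-256 round and returns the digest as Base64.
    /// </summary>
    /// <remarks>
    /// One round of SHA-256 is fast to brute-force offline and is not a password hash.
    /// The output format is kept here because stored hashes depend on it; new code should
    /// use PBKDF2 (<see cref="Rfc2898DeriveBytes"/>) with a high iteration count, or the
    /// framework's own password hasher, and migrate existing rows on next login.
    /// </remarks>
    /// <param name="password">Plain-text password.</param>
    /// <param name="salt">Per-user salt (see <see cref="GetRandomSalt"/>).</param>
    /// <returns>Base64-encoded SHA-256 digest of password + salt.</returns>
    /// <exception cref="ArgumentNullException">Either argument is null.</exception>
    public static String HashPassword(String password, String salt)
    {
        if (password == null)
        {
            throw new ArgumentNullException(nameof(password));
        }
        if (salt == null)
        {
            throw new ArgumentNullException(nameof(salt));
        }

        var bytes = Encoding.UTF8.GetBytes(String.Concat(password, salt));

        // SHA256.Create() yields the same digest as SHA256Managed without the obsolete type,
        // and the hash object is disposed instead of leaked.
        using (var sha256 = SHA256.Create())
        {
            return Convert.ToBase64String(sha256.ComputeHash(bytes));
        }
    }

    /// <summary>
    /// Produces <paramref name="size"/> cryptographically random bytes, Base64-encoded
    /// (the default of 12 bytes encodes to 16 characters).
    /// </summary>
    /// <param name="size">Number of random bytes; must be positive.</param>
    /// <returns>Base64 string of the random bytes.</returns>
    /// <exception cref="ArgumentOutOfRangeException"><paramref name="size"/> is less than 1 (an empty salt would defeat salting).</exception>
    public static String GetRandomSalt(Int32 size = 12)
    {
        if (size < 1)
        {
            throw new ArgumentOutOfRangeException(nameof(size), "Salt size must be positive.");
        }

        var salt = new Byte[size];
        // RandomNumberGenerator.Create() is the portable, non-obsolete CSPRNG factory; dispose it.
        using (var random = RandomNumberGenerator.Create())
        {
            random.GetBytes(salt);
        }
        return Convert.ToBase64String(salt);
    }

    // Compares two strings without short-circuiting on the first mismatch. Length is still
    // revealed, which is acceptable here because all hashes from HashPassword have the same length.
    private static bool FixedTimeEquals(string left, string right)
    {
        if (left.Length != right.Length)
        {
            return false;
        }

        var diff = 0;
        for (var i = 0; i < left.Length; i++)
        {
            diff |= left[i] ^ right[i];
        }
        return diff == 0;
    }
}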

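internal class Program
{
    /// <summary>
    /// Demo: inserts a single ASP.NET Identity user row directly with ADO.NET, storing the
    /// salted SHA-256 value from <see cref="Utils.HashPassword"/> in PasswordHash.
    /// </summary>
    /// <param name="args">Unused.</param>
    private static void Main(string[] args)
    {
        var defaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(15);
        // Same instant as the old DateTime.Now-based value, but built from UTC so the stored
        // LockoutEnd does not depend on the local offset of the machine running the demo.
        var lockoutEndDate = DateTimeOffset.UtcNow + defaultAccountLockoutTimeSpan;

        Console.WriteLine(lockoutEndDate);

        const string email = "manhnv8383@gmail.com";
        const string password = "Abc@123";

        var salt = Utils.GetRandomSalt();

        // NOTE(review): the salt is not written anywhere by the INSERT below, so this hash
        // cannot be re-verified later with Utils.ValidatePassword; AspNetUsers has no salt column.
        // NOTE(review): Identity's default PasswordHasher expects its own PBKDF2 format, so a row
        // seeded this way is not expected to verify through UserManager unless a matching
        // IPasswordHasher is registered — confirm against the application's setup.
        var passwordHash = Utils.HashPassword(password, salt);

        // NOTE(review): connection string embeds the 'sa' login and its password; move it to
        // configuration and use a least-privilege login before this leaves a local demo.
        using (var conn = new SqlConnection("Server=192.168.2.26;Database=IdentityServerDb;user id=sa;password=123456;"))
        {
            // Column values are bound as parameters; nothing from the inputs is concatenated into the SQL text.
            const string newUserSql = "INSERT INTO \"AspNetUsers\" (\"Id\", \"AccessFailedCount\", \"ConcurrencyStamp\", \"Email\", \"EmailConfirmed\", \"LockoutEnabled\", \"LockoutEnd\", \"NormalizedEmail\", \"NormalizedUserName\", \"PasswordHash\", \"PhoneNumber\", \"PhoneNumberConfirmed\", \"SecurityStamp\", \"TwoFactorEnabled\", \"UserName\") VALUES (@p0, @p1, @p2, @p3, @p4, @p5, @p6, @p7, @p8, @p9, @p10, @p11, @p12, @p13, @p14);";

            using (var insertCommand = new SqlCommand(newUserSql, conn))
            {
                insertCommand.Parameters.AddWithValue("@p0", Guid.NewGuid()); //Id
                insertCommand.Parameters.AddWithValue("@p1", 0); //AccessFailedCount
                insertCommand.Parameters.AddWithValue("@p2", Guid.NewGuid()); //ConcurrencyStamp
                insertCommand.Parameters.AddWithValue("@p3", email); //Email
                insertCommand.Parameters.AddWithValue("@p4", 0); //EmailConfirmed
                insertCommand.Parameters.AddWithValue("@p5", 0); //LockoutEnabled
                insertCommand.Parameters.AddWithValue("@p6", lockoutEndDate); //LockoutEnd
                // Identity's default key normalizer upper-cases invariantly; ToUpper() would follow
                // the current culture (e.g. the Turkish dotted I) and produce a different lookup key.
                insertCommand.Parameters.AddWithValue("@p7", email.ToUpperInvariant()); //NormalizedEmail
                insertCommand.Parameters.AddWithValue("@p8", email.ToUpperInvariant()); //NormalizedUserName
                insertCommand.Parameters.AddWithValue("@p9", passwordHash); //PasswordHash
                insertCommand.Parameters.AddWithValue("@p10", DBNull.Value); //PhoneNumber
                insertCommand.Parameters.AddWithValue("@p11", 0); //PhoneNumberConfirmed
                insertCommand.Parameters.AddWithValue("@p12", Guid.NewGuid()); //SecurityStamp
                insertCommand.Parameters.AddWithValue("@p13", 0); //TwoFactorEnabled
                insertCommand.Parameters.AddWithValue("@p14", email); //UserName

                conn.Open();

                insertCommand.ExecuteNonQuery();
            }
        }
    }
}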
}

 

Categories

Recent posts