I'm using Entity Framework 4. I'm not really sure where the responsibility of setting a user's password should be. I thought about on the Repository like SetPassword(User user, string password). But it doesn't seem right.
The main problem is that it can't just be a simple property setter since I also return the salt that's generated.
It should not be in the Repository as it should only be for database access and not for business logic. I think it should be in User class.
public class User
{
IUserPasswordManager _userPasswordManager;
public string SetPassword(string oldPassword, string newPassword)
{
//Set password and return salt
return _userPasswordManager.SetPasswordForUser(this, oldPassword, newPAssword);
}
}
You may want to create a module of some sort to handle password creation for the User class to call out to. This is more compliant with the Single Responsibility Principle (a class should have only 1 responsibility, sometimes read as "only 1 reason to change").
Since your passwords should be salted and hashed before they are persisted, that's definately out of the scope of what a User should be doing. Then you could have a module separate of the User for authenticating the password using the same salt and hash method.
You could introduce a Password class. The Password property on the User class should be of type Password, instead of string.
public class User
{
public Password Password { get; set; }
}
public class Password
{
private string value;
private string salt;
public Password(string value)
{
this.salt = "generated salt";
this.value = value;
}
public string ToHashedString()
{
// Return the hashed password.
}
}
The Password class could be responsible for generating the salt itself. You can also introduce a PasswordService that uses other dependencies to generate the salt and construct a Password instance.