Bcrypt password verifying

I'm trying to decrypt the password on the login method, but it allows logging in with any password I type in. I'm not sure why; maybe someone could help me out?

My login method in the db layer:

public string loginUser(string userName, string pass)
{
    string result = "";

    try
    {
        var mongoClient = new MongoClient("mongodb://localhost");
        var database = mongoClient.GetDatabase("SearchForKnowledge");
        var coll = database.GetCollection<BsonDocument>("Users");

        var filter = Builders<BsonDocument>.Filter.Eq("userName", userName);
        var results = coll.Find(filter).ToList().First();
        if (BCrypt.Net.BCrypt.Verify(pass, results["password"].ToString()))
        {
            result = results["userName"].ToString();
        }
    }
    catch (Exception ex)
    {
        result = "";
    }
    return result;
}

My user controller:

public ActionResult Login(UsersLogin form)
{
    User user = new User();
    UserDB udb = new UserDB();

    if (!form.Username.IsEmpty())
    {
        udb.loginUser(form.Username, form.Password);
        Session["userName"] = form.Username;
        return RedirectToRoute("Home");
    }
    return RedirectToRoute("Login");
}

The problem is in your controller:

udb.loginUser(form.Username, form.Password);
Session["userName"] = form.Username;
return RedirectToRoute("Home");

You call udb.loginUser(form.Username, form.Password); but you never check the return value of the udb.loginUser method, so your code will always redirect to the home page no matter what the user name and password are.

Based on the code of the loginUser method, it will return an empty string if the login fails, so change the above three lines of code to the following:

var loginResult = udb.loginUser(form.Username, form.Password);
if (!string.IsNullOrEmpty(loginResult))
{
    Session["userName"] = form.Username;
    return RedirectToRoute("Home");
}
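
An added example, not part of the original question or answer: a self-contained console sketch of the same fix, in which the redirect target is decided only by the result of the bcrypt check, including the unknown-user case. `UserStore`, `TryLogin` and the in-memory dictionary are hypothetical stand-ins for the `UserDB` class and the MongoDB `Users` collection; it assumes a package providing `BCrypt.Net.BCrypt`, as used in the question.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical in-memory stand-in for the "Users" collection (constructed data).
public sealed class UserStore
{
    private readonly Dictionary<string, string> _hashes = new Dictionary<string, string>();

    public void Register(string userName, string password) =>
        _hashes[userName] = BCrypt.Net.BCrypt.HashPassword(password);

    // True only when the user exists AND the password matches the stored hash.
    public bool TryLogin(string userName, string password, out string verifiedName)
    {
        verifiedName = null;
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;                        // missing input: fail closed
        if (!_hashes.TryGetValue(userName, out var storedHash))
            return false;                        // unknown user: fail closed
        if (!BCrypt.Net.BCrypt.Verify(password, storedHash))
            return false;                        // wrong password
        verifiedName = userName;
        return true;
    }
}

public static class Program
{
    // Stand-in for the controller action: the route name is chosen from the
    // verification result, never from the submitted form alone.
    public static string Login(UserStore store, string userName, string password)
    {
        if (store.TryLogin(userName, password, out var name))
        {
            // In the MVC controller, Session["userName"] = name; belongs here.
            return "Home";
        }
        return "Login";
    }

    public static void Main()
    {
        var store = new UserStore();
        store.Register("alice", "correct horse");   // constructed sample account
        Console.WriteLine(Login(store, "alice", "correct horse"));
        Console.WriteLine(Login(store, "alice", "wrong"));
        Console.WriteLine(Login(store, "bob", "anything"));
    }
}
```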
