DDD - how and where change password for user entity?

Question 1

I am thinking how to change password for user entity in my OOD Spring application.

What seems to me to be the easiest way:

Ask repository for particular user account entity
Encode plain password with password encoder outside of the entity
Set encoded password back to entity
Ask repository to save the user entity

Is this correct approach to detach password encoding to external service or should it be processed in domain object?

Question 2

Maybe, the correct approach is to abstract authentication strategies of the user account where password-based auth is just one of possible many? Then this whole thing can be totally outside the domain layer. In other words, are you sure you want to have authentication as responsibility of "user entity"?

Question 3

It's not terribly important where exactly the password is hashed, as long as all of the hashing is kept together in one place. E.g. an entity like this would be perfectly valid:

class PasswordAuthentication {
 private User user;
 private String hashedPassword; // includes salt
 /** Check whether the provided password is correct.
 */
 public boolean checkPassword(String plaintextPassword) {
 return secureCompare(hashedPassword, passwordHash(plaintextPassword, hashedPassword));
 }
 /** Set a new password.
 */
 public void resetPassword(String plaintextPassword) {
 hashedPassword = passwordHash(plaintextPassword, createNewSalt());
 }
}

Your point about an "external service" is correct, in so far as user authentication is often a separate bounded context from your main domain model. It is correct that e.g. an entity the represents a user profile shouldn't also do crypto.

Question 4

What is a exact reason of check and reset password methods in your entity? Please could you elaborate it in more detail? Thank you.

Question 5

@Artegon The methods are just supposed to be common password authentication operations. I've expanded them with a bit of pseudocode.

amon amon 136k27 gold badges295 silver badges386 bronze badges · Answer 1 · 2018-07-15 11:40:17Z

It's not terribly important where exactly the password is hashed, as long as all of the hashing is kept together in one place. E.g. an entity like this would be perfectly valid:

class PasswordAuthentication {
 private User user;
 private String hashedPassword; // includes salt
 /** Check whether the provided password is correct.
 */
 public boolean checkPassword(String plaintextPassword) {
 return secureCompare(hashedPassword, passwordHash(plaintextPassword, hashedPassword));
 }
 /** Set a new password.
 */
 public void resetPassword(String plaintextPassword) {
 hashedPassword = passwordHash(plaintextPassword, createNewSalt());
 }
}

Your point about an "external service" is correct, in so far as user authentication is often a separate bounded context from your main domain model. It is correct that e.g. an entity the represents a user profile shouldn't also do crypto.

What is a exact reason of check and reset password methods in your entity? Please could you elaborate it in more detail? Thank you.
@Artegon The methods are just supposed to be common password authentication operations. I've expanded them with a bit of pseudocode.

Stack Exchange Network

DDD - how and where change password for user entity?

1 Answer 1

Your Answer

Sign up or log in

Post as a guest

Post as a guest

Hot Network Questions

DDD - how and where change password for user entity?

1 Answer 1

Your Answer

Sign up or log in

Post as a guest

Post as a guest

Related

Hot Network Questions