Basic and Form authentication

Both authentication providers have a method to register a callback that must generate a Principal from a given UserPasswordCredential, or null for invalid credentials. That callback is marked as suspending, so you can validate credentials asynchronously.

You can use several strategies for validating credentials:

Remember that both the user name and the password from the credentials are arbitrary, attacker-controlled values. Escape and/or validate them before using them to access the file system or a database, before storing them, and before generating HTML from their content.

Strategy: Validating using UserHashedTableAuth

There is a class, UserHashedTableAuth, that keeps hashed passwords in memory and authenticates credentials against them. You can populate it from constants in code or from another source, and you can use the predefined digest functions or your own.

Configuring server/routes:
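The following is an added example of the server and route configuration, not code from the Ktor documentation; it is written against the Ktor 2.x server API and supplies a custom digester built on the JDK's PBKDF2-HMAC-SHA256, following the key-derivation advice given below. The user names, passwords, salt value, realm and route names are constructed for the example.

```kotlin
import io.ktor.server.application.*
import io.ktor.server.auth.*
import io.ktor.server.response.*
import io.ktor.server.routing.*
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec

// Constructed placeholder. UserHashedTableAuth's digester only receives the password,
// so this salt is shared by every entry in the table; load it from configuration,
// not from source control, and keep it long and random.
private const val TABLE_SALT = "REPLACE-WITH-A-LONG-RANDOM-VALUE-FROM-CONFIG"

// A custom digester (the page allows your own): PBKDF2 is a key-derivation function,
// so a leaked table costs an attacker many iterations per password guess.
fun pbkdf2Digester(iterations: Int = 120_000): (String) -> ByteArray = { password ->
    val spec = PBEKeySpec(password.toCharArray(), TABLE_SALT.toByteArray(), iterations, 256)
    SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).encoded
}

fun Application.configureHashedTableAuth() {
    val digester = pbkdf2Digester()
    // Hashes are computed in code here for the example; a real deployment stores the
    // hash computed once at user creation and never keeps the plaintext password.
    val hashedUserTable = UserHashedTableAuth(
        digester = digester,
        table = mapOf(
            "alice" to digester("correct horse battery staple"), // constructed sample users
            "bob" to digester("another-long-passphrase")
        )
    )

    install(Authentication) {
        basic("auth-basic") {
            realm = "Access to /admin"
            // validate is the suspending callback: return a Principal, or null to reject
            validate { credentials -> hashedUserTable.authenticate(credentials) }
        }
        form("auth-form") {
            userParamName = "username"
            passwordParamName = "password"
            validate { credentials -> hashedUserTable.authenticate(credentials) }
        }
    }

    routing {
        authenticate("auth-basic", "auth-form") {
            get("/admin") {
                val principal = call.principal<UserIdPrincipal>()!!
                call.respondText("Hello, ${principal.name}")
            }
        }
    }
}
```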

The idea here is that you are not storing the actual password but a hash, so even if your data source is leaked, the passwords are not directly compromised. Keep in mind, though, that with poor passwords and weak hashing algorithms brute-force attacks are still possible. You can append (instead of prepend) long salt values, apply multiple hash stages, or use key derivation functions to increase security and make brute-force attacks non-viable. You can also enforce or encourage strong passwords when creating users.