What class should have ability to set a password (Repository, User, etc)?

I'm using Entity Framework 4. I'm not really sure where the responsibility of setting a user's password should be. I thought about on the Repository like SetPasswo开发者_开发知识库rd(User user, string password). But it doesn't seem right.

The main problem is that it can't just be a simple property setter since I also return the salt that's generated.

You may want to create a module of some sort to handle password creation for the User class to call out to. This is more compliant with the Single Responsibility Principle (a class should have only 1 responsibility, sometimes read as "only 1 reason to change").

Since your passwords should be salted and hashed before they are persisted, that's definately out of the scope of what a User should be doing. Then you could have a module separate of the User for authenticating the password using the same salt and hash method.

You could introduce a Password class. The Password property on the User class should be of type Password, instead of string.

public class User
{
  public Password Password { get; set; }
}

public class Password
{
  private string value;
  private string salt;

  public Password(string value)
  {
    this.salt = "generated salt";
    this.value = value;
  }

  public string ToHashedString()
  {
    // Return the hashed password.
  }
}

The Password class could be responsible for generating the salt itself. You can also introduce a PasswordService that uses other dependencies to generate the salt and construct a Password instance.

It should not be in the Repository as it should only be for database access and not for business logic. I think it should be in User class.

public class User
{
  IUserPasswordManager _userPasswordManager;

  public string SetPassword(string oldPassword, string newPassword)
  {
     //Set password and return salt
     return _userPasswordManager.SetPasswordForUser(this, oldPassword, newPAssword);  

  }

}