Fix UpdatePasswordHash virtual method not called consistently

Change CreateAsync, AddPasswordAsync, ChangePasswordAsync, and the
rehash path in CheckPasswordAsync to call the virtual
UpdatePasswordHash(user, password, validatePassword) overload instead
of the private helper. This allows subclasses that override the virtual
method to intercept all password-change operations, not just
ResetPasswordAsync.

RemovePasswordAsync is left unchanged because it passes null, and the
virtual method's parameter is non-nullable.

Add theory test VirtualUpdatePasswordHashCalledForPasswordOperations
covering CreateAsync, AddPasswordAsync, and ChangePasswordAsync.

Fixes #60252

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: kubaflo

src/Identity/Extensions.Core/src/UserManager.cs

@@ -642,7 +642,7 @@ public virtual async Task<IdentityResult> CreateAsync(TUser user, string passwor
             var passwordStore = GetPasswordStore();
             ArgumentNullThrowHelper.ThrowIfNull(user);
             ArgumentNullThrowHelper.ThrowIfNull(password);
-            var result = await UpdatePasswordHash(passwordStore, user, password).ConfigureAwait(false);
+            var result = await UpdatePasswordHash(user, password, validatePassword: true).ConfigureAwait(false);
             if (!result.Succeeded)
             {
                 _metrics?.CreateUser(typeof(TUser).FullName!, result, startTimeStamp);
@@ -794,7 +794,7 @@ public virtual async Task<bool> CheckPasswordAsync(TUser user, string password)
         if (result == PasswordVerificationResult.SuccessRehashNeeded)
         {
             var startTimeStamp = Stopwatch.GetTimestamp();
-            await UpdatePasswordHash(passwordStore, user, password, validatePassword: false).ConfigureAwait(false);
+            await UpdatePasswordHash(user, password, validatePassword: false).ConfigureAwait(false);
             await UpdateUserAndRecordMetricAsync(user, UserUpdateType.PasswordRehash, startTimeStamp).ConfigureAwait(false);
         }
 
@@ -856,7 +856,7 @@ private async Task<IdentityResult> AddPasswordCoreAsync(TUser user, string passw
             Logger.LogDebug(LoggerEventIds.UserAlreadyHasPassword, "User already has a password.");
             return IdentityResult.Failed(ErrorDescriber.UserAlreadyHasPassword());
         }
-        var result = await UpdatePasswordHash(passwordStore, user, password).ConfigureAwait(false);
+        var result = await UpdatePasswordHash(user, password, validatePassword: true).ConfigureAwait(false);
         if (!result.Succeeded)
         {
             return result;
@@ -899,7 +899,7 @@ private async Task<IdentityResult> ChangePasswordCoreAsync(TUser user, string cu
 
         if (await VerifyPasswordAsync(passwordStore, user, currentPassword).ConfigureAwait(false) != PasswordVerificationResult.Failed)
         {
-            var updateResult = await UpdatePasswordHash(passwordStore, user, newPassword).ConfigureAwait(false);
+            var updateResult = await UpdatePasswordHash(user, newPassword, validatePassword: true).ConfigureAwait(false);
             if (!updateResult.Succeeded)
             {
                 return updateResult;

src/Identity/test/Identity.Test/UserManagerTest.cs

@@ -2220,4 +2220,66 @@ public override IdentityError DuplicateEmail(string email)
         }
     }
 
+    [Theory]
+    [InlineData("CreateAsync")]
+    [InlineData("AddPasswordAsync")]
+    [InlineData("ChangePasswordAsync")]
+    public async Task VirtualUpdatePasswordHashCalledForPasswordOperations(string operation)
+    {
+        var hasher = new PasswordHasher<PocoUser>();
+        var user = new PocoUser { UserName = "test" };
+        var currentPasswordHash = hasher.HashPassword(user, "currentpassword");
+
+        var store = new Mock<IUserPasswordStore<PocoUser>>();
+        store.Setup(s => s.GetPasswordHashAsync(It.IsAny<PocoUser>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync(operation == "AddPasswordAsync" ? null : currentPasswordHash);
+        store.Setup(s => s.SetPasswordHashAsync(It.IsAny<PocoUser>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
+            .Returns(Task.CompletedTask);
+        store.Setup(s => s.UpdateAsync(It.IsAny<PocoUser>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync(IdentityResult.Success);
+        store.Setup(s => s.CreateAsync(It.IsAny<PocoUser>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync(IdentityResult.Success);
+        store.Setup(s => s.GetUserIdAsync(It.IsAny<PocoUser>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync("userid");
+        store.Setup(s => s.GetUserNameAsync(It.IsAny<PocoUser>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync("test");
+        store.Setup(s => s.SetNormalizedUserNameAsync(It.IsAny<PocoUser>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
+            .Returns(Task.CompletedTask);
+
+        var manager = new TrackingUserManager(store.Object);
+
+        switch (operation)
+        {
+            case "CreateAsync":
+                await manager.CreateAsync(user, "password");
+                break;
+            case "AddPasswordAsync":
+                await manager.AddPasswordAsync(user, "password");
+                break;
+            case "ChangePasswordAsync":
+                await manager.ChangePasswordAsync(user, "currentpassword", "newpassword");
+                break;
+        }
+
+        Assert.True(manager.VirtualUpdatePasswordHashCalled, $"Virtual UpdatePasswordHash should be called from {operation}");
+    }
+
+    private class TrackingUserManager : UserManager<PocoUser>
+    {
+        public bool VirtualUpdatePasswordHashCalled { get; private set; }
+
+        public TrackingUserManager(IUserPasswordStore<PocoUser> store)
+            : base(store, null, new PasswordHasher<PocoUser>(), Array.Empty<IUserValidator<PocoUser>>(),
+                   Array.Empty<IPasswordValidator<PocoUser>>(), new UpperInvariantLookupNormalizer(),
+                   new IdentityErrorDescriber(), null, new Microsoft.Extensions.Logging.Abstractions.NullLogger<UserManager<PocoUser>>())
+        {
+        }
+
+        protected override Task<IdentityResult> UpdatePasswordHash(PocoUser user, string newPassword, bool validatePassword)
+        {
+            VirtualUpdatePasswordHashCalled = true;
+            return base.UpdatePasswordHash(user, newPassword, validatePassword);
+        }
+    }
+
 }