sherl/QuotifyBE
1
0
Fork 0
mirror of https://github.com/QuotifyTeam/QuotifyBE.git synced 2025-12-16 14:20:06 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: revert passing password hash for jwt generation

Browse Source 
builder in Program.cs is not aware of it, so [Authorize] decorator can't
be provided data necessary to validate requests which contain JWT with
password
This commit is contained in:
eee4
2025-07-15 18:00:20 +02:00
parent e2eea51a08
commit 1da5e47b88
4 changed files with 19 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
Controllers/AuthController.cs
View File

@@ -15,16 +15,18 @@ public class AuthController : ControllerBase
private readonly IConfiguration _appsettings;
private readonly ApplicationDbContext _db;
private readonly GeneralUseHelpers guhf;
public AuthController(IConfiguration appsettings, ApplicationDbContext db)
public AuthController(IConfiguration appsettings, ApplicationDbContext db, GeneralUseHelpers GUHF)
{
_db = db;
_appsettings = appsettings;
guhf = GUHF;
}
// POST /api/v1/auth/login
[HttpPost("login")]
public async Task<IActionResult> Login([FromBody] UserLoginDTO formUser, GeneralUseHelpers guhf)
public async Task<IActionResult> Login([FromBody] UserLoginDTO formUser)
{
// Ensure the form is complete
if (formUser.Email == null || formUser.Password == null)
@@ -44,7 +46,7 @@ public class AuthController : ControllerBase
if (hashedFormPassword == user.PasswordHash)
{
// All set - generate the token and return it
var token = guhf.GenerateJwtToken(formUser.Email, formUser.Password);
var token = guhf.GenerateJwtToken(formUser.Email);
return Ok(new { status = "ok", token });
} else return Unauthorized(new {status = "error", error_msg = "Unknown pair of email and password"});
}

8
Controllers/GeneralUseHelperFunctions.cs
View File

@@ -32,7 +32,7 @@ public class GeneralUseHelpers(ApplicationDbContext db, IConfiguration appsettin
}
}
public string GenerateJwtToken(string username, string passwordHash)
public string GenerateJwtToken(string username)
{
var claims = new[]
{
@@ -41,11 +41,9 @@ public class GeneralUseHelpers(ApplicationDbContext db, IConfiguration appsettin
};
var key = new SymmetricSecurityKey(
// https://stackoverflow.com/questions/21978658/invalidating-json-web-tokens#comment45057142_23089839
// passwordHash is important for invalidating tokens after a user changed their password
Encoding.UTF8.GetBytes(
// JwtSecret won't be null here - otherwise Program.cs wouldn't start
_appsettings["JwtSecret"]! + passwordHash
_appsettings["JwtSecret"]!
)
);
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
@@ -54,6 +52,8 @@ public class GeneralUseHelpers(ApplicationDbContext db, IConfiguration appsettin
issuer: _appsettings["DomainName"]!,
audience: _appsettings["DomainName"]!,
claims: claims,
// https://stackoverflow.com/questions/21978658/invalidating-json-web-tokens#comment45057142_23089839
// small validity timeframe is important for invalidating tokens after a user changed their password
expires: DateTime.Now.AddMinutes(5),
signingCredentials: creds
);

13
Controllers/QuoteController.cs
View File

@@ -15,15 +15,20 @@ public class QuotesController : ControllerBase
{
private readonly ApplicationDbContext _db;
private readonly GeneralUseHelpers guhf;
public QuotesController(ApplicationDbContext db)
public QuotesController(ApplicationDbContext db, GeneralUseHelpers GUHF)
{
_db = db;
guhf = GUHF;
}
// GET /api/v1/quotes
[HttpGet]
public async Task<IActionResult> GetQuoteByRange()
/// <summary>
/// Get a given quote page
/// </summary>
[HttpGet("page/{page_no}")]
public async Task<IActionResult> GetQuotePage(int page_no)
{
// TODO...
@@ -47,8 +52,6 @@ public class QuotesController : ControllerBase
if (quote == null)
return NotFound(new { status = "error", error_msg = "Quote not found" });
// TODO: Consider turning the quote into a DTO
return Ok(quote.ToQuoteShortDTO(_db));
}