sherl/QuotifyBE
1
0
Fork 0
mirror of https://github.com/QuotifyTeam/QuotifyBE.git synced 2025-12-16 16:00:06 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: revert passing password hash for jwt generation

Browse Source 
builder in Program.cs is not aware of it, so [Authorize] decorator can't
be provided data necessary to validate requests which contain JWT with
password
This commit is contained in:
eee4
2025-07-15 18:00:20 +02:00
parent e2eea51a08
commit 1da5e47b88
4 changed files with 19 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
Controllers/AuthController.cs
View File

@@ -15,16 +15,18 @@ public class AuthController : ControllerBase
private readonly IConfiguration _appsettings; private readonly IConfiguration _appsettings;
private readonly ApplicationDbContext _db; private readonly ApplicationDbContext _db;
private readonly GeneralUseHelpers guhf;
public AuthController(IConfiguration appsettings, ApplicationDbContext db) public AuthController(IConfiguration appsettings, ApplicationDbContext db, GeneralUseHelpers GUHF)
{ {
_db = db; _db = db;
_appsettings = appsettings; _appsettings = appsettings;
guhf = GUHF;
} }
// POST /api/v1/auth/login // POST /api/v1/auth/login
[HttpPost("login")] [HttpPost("login")]
public async Task<IActionResult> Login([FromBody] UserLoginDTO formUser, GeneralUseHelpers guhf) public async Task<IActionResult> Login([FromBody] UserLoginDTO formUser)
{ {
// Ensure the form is complete // Ensure the form is complete
if (formUser.Email == null || formUser.Password == null) if (formUser.Email == null || formUser.Password == null)
@@ -44,7 +46,7 @@ public class AuthController : ControllerBase
if (hashedFormPassword == user.PasswordHash) if (hashedFormPassword == user.PasswordHash)
{ {
// All set - generate the token and return it // All set - generate the token and return it
var token = guhf.GenerateJwtToken(formUser.Email, formUser.Password); var token = guhf.GenerateJwtToken(formUser.Email);
return Ok(new { status = "ok", token }); return Ok(new { status = "ok", token });
} else return Unauthorized(new {status = "error", error_msg = "Unknown pair of email and password"}); } else return Unauthorized(new {status = "error", error_msg = "Unknown pair of email and password"});
} }

8
Controllers/GeneralUseHelperFunctions.cs
View File

@@ -32,7 +32,7 @@ public class GeneralUseHelpers(ApplicationDbContext db, IConfiguration appsettin
} }
} }
public string GenerateJwtToken(string username, string passwordHash) public string GenerateJwtToken(string username)
{ {
var claims = new[] var claims = new[]
{ {
@@ -41,11 +41,9 @@ public class GeneralUseHelpers(ApplicationDbContext db, IConfiguration appsettin
}; };
var key = new SymmetricSecurityKey( var key = new SymmetricSecurityKey(
// https://stackoverflow.com/questions/21978658/invalidating-json-web-tokens#comment45057142_23089839
// passwordHash is important for invalidating tokens after a user changed their password
Encoding.UTF8.GetBytes( Encoding.UTF8.GetBytes(
// JwtSecret won't be null here - otherwise Program.cs wouldn't start // JwtSecret won't be null here - otherwise Program.cs wouldn't start
_appsettings["JwtSecret"]! + passwordHash _appsettings["JwtSecret"]!
) )
); );
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256); var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
@@ -54,6 +52,8 @@ public class GeneralUseHelpers(ApplicationDbContext db, IConfiguration appsettin
issuer: _appsettings["DomainName"]!, issuer: _appsettings["DomainName"]!,
audience: _appsettings["DomainName"]!, audience: _appsettings["DomainName"]!,
claims: claims, claims: claims,
// https://stackoverflow.com/questions/21978658/invalidating-json-web-tokens#comment45057142_23089839
// small validity timeframe is important for invalidating tokens after a user changed their password
expires: DateTime.Now.AddMinutes(5), expires: DateTime.Now.AddMinutes(5),
signingCredentials: creds signingCredentials: creds
); );

13
Controllers/QuoteController.cs
View File

@@ -15,15 +15,20 @@ public class QuotesController : ControllerBase
{ {
private readonly ApplicationDbContext _db; private readonly ApplicationDbContext _db;
private readonly GeneralUseHelpers guhf;
public QuotesController(ApplicationDbContext db) public QuotesController(ApplicationDbContext db, GeneralUseHelpers GUHF)
{ {
_db = db; _db = db;
guhf = GUHF;
} }
// GET /api/v1/quotes // GET /api/v1/quotes
[HttpGet] /// <summary>
public async Task<IActionResult> GetQuoteByRange() /// Get a given quote page
/// </summary>
[HttpGet("page/{page_no}")]
public async Task<IActionResult> GetQuotePage(int page_no)
{ {
// TODO... // TODO...
@@ -47,8 +52,6 @@ public class QuotesController : ControllerBase
if (quote == null) if (quote == null)
return NotFound(new { status = "error", error_msg = "Quote not found" }); return NotFound(new { status = "error", error_msg = "Quote not found" });
// TODO: Consider turning the quote into a DTO
return Ok(quote.ToQuoteShortDTO(_db)); return Ok(quote.ToQuoteShortDTO(_db));
} }

3
Program.cs
View File

@@ -8,7 +8,8 @@ using System.Text;
var builder = WebApplication.CreateBuilder(args); var builder = WebApplication.CreateBuilder(args);
// Configure Database Connection // Configure Database Connection
var connectionString = builder.Configuration.GetConnectionString("DefaultConnection") ?? throw new InvalidOperationException("Connection string 'DefaultConnection' not found."); var connectionString = builder.Configuration.GetConnectionString("DefaultConnection")
?? throw new InvalidOperationException("Connection string 'DefaultConnection' not found.");
builder.Services.AddDbContext<ApplicationDbContext>(options => builder.Services.AddDbContext<ApplicationDbContext>(options =>
options.UseNpgsql(connectionString)); options.UseNpgsql(connectionString));