sherl/QuotifyBE
1
0
Fork 0
mirror of https://github.com/QuotifyTeam/QuotifyBE.git synced 2025-12-16 14:20:06 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: add db-based user log-on, invalidate tokens made for old passwords

Browse Source
This commit is contained in:
eee4
2025-07-15 12:38:02 +02:00
parent d0fc4e5ef2
commit f275463a3d
2 changed files with 58 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
Controllers/AuthController.cs
View File

@@ -1,7 +1,9 @@
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using QuotifyBE.Data;
using QuotifyBE.Entities;
using QuotifyBE.DTOs;
using System.Threading.Tasks;
namespace QuotifyBE.Controllers;
@@ -21,14 +23,29 @@ public class AuthController : ControllerBase
}
[HttpPost("login")]
public IActionResult Login([FromBody] UserLoginDTO user, GeneralUseHelpers guhf)
public async Task<IActionResult> Login([FromBody] UserLoginDTO formUser, GeneralUseHelpers guhf)
{
if (user.Email == "admin" && user.Password == "password")
// Ensure the form is complete
if (formUser.Email == null || formUser.Password == null)
{
var token = guhf.GenerateJwtToken(user.Email, _appsettings);
return Ok(new { token });
return BadRequest(new {status = "error", error_msg = "Form contains missing data"});
}
return Unauthorized();
// Find the user with retrieved e-mail
User? user = await guhf.GetUserFromEmail(formUser.Email);
if (user == null)
{
return NotFound(new {status = "error", error_msg = "User not found"});
}
// Hash the password and compare with the user-provided one
string hashedFormPassword = guhf.HashWithSHA512(formUser.Password);
if (hashedFormPassword == user.PasswordHash)
{
// All set - generate the token and return it
var token = guhf.GenerateJwtToken(formUser.Email, formUser.Password);
return Ok(new { status = "ok", token });
} else return Unauthorized(new {status = "error", error_msg = "Unknown pair of email and password"});
}
[HttpGet("some_values")]

43
Controllers/GeneralUseHelperFunctions.cs
View File

@@ -1,13 +1,38 @@
using Microsoft.EntityFrameworkCore;
using Microsoft.IdentityModel.Tokens;
using QuotifyBE.Data;
using QuotifyBE.Entities;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
namespace QuotifyBE.Controllers;
public class GeneralUseHelpers
public class GeneralUseHelpers(ApplicationDbContext db, IConfiguration appsettings)
{
public string GenerateJwtToken(string username, IConfiguration appsettings)
private readonly ApplicationDbContext _db = db;
private readonly IConfiguration _appsettings = appsettings;
async public Task<User?> GetUserFromEmail(string email)
{
return await _db.Users.FirstOrDefaultAsync(e => e.Email == email);
}
public string HashWithSHA512(string s)
{
using (var sha512 = SHA512.Create())
{
byte[] bytes = Encoding.ASCII.GetBytes(s);
byte[] hash = sha512.ComputeHash(bytes);
string hashstring = BitConverter.ToString(hash).Replace("-", "").ToLower();
return hashstring;
}
}
public string GenerateJwtToken(string username, string passwordHash)
{
var claims = new[]
{
@@ -16,16 +41,20 @@ public class GeneralUseHelpers
};
var key = new SymmetricSecurityKey(
Encoding.UTF8.GetBytes(appsettings["JwtSecret"]!)
// won't be null here - otherwise Program.cs wouldn't start
// https://stackoverflow.com/questions/21978658/invalidating-json-web-tokens#comment45057142_23089839
// passwordHash is important for invalidating tokens after a user changed their password
Encoding.UTF8.GetBytes(
// JwtSecret won't be null here - otherwise Program.cs wouldn't start
_appsettings["JwtSecret"]! + passwordHash
)
);
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var token = new JwtSecurityToken(
issuer: appsettings["DomainName"]!,
audience: appsettings["DomainName"]!,
issuer: _appsettings["DomainName"]!,
audience: _appsettings["DomainName"]!,
claims: claims,
expires: DateTime.Now.AddDays(7),
expires: DateTime.Now.AddMinutes(5),
signingCredentials: creds
);