        /// <summary>
        /// Removes (or deactivates) a user account and revokes the tokens related to it.
        /// </summary>
        /// <param name="request">Credentials and the remove/deactivate choice, taken from the request body.</param>
        /// <returns>
        /// The service response, sent with the status code it carries (200 when it carries none),
        /// or a 400 with a generic <see cref="GenericResponse"/> when an exception escapes the service call.
        /// </returns>
        public async Task<IActionResult> RemoveAccount([FromBody] RemovalRequest request)
        {
            IActionResult result;

            try
            {
                // The token's issue time is handed to the service so it can reject tokens that predate
                // the user's last password change.
                var tokenIssuedAt = AuthService.TokenIssueDateTime(Request.Headers["Authorization"]);

                var serviceResponse = await _authService.RemoveAccount(request, tokenIssuedAt);

                result = StatusCode(serviceResponse.Code ?? 200, serviceResponse);
            }
            catch (Exception)
            {
                // NOTE(review): the exception is discarded here, so nothing about the failure is observable
                // beyond this generic 400 — confirm it is logged before it reaches this point.
                var failure = new GenericResponse
                {
                    Code = (int)HttpStatusCode.BadRequest,
                    Status = (int)Model.Transient.StatusCode.UnknowException,
                    Message = "Generic error in request."
                };

                result = BadRequest(failure);
            }

            return result;
        }
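        /// <summary>
        /// Removes or deactivates the user identified by <paramref name="request"/> after re-validating
        /// the supplied password against the stored hash, and revokes the user's still-valid refresh tokens.
        /// </summary>
        /// <param name="request">Email, password and the deactivate/remove choice.</param>
        /// <param name="issuedAt">
        /// Issue time of the access token presented by the caller; the request is rejected when the
        /// password was changed after this instant. It is compared against <c>PasswordLastUpdatedUtc</c>,
        /// so it is presumably expected in UTC — TODO confirm against the caller.
        /// </param>
        /// <returns>
        /// A <see cref="GenericResponse"/>: 400 with a specific application status when the input,
        /// the token or the password is rejected; 200 with <c>OkWithNoContent</c> on success.
        /// </returns>
        public async Task<IResponse> RemoveAccount(RemovalRequest request, DateTime issuedAt)
        {
            // Every rejection shares the same HTTP code and differs only in the application status.
            GenericResponse Rejected(int status) => new GenericResponse
            {
                Code   = (int)HttpStatusCode.BadRequest,
                Status = status
            };

            if (string.IsNullOrEmpty(request.Email) || string.IsNullOrEmpty(request.Password))
            {
                return Rejected((int)StatusCode.EmailPasswordMissing);
            }

            // NOTE(review): the account is selected by the email in the request body, not by the subject
            // of the presented token — confirm the caller ties the token to this user before reaching here.
            var user = await _context.Users.SingleOrDefaultAsync(x => x.Email == request.Email);

            // NOTE(review): UserMissing and EmailPasswordInvalid are distinguishable to the caller, so the
            // response reveals whether an email is registered — keep in mind when assessing exposure.
            if (user == null)
            {
                return Rejected((int)StatusCode.UserMissing);
            }

            // Access tokens issued before the last password change are no longer accepted.
            if (user.PasswordLastUpdatedUtc > issuedAt)
            {
                return Rejected((int)StatusCode.AccessTokenInvalid);
            }

            // The current password must be re-entered before the account can be removed.
            if (!IsPasswordHashValid(request.Password, user.PasswordHash, user.PasswordSalt))
            {
                return Rejected((int)StatusCode.EmailPasswordInvalid);
            }

            // Force the expiration of every still-valid refresh token before the account goes away.
            await RevokeAllTokensFrom(user);

            // Deactivation keeps the row and stamps it; removal deletes it outright.
            if (request.Deactivate)
            {
                user.WasDeactivated = true;
                user.DeactivationDate = DateTime.UtcNow;
            }
            else
            {
                _context.Users.Remove(user);
            }

            await _context.SaveChangesAsync();

            return new GenericResponse
            {
                Code   = (int)HttpStatusCode.OK,
                Status = (int)StatusCode.OkWithNoContent
            };
        }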