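/// <summary>
        /// Authenticates a user and, on success, returns an API result carrying the
        /// request token, a fresh nonce and the value produced by Auth.GetAuthTicket.
        /// </summary>
        /// <param name="username">Login name supplied by the client; also written into the ticket as UserName.</param>
        /// <param name="password">Password supplied by the client; passed straight to the user service.</param>
        /// <returns>
        /// 200 with an <c>ApiResult</c> on success; 401 when the token is invalid or the
        /// user service reports a failed login; 406 for <c>ArizonaAppException</c>;
        /// 500 with a generic message for anything else.
        /// </returns>
        /// <remarks>
        /// NOTE(review): the routing and binding attributes are not visible in this block. Web API binds
        /// simple-type parameters from the URI by default, so confirm this action is POST-only and
        /// that the credentials are body-bound; otherwise they end up in URLs and access logs.
        /// NOTE(review): the ticket is persistent, lives 60 minutes and carries the role list in UserData.
        /// Whether it is encrypted and integrity-protected, and whether the cookie is marked
        /// Secure/HttpOnly, is decided inside Auth.GetAuthTicket. Confirm there.
        /// </remarks>
        public HttpResponseMessage Login(string username, string password)
        {
            try
            {
                Token = ApiServices.GetToken();
                var response = _userServices.Login(username, password);

                // Fail closed. Previously the ticket and session were created from the
                // caller-supplied username without looking at Success or at whether a user
                // came back, so a failure reported by return value (rather than by an
                // exception) would still have produced a usable ticket. The rejection uses
                // the same status and { message } shape as the invalid-token path below.
                // NOTE(review): confirm response.Message does not distinguish "unknown user"
                // from "wrong password" (account enumeration).
                if (!response.Success || response.AuthResult?.User == null)
                {
                    return Request.CreateResponse(HttpStatusCode.Unauthorized, new { message = response.Message }, new JsonMediaTypeFormatter());
                }

                var nonce = ApiServices.GetNonce();

                // NOTE(review): UserName is the client-supplied string, not a canonical
                // identifier taken from the authenticated user record. Confirm that
                // downstream authorization does not depend on its exact spelling or casing.
                var auth = new Auth.AuthTicket
                {
                    Domain              = FormsAuthentication.CookieDomain,
                    ExpirationInMinutes = 60,
                    Persistent          = true,
                    UserData            = $"{response.AuthResult.User?.RolesList}",
                    UserName            = username,
                    Version             = 1
                };

                var cookie = Auth.GetAuthTicket(auth);

                var data = new List<IDataResult>
                {
                    new AuthDataResponse(response.AuthResult.User)
                    {
                        Message = response.Message,
                        Success = response.Success,
                    }
                };

                // The session is only registered once the login has been accepted.
                ApiServices.AddSession(Token, nonce, ClientRequestData.UserAgent);

                var result = new ApiResult(data, Stopwatch, "auth/login", Token, nonce, cookie);
                return Request.CreateResponse(HttpStatusCode.OK, result, new JsonMediaTypeFormatter());
            }
            catch (InvalidTokenException tx)
            {
                return Request.CreateResponse(HttpStatusCode.Unauthorized, new { message = tx.Message }, new JsonMediaTypeFormatter());
            }
            catch (ArizonaAppException appx)
            {
                // NOTE(review): this assumes ArizonaAppException messages are written for end users. Confirm.
                return Request.CreateResponse(HttpStatusCode.NotAcceptable, new { message = appx.Message }, new JsonMediaTypeFormatter());
            }
            catch (Exception ex)
            {
                // Unexpected failures can carry internal detail (connection strings, SQL text,
                // type names). Keep that server-side and give the unauthenticated caller a
                // fixed message instead of ex.Message.
                System.Diagnostics.Trace.TraceError("auth/login failed: {0}", ex);
                return Request.CreateResponse(HttpStatusCode.InternalServerError, new { message = "An unexpected error occurred." }, new JsonMediaTypeFormatter());
            }
        }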