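/// <summary>
/// Checks a username/password pair against the stored user record and, on success,
/// issues an access token for that user.
/// </summary>
/// <param name="request">The submitted credentials (username and password).</param>
/// <returns>
/// An <see cref="AuthenticationResponse"/> carrying the access token, the user with
/// confidential fields erased, and the token expiry; or 401 Unauthorized when the
/// user does not exist or the password does not match.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="request"/> is null.</exception>
public async Task<ActionResult<AuthenticationResponse>> AuthenticateAsync(AuthenticationRequest request)
{
    if (request is null)
    {
        throw new ArgumentNullException(nameof(request));
    }

    var user = await _users.GetByNameAsync(request.Username);

    // The password check is run even when no such user exists (user?.Secret is null)
    // so the unknown-user and wrong-password paths go through the same call.
    // NOTE(review): whether _hash.Test does comparable work for a null secret depends
    // on its implementation — confirm if timing-based account enumeration matters here.
    var passwordMatches = _hash.Test(request.Password, user?.Secret);

    // Require both a found user and a matching password before minting a token, rather
    // than relying on _hash.Test rejecting a null secret. The same message is returned
    // in both failure cases so the response does not reveal whether the account exists.
    if (user is null || !passwordMatches)
    {
        return Unauthorized($"Invalid login for user '{request.Username}'.");
    }

    // access token can live extremely long since we have an on-demand invalidation mechanism
    var expiry = DateTime.UtcNow.AddMonths(1);

    return new AuthenticationResponse
    {
        AccessToken = await _tokens.GenerateTokenAsync(user, expiry),
        User = EraseConfidential(user),
        Expiry = expiry
    };
}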