public IActionResult Authenticate([FromBody] UserDto userDto)
{
var user = _userDao.Authenticate(userDto.Email, userDto.Password);
if (user == null)
{
return(Ok(new
{
message = "Username or password is incorrect."
}));
//BUG: security bug -> Replace text to: "Account with given e-mail not found in database"
}
var key = Encoding.ASCII.GetBytes(_appSettings.Key);
var tokenDescriptor = new SecurityTokenDescriptor
{
Expires = DateTime.Now.AddHours(1),
SigningCredentials =
new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature),
Subject = new ClaimsIdentity(
new[]
{
new Claim(ClaimTypes.Name, user.Id.ToString())
})
};
var tokenHandler = new JwtSecurityTokenHandler();
var token = tokenHandler.CreateToken(tokenDescriptor);
return(Ok(new
{
user.Id,
Token = tokenHandler.WriteToken(token)
}));
}
public User Authenticate(string username, string password)
{
return(_userDao.Authenticate(username, password));
}