/// <summary>
/// Handles a login request: applies the failed-login throttle, validates the submitted
/// credentials, records the outcome with the login tracker and, on success, returns the
/// mapped user resource together with a freshly issued authentication cookie.
/// </summary>
/// <param name="context">The Nancy request context; the <see cref="LoginCommand"/> is bound from it and the client address is read from its request.</param>
/// <param name="response">Formatter used to build the JSON success response.</param>
/// <returns>
/// 400 Bad Request when the feature is disabled, the client is banned, or the credentials are rejected;
/// otherwise 200 OK carrying the user resource, the auth cookie and an Expires header.
/// </returns>
public Response Execute(NancyContext context, IResponseFormatter response)
{
    if (!configurationStore.GetIsEnabled())
    {
        return responseCreator.AsStatusCode(HttpStatusCode.BadRequest);
    }

    var model = modelBinder.Bind<LoginCommand>(context);
    var attemptedUsername = model.Username;
    var clientAddress = context.Request.UserHostAddress;

    // The throttle decision is taken before the credentials are checked, so a banned
    // client never reaches the credential validator regardless of what it submitted.
    var throttleAction = loginTracker.BeforeAttempt(attemptedUsername, clientAddress);
    if (throttleAction == InvalidLoginAction.Ban)
    {
        return responseCreator.BadRequest("You have had too many failed login attempts in a short period of time. Please try again later.");
    }

    var userResult = credentialValidator.ValidateCredentials(attemptedUsername, model.Password);
    var user = userResult.User;

    // Both rejection causes funnel into one failure path below; the flag (rather than a
    // null check on the reason) keeps a validator that reports a null reason on the failure path.
    var rejected = false;
    string rejectionReason = null;
    if (!userResult.Succeeded)
    {
        rejected = true;
        rejectionReason = userResult.FailureReason;
    }
    else if (user == null || !user.IsActive || user.IsService)
    {
        // An inactive or service account is refused with the same generic message as a
        // wrong password, so the response does not say which of the two it was.
        rejected = true;
        rejectionReason = "Invalid username or password.";
    }

    if (rejected)
    {
        loginTracker.RecordFailure(attemptedUsername, clientAddress);
        if (throttleAction == InvalidLoginAction.Slow)
        {
            sleep.For(1000);
        }
        return responseCreator.BadRequest(rejectionReason);
    }

    loginTracker.RecordSucess(attemptedUsername, clientAddress);
    var authCookie = issuer.CreateAuthCookie(context, user.IdentificationToken, model.RememberMe);
    var userResource = userMapper.MapToResource(user);

    // NOTE(review): the one-year Expires header is reproduced as-is; confirm that caching of
    // this response (it carries the auth cookie and the user resource) is prevented elsewhere.
    var expires = DateTime.UtcNow.AddYears(1).ToString("R", DateTimeFormatInfo.InvariantInfo);

    return responseCreator.AsOctopusJson(response, userResource)
        .WithCookie(authCookie)
        .WithStatusCode(HttpStatusCode.OK)
        .WithHeader("Expires", expires);
}