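        /// <summary>
        /// Checks a username/password pair and, when it is valid, persists a new refresh-token row
        /// and returns it together with a freshly built JWT.
        /// </summary>
        /// <param name="username">Username looked up in <c>ctx.Users</c>.</param>
        /// <param name="password">Plaintext password checked against the stored hash via the shared helper.</param>
        /// <returns>A <see cref="JwtRefreshDTO"/> carrying the refresh token and the JWT.</returns>
        /// <exception cref="UnauthorizedAccessException">
        /// Thrown when the username is unknown or the password does not match. Both cases use the
        /// same message so the response does not reveal which of the two was wrong.
        /// (Derives from <see cref="Exception"/>, so existing <c>catch (Exception)</c> handlers still apply.)
        /// </exception>
        public async Task <JwtRefreshDTO> AllowLogin(string username, string password)
        {
            const string deniedMessage = "Denied login, please check your password and username";

            var helperShared = new YetAnotherPrivateChat.Shared.HelperShared.Helper();

            // NOTE(review): this method reads both `ctx` and `_context`; presumably they are the
            // same DbContext instance — verify, otherwise the user lookup and the token insert
            // hit different contexts.
            var user = await ctx.Users.FirstOrDefaultAsync(c => c.Username == username);

            // An unknown username previously fell through to user.Password and surfaced as a
            // NullReferenceException; reject it explicitly with the same message as a bad password.
            // NOTE(review): the hash comparison is skipped on this path, so the two failure
            // branches may still differ in timing — confirm whether that matters for this app.
            if (user == null)
            {
                throw new UnauthorizedAccessException(deniedMessage);
            }

            if (!helperShared.ComparePassword(user.Password, password))
            {
                throw new UnauthorizedAccessException(deniedMessage);
            }

            // Lifetime handed to both the persisted row and the issued token; the unit is whatever
            // RefreshTokenDb / RefreshToken expect (not visible here).
            int expiration = 6;

            /*
             * Rationale for putting the row id into the refresh token:
             * The refresh token has to be checked for validity later, so some identifier is needed.
             * Storing the opaque token string itself in the DB would mean every refresh token is
             * kept in the database; a breach would then hand an attacker every user's session.
             * By storing only the row id, an attacker would additionally need the signing secret,
             * which adds one more layer of protection to the application.
             */

            var refreshTokenDb = new RefreshTokenDb(user.UserId, expiration);

            var result = _context.RefreshDb.Add(refreshTokenDb);
            await _context.SaveChangesAsync();

            // The generated row id is only known after SaveChangesAsync, hence the ordering.
            var refreshToken = new RefreshToken(expiration, result.Entity.RefreshTokenDbId);
            var jwt          = new JwtToken(user.UserId, user.RegistrationDate, user.Admin);

            return(new JwtRefreshDTO(refreshToken, jwt));
        }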
        /// <summary>
        /// Reports whether both <paramref name="username"/> and <paramref name="email"/> are still free.
        /// </summary>
        /// <param name="email">Candidate e-mail, compared against every stored (hashed) e-mail through the shared helper.</param>
        /// <param name="username">Candidate username, matched exactly against <c>Users.Username</c>.</param>
        /// <param name="ctx">Database context to query.</param>
        /// <returns><c>true</c> when neither value is already taken; otherwise <c>false</c>.</returns>
        public async Task <bool> AllowUsernameAndEmail(string email, string username, MyDbContext ctx)
        {
            // Usernames are stored in clear, so the database can answer this part directly.
            var usernameTaken = await ctx.Users.AnyAsync(c => c.Username == username);
            if (usernameTaken)
            {
                return(false);
            }

            // E-mails are stored hashed, so they cannot be matched inside the query: every stored
            // hash has to be pulled back and compared one by one with the helper.
            var storedEmailHashes = await ctx.Users.Select(c => c.Email).ToListAsync();

            var helperShared = new YetAnotherPrivateChat.Shared.HelperShared.Helper();

            // Stops at the first matching hash, walking the list in the order it was returned.
            var emailTaken = storedEmailHashes.Any(storedHash => helperShared.CompareEmail(storedHash, email));

            return(!emailTaken);
        }