public async Task <JwtRefreshDTO> AllowLogin(string username, string password) { var helperShared = new YetAnotherPrivateChat.Shared.HelperShared.Helper(); var user = await ctx.Users.FirstOrDefaultAsync(c => c.Username == username); var allowed = helperShared.ComparePassword(user.Password, password); if (!allowed) { throw new Exception("Denied login, please check your password and username"); } int expiration = 6; /* * What is the rationale of adding the row id to the Refresh token? * Since we need to check if the Refresh Token is still valid or not we need some identification. * I could send a blank Refresh token and save its string to the DB, but them I would have all of the Refresh tokens stored * If a breach happened the attacker would have access of all the users, but now since I'm not storing anything the attacker would also need the secret key * So I'm pretty much adding another chain to protect the application. */ var refreshTokenDb = new RefreshTokenDb(user.UserId, expiration); var result = _context.RefreshDb.Add(refreshTokenDb); await _context.SaveChangesAsync(); var refreshToken = new RefreshToken(expiration, result.Entity.RefreshTokenDbId); var jwt = new JwtToken(user.UserId, user.RegistrationDate, user.Admin); return(new JwtRefreshDTO(refreshToken, jwt)); }
public async Task <bool> AllowUsernameAndEmail(string email, string username, MyDbContext ctx) { var usr = await ctx.Users.AnyAsync(c => c.Username == username); if (usr) { return(false); } //due to the idea of hashing the emails, I them need to query all of them to compare.... var hashList = await ctx.Users.Select(c => c.Email).ToListAsync(); var helperShared = new YetAnotherPrivateChat.Shared.HelperShared.Helper(); foreach (var hash in hashList) { if (helperShared.CompareEmail(hash, email)) { return(false); } } return(true); }