159 lines
6.4 KiB
C#
159 lines
6.4 KiB
C#
using Microsoft.AspNetCore.Antiforgery;
|
|
using Microsoft.AspNetCore.Mvc;
|
|
using Microsoft.AspNetCore.RateLimiting;
|
|
using Microsoft.Extensions.Diagnostics.HealthChecks;
|
|
using Nexus.Api.DTOs;
|
|
using Nexus.Api.Integrations;
|
|
using Nexus.Api.Services;
|
|
|
|
namespace Nexus.Api.Controllers;
|
|
|
|
[ApiController]
|
|
[Route("api/v1/auth")]
|
|
public class AuthController(
|
|
IAuthService authService,
|
|
IAntiforgery antiforgery,
|
|
IConfiguration config,
|
|
IHostEnvironment env) : ControllerBase
|
|
{
|
|
[HttpGet("csrf")]
|
|
public IActionResult GetCsrfToken()
|
|
{
|
|
var tokens = antiforgery.GetAndStoreTokens(HttpContext);
|
|
return Ok(new { token = tokens.RequestToken });
|
|
}
|
|
|
|
[HttpPost("login")]
|
|
[EnableRateLimiting("auth")]
|
|
public async Task<IResult> Login([FromBody] LoginRequest request, CancellationToken ct)
|
|
{
|
|
if (string.IsNullOrWhiteSpace(request.Email) || string.IsNullOrWhiteSpace(request.Password))
|
|
return Results.ValidationProblem(new Dictionary<string, string[]> { ["credentials"] = ["Email and password are required."] });
|
|
|
|
var session = await authService.LoginAsync(request, ct);
|
|
if (session is null) return Results.Unauthorized();
|
|
|
|
SetRefreshCookie(Response, session.RefreshToken);
|
|
Response.Headers.CacheControl = "no-store";
|
|
return Results.Ok(ToAuthResponse(session));
|
|
}
|
|
|
|
[HttpPost("refresh")]
|
|
[EnableRateLimiting("auth")]
|
|
public async Task<IResult> Refresh(CancellationToken ct)
|
|
{
|
|
if (!Request.Cookies.TryGetValue("nexus_refresh", out var refreshToken))
|
|
return Results.Unauthorized();
|
|
|
|
var session = await authService.RefreshAsync(refreshToken!, ct);
|
|
if (session is null)
|
|
{
|
|
ClearRefreshCookie(Response);
|
|
return Results.Unauthorized();
|
|
}
|
|
|
|
SetRefreshCookie(Response, session.RefreshToken);
|
|
Response.Headers.CacheControl = "no-store";
|
|
return Results.Ok(ToAuthResponse(session));
|
|
}
|
|
|
|
[HttpPost("logout")]
|
|
public async Task<IResult> Logout(CancellationToken ct)
|
|
{
|
|
if (Request.Cookies.TryGetValue("nexus_refresh", out var refreshToken))
|
|
await authService.RevokeAsync(refreshToken!, ct);
|
|
|
|
ClearRefreshCookie(Response);
|
|
return Results.NoContent();
|
|
}
|
|
|
|
[HttpGet("me")]
|
|
public async Task<IResult> GetMe(CancellationToken ct)
|
|
{
|
|
var subject = User.FindFirst(System.IdentityModel.Tokens.Jwt.JwtRegisteredClaimNames.Sub)?.Value;
|
|
if (!Guid.TryParse(subject, out var userId)) return Results.Unauthorized();
|
|
|
|
var user = await authService.GetUserAsync(userId, ct);
|
|
return user is null
|
|
? Results.Unauthorized()
|
|
: Results.Ok(new UserInfo { Id = user.Id, Email = user.Email, DisplayName = user.DisplayName, Role = user.Role });
|
|
}
|
|
|
|
[HttpPatch("profile")]
|
|
public async Task<IResult> UpdateProfile([FromBody] UpdateProfileRequest request, CancellationToken ct)
|
|
{
|
|
var subject = User.FindFirst(System.IdentityModel.Tokens.Jwt.JwtRegisteredClaimNames.Sub)?.Value;
|
|
if (!Guid.TryParse(subject, out var userId)) return Results.Unauthorized();
|
|
|
|
var user = await authService.UpdateProfileAsync(userId, request, ct);
|
|
return user is null
|
|
? Results.NotFound()
|
|
: Results.Ok(new UserInfo { Id = user.Id, Email = user.Email, DisplayName = user.DisplayName, Role = user.Role });
|
|
}
|
|
|
|
[HttpPost("admin-reset-password")]
|
|
[EnableRateLimiting("agents")]
|
|
public async Task<IResult> AdminResetPassword([FromBody] AdminResetPasswordRequest request, CancellationToken ct)
|
|
{
|
|
if (string.IsNullOrWhiteSpace(request.Email) || string.IsNullOrWhiteSpace(request.NewPassword) || string.IsNullOrWhiteSpace(request.AdminToken))
|
|
return Results.ValidationProblem(new Dictionary<string, string[]> { ["request"] = ["Email, new password, and admin token are required."] });
|
|
|
|
if (request.NewPassword.Length < 10)
|
|
return Results.ValidationProblem(new Dictionary<string, string[]> { ["newPassword"] = ["New password must be at least 10 characters."] });
|
|
|
|
var success = await authService.AdminResetPasswordAsync(request.Email, request.NewPassword, request.AdminToken, ct);
|
|
if (!success)
|
|
return Results.Problem("Password reset failed. Check the admin token, email, and that the user exists.", statusCode: 400);
|
|
|
|
return Results.Ok(new { message = "Password reset successfully." });
|
|
}
|
|
|
|
[HttpPost("change-password")]
|
|
public async Task<IResult> ChangePassword([FromBody] ChangePasswordRequest request, CancellationToken ct)
|
|
{
|
|
if (string.IsNullOrWhiteSpace(request.CurrentPassword) || string.IsNullOrWhiteSpace(request.NewPassword))
|
|
return Results.ValidationProblem(new Dictionary<string, string[]> { ["password"] = ["Current and new passwords are required."] });
|
|
|
|
if (request.NewPassword.Length < 10)
|
|
return Results.ValidationProblem(new Dictionary<string, string[]> { ["newPassword"] = ["New password must be at least 10 characters."] });
|
|
|
|
var subject = User.FindFirst(System.IdentityModel.Tokens.Jwt.JwtRegisteredClaimNames.Sub)?.Value;
|
|
if (!Guid.TryParse(subject, out var userId)) return Results.Unauthorized();
|
|
|
|
var success = await authService.ChangePasswordAsync(userId, request, ct);
|
|
return success ? Results.Ok(new { message = "Password changed successfully." }) : Results.Problem("Current password is incorrect.", statusCode: 400);
|
|
}
|
|
|
|
private static AuthResponse ToAuthResponse(AuthSession session) => new()
|
|
{
|
|
AccessToken = session.AccessToken,
|
|
ExpiresAt = session.ExpiresAt,
|
|
User = session.User
|
|
};
|
|
|
|
private void SetRefreshCookie(HttpResponse response, string token)
|
|
{
|
|
var days = config.GetValue<int?>("Jwt:RefreshTokenExpirationDays") ?? 7;
|
|
response.Cookies.Append("nexus_refresh", token, new CookieOptions
|
|
{
|
|
HttpOnly = true,
|
|
Secure = !env.IsDevelopment(),
|
|
SameSite = SameSiteMode.Strict,
|
|
Path = "/api/v1/auth",
|
|
MaxAge = TimeSpan.FromDays(days),
|
|
IsEssential = true
|
|
});
|
|
}
|
|
|
|
private void ClearRefreshCookie(HttpResponse response)
|
|
{
|
|
response.Cookies.Delete("nexus_refresh", new CookieOptions
|
|
{
|
|
HttpOnly = true,
|
|
Secure = !env.IsDevelopment(),
|
|
SameSite = SameSiteMode.Strict,
|
|
Path = "/api/v1/auth"
|
|
});
|
|
}
|
|
}
|