Sugumar

AuthController (API)

Namespace: FL_Accounting_Suite.API.Controllers
Route: api/auth
Purpose: Handles user authentication, including login, registration, and JWT token generation.

Dependencies:

  • IUserRepository / _unitOfWork.Users — for user data access
  • IUnitOfWork — for database transaction handling
  • IConfiguration — for JWT secret key retrieval
  • BCrypt.Net — for password hashing and verification

1. Login Endpoint

Route: POST api/auth/login
Purpose: Authenticates a user and returns a JWT token.

Request Body (LoginDto):


{"email": "admin@futurelogic.com",

    "password": "Admin@123"} 
Enter fullscreen mode Exit fullscreen mode

Logic Flow:

  1. Validate request model.
  2. Fetch user by email using _unitOfWork.Users.GetByEmailAsync().
  3. Check password with BCrypt.Verify().
  4. Ensure account is not deleted.
  5. Generate JWT token using GenerateJwtToken().
  6. Return AuthResponseDto with user info and token.

Response (AuthResponseDto):

{
  "Token": "<JWT_TOKEN>",
  "UserId": "guid",
  "FullName": "John Doe",
  "Email": "john@example.com",
  "RoleName": "Admin",
  "CompanyId": "guid"
}

Error Responses:

  • 400 Bad Request — Invalid model.
  • 401 Unauthorized — Invalid email/password or deactivated account.

2. Register Endpoint

Route: POST api/auth/register
Purpose: Registers a new user and returns a JWT token.

Request Body (RegisterDto):

{
  "FullName": "John Doe",
  "Email": "john@example.com",
  "Password": "userpassword",
  "RoleId": "guid",
  "CompanyId": "guid"
}

Logic Flow:

  1. Validate request model.
  2. Check for duplicate email.
  3. Create new User entity.
  4. Hash password using BCrypt.HashPassword().
  5. Save user via _unitOfWork.Users.AddAsync().
  6. Generate JWT token.
  7. Return AuthResponseDto with user info and token.

Response (AuthResponseDto):

{
  "Token": "<JWT_TOKEN>",
  "UserId": "guid",
  "FullName": "John Doe",
  "Email": "john@example.com",
  "RoleName": "User",
  "CompanyId": "guid"
}

Error Responses:

  • 400 Bad Request — Invalid model.
  • 409 Conflict — Email already exists.

3. JWT Token Generation

Method: GenerateJwtToken(User user)
Purpose: Creates a JWT token for the authenticated user.

Token Details:

  • Expiration: 3 hours (DateTime.UtcNow.AddHours(3))
  • Claims included:
    • NameIdentifier: user.Id
    • Email: user.Email
    • Name: user.FullName
    • Role: user.Role?.Name
    • CompanyId: user.CompanyId
  • Signing Algorithm: HmacSha256
  • Secret Key: Retrieved from appsettings.json (Jwt:Key)

Return Value: JWT token string
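The token generation described above, written out as an added example (this is not the project's own GenerateJwtToken; the User and Role shapes, the JwtTokenFactory class name and the optional Jwt:Issuer / Jwt:Audience keys are assumptions). It adds two checks a reviewer would want: the HS256 key must be at least 256 bits, and a missing role produces no Role claim rather than an empty one.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.Extensions.Configuration;
using Microsoft.IdentityModel.Tokens;

// Hypothetical minimal entity shapes matching the claims listed above.
public class Role { public string Name { get; set; } = ""; }
public class User
{
    public Guid Id { get; set; }
    public string Email { get; set; } = "";
    public string FullName { get; set; } = "";
    public Guid CompanyId { get; set; }
    public Role? Role { get; set; }
}

public static class JwtTokenFactory
{
    public static string GenerateJwtToken(User user, IConfiguration configuration)
    {
        // Jwt:Key comes from appsettings.json. HS256 needs at least 256 bits;
        // Microsoft.IdentityModel rejects shorter keys, so fail early and clearly.
        var key = configuration["Jwt:Key"]
            ?? throw new InvalidOperationException("Jwt:Key is not configured.");
        var keyBytes = Encoding.UTF8.GetBytes(key);
        if (keyBytes.Length < 32)
            throw new InvalidOperationException("Jwt:Key must be at least 256 bits.");

        var claims = new List<Claim>
        {
            new(ClaimTypes.NameIdentifier, user.Id.ToString()),
            new(ClaimTypes.Email, user.Email),
            new(ClaimTypes.Name, user.FullName),
            new("CompanyId", user.CompanyId.ToString()),
        };
        // Claim throws on a null value, so only emit Role when one is assigned.
        if (user.Role?.Name is { Length: > 0 } roleName)
            claims.Add(new Claim(ClaimTypes.Role, roleName));

        var credentials = new SigningCredentials(
            new SymmetricSecurityKey(keyBytes), SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(
            issuer: configuration["Jwt:Issuer"],       // assumed config key
            audience: configuration["Jwt:Audience"],   // assumed config key
            claims: claims,
            expires: DateTime.UtcNow.AddHours(3),
            signingCredentials: credentials);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}
```

On the validating side, TokenValidationParameters should set ValidateIssuerSigningKey, ValidateLifetime and a small ClockSkew so that the 3-hour expiry is actually enforced.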


4. Notes

  • Passwords are never stored or transmitted in plain text.
  • Uses BCrypt for secure password hashing.
  • Accounts marked as IsDeleted cannot log in.
  • JWT token contains all necessary user info for authentication & authorization.
