using System.Security.Claims; using JobTrackerApi.Models; using JobTrackerApi.Services; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Identity; using Microsoft.AspNetCore.Mvc; using Microsoft.EntityFrameworkCore; namespace JobTrackerApi.Controllers; [ApiController] [Route("api/auth")] public sealed class AuthController : ControllerBase { private readonly IConfiguration _cfg; private readonly UserManager _users; private readonly ITokenService _tokens; private readonly IAppEmailSender _email; private readonly IGoogleTokenValidator _googleTokens; public AuthController(IConfiguration cfg, UserManager users, ITokenService tokens, IAppEmailSender email, IGoogleTokenValidator googleTokens) { _cfg = cfg; _users = users; _tokens = tokens; _email = email; _googleTokens = googleTokens; } [HttpGet("config")] [AllowAnonymous] public IActionResult Config() { var requireAuth = _cfg.GetValue("Auth:Require", false); var googleEnabled = !string.IsNullOrWhiteSpace((_cfg["Auth:GoogleClientId"] ?? string.Empty).Trim()); var allowRegistration = _cfg.GetValue("Auth:AllowRegistration", false); return Ok(new { requireAuth, googleEnabled, localEnabled = true, allowRegistration, }); } public sealed record LoginRequest(string Email, string Password); public sealed record RegisterRequest(string Email, string Password); public sealed record AuthResult(string AccessToken, string TokenType); public sealed record GoogleLinkDto(bool Linked, string? Email, DateTimeOffset? LinkedAt); public sealed record MeResult( string Provider, string? Id, string? Email, string? UserName, string? FirstName, string? LastName, string? DisplayName, string? ProfileCvText, string? AvatarImageDataUrl, IList Roles, GoogleLinkDto? GoogleLink); public sealed record UpdateProfileRequest(string? Email, string? UserName, string? FirstName, string? LastName, string? DisplayName, string? ProfileCvText); public sealed record GoogleTokenRequest(string Token); [HttpPost("login")] [AllowAnonymous] public async Task> Login([FromBody] LoginRequest request, CancellationToken cancellationToken) { var email = (request.Email ?? string.Empty).Trim(); var password = request.Password ?? string.Empty; if (email.Length == 0) return BadRequest("Email is required."); if (password.Length == 0) return BadRequest("Password is required."); var user = await _users.FindByEmailAsync(email) ?? await _users.FindByNameAsync(email); if (user is null) return Unauthorized(); var ok = await _users.CheckPasswordAsync(user, password); if (!ok) return Unauthorized(); var token = await _tokens.CreateAccessTokenAsync(user, cancellationToken); return Ok(new AuthResult(token, "Bearer")); } [HttpPost("register")] [AllowAnonymous] public async Task> Register([FromBody] RegisterRequest request, CancellationToken cancellationToken) { var allow = _cfg.GetValue("Auth:AllowRegistration", false); if (!allow) return StatusCode(403, "Registration is disabled."); var email = (request.Email ?? string.Empty).Trim(); var password = request.Password ?? string.Empty; if (email.Length == 0) return BadRequest("Email is required."); if (password.Length == 0) return BadRequest("Password is required."); var existing = await _users.FindByEmailAsync(email); if (existing is not null) return BadRequest("User already exists."); var user = new ApplicationUser { UserName = email, Email = email, EmailConfirmed = true }; var res = await _users.CreateAsync(user, password); if (!res.Succeeded) { return BadRequest(string.Join("; ", res.Errors.Select(e => e.Description))); } var token = await _tokens.CreateAccessTokenAsync(user, cancellationToken); return Ok(new AuthResult(token, "Bearer")); } [HttpPost("google/exchange")] [AllowAnonymous] public async Task> ExchangeGoogleToken([FromBody] GoogleTokenRequest request, CancellationToken cancellationToken) { var token = (request.Token ?? string.Empty).Trim(); if (token.Length == 0) return BadRequest("Google token is required."); GoogleTokenPrincipal google; try { google = await _googleTokens.ValidateAsync(token, cancellationToken); } catch (Exception ex) { return Unauthorized(ex.Message); } var user = await _users.Users.FirstOrDefaultAsync( x => x.GoogleSubject == google.Subject || (!string.IsNullOrWhiteSpace(google.Email) && x.GoogleEmail == google.Email), cancellationToken); if (user is null) { return Unauthorized("This Google account is not linked to a Jobbjakt user yet."); } if (string.IsNullOrWhiteSpace(user.GoogleSubject) || !string.Equals(user.GoogleSubject, google.Subject, StringComparison.Ordinal)) { user.GoogleSubject = google.Subject; user.GoogleEmail = google.Email; user.GoogleLinkedAt ??= DateTimeOffset.UtcNow; await _users.UpdateAsync(user); } var appToken = await _tokens.CreateAccessTokenAsync(user, cancellationToken); return Ok(new AuthResult(appToken, "Bearer")); } [HttpGet("me")] [Authorize] public async Task Me(CancellationToken cancellationToken) { var user = await _users.GetUserAsync(User); if (user is not null) { var roles = await _users.GetRolesAsync(user); return Ok(ToMeResult(user, roles)); } var email = User.FindFirstValue(ClaimTypes.Email) ?? User.FindFirstValue("email"); var sub = User.FindFirstValue(ClaimTypes.NameIdentifier) ?? User.FindFirstValue("sub"); var iss = User.FindFirstValue("iss") ?? string.Empty; var provider = iss.Contains("accounts.google.com", StringComparison.OrdinalIgnoreCase) ? "google" : "external"; return Ok(new MeResult( Provider: provider, Id: sub, Email: email, UserName: null, FirstName: User.FindFirstValue("given_name"), LastName: User.FindFirstValue("family_name"), DisplayName: User.FindFirstValue("name"), ProfileCvText: null, AvatarImageDataUrl: null, Roles: Array.Empty(), GoogleLink: provider == "google" ? new GoogleLinkDto(false, email, null) : null)); } [HttpPut("profile")] [Authorize(AuthenticationSchemes = "local")] public async Task UpdateProfile([FromBody] UpdateProfileRequest request) { var user = await _users.GetUserAsync(User); if (user is null) { return StatusCode(501, "Profile updates are only supported for local username/password accounts."); } var email = TrimOrNull(request.Email); var userName = TrimOrNull(request.UserName); var firstName = TrimOrNull(request.FirstName); var lastName = TrimOrNull(request.LastName); var displayName = TrimOrNull(request.DisplayName); var profileCvText = TrimOrNull(request.ProfileCvText); if (email is not null) user.Email = email; if (userName is not null) user.UserName = userName; user.FirstName = firstName; user.LastName = lastName; user.DisplayName = displayName; user.ProfileCvText = profileCvText; var res = await _users.UpdateAsync(user); if (!res.Succeeded) return BadRequest(string.Join("; ", res.Errors.Select(e => e.Description))); return NoContent(); } [HttpPost("google/link")] [Authorize(AuthenticationSchemes = "local")] public async Task> LinkGoogle([FromBody] GoogleTokenRequest request, CancellationToken cancellationToken) { var user = await _users.GetUserAsync(User); if (user is null) { return Unauthorized(); } var token = (request.Token ?? string.Empty).Trim(); if (token.Length == 0) return BadRequest("Google token is required."); GoogleTokenPrincipal google; try { google = await _googleTokens.ValidateAsync(token, cancellationToken); } catch (Exception ex) { return BadRequest(ex.Message); } var conflict = await _users.Users .Where(x => x.Id != user.Id) .FirstOrDefaultAsync(x => x.GoogleSubject == google.Subject || (!string.IsNullOrWhiteSpace(google.Email) && x.GoogleEmail == google.Email), cancellationToken); if (conflict is not null) { return Conflict("That Google account is already linked to another Jobbjakt user."); } user.GoogleSubject = google.Subject; user.GoogleEmail = google.Email; user.GoogleLinkedAt = DateTimeOffset.UtcNow; user.DisplayName ??= TrimOrNull(google.Name); user.FirstName ??= TrimOrNull(google.GivenName); user.LastName ??= TrimOrNull(google.FamilyName); var result = await _users.UpdateAsync(user); if (!result.Succeeded) { return BadRequest(string.Join("; ", result.Errors.Select(e => e.Description))); } return Ok(new GoogleLinkDto(true, user.GoogleEmail, user.GoogleLinkedAt)); } [HttpDelete("google/link")] [Authorize(AuthenticationSchemes = "local")] public async Task UnlinkGoogle() { var user = await _users.GetUserAsync(User); if (user is null) { return Unauthorized(); } user.GoogleSubject = null; user.GoogleEmail = null; user.GoogleLinkedAt = null; var result = await _users.UpdateAsync(user); if (!result.Succeeded) { return BadRequest(string.Join("; ", result.Errors.Select(e => e.Description))); } return NoContent(); } [HttpPost("avatar")] [Authorize(AuthenticationSchemes = "local")] [RequestSizeLimit(5_000_000)] public async Task UploadAvatar([FromForm] IFormFile? file) { var user = await _users.GetUserAsync(User); if (user is null) { return Unauthorized(); } if (file is null || file.Length == 0) { return BadRequest("Image file is required."); } if (!string.Equals(file.ContentType, "image/png", StringComparison.OrdinalIgnoreCase) && !string.Equals(file.ContentType, "image/jpeg", StringComparison.OrdinalIgnoreCase) && !string.Equals(file.ContentType, "image/webp", StringComparison.OrdinalIgnoreCase)) { return BadRequest("Only PNG, JPEG, or WebP images are supported."); } if (file.Length > 5_000_000) { return BadRequest("Avatar image is too large."); } await using var stream = file.OpenReadStream(); using var memory = new MemoryStream(); await stream.CopyToAsync(memory); var bytes = memory.ToArray(); var base64 = Convert.ToBase64String(bytes); user.AvatarImageDataUrl = $"data:{file.ContentType};base64,{base64}"; var result = await _users.UpdateAsync(user); if (!result.Succeeded) { return BadRequest(string.Join("; ", result.Errors.Select(e => e.Description))); } return Ok(new { avatarImageDataUrl = user.AvatarImageDataUrl }); } [HttpDelete("avatar")] [Authorize(AuthenticationSchemes = "local")] public async Task DeleteAvatar() { var user = await _users.GetUserAsync(User); if (user is null) { return Unauthorized(); } user.AvatarImageDataUrl = null; var result = await _users.UpdateAsync(user); if (!result.Succeeded) { return BadRequest(string.Join("; ", result.Errors.Select(e => e.Description))); } return NoContent(); } public sealed record ChangePasswordRequest(string CurrentPassword, string NewPassword); [HttpPost("change-password")] [Authorize(AuthenticationSchemes = "local")] public async Task ChangePassword([FromBody] ChangePasswordRequest request) { var user = await _users.GetUserAsync(User); if (user is null) { return StatusCode(501, "Password changes are only supported for local username/password accounts."); } if (string.IsNullOrWhiteSpace(request.CurrentPassword)) return BadRequest("CurrentPassword is required."); if (string.IsNullOrWhiteSpace(request.NewPassword)) return BadRequest("NewPassword is required."); var res = await _users.ChangePasswordAsync(user, request.CurrentPassword, request.NewPassword); if (!res.Succeeded) return BadRequest(string.Join("; ", res.Errors.Select(e => e.Description))); return NoContent(); } public sealed record RequestPasswordResetRequest(string Email); [HttpPost("request-password-reset")] [AllowAnonymous] public async Task RequestPasswordReset([FromBody] RequestPasswordResetRequest request, CancellationToken cancellationToken) { var email = (request.Email ?? string.Empty).Trim(); if (email.Length == 0) return NoContent(); var user = await _users.FindByEmailAsync(email); if (user is null || string.IsNullOrWhiteSpace(user.Email)) { return NoContent(); } var token = await _users.GeneratePasswordResetTokenAsync(user); var baseUrl = (_cfg["App:PublicBaseUrl"] ?? string.Empty).Trim().TrimEnd('/'); if (string.IsNullOrWhiteSpace(baseUrl)) { baseUrl = $"{Request.Scheme}://{Request.Host}"; } var link = $"{baseUrl}/reset-password?email={Uri.EscapeDataString(user.Email)}&token={Uri.EscapeDataString(token)}"; await _email.SendAsync( user.Email, "Password reset", $"You requested a password reset for Jobbjakt.\n\nReset link:\n{link}\n\nIf you did not request this, you can ignore this email.", cancellationToken ); return NoContent(); } public sealed record ResetPasswordRequest(string Email, string Token, string NewPassword); [HttpPost("reset-password")] [AllowAnonymous] public async Task ResetPassword([FromBody] ResetPasswordRequest request) { var email = (request.Email ?? string.Empty).Trim(); var token = request.Token ?? string.Empty; var newPassword = request.NewPassword ?? string.Empty; if (email.Length == 0) return BadRequest("Email is required."); if (token.Length == 0) return BadRequest("Token is required."); if (newPassword.Length == 0) return BadRequest("NewPassword is required."); var user = await _users.FindByEmailAsync(email); if (user is null) return BadRequest("Invalid email or token."); var res = await _users.ResetPasswordAsync(user, token, newPassword); if (!res.Succeeded) return BadRequest(string.Join("; ", res.Errors.Select(e => e.Description))); return NoContent(); } private static string? TrimOrNull(string? value) { return string.IsNullOrWhiteSpace(value) ? null : value.Trim(); } private static MeResult ToMeResult(ApplicationUser user, IList roles) { return new MeResult( Provider: "local", Id: user.Id, Email: user.Email, UserName: user.UserName, FirstName: user.FirstName, LastName: user.LastName, DisplayName: user.DisplayName, ProfileCvText: user.ProfileCvText, AvatarImageDataUrl: user.AvatarImageDataUrl, Roles: roles, GoogleLink: new GoogleLinkDto( Linked: !string.IsNullOrWhiteSpace(user.GoogleSubject), Email: user.GoogleEmail, LinkedAt: user.GoogleLinkedAt)); } }