227 lines
9.0 KiB
C#
227 lines
9.0 KiB
C#
// src/Webshop.Application/Services/Auth/AuthService.cs
|
|
using Microsoft.AspNetCore.Identity;
|
|
using Microsoft.Extensions.Configuration;
|
|
using Microsoft.IdentityModel.Tokens;
|
|
using System;
|
|
using System.Collections.Generic;
|
|
using System.IdentityModel.Tokens.Jwt;
|
|
using System.Linq;
|
|
using System.Security.Claims;
|
|
using System.Text;
|
|
using System.Threading.Tasks;
|
|
using Webshop.Application;
|
|
using Webshop.Application.DTOs.Auth;
|
|
using Webshop.Application.Services.Public.Interfaces;
|
|
using Webshop.Domain.Identity;
|
|
using Webshop.Infrastructure.Data;
|
|
|
|
namespace Webshop.Application.Services.Auth
|
|
{
|
|
public class AuthService : IAuthService
|
|
{
|
|
private readonly UserManager<ApplicationUser> _userManager;
|
|
private readonly IEmailService _emailService;
|
|
private readonly IConfiguration _configuration;
|
|
private readonly ApplicationDbContext _context;
|
|
|
|
public AuthService(
|
|
UserManager<ApplicationUser> userManager,
|
|
IEmailService emailService,
|
|
IConfiguration configuration,
|
|
ApplicationDbContext context)
|
|
{
|
|
_userManager = userManager;
|
|
_emailService = emailService;
|
|
_configuration = configuration;
|
|
_context = context;
|
|
}
|
|
|
|
public async Task<ServiceResult> RegisterUserAsync(RegisterRequestDto request)
|
|
{
|
|
var userExists = await _userManager.FindByEmailAsync(request.Email);
|
|
if (userExists != null)
|
|
{
|
|
return ServiceResult.Fail(ServiceResultType.InvalidInput, "Ein Benutzer mit dieser E-Mail-Adresse existiert bereits.");
|
|
}
|
|
|
|
var user = new ApplicationUser { Email = request.Email, UserName = request.Email, CreatedDate = DateTimeOffset.UtcNow };
|
|
var result = await _userManager.CreateAsync(user, request.Password);
|
|
|
|
if (!result.Succeeded)
|
|
{
|
|
var errors = string.Join(" ", result.Errors.Select(e => e.Description));
|
|
return ServiceResult.Fail(ServiceResultType.Failure, errors);
|
|
}
|
|
|
|
await _userManager.AddToRoleAsync(user, "Customer");
|
|
|
|
var customerProfile = new Domain.Entities.Customer
|
|
{
|
|
AspNetUserId = user.Id,
|
|
FirstName = request.FirstName,
|
|
LastName = request.LastName
|
|
};
|
|
_context.Customers.Add(customerProfile);
|
|
await _context.SaveChangesAsync();
|
|
|
|
// Link generieren und Service aufrufen
|
|
await SendConfirmationLinkAsync(user);
|
|
|
|
return ServiceResult.Ok();
|
|
}
|
|
|
|
public async Task<ServiceResult<AuthResponseDto>> LoginUserAsync(LoginRequestDto request)
|
|
{
|
|
var user = await _userManager.FindByEmailAsync(request.Email);
|
|
if (user == null || !await _userManager.CheckPasswordAsync(user, request.Password))
|
|
{
|
|
return ServiceResult.Fail<AuthResponseDto>(ServiceResultType.Unauthorized, "Ungültige Anmeldeinformationen.");
|
|
}
|
|
|
|
if (!await _userManager.IsEmailConfirmedAsync(user))
|
|
{
|
|
return ServiceResult.Fail<AuthResponseDto>(ServiceResultType.Unauthorized, "E-Mail-Adresse wurde noch nicht bestätigt.");
|
|
}
|
|
|
|
var roles = await _userManager.GetRolesAsync(user);
|
|
var token = GenerateJwtToken(user, roles);
|
|
|
|
var response = new AuthResponseDto
|
|
{
|
|
IsAuthSuccessful = true,
|
|
Token = token,
|
|
UserId = user.Id,
|
|
Email = user.Email,
|
|
Roles = roles.ToList()
|
|
};
|
|
return ServiceResult.Ok(response);
|
|
}
|
|
|
|
public async Task<ServiceResult<AuthResponseDto>> LoginAdminAsync(LoginRequestDto request)
|
|
{
|
|
var loginResult = await LoginUserAsync(request);
|
|
if (loginResult.Type != ServiceResultType.Success)
|
|
{
|
|
return ServiceResult.Fail<AuthResponseDto>(loginResult.Type, loginResult.ErrorMessage!);
|
|
}
|
|
|
|
var user = await _userManager.FindByEmailAsync(request.Email);
|
|
if (user == null || !await _userManager.IsInRoleAsync(user, "Admin"))
|
|
{
|
|
return ServiceResult.Fail<AuthResponseDto>(ServiceResultType.Forbidden, "Keine Berechtigung für den Admin-Zugang.");
|
|
}
|
|
|
|
return loginResult;
|
|
}
|
|
|
|
public async Task<ServiceResult> ConfirmEmailAsync(string userId, string token)
|
|
{
|
|
if (string.IsNullOrEmpty(userId) || string.IsNullOrEmpty(token))
|
|
{
|
|
return ServiceResult.Fail(ServiceResultType.InvalidInput, "Benutzer-ID und Token sind erforderlich.");
|
|
}
|
|
|
|
var user = await _userManager.FindByIdAsync(userId);
|
|
if (user == null)
|
|
{
|
|
return ServiceResult.Fail(ServiceResultType.NotFound, "Ungültiger Bestätigungsversuch.");
|
|
}
|
|
|
|
var result = await _userManager.ConfirmEmailAsync(user, token);
|
|
return result.Succeeded
|
|
? ServiceResult.Ok()
|
|
: ServiceResult.Fail(ServiceResultType.Failure, "E-Mail-Bestätigung fehlgeschlagen.");
|
|
}
|
|
|
|
public async Task<ServiceResult> ResendEmailConfirmationAsync(string email)
|
|
{
|
|
var user = await _userManager.FindByEmailAsync(email);
|
|
if (user == null) return ServiceResult.Ok();
|
|
|
|
if (user.EmailConfirmed)
|
|
{
|
|
return ServiceResult.Fail(ServiceResultType.InvalidInput, "Diese E-Mail-Adresse ist bereits bestätigt.");
|
|
}
|
|
|
|
await SendConfirmationLinkAsync(user);
|
|
return ServiceResult.Ok();
|
|
}
|
|
|
|
public async Task<ServiceResult> ForgotPasswordAsync(ForgotPasswordRequestDto request)
|
|
{
|
|
var user = await _userManager.FindByEmailAsync(request.Email);
|
|
if (user != null)
|
|
{
|
|
var token = await _userManager.GeneratePasswordResetTokenAsync(user);
|
|
var clientUrl = _configuration["App:ClientUrl"];
|
|
|
|
// Sicherstellen, dass URL-Parameter escaped sind
|
|
var resetLink = $"{clientUrl}/reset-password?token={Uri.EscapeDataString(token)}&email={Uri.EscapeDataString(request.Email)}";
|
|
|
|
await _emailService.SendPasswordResetAsync(user.Email!, resetLink);
|
|
}
|
|
|
|
// WICHTIG: Wir geben IMMER Ok zurück, auch wenn der User nicht existiert.
|
|
// Das verhindert "User Enumeration" (Hacker können nicht prüfen, welche E-Mails existieren).
|
|
return ServiceResult.Ok();
|
|
}
|
|
|
|
public async Task<ServiceResult> ResetPasswordAsync(ResetPasswordDto request)
|
|
{
|
|
var user = await _userManager.FindByEmailAsync(request.Email);
|
|
if (user == null)
|
|
{
|
|
return ServiceResult.Fail(ServiceResultType.InvalidInput, "Fehler beim Zurücksetzen des Passworts.");
|
|
}
|
|
|
|
var result = await _userManager.ResetPasswordAsync(user, request.Token, request.NewPassword);
|
|
|
|
return result.Succeeded
|
|
? ServiceResult.Ok()
|
|
: ServiceResult.Fail(ServiceResultType.InvalidInput, string.Join(" ", result.Errors.Select(e => e.Description)));
|
|
}
|
|
|
|
// --- Helper Methods ---
|
|
|
|
private async Task SendConfirmationLinkAsync(ApplicationUser user)
|
|
{
|
|
var token = await _userManager.GenerateEmailConfirmationTokenAsync(user);
|
|
var clientUrl = _configuration["App:ClientUrl"]; // z.B. https://localhost:5001/api/v1/Auth
|
|
|
|
// WICHTIG: Uri.EscapeDataString ist sicherer für Token in URLs als HttpUtility
|
|
var confirmationLink = $"{clientUrl}/confirm-email?userId={user.Id}&token={Uri.EscapeDataString(token)}";
|
|
|
|
await _emailService.SendEmailConfirmationAsync(user.Email!, confirmationLink);
|
|
}
|
|
|
|
private string GenerateJwtToken(ApplicationUser user, IList<string> roles)
|
|
{
|
|
var claims = new List<Claim>
|
|
{
|
|
new Claim(JwtRegisteredClaimNames.Sub, user.Id),
|
|
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
|
|
new Claim(JwtRegisteredClaimNames.Email, user.Email!)
|
|
};
|
|
|
|
foreach (var role in roles)
|
|
{
|
|
claims.Add(new Claim(ClaimTypes.Role, role));
|
|
}
|
|
|
|
var jwtSettings = _configuration.GetSection("JwtSettings");
|
|
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSettings["Secret"]!));
|
|
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
|
|
var expires = DateTime.UtcNow.AddMinutes(double.Parse(jwtSettings["ExpirationMinutes"]!));
|
|
|
|
var token = new JwtSecurityToken(
|
|
issuer: jwtSettings["Issuer"],
|
|
audience: jwtSettings["Audience"],
|
|
claims: claims,
|
|
expires: expires,
|
|
signingCredentials: creds
|
|
);
|
|
|
|
return new JwtSecurityTokenHandler().WriteToken(token);
|
|
}
|
|
}
|
|
} |