using API.Core.Contracts.Auth;
using Shared.Contracts;
using Domain.Entities;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Service.Auth;
namespace API.Core.Controllers
{
///
/// Handles user authentication concerns: registration, login, email confirmation, and token refresh.
///
///
/// The controller is decorated with [Authorize(AuthenticationSchemes = "JWT")] by default, but most
/// actions opt out via [AllowAnonymous] since they are entry points used before a caller holds a token.
///
/// Service used to register new user accounts.
/// Service used to authenticate existing user accounts.
/// Service used to confirm user accounts and resend confirmation emails.
/// Service used to refresh JWT access/refresh token pairs.
[ApiController]
[Route("api/[controller]")]
[Authorize(AuthenticationSchemes = "JWT")]
public class AuthController(
IRegisterService registerService,
ILoginService loginService,
IConfirmationService confirmationService,
ITokenService tokenService
) : ControllerBase
{
///
/// Registers a new user account.
///
///
/// Allows anonymous access. On success, responds with 201 Created containing the new user's ID,
/// username, issued refresh/access tokens, and whether a confirmation email was sent.
///
/// The registration details, including username, name, email, date of birth, and password.
/// A 201 Created result wrapping a of .
[AllowAnonymous]
[HttpPost("register")]
public async Task> Register(
[FromBody] RegisterRequest req
)
{
var rtn = await registerService.RegisterAsync(
new UserAccount
{
UserAccountId = Guid.Empty,
Username = req.Username,
FirstName = req.FirstName,
LastName = req.LastName,
Email = req.Email,
DateOfBirth = req.DateOfBirth,
},
req.Password
);
var response = new ResponseBody
{
Message = "User registered successfully.",
Payload = new RegistrationPayload(
rtn.UserAccount.UserAccountId,
rtn.UserAccount.Username,
rtn.RefreshToken,
rtn.AccessToken,
rtn.EmailSent
),
};
return Created("/", response);
}
///
/// Authenticates a user with a username and password.
///
///
/// Allows anonymous access. On success, responds with 200 OK containing the user's ID,
/// username, and a newly issued refresh/access token pair.
///
/// The login credentials (username and password).
/// An 200 OK result wrapping a of .
[AllowAnonymous]
[HttpPost("login")]
public async Task Login([FromBody] LoginRequest req)
{
var rtn = await loginService.LoginAsync(req.Username, req.Password);
return Ok(
new ResponseBody
{
Message = "Logged in successfully.",
Payload = new LoginPayload(
rtn.UserAccount.UserAccountId,
rtn.UserAccount.Username,
rtn.RefreshToken,
rtn.AccessToken
),
}
);
}
///
/// Confirms a user account using a confirmation token.
///
///
/// Requires JWT authentication. On success, responds with 200 OK containing the confirmed
/// user's ID and the confirmation timestamp.
///
/// The confirmation token supplied via the confirmation email link.
/// A 200 OK result wrapping a of .
[HttpPost("confirm")]
public async Task Confirm([FromQuery] string token)
{
var rtn = await confirmationService.ConfirmUserAsync(token);
return Ok(
new ResponseBody
{
Message = "User with ID " + rtn.UserId + " is confirmed.",
Payload = new ConfirmationPayload(
rtn.UserId,
rtn.ConfirmedAt
),
}
);
}
///
/// Resends the account confirmation email for the specified user.
///
///
/// Requires JWT authentication. On success, responds with 200 OK.
///
/// The unique identifier of the user account to resend the confirmation email for.
/// A 200 OK result wrapping a confirming the email was resent.
[HttpPost("confirm/resend")]
public async Task ResendConfirmation([FromQuery] Guid userId)
{
await confirmationService.ResendConfirmationEmailAsync(userId);
return Ok(new ResponseBody { Message = "confirmation email has been resent" });
}
///
/// Exchanges a valid refresh token for a new access/refresh token pair.
///
///
/// Allows anonymous access. On success, responds with 200 OK containing the user's ID,
/// username, and the newly issued refresh/access token pair.
///
/// The request containing the refresh token to exchange.
/// A 200 OK result wrapping a of .
[AllowAnonymous]
[HttpPost("refresh")]
public async Task Refresh(
[FromBody] RefreshTokenRequest req
)
{
var rtn = await tokenService.RefreshTokenAsync(req.RefreshToken);
return Ok(
new ResponseBody
{
Message = "Token refreshed successfully.",
Payload = new LoginPayload(
rtn.UserAccount.UserAccountId,
rtn.UserAccount.Username,
rtn.RefreshToken,
rtn.AccessToken
),
}
);
}
}
}