Authenticate Api added. JWT Authentication added. Roles and functions copied to the claims. JWTOptions are read from appsettings. Hash password is stored in DB Seed.

Author: HasanJaved-Developer

CentralizedLoggingApi/appsettings.Production.json

@@ -1,5 +1,5 @@
 {
   "ConnectionStrings": {
-    "DefaultConnection": "Server=db,1433;Database=CentralizedLoggingDB;User=sa;Password=Bisp@123;MultipleActiveResultSets=true;TrustServerCertificate=True;Encrypt=False;"
+    "DefaultConnection": "Server=db,1433;Database=UserManagementDB;User=sa;Password=Bisp@123;MultipleActiveResultSets=true;TrustServerCertificate=True;Encrypt=False;"
   }
 }

UserManagementApi/Controllers/UsersController.cs

@@ -1,7 +1,16 @@
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Identity.Data;
+using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Tokens;
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Text;
 using UserManagementApi.Data;
 using UserManagementApi.DTO;
+using UserManagementApi.DTO.Auth;
+using UserManagementApi.Models;
 
 namespace UserManagementApi.Controllers
 {
@@ -11,17 +20,68 @@ namespace UserManagementApi.Controllers
     public class UsersController : ControllerBase
     {
         private readonly AppDbContext _db;
-        public UsersController(AppDbContext db) => _db = db;
+        private readonly JwtOptions _jwt;
 
-        // GET: api/users/{userId}/permissions
+        public UsersController(AppDbContext db, IOptions<JwtOptions> jwtOptions)
+        {
+            _db = db;
+            _jwt = jwtOptions.Value;
+        }
+        // --------- NEW: POST /api/users/authenticate ----------
+        [HttpPost("authenticate")]
+        public async Task<ActionResult<AuthResponse>> Authenticate([FromBody] DTO.LoginRequest req)
+        {
+            if (string.IsNullOrWhiteSpace(req.UserName) || string.IsNullOrWhiteSpace(req.Password))
+                return BadRequest("Username and password are required.");
+
+            // Validate user (plain text as per your seed)
+            var user = await _db.Users
+                .Include(u => u.UserRoles)
+                    .ThenInclude(ur => ur.Role)
+                .FirstOrDefaultAsync(u => u.UserName == req.UserName && u.Password == req.Password);
+
+            if (user == null)
+                return Unauthorized("Invalid credentials.");
+
+            // Collect roles & function codes for claims (optional but handy)
+            var roleIds = user.UserRoles.Select(ur => ur.RoleId).ToList();
+
+            var functionCodes = await _db.RoleFunctions
+                .Where(rf => roleIds.Contains(rf.RoleId))
+                .Select(rf => rf.Function.Code)
+                .Distinct()
+                .ToListAsync();
+
+            var token = GenerateJwt(user, user.UserRoles.Select(ur => ur.Role.Name).Distinct().ToList(), functionCodes, out var expiresAtUtc);
+
+            // Get the same permissions tree you already expose
+            var permissions = await BuildPermissionsForUser(user.Id);
+
+            return Ok(new AuthResponse(user.Id, user.UserName, token, expiresAtUtc, permissions));
+        }
+
+        // --------- (Existing) GET /api/users/{userId}/permissions ----------
+        // Now protected by JWT; call with Bearer token returned by /authenticate
+        [Authorize]
         [HttpGet("{userId:int}/permissions")]
         public async Task<ActionResult<UserPermissionsDto>> GetPermissions(int userId)
         {
+            // Optional: you can enforce that a user can only view their own permissions
+            // by comparing userId with the token's sub, if desired.
+
             var user = await _db.Users.FirstOrDefaultAsync(u => u.Id == userId);
             if (user == null) return NotFound($"User {userId} not found.");
 
-            // Build a single LINQ query that filters functions to those reachable
-            // via the user's roles (no client-side filtering).
+            var dto = await BuildPermissionsForUser(userId);
+            return Ok(dto);
+        }
+
+        // ----- helpers -----
+
+        private async Task<UserPermissionsDto> BuildPermissionsForUser(int userId)
+        {
+            var user = await _db.Users.FirstAsync(u => u.Id == userId);
+
             var categories = await _db.Categories
                 .Select(c => new CategoryDto(
                     c.Id,
@@ -30,19 +90,50 @@ public async Task<ActionResult<UserPermissionsDto>> GetPermissions(int userId)
                       .Select(m => new ModuleDto(
                           m.Id, m.Name, m.Area, m.Controller, m.Action,
                           m.Functions
-                           .Where(f => f.RoleFunctions
-                               .Any(rf => rf.Role.UserRoles.Any(ur => ur.UserId == userId)))
-                           .Select(f => new FunctionDto(f.Id, f.Code, f.DisplayName))
-                           .ToList()
+                            .Where(f => f.RoleFunctions
+                                .Any(rf => rf.Role.UserRoles.Any(ur => ur.UserId == userId)))
+                            .Select(f => new FunctionDto(f.Id, f.Code, f.DisplayName))
+                            .ToList()
                       ))
-                      .Where(md => md.Functions.Any()) // keep only modules with at least one permitted function
+                      .Where(md => md.Functions.Any())
                       .ToList()
                 ))
-                .Where(cd => cd.Modules.Any()) // keep only categories with at least one permitted module
+                .Where(cd => cd.Modules.Any())
                 .ToListAsync();
 
-            var dto = new UserPermissionsDto(user.Id, user.UserName, categories);
-            return Ok(dto);
+            return new UserPermissionsDto(user.Id, user.UserName, categories);
+        }
+
+        private string GenerateJwt(AppUser user, IEnumerable<string> roles, IEnumerable<string> functionCodes, out DateTime expiresAtUtc)
+        {
+            var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_jwt.Key));
+            var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
+
+            var claims = new List<Claim>
+            {
+                new(JwtRegisteredClaimNames.Sub, user.Id.ToString()),
+                new(JwtRegisteredClaimNames.UniqueName, user.UserName)
+            };
+
+            // optional: add role claims
+            claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));
+
+            // optional: add function claims (careful: keep token size reasonable)
+            foreach (var fn in functionCodes)
+                claims.Add(new Claim("perm", fn));
+
+            var now = DateTime.UtcNow;
+            expiresAtUtc = now.AddMinutes(_jwt.ExpiresMinutes);
+
+            var token = new JwtSecurityToken(
+                issuer: _jwt.Issuer,
+                audience: _jwt.Audience,
+                claims: claims,
+                notBefore: now,
+                expires: expiresAtUtc,
+                signingCredentials: creds);
+
+            return new JwtSecurityTokenHandler().WriteToken(token);
         }
     }
 }

UserManagementApi/DTO/Auth/JwtOptions.cs

@@ -0,0 +1,10 @@
+namespace UserManagementApi.DTO.Auth
+{
+    public class JwtOptions
+    {
+        public string Issuer { get; set; } = null!;
+        public string Audience { get; set; } = null!;
+        public string Key { get; set; } = null!;
+        public int ExpiresMinutes { get; set; }
+    }
+}

UserManagementApi/DTO/PermissionDtos.cs

@@ -1,5 +1,15 @@
 namespace UserManagementApi.DTO
 {
+    public record LoginRequest(string UserName, string Password);
+
+    public record AuthResponse(
+        int UserId,
+        string UserName,
+        string Token,
+        DateTime ExpiresAtUtc,
+        UserPermissionsDto Permissions // reuse your existing permissions dto
+    );
+
     public record FunctionDto(int Id, string Code, string DisplayName);
     public record ModuleDto(int Id, string Name, string Area, string Controller, string Action, List<FunctionDto> Functions);
     public record CategoryDto(int Id, string Name, List<ModuleDto> Modules);

UserManagementApi/DbSeeder.cs

@@ -47,8 +47,8 @@ public static void Seed(IServiceProvider serviceProvider)
 
                 var users = new List<AppUser>
                 {
-                    new AppUser { Id = 1, UserName = "alice", Password = "alice" },
-                    new AppUser { Id = 2, UserName = "bob",   Password = "bob" }
+                    new AppUser { Id = 1, UserName = "alice", Password = BCrypt.Net.BCrypt.HashPassword("alice") },
+                    new AppUser { Id = 2, UserName = "bob", Password = BCrypt.Net.BCrypt.HashPassword("boob") }
                 };
 
                 var userRoles = new List<UserRole>

UserManagementApi/Program.cs

@@ -1,10 +1,14 @@
-using UserManagementApi;
-using UserManagementApi.Data;
-using UserManagementApi.Middlewares;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.EntityFrameworkCore;
+using Microsoft.IdentityModel.Tokens;
 using Microsoft.OpenApi.Models;
 using Serilog;
 using System.Reflection;
+using System.Text;
+using UserManagementApi;
+using UserManagementApi.Data;
+using UserManagementApi.DTO.Auth;
+using UserManagementApi.Middlewares;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -22,6 +26,26 @@
 builder.Services.AddDbContext<AppDbContext>(options =>
     options.UseSqlServer(builder.Configuration.GetConnectionString("DefaultConnection")));
 
+// Add JwtOptions + Authentication
+builder.Services.Configure<JwtOptions>(builder.Configuration.GetSection("Jwt"));
+var jwt = builder.Configuration.GetSection("Jwt").Get<JwtOptions>()!;
+
+builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+    .AddJwtBearer(opt =>
+    {
+        opt.TokenValidationParameters = new TokenValidationParameters
+        {
+            ValidateIssuer = true,
+            ValidateAudience = true,
+            ValidateIssuerSigningKey = true,
+            ValidIssuer = jwt.Issuer,
+            ValidAudience = jwt.Audience,
+            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwt.Key)),
+            ClockSkew = TimeSpan.Zero
+        };
+    });
+
+builder.Services.AddAuthorization();
 
 builder.Services.AddHttpContextAccessor();
 
@@ -68,6 +92,8 @@
 
 app.UseHttpsRedirection();
 
+
+app.UseAuthentication(); // must be before UseAuthorization
 app.UseAuthorization();
 
 app.MapControllers();

UserManagementApi/UserManagementApi.csproj

@@ -10,6 +10,8 @@
   </PropertyGroup>
 
   <ItemGroup>
+     <PackageReference Include="BCrypt.Net-Next" Version="4.0.3" />
+     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="9.0.8" />
      <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="9.0.7" />
     <PackageReference Include="Microsoft.EntityFrameworkCore" Version="9.0.8" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="9.0.8">

UserManagementApi/appsettings.Development.json

@@ -1,8 +1,5 @@
 {
-  "Logging": {
-    "LogLevel": {
-      "Default": "Information",
-      "Microsoft.AspNetCore": "Warning"
-    }
+  "ConnectionStrings": {
+    "DefaultConnection": "Server=(localdb)\\mssqllocaldb;Database=UserManagementDB;Trusted_Connection=True;MultipleActiveResultSets=true"
   }
 }

UserManagementApi/appsettings.Production.json

@@ -0,0 +1,5 @@
+{
+  "ConnectionStrings": {
+    "DefaultConnection": "Server=db,1433;Database=CentralizedLoggingDB;User=sa;Password=Bisp@123;MultipleActiveResultSets=true;TrustServerCertificate=True;Encrypt=False;"
+  }
+}

UserManagementApi/appsettings.json

@@ -1,9 +1,34 @@
 {
-  "Logging": {
-    "LogLevel": {
+  "Serilog": {
+    "Using": [ "Serilog.Sinks.Console", "Serilog.Sinks.File", "Serilog.Formatting.Compact", "Serilog.Filters.Expressions" ],
+    "MinimumLevel": {
       "Default": "Information",
-      "Microsoft.AspNetCore": "Warning"
-    }
+      "Override": {
+        "Microsoft": "Warning",
+        "System": "Warning"
+      }
+    },
+    "Enrich": [ "FromLogContext", "WithMachineName", "WithThreadId", "WithProcessId" ],
+    "WriteTo": [
+      {
+        "Name": "File",
+        "Args": {
+          "path": "logs/dev-app-.clef",
+          "rollingInterval": "Day",
+          "rollOnFileSizeLimit": true,
+          "retainedFileCountLimit": 7,
+          "shared": true,
+          "formatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact"
+        },
+        "restrictedToMinimumLevel": "Information"
+      }
+    ]
   },
-  "AllowedHosts": "*"
+  "Jwt": {
+    "Issuer": "PermsApi",
+    "Audience": "PermsApiAudience",
+    "Key": "very_long_dev_key_change_in_prod_1234567890",
+    "ExpiresMinutes": 60
+  }
+
 }