feat(auth): implement secure authentication flow with CORS and password hashing

- Add CORS configuration for frontend access in development and production
- Replace plain password storage with hashing using IPinHasher service
- Update LoginCommandHandler to use IRequestApiResponseHandler and return proper API responses
- Standardize error response codes in ApiResponse class

Author: TranHuyThang9999

Common/Responses.cs

@@ -33,21 +33,21 @@ public ApiResponse(string message, int code = 0, int httpStatus = 400)
     public static ApiResponse<T> Success(T data, string message = "Success")
         => new(data, message, 0, 200);
 
-    public static ApiResponse<T> NotFound(string message = "Not Found", int code = 40401)
+    public static ApiResponse<T> NotFound(string message = "Not Found", int code = 401)
         => new(message, code, 404);
 
-    public static ApiResponse<T> BadRequest(string message = "Bad Request", int code = 40001)
+    public static ApiResponse<T> BadRequest(string message = "Bad Request", int code = 400)
         => new(message, code, 400);
 
-    public static ApiResponse<T> Unauthorized(string message = "Unauthorized", int code = 40101)
+    public static ApiResponse<T> Unauthorized(string message = "Unauthorized", int code = 401)
         => new(message, code, 401);
 
-    public static ApiResponse<T> Forbidden(string message = "Forbidden", int code = 40301)
+    public static ApiResponse<T> Forbidden(string message = "Forbidden", int code = 403)
         => new(message, code, 403);
 
-    public static ApiResponse<T> Conflict(string message = "Conflict", int code = 40901)
+    public static ApiResponse<T> Conflict(string message = "Conflict", int code = 409)
         => new(message, code, 409);
 
-    public static ApiResponse<T> InternalServerError(string message = "Internal Server Error", int code = 50001)
+    public static ApiResponse<T> InternalServerError(string message = "Internal Server Error", int code = 500)
         => new(message, code, 500);
 }

Features/Auth/Commands/LoginCommand.cs

@@ -1,8 +1,9 @@
 using MediatR;
+using PaymentCoreServiceApi.Common.Mediator;
 
 namespace PaymentCoreServiceApi.Features.Auth.Commands;
 
-public record LoginCommand : IRequest<LoginResponse>
+public record LoginCommand : IRequestApiResponse<LoginResponse>
 {
     public string UserName { get; init; } = default!;
     public string Password { get; init; } = default!;

Features/Auth/Commands/LoginCommandHandler.cs

@@ -1,44 +1,65 @@
 using MediatR;
+using Microsoft.AspNetCore.Identity;
 using Microsoft.EntityFrameworkCore;
-using PaymentCoreServiceApi.Core.Interfaces.Repositories.Write;
+using PaymentCoreServiceApi.Common;
+using PaymentCoreServiceApi.Common.Mediator;
 using PaymentCoreServiceApi.Infrastructure.DbContexts;
 using PaymentCoreServiceApi.Services;
 
 namespace PaymentCoreServiceApi.Features.Auth.Commands;
 
-public class LoginCommandHandler : IRequestHandler<LoginCommand, LoginResponse>
+public class LoginCommandHandler : IRequestApiResponseHandler<LoginCommand, LoginResponse>
 {
     private readonly AppDbContext _context;
     private readonly IJwtService _jwtService;
     private readonly IExecutionContext _currentUser;
+    private readonly IPinHasher _pinHasher;
 
     public LoginCommandHandler(
-        AppDbContext context, 
+        AppDbContext context,
         IJwtService jwtService,
-        IExecutionContext currentUser)
+        IExecutionContext currentUser,
+        IPinHasher pinHasher)
     {
         _context = context;
         _jwtService = jwtService;
         _currentUser = currentUser;
+        _pinHasher = pinHasher;
     }
 
-    public async Task<LoginResponse> Handle(LoginCommand request, CancellationToken cancellationToken)
+    public async Task<ApiResponse<LoginResponse>> Handle(LoginCommand request, CancellationToken cancellationToken)
     {
+        if (string.IsNullOrWhiteSpace(request.UserName) || string.IsNullOrWhiteSpace(request.Password))
+        {
+            return ApiResponse<LoginResponse>.BadRequest("Username and password are required");
+        }
+
         var user = await _context.Users
-            .FirstOrDefaultAsync(u => u.UserName == request.UserName, cancellationToken);
+            .FirstOrDefaultAsync(u => 
+                (u.UserName == request.UserName || u.Email == request.UserName) 
+                && u.Active && !u.Deleted, 
+                cancellationToken);
 
-        if (user == null || user.Password != request.Password) 
+        if (user == null)
         {
-            throw new UnauthorizedAccessException("Invalid username or password");
+            return ApiResponse<LoginResponse>.Unauthorized("Invalid username or password");
+        }
+        if (!_pinHasher.VerifyPin(request.Password, user.Password))
+        {
+            return ApiResponse<LoginResponse>.Unauthorized("Invalid username or password");
         }
 
+        // Generate JWT token
         var token = _jwtService.GenerateToken(user);
 
-        return new LoginResponse
+        // Create response
+        var loginResponse = new LoginResponse
         {
             Token = token,
             RefreshToken = "",
-            Expiration = DateTime.Now.AddHours(1)
+            Expiration = DateTime.Now.AddHours(1),
         };
+
+        return ApiResponse<LoginResponse>.Success(loginResponse);
     }
-}
+}

Features/Users/Commands/CreateUserCommandHandler.cs

@@ -3,16 +3,20 @@
 using PaymentCoreServiceApi.Core.Entities.UserGenerated;
 using PaymentCoreServiceApi.Core.Interfaces.Repositories.Read;
 using PaymentCoreServiceApi.Core.Interfaces.Repositories.Write;
+using PaymentCoreServiceApi.Services;
 
 namespace PaymentCoreServiceApi.Features.Users.Commands;
 public class CreateUserCommandHandler: IRequestApiResponseHandler<CreateUserCommand, User>
 {
     private readonly IUserWriteRepository _userWriteRepository;
     private readonly IUserReadRepository _userReadRepository;
-    public CreateUserCommandHandler(IUserWriteRepository userWriteRepository, IUserReadRepository userReadRepository)
+    private readonly IPinHasher _pinHasher;
+    
+    public CreateUserCommandHandler(IUserWriteRepository userWriteRepository, IUserReadRepository userReadRepository, IPinHasher pinHasher)
     {
         _userWriteRepository = userWriteRepository;
         _userReadRepository = userReadRepository;
+        _pinHasher = pinHasher;
     }
 
     public async Task<ApiResponse<User>> Handle(CreateUserCommand request, CancellationToken cancellationToken)
@@ -32,7 +36,7 @@ public async Task<ApiResponse<User>> Handle(CreateUserCommand request, Cancellat
                 Age = request.Age,
                 Email = request.Email,
                 UserName = request.UserName,
-                Password = request.Password,
+                Password = _pinHasher.HashPin(request.Password),
                 PhoneNumber = request.PhoneNumber,
                 Address = request.Address,
                 Active = true

Program.cs

@@ -10,6 +10,29 @@
 // Add services to the container.
 builder.Services.AddControllers();
 
+// Add CORS configuration from appsettings
+builder.Services.AddCors(options =>
+{
+    var corsConfig = builder.Configuration.GetSection("Cors");
+    var allowedOrigins = corsConfig.GetSection("AllowedOrigins").Get<string[]>() ?? Array.Empty<string>();
+    
+    options.AddPolicy("AllowFrontend", policy =>
+    {
+        policy.WithOrigins(allowedOrigins)
+            .AllowAnyMethod()
+            .AllowAnyHeader()
+            .AllowCredentials();
+    });
+    
+    // Policy cho development - cho phép tất cả
+    options.AddPolicy("AllowAll", policy =>
+    {
+        policy.AllowAnyOrigin()
+            .AllowAnyMethod()
+            .AllowAnyHeader();
+    });
+});
+
 builder.Services.AddDbContext<AppDbContext>(options => 
     options.UseNpgsql(builder.Configuration.GetConnectionString("PostgresConnection")));
 
@@ -27,11 +50,17 @@
 
 var app = builder.Build();
 
+// Configure CORS - phải đặt trước các middleware khác
 if (app.Environment.IsDevelopment())
 {
+    app.UseCors("AllowAll"); // Cho phép tất cả trong development
     app.UseSwagger();
     app.UseSwaggerUI();
 }
+else
+{
+    app.UseCors("AllowFrontend"); // Chỉ cho phép các domain cụ thể trong production
+}
 
 app.UseHttpsRedirection();
 

appsettings.Development.json

@@ -4,5 +4,25 @@
       "Default": "Information",
       "Microsoft.AspNetCore": "Warning"
     }
+  },
+  "Cors": {
+    "AllowedOrigins": [
+      "http://localhost:3000",
+      "http://localhost:3001",
+      "http://localhost:4200",
+      "http://localhost:5173",
+      "http://localhost:8080",
+      "https://localhost:3000",
+      "https://localhost:3001",
+      "https://localhost:4200",
+      "https://localhost:5173",
+      "https://localhost:8080",
+      "http://127.0.0.1:3000",
+      "http://127.0.0.1:5173"
+    ],
+    "AllowCredentials": true,
+    "AllowAnyMethod": true,
+    "AllowAnyHeader": true,
+    "AllowAllOrigins": true
   }
 }

appsettings.json

@@ -13,5 +13,22 @@
     "Issuer": "payment-core-service",
     "Audience": "payment-core-clients"
   },
+  "Cors": {
+    "AllowedOrigins": [
+      "http://localhost:3000",
+      "http://localhost:3001",
+      "http://localhost:4200",
+      "http://localhost:5173",
+      "http://localhost:8080",
+      "https://localhost:3000",
+      "https://localhost:3001",
+      "https://localhost:4200",
+      "https://localhost:5173",
+      "https://localhost:8080"
+    ],
+    "AllowCredentials": true,
+    "AllowAnyMethod": true,
+    "AllowAnyHeader": true
+  },
   "AllowedHosts": "*"
 }