Refactor authentication system to use username instead of email; implement change password functionality and logging; add NLog for logging support

2026-03-17 20:08:02 +01:00 · 2026-03-17 20:08:02 +01:00 · 6e3371514e
commit 6e3371514e
parent d3887f1dd0
12 changed files with 287 additions and 45 deletions
--- a/Services/Auth/AuthUser.cs
+++ b/Services/Auth/AuthUser.cs
@ -4,9 +4,11 @@ public sealed class AuthUser
 {
    public string Id { get; init; } = string.Empty;

-    public string Email { get; init; } = string.Empty;
+    public string Username { get; init; } = string.Empty;

-    public string EmailNormalized { get; init; } = string.Empty;
+    public string UsernameNormalized { get; init; } = string.Empty;

    public string PasswordHash { get; init; } = string.Empty;
+
+    public bool MustChangePassword { get; init; } = false;
 }
--- a/Services/Auth/CouchbaseLiteAuthService.cs
+++ b/Services/Auth/CouchbaseLiteAuthService.cs
@ -27,53 +27,71 @@ public sealed class CouchbaseLiteAuthService : IAuthService
    {
        cancellationToken.ThrowIfCancellationRequested();

-        var email = options.Value.Email.Trim();
-        var normalizedEmail = NormalizeEmail(email);
+        var username = options.Value.Username.Trim();
+        var normalizedUsername = NormalizeUsername(username);

-        if (users.GetDocument(normalizedEmail) is not null)
+        if (users.GetDocument(normalizedUsername) is not null)
        {
            return Task.CompletedTask;
        }

        var user = new AuthUser
        {
-            Id = normalizedEmail,
-            Email = email,
-            EmailNormalized = normalizedEmail,
-            PasswordHash = string.Empty
+            Id = normalizedUsername,
+            Username = username,
+            UsernameNormalized = normalizedUsername,
+            PasswordHash = string.Empty,
+            MustChangePassword = true
        };

        var passwordHash = passwordHasher.HashPassword(user, options.Value.Password);
        var userToCreate = new AuthUser
        {
-            Id = normalizedEmail,
-            Email = email,
-            EmailNormalized = normalizedEmail,
+            Id = normalizedUsername,
+            Username = username,
+            UsernameNormalized = normalizedUsername,
            PasswordHash = passwordHash
        };

-        SaveUser(userToCreate);
-        logger.LogInformation("Seeded single user account {Email} in Couchbase Lite", email);
+        // Ensure the seeded user requires a password change on first login
+        var seeded = new AuthUser
+        {
+            Id = userToCreate.Id,
+            Username = userToCreate.Username,
+            UsernameNormalized = userToCreate.UsernameNormalized,
+            PasswordHash = userToCreate.PasswordHash,
+            MustChangePassword = true
+        };
+
+        SaveUser(seeded);
+        logger.LogInformation("Seeded single user account {Username} in Couchbase Lite", username);
        return Task.CompletedTask;
    }

-    public Task<AuthUser?> ValidateCredentialsAsync(string email, string password, CancellationToken cancellationToken)
+    public Task<AuthUser?> ValidateCredentialsAsync(string username, string password, CancellationToken cancellationToken)
    {
        cancellationToken.ThrowIfCancellationRequested();

-        var user = GetUser(NormalizeEmail(email));
+        var normalizedUsername = NormalizeUsername(username);
+        var user = GetUser(normalizedUsername);
        if (user is null)
        {
+            logger.LogWarning("Authentication failed: user {Username} not found", username);
            return Task.FromResult<AuthUser?>(null);
        }

        var result = passwordHasher.VerifyHashedPassword(user, user.PasswordHash, password);
+        if (result == PasswordVerificationResult.Failed)
+        {
+            logger.LogWarning("Authentication failed: invalid password for user {Username}", username);
+        }
+
        return Task.FromResult(result == PasswordVerificationResult.Failed ? null : user);
    }

-    private AuthUser? GetUser(string normalizedEmail)
+    private AuthUser? GetUser(string normalizedUsername)
    {
-        var document = users.GetDocument(normalizedEmail);
+        var document = users.GetDocument(normalizedUsername);
        if (document is null)
        {
            return null;
@ -82,21 +100,49 @@ public sealed class CouchbaseLiteAuthService : IAuthService
        return new AuthUser
        {
            Id = document.Id,
-            Email = document.GetString("email") ?? string.Empty,
-            EmailNormalized = document.GetString("emailNormalized") ?? string.Empty,
-            PasswordHash = document.GetString("passwordHash") ?? string.Empty
+            Username = document.GetString("username") ?? document.GetString("email") ?? string.Empty,
+            UsernameNormalized = document.GetString("usernameNormalized") ?? document.GetString("emailNormalized") ?? string.Empty,
+            PasswordHash = document.GetString("passwordHash") ?? string.Empty,
+            MustChangePassword = document.GetBoolean("mustChangePassword")
        };
    }

    private void SaveUser(AuthUser user)
    {
        var document = new MutableDocument(user.Id);
-        document.SetString("email", user.Email);
-        document.SetString("emailNormalized", user.EmailNormalized);
+        document.SetString("username", user.Username);
+        document.SetString("usernameNormalized", user.UsernameNormalized);
        document.SetString("passwordHash", user.PasswordHash);
+        document.SetBoolean("mustChangePassword", user.MustChangePassword);

        users.Save(document);
    }

-    private static string NormalizeEmail(string email) => email.Trim().ToUpperInvariant();
+    public Task<bool> ChangePasswordAsync(string userId, string newPassword, CancellationToken cancellationToken)
+    {
+        cancellationToken.ThrowIfCancellationRequested();
+
+        var document = users.GetDocument(userId);
+        if (document is null)
+        {
+            return Task.FromResult(false);
+        }
+
+        var user = GetUser(userId);
+        if (user is null)
+        {
+            return Task.FromResult(false);
+        }
+
+        var newHash = passwordHasher.HashPassword(user, newPassword);
+
+        var mutable = document.ToMutable();
+        mutable.SetString("passwordHash", newHash);
+        mutable.SetBoolean("mustChangePassword", false);
+        users.Save(mutable);
+
+        return Task.FromResult(true);
+    }
+
+    private static string NormalizeUsername(string username) => username.Trim().ToUpperInvariant();
 }
--- a/Services/Auth/IAuthService.cs
+++ b/Services/Auth/IAuthService.cs
@ -4,5 +4,7 @@ public interface IAuthService
 {
    Task EnsureSeedUserAsync(CancellationToken cancellationToken);

-    Task<AuthUser?> ValidateCredentialsAsync(string email, string password, CancellationToken cancellationToken);
+    Task<AuthUser?> ValidateCredentialsAsync(string username, string password, CancellationToken cancellationToken);
+
+    Task<bool> ChangePasswordAsync(string userId, string newPassword, CancellationToken cancellationToken);
 }
--- a/Services/Auth/SingleUserSeedService.cs
+++ b/Services/Auth/SingleUserSeedService.cs
@ -32,7 +32,7 @@ public sealed class SingleUserSeedService : IHostedService
        }
        catch (Exception ex)
        {
-            logger.LogError(ex, "Unable to seed Couchbase Lite single user account {Email}", options.Value.Email);
+            logger.LogError(ex, "Unable to seed Couchbase Lite single user account {Username}", options.Value.Username);
        }
    }