feat: username/password authentication for admin and merchant panels
CI/CD / CI · API (dotnet build + test) (push) Successful in 49s
CI/CD / CI · Admin API (dotnet build) (push) Successful in 42s
CI/CD / CI · Dashboard (tsc) (push) Successful in 1m8s
CI/CD / CI · Admin Web (tsc) (push) Successful in 37s
CI/CD / CI · Website (tsc) (push) Successful in 46s
CI/CD / CI · Koja (tsc) (push) Successful in 49s
CI/CD / Deploy · all services (push) Has been cancelled
CI/CD / CI · API (dotnet build + test) (push) Successful in 49s
CI/CD / CI · Admin API (dotnet build) (push) Successful in 42s
CI/CD / CI · Dashboard (tsc) (push) Successful in 1m8s
CI/CD / CI · Admin Web (tsc) (push) Successful in 37s
CI/CD / CI · Website (tsc) (push) Successful in 46s
CI/CD / CI · Koja (tsc) (push) Successful in 49s
CI/CD / Deploy · all services (push) Has been cancelled
- Add PasswordHasher utility (PBKDF2/SHA-256, 100k iterations)
- Add Username + PasswordHash fields to Employee and SystemAdmin entities
- EF migration: AddPasswordLogin (nullable columns on both tables)
- Meezi.API: POST /api/auth/login (employee password login, CHOOSE_CAFE support)
- Meezi.API: PUT/DELETE /api/cafes/{id}/employees/{id}/credentials (Owner/Manager only)
- Meezi.Admin.API: POST /api/admin/auth/login + PUT /api/admin/auth/password
- Dashboard login page: OTP / Password tabs
- Admin login page: OTP / Password tabs
- HR screen: new Credentials tab for setting employee username/password
- PlatformDataSeeder: ensure system admin + integration settings in production
- Trial countdown banner: updated deadline to 1 Tir 1405 (Jun 22)
- i18n: fa/en/ar updated for all new UI strings
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
soroush.asadi
@@ -38,6 +38,26 @@ public class AuthController : ControllerBase
|
||||
_verifyRegisterValidator = verifyRegisterValidator;
|
||||
}
|
||||
|
||||
[HttpPost("login")]
|
||||
[ProducesResponseType(typeof(ApiResponse<AuthTokenResponse>), StatusCodes.Status200OK)]
|
||||
public async Task<IActionResult> LoginWithPassword(
|
||||
[FromBody] LoginWithPasswordRequest request,
|
||||
CancellationToken cancellationToken)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(request.Username) || string.IsNullOrWhiteSpace(request.Password))
|
||||
return BadRequest(ValidationError("Username and password are required."));
|
||||
|
||||
var (success, data, code, message, choices) = await _authService.LoginWithPasswordAsync(request, cancellationToken);
|
||||
|
||||
if (!success && code == "CHOOSE_CAFE")
|
||||
return Ok(new ApiResponse<CafeChoicesResponse>(false, choices, new ApiError("CHOOSE_CAFE", "Please select a café to continue.")));
|
||||
|
||||
if (!success)
|
||||
return ErrorResult(code!, message!);
|
||||
|
||||
return Ok(new ApiResponse<AuthTokenResponse>(true, data));
|
||||
}
|
||||
|
||||
[HttpPost("send-otp")]
|
||||
[EnableRateLimiting("auth-otp")]
|
||||
[ProducesResponseType(typeof(ApiResponse<SendOtpResponse>), StatusCodes.Status200OK)]
|
||||
@@ -193,6 +213,9 @@ public class AuthController : ControllerBase
|
||||
return new ApiResponse<object>(false, null, new ApiError("VALIDATION_ERROR", first.ErrorMessage, first.PropertyName));
|
||||
}
|
||||
|
||||
private static ApiResponse<object> ValidationError(string message) =>
|
||||
new(false, null, new ApiError("VALIDATION_ERROR", message));
|
||||
|
||||
private IActionResult ErrorResult(string code, string message) => code switch
|
||||
{
|
||||
"RATE_LIMITED" => StatusCode(StatusCodes.Status429TooManyRequests,
|
||||
|
||||
@@ -1,9 +1,12 @@
|
||||
using FluentValidation;
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
using Microsoft.EntityFrameworkCore;
|
||||
using Meezi.API.Models.Hr;
|
||||
using Meezi.API.Services;
|
||||
using Meezi.Core.Enums;
|
||||
using Meezi.Core.Interfaces;
|
||||
using Meezi.Core.Utilities;
|
||||
using Meezi.Infrastructure.Data;
|
||||
using Meezi.Shared;
|
||||
|
||||
namespace Meezi.API.Controllers;
|
||||
@@ -15,17 +18,20 @@ public class HrController : CafeApiControllerBase
|
||||
private readonly IValidator<CreateLeaveRequest> _leaveValidator;
|
||||
private readonly IValidator<ReviewLeaveRequest> _reviewValidator;
|
||||
private readonly IValidator<CreateSalaryRequest> _salaryValidator;
|
||||
private readonly AppDbContext _db;
|
||||
|
||||
public HrController(
|
||||
IHrService hr,
|
||||
IValidator<CreateLeaveRequest> leaveValidator,
|
||||
IValidator<ReviewLeaveRequest> reviewValidator,
|
||||
IValidator<CreateSalaryRequest> salaryValidator)
|
||||
IValidator<CreateSalaryRequest> salaryValidator,
|
||||
AppDbContext db)
|
||||
{
|
||||
_hr = hr;
|
||||
_leaveValidator = leaveValidator;
|
||||
_reviewValidator = reviewValidator;
|
||||
_salaryValidator = salaryValidator;
|
||||
_db = db;
|
||||
}
|
||||
|
||||
[HttpGet("employees")]
|
||||
@@ -201,4 +207,66 @@ public class HrController : CafeApiControllerBase
|
||||
if (data is null) return NotFoundError();
|
||||
return Ok(new ApiResponse<EmployeeSalaryDto>(true, data));
|
||||
}
|
||||
|
||||
/// <summary>Set or update username/password credentials for an employee. Owner/Manager only.</summary>
|
||||
[HttpPut("employees/{employeeId}/credentials")]
|
||||
public async Task<IActionResult> SetCredentials(
|
||||
string cafeId,
|
||||
string employeeId,
|
||||
[FromBody] SetEmployeeCredentialsRequest request,
|
||||
ITenantContext tenant,
|
||||
CancellationToken ct)
|
||||
{
|
||||
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
||||
if (EnsureManager(tenant) is { } forbidden) return forbidden;
|
||||
|
||||
var username = request.Username.Trim().ToLowerInvariant();
|
||||
|
||||
if (string.IsNullOrWhiteSpace(username))
|
||||
return BadRequest(new ApiResponse<object>(false, null, new ApiError("VALIDATION_ERROR", "Username is required.", "Username")));
|
||||
|
||||
if (request.Password.Length < 8)
|
||||
return BadRequest(new ApiResponse<object>(false, null, new ApiError("VALIDATION_ERROR", "Password must be at least 8 characters.", "Password")));
|
||||
|
||||
var employee = await _db.Employees
|
||||
.FirstOrDefaultAsync(e => e.Id == employeeId && e.CafeId == cafeId && e.DeletedAt == null, ct);
|
||||
|
||||
if (employee is null) return NotFoundError();
|
||||
|
||||
// Check username uniqueness within the cafe (excluding the employee itself)
|
||||
var conflict = await _db.Employees
|
||||
.AnyAsync(e => e.CafeId == cafeId && e.Id != employeeId && e.DeletedAt == null
|
||||
&& e.Username != null && e.Username.ToLower() == username, ct);
|
||||
if (conflict)
|
||||
return Conflict(new ApiResponse<object>(false, null, new ApiError("USERNAME_TAKEN", "This username is already in use by another employee.")));
|
||||
|
||||
employee.Username = username;
|
||||
employee.PasswordHash = PasswordHasher.Hash(request.Password);
|
||||
await _db.SaveChangesAsync(ct);
|
||||
|
||||
return Ok(new ApiResponse<object>(true, null));
|
||||
}
|
||||
|
||||
/// <summary>Remove username/password credentials from an employee. Owner/Manager only.</summary>
|
||||
[HttpDelete("employees/{employeeId}/credentials")]
|
||||
public async Task<IActionResult> RemoveCredentials(
|
||||
string cafeId,
|
||||
string employeeId,
|
||||
ITenantContext tenant,
|
||||
CancellationToken ct)
|
||||
{
|
||||
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
||||
if (EnsureManager(tenant) is { } forbidden) return forbidden;
|
||||
|
||||
var employee = await _db.Employees
|
||||
.FirstOrDefaultAsync(e => e.Id == employeeId && e.CafeId == cafeId && e.DeletedAt == null, ct);
|
||||
|
||||
if (employee is null) return NotFoundError();
|
||||
|
||||
employee.Username = null;
|
||||
employee.PasswordHash = null;
|
||||
await _db.SaveChangesAsync(ct);
|
||||
|
||||
return Ok(new ApiResponse<object>(true, null));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2,6 +2,9 @@ namespace Meezi.API.Models.Auth;
|
||||
|
||||
public record SendOtpRequest(string Phone);
|
||||
|
||||
/// <summary>Username + password login (alternative to OTP). Optional cafeId to scope to a specific café.</summary>
|
||||
public record LoginWithPasswordRequest(string Username, string Password, string? CafeId = null);
|
||||
|
||||
public record VerifyOtpRequest(string Phone, string Code, string? CafeId = null);
|
||||
|
||||
public record RefreshTokenRequest(string RefreshToken);
|
||||
|
||||
@@ -59,3 +59,6 @@ public record CreateSalaryRequest(
|
||||
decimal Deductions);
|
||||
|
||||
public record TodayShiftDto(ShiftType ShiftType, string Label);
|
||||
|
||||
/// <summary>Set or update username/password credentials for an employee.</summary>
|
||||
public record SetEmployeeCredentialsRequest(string Username, string Password);
|
||||
|
||||
@@ -403,6 +403,61 @@ public class AuthService : IAuthService
|
||||
return slug;
|
||||
}
|
||||
|
||||
public async Task<(bool Success, AuthTokenResponse? Data, string? ErrorCode, string? ErrorMessage, CafeChoicesResponse? Choices)> LoginWithPasswordAsync(
|
||||
LoginWithPasswordRequest request,
|
||||
CancellationToken cancellationToken = default)
|
||||
{
|
||||
var username = request.Username.Trim();
|
||||
|
||||
var candidates = await _db.Employees
|
||||
.Include(e => e.Cafe)
|
||||
.Where(e => e.Username == username
|
||||
&& e.PasswordHash != null
|
||||
&& e.DeletedAt == null
|
||||
&& e.Cafe.DeletedAt == null)
|
||||
.ToListAsync(cancellationToken);
|
||||
|
||||
if (candidates.Count == 0)
|
||||
return (false, null, "INVALID_CREDENTIALS", "Invalid username or password.", null);
|
||||
|
||||
// Constant-time verification (check all matches to avoid username enumeration)
|
||||
var matched = candidates.Where(e => PasswordHasher.Verify(request.Password, e.PasswordHash!)).ToList();
|
||||
|
||||
if (matched.Count == 0)
|
||||
return (false, null, "INVALID_CREDENTIALS", "Invalid username or password.", null);
|
||||
|
||||
// Scope to a specific café if requested
|
||||
if (!string.IsNullOrWhiteSpace(request.CafeId))
|
||||
{
|
||||
matched = matched.Where(e => e.CafeId == request.CafeId).ToList();
|
||||
if (matched.Count == 0)
|
||||
return (false, null, "INVALID_CREDENTIALS", "Invalid username or password.", null);
|
||||
}
|
||||
|
||||
// Multiple cafés — ask frontend to pick one
|
||||
if (matched.Count > 1)
|
||||
{
|
||||
var choices = new CafeChoicesResponse(
|
||||
matched
|
||||
.Where(e => e.Cafe is not null)
|
||||
.Select(e => new CafeMembershipDto(e.CafeId, e.Cafe!.Name, e.Role.ToString(), e.Cafe.PlanTier.ToString()))
|
||||
.ToList());
|
||||
return (false, null, "CHOOSE_CAFE", null, choices);
|
||||
}
|
||||
|
||||
var employee = matched[0];
|
||||
if (employee.Cafe is null)
|
||||
return (false, null, "INVALID_CREDENTIALS", "Invalid username or password.", null);
|
||||
|
||||
var membershipDtos = matched
|
||||
.Where(e => e.Cafe is not null)
|
||||
.Select(e => new CafeMembershipDto(e.CafeId, e.Cafe!.Name, e.Role.ToString(), e.Cafe.PlanTier.ToString()))
|
||||
.ToList();
|
||||
|
||||
var tokens = await IssueTokensAsync(employee, employee.Cafe, membershipDtos, null, cancellationToken);
|
||||
return (true, tokens, null, null, null);
|
||||
}
|
||||
|
||||
private async Task<AuthTokenResponse> IssueTokensAsync(
|
||||
Core.Entities.Employee employee,
|
||||
Core.Entities.Cafe cafe,
|
||||
|
||||
@@ -16,6 +16,10 @@ public interface IAuthService
|
||||
VerifyOtpRequest request,
|
||||
CancellationToken cancellationToken = default);
|
||||
|
||||
Task<(bool Success, AuthTokenResponse? Data, string? ErrorCode, string? ErrorMessage, CafeChoicesResponse? Choices)> LoginWithPasswordAsync(
|
||||
LoginWithPasswordRequest request,
|
||||
CancellationToken cancellationToken = default);
|
||||
|
||||
Task<(bool Success, AuthTokenResponse? Data, string? ErrorCode, string? ErrorMessage)> SwitchCafeAsync(
|
||||
string employeeId, string targetCafeId,
|
||||
CancellationToken cancellationToken = default);
|
||||
|
||||
Reference in New Issue
Block a user