Using ASP.NET Core Identity: when a user provides a password and username to get a JWT token, they post credentials to /api/token.
Should my token controller method be using UserManager to check the password using CheckPasswordAsync and, if this passes, return the token, or should I use the SignInManager and call PasswordSignInAsync and then return the token based on that result?
I have seen examples of both and wondered what the benefit of each is. Is one way better than the other?
Currently someone in my team has written the following:
    [AllowAnonymous]
    [HttpPost]
    public async Task<ActionResult<User>> Post([FromBody]User model)
    {
        try
        {
            var user = await _userManager.FindByNameAsync(model.Username);
            if (user == null)
                return StatusCode(StatusCodes.Status401Unauthorized, "Incorrect username or password");
            var passwordOK = await _userManager.CheckPasswordAsync(user, model.Password);
            if (!passwordOK)
                return StatusCode(StatusCodes.Status401Unauthorized, "Incorrect username or password");
            model.Id = user.Id;
            model.Name = user.DisplayName;
            model.Password = "";
            int expiresIn;
            long expiresOn;
            model.Token = _authorisationService.GetJWTToken(model.Username, user.Id, out expiresIn, out expiresOn);
            model.ExpiresIn = expiresIn;
            model.ExpiresOn = expiresOn;
            return model;
        }
        catch (Exception)
        {
            // log the exception
            return StatusCode(StatusCodes.Status500InternalServerError);
        }
    }
But I think there are things in that that are not necessary.
The two methods you've mentioned serve different purposes:
This method hashes the provided password and compares it against the existing password hash (stored in the database, for example).
This method does a lot more. Here's a rough breakdown:
SignInResult.Failed.
UserManager.CheckPasswordAsync to check that the password is correct (as detailed above).
SignInResult.TwoFactorRequired.
ClaimsPrincipal and persisting it via a cookie.
If you are not interested in requiring confirmed emails, lockout, etc., then using UserManager.CheckPasswordAsync as in your question will suffice.
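For a token endpoint that should still enforce the sign-in-allowed and lockout checks from the breakdown above without the cookie sign-in, `SignInManager.CheckPasswordSignInAsync` covers that middle ground. The sketch below is an added example, not code from the question or the answer; `TokenRequest`, `TokenResponse` and `ITokenService` are hypothetical stand-ins for the question's `User` model and `_authorisationService`, and `IdentityUser` is assumed as the user type.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Hypothetical types standing in for the question's User model and _authorisationService.
public record TokenRequest(string Username, string Password);
public record TokenResponse(string Token, int ExpiresIn, long ExpiresOn);
public interface ITokenService
{
    string GetJWTToken(string username, string userId, out int expiresIn, out long expiresOn);
}

[ApiController]
[Route("api/token")]
public class TokenController : ControllerBase
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly ITokenService _tokens;

    public TokenController(UserManager<IdentityUser> userManager,
        SignInManager<IdentityUser> signInManager, ITokenService tokens)
        => (_userManager, _signInManager, _tokens) = (userManager, signInManager, tokens);

    [AllowAnonymous]
    [HttpPost]
    public async Task<ActionResult<TokenResponse>> Post([FromBody] TokenRequest model)
    {
        var user = await _userManager.FindByNameAsync(model.Username);
        if (user == null)
            return Unauthorized("Incorrect username or password");

        // Checks that sign-in is allowed and the account is not locked out, verifies the
        // password, and counts a failure towards lockout. No cookie is issued and
        // two-factor is not evaluated here.
        var result = await _signInManager.CheckPasswordSignInAsync(
            user, model.Password, lockoutOnFailure: true);

        // Same response for wrong password, IsLockedOut and IsNotAllowed, so the
        // endpoint does not reveal account state to the caller.
        if (!result.Succeeded)
            return Unauthorized("Incorrect username or password");

        var token = _tokens.GetJWTToken(model.Username, user.Id, out var expiresIn, out var expiresOn);
        return new TokenResponse(token, expiresIn, expiresOn);
    }
}
```

Lockout only takes effect when it is enabled in the Identity options and for the user; the thresholds come from `IdentityOptions.Lockout`.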