1 files changed, 41 insertions, 0 deletions

diff --git a/src/server/Api/Internal/Account/CreateSessionRoute.cs b/src/server/Api/Internal/Account/CreateSessionRoute.cs
new file mode 100644
index 0000000..09e05b6
--- /dev/null
+++ b/src/server/Api/Internal/Account/CreateSessionRoute.cs
@@ -0,0 +1,41 @@
+namespace IOL.BookmarkThing.Server.Api.Internal.Account;
+
+public class CreateSessionRoute : RouteBaseInternalAsync.WithRequest<CreateSessionRequest>.WithActionResult
+{
+	private readonly AppDbContext _context;
+
+	public CreateSessionRoute(AppDbContext context) {
+		_context = context;
+	}
+
+	[AllowAnonymous]
+	[ApiVersionNeutral]
+	[ApiExplorerSettings(IgnoreApi = true)]
+	[HttpPost("~/v{version:apiVersion}/account/create-session")]
+	public override async Task<ActionResult> HandleAsync(CreateSessionRequest payload, CancellationToken cancellationToken = default) {
+		var user = _context.Users.SingleOrDefault(u => u.Username == payload.Username);
+		if (user == default || !user.VerifyPassword(payload.Password)) {
+			return BadRequest(new ErrorResult("Invalid username or password"));
+		}
+
+		var claims = user.DefaultClaims();
+		var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
+		var principal = new ClaimsPrincipal(identity);
+		var authenticationProperties = new AuthenticationProperties {
+				AllowRefresh = true,
+				IssuedUtc = DateTimeOffset.UtcNow,
+		};
+
+		if (payload.Persist) {
+			authenticationProperties.ExpiresUtc = DateTimeOffset.UtcNow.AddYears(100);
+			authenticationProperties.IsPersistent = true;
+		}
+
+		await HttpContext.SignInAsync(principal, authenticationProperties);
+		// Return new LoggedInInternalUser here, because it is not materialised in AppControllerBase yet.
+		return Ok(new LoggedInInternalUser {
+				Id = user.Id,
+				Username = user.Username
+		});
+	}
+}