Add auth service

API/API.Core/Controllers/AuthController.cs

@@ -0,0 +1,47 @@
+using BusinessLayer.Services;
+using DataAccessLayer.Entities;
+using Microsoft.AspNetCore.Mvc;
+
+namespace WebAPI.Controllers
+{
+    [ApiController]
+    [Route("api/[controller]")]
+    public class AuthController(IAuthService auth) : ControllerBase
+    {
+        public record RegisterRequest(
+            string Username,
+            string FirstName,
+            string LastName,
+            string Email,
+            DateTime DateOfBirth,
+            string Password
+        );
+
+        public record LoginRequest(string UsernameOrEmail, string Password);
+
+        [HttpPost("register")]
+        public async Task<ActionResult<UserAccount>> Register([FromBody] RegisterRequest req)
+        {
+            var user = new UserAccount
+            {
+                UserAccountId = Guid.Empty,
+                Username = req.Username,
+                FirstName = req.FirstName,
+                LastName = req.LastName,
+                Email = req.Email,
+                DateOfBirth = req.DateOfBirth
+            };
+
+            var created = await auth.RegisterAsync(user, req.Password);
+            return CreatedAtAction(nameof(Register), new { id = created.UserAccountId }, created);
+        }
+
+        [HttpPost("login")]
+        public async Task<ActionResult> Login([FromBody] LoginRequest req)
+        {
+            var ok = await auth.LoginAsync(req.UsernameOrEmail, req.Password);
+            if (!ok) return Unauthorized();
+            return Ok(new { success = true });
+        }
+    }
+}

API/API.Core/Program.cs

@@ -1,6 +1,6 @@
 using BusinessLayer.Services;
-using DataAccessLayer.Repositories;
 using DataAccessLayer.Repositories.UserAccount;
+using DataAccessLayer.Repositories.UserCredential;
 using DataAccessLayer.Sql;
 
 var builder = WebApplication.CreateBuilder(args);
@@ -14,6 +14,8 @@ builder.Services.AddOpenApi();
 builder.Services.AddSingleton<ISqlConnectionFactory, DefaultSqlConnectionFactory>();
 builder.Services.AddScoped<IUserAccountRepository, UserAccountRepository>();
 builder.Services.AddScoped<IUserService, UserService>();
+builder.Services.AddScoped<IUserCredentialRepository, UserCredentialRepository>();
+builder.Services.AddScoped<IAuthService, AuthService>();
 var app = builder.Build();
 
 app.UseSwagger();

Service/Service.Core/Service.Core.csproj

@@ -6,6 +6,10 @@
     <RootNamespace>BusinessLayer</RootNamespace>
   </PropertyGroup>
 
+  <ItemGroup>
+    <PackageReference Include="Konscious.Security.Cryptography.Argon2" Version="1.3.1" />
+  </ItemGroup>
+
   <ItemGroup>
     <ProjectReference Include="..\..\Repository\Repository.Core\Repository.Core.csproj" />
   </ItemGroup>

Service/Service.Core/Services/AuthService.cs

@@ -0,0 +1,48 @@
+using DataAccessLayer.Entities;
+using DataAccessLayer.Repositories.UserAccount;
+using DataAccessLayer.Repositories.UserCredential;
+
+namespace BusinessLayer.Services
+{
+    public class AuthService(IUserAccountRepository userRepo, IUserCredentialRepository credRepo) : IAuthService
+    {
+        public async Task<UserAccount> RegisterAsync(UserAccount userAccount, string password)
+        {
+            if (userAccount.UserAccountId == Guid.Empty)
+            {
+                userAccount.UserAccountId = Guid.NewGuid();
+            }
+
+            await userRepo.AddAsync(userAccount);
+
+            var credential = new UserCredential
+            {
+                UserAccountId = userAccount.UserAccountId,
+                Hash = PasswordHasher.Hash(password)
+            };
+
+            await credRepo.RotateCredentialAsync(userAccount.UserAccountId, credential);
+
+            return userAccount;
+        }
+
+        public async Task<bool> LoginAsync(string usernameOrEmail, string password)
+        {
+            // Attempt lookup by username, then email
+            var user = await userRepo.GetByUsernameAsync(usernameOrEmail) 
+                       ?? await userRepo.GetByEmailAsync(usernameOrEmail);
+
+            if (user is null) return false;
+
+            var activeCred = await credRepo.GetActiveCredentialByUserAccountIdAsync(user.UserAccountId);
+            if (activeCred is null) return false;
+
+            return PasswordHasher.Verify(password, activeCred.Hash);
+        }
+
+        public async Task InvalidateAsync(Guid userAccountId)
+        {
+            await credRepo.InvalidateCredentialsByUserAccountIdAsync(userAccountId);
+        }
+    }
+}

Service/Service.Core/Services/IAuthService.cs

@@ -0,0 +1,11 @@
+using DataAccessLayer.Entities;
+
+namespace BusinessLayer.Services
+{
+    public interface IAuthService
+    {
+        Task<UserAccount> RegisterAsync(UserAccount userAccount, string password);
+        Task<bool> LoginAsync(string usernameOrEmail, string password);
+        Task InvalidateAsync(Guid userAccountId);
+    }
+}

Service/Service.Core/Services/IUserService.cs

@@ -6,5 +6,9 @@ namespace BusinessLayer.Services
     {
         Task<IEnumerable<UserAccount>> GetAllAsync(int? limit = null, int? offset = null);
         Task<UserAccount?> GetByIdAsync(Guid id);
+
+        Task AddAsync(UserAccount userAccount);
+
+        Task UpdateAsync(UserAccount userAccount);
     }
 }

Service/Service.Core/Services/PasswordHasher.cs

@@ -0,0 +1,56 @@
+using System.Security.Cryptography;
+using System.Text;
+using Konscious.Security.Cryptography;
+
+namespace BusinessLayer.Services
+{
+    public static class PasswordHasher
+    {
+        private const int SaltSize = 16; // 128-bit
+        private const int HashSize = 32; // 256-bit
+        private const int ArgonIterations = 4;
+        private const int ArgonMemoryKb = 65536; // 64MB
+
+        public static string Hash(string password)
+        {
+            var salt = RandomNumberGenerator.GetBytes(SaltSize);
+            var argon2 = new Argon2id(Encoding.UTF8.GetBytes(password))
+            {
+                Salt = salt,
+                DegreeOfParallelism = Math.Max(Environment.ProcessorCount, 1),
+                MemorySize = ArgonMemoryKb,
+                Iterations = ArgonIterations
+            };
+
+            var hash = argon2.GetBytes(HashSize);
+            return $"{Convert.ToBase64String(salt)}:{Convert.ToBase64String(hash)}";
+        }
+
+        public static bool Verify(string password, string stored)
+        {
+            try
+            {
+                var parts = stored.Split(':', StringSplitOptions.RemoveEmptyEntries);
+                if (parts.Length != 2) return false;
+
+                var salt = Convert.FromBase64String(parts[0]);
+                var expected = Convert.FromBase64String(parts[1]);
+
+                var argon2 = new Argon2id(Encoding.UTF8.GetBytes(password))
+                {
+                    Salt = salt,
+                    DegreeOfParallelism = Math.Max(Environment.ProcessorCount, 1),
+                    MemorySize = ArgonMemoryKb,
+                    Iterations = ArgonIterations
+                };
+
+                var actual = argon2.GetBytes(expected.Length);
+                return CryptographicOperations.FixedTimeEquals(actual, expected);
+            }
+            catch
+            {
+                return false;
+            }
+        }
+    }
+}

Service/Service.Core/Services/UserService.cs

@@ -15,5 +15,15 @@ namespace BusinessLayer.Services
         {
             return await repository.GetByIdAsync(id);
         }
+
+        public async Task AddAsync(UserAccount userAccount)
+        {
+            await repository.AddAsync(userAccount);
+        }
+
+        public async Task UpdateAsync(UserAccount userAccount)
+        {
+            await repository.UpdateAsync(userAccount);
+        }
     }
 }