server/AyaNova/Controllers/AuthController.cs

@@ -158,7 +158,7 @@ namespace AyaNova.Api.Controllers
 
             //Multiple users are allowed the same password and login
             //Salt will differentiate them so get all users that match login, then try to match pw             
-            var users = await ct.User.AsNoTracking().Where(m => m.Login == creds.Login).ToListAsync();
+            var users = await ct.User.Where(m => m.Login == creds.Login && m.Active == true).ToListAsync();
 
             foreach (User u in users)
             {
@@ -177,13 +177,15 @@ namespace AyaNova.Api.Controllers
                     }
 
 
-                    //If the user is inactive they may not login
-                    if (!u.Active)
-                    {
-                        //This is leaking information, instead just act like bad creds
-                        //return StatusCode(401, new ApiErrorResponse(ApiErrorCode.NOT_AUTHORIZED, null, "User deactivated"));
-                        return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
-                    }
+                    // //If the user is inactive they may not login
+                    // if (!u.Active)
+                    // {
+                    //     //This is leaking information, instead just act like bad creds
+                    //     //return StatusCode(401, new ApiErrorResponse(ApiErrorCode.NOT_AUTHORIZED, null, "User deactivated"));
+                    //     return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
+                    // }
+
+
 
                     //build the key (JWT set in startup.cs)
                     byte[] secretKey = System.Text.Encoding.ASCII.GetBytes(ServerBootConfig.AYANOVA_JWT_SECRET);
@@ -192,6 +194,18 @@ namespace AyaNova.Api.Controllers
                     var iat = new DateTimeOffset(DateTime.Now.ToUniversalTime(), TimeSpan.Zero);//timespan zero means zero time off utc / specifying this is a UTC datetime
                     var exp = new DateTimeOffset(DateTime.Now.AddDays(JWT_LIFETIME_DAYS).ToUniversalTime(), TimeSpan.Zero);
 
+
+                    //=============== download token ===================                  
+                    //Generate a download token and store it with the user account
+                    //string DownloadToken = Convert.ToBase64String(Guid.NewGuid().ToByteArray());
+                    string DownloadToken = Hasher.GenerateSalt();
+                    DownloadToken = DownloadToken.Replace("=", "");
+                    DownloadToken = DownloadToken.Replace("+", "");
+                    u.DlKey = DownloadToken;
+                    u.DlKeyExpire = exp.DateTime;
+                    await ct.SaveChangesAsync();
+                    //=======================================================
+
                     var payload = new Dictionary<string, object>()
                         {
                             { "iat", iat.ToUnixTimeSeconds().ToString() },
@@ -200,7 +214,8 @@ namespace AyaNova.Api.Controllers
                             { "id", u.Id.ToString() },
                             { "name", u.Name},
                             { "usertype", u.UserType},
-                            { "ayanova/roles", ((int)u.Roles).ToString() }
+                            { "ayanova/roles", ((int)u.Roles).ToString()},
+                            { "dlt", DownloadToken }
                         };