do sessions in memory and also fix glaring security hole

2025-06-01 23:28:00 +02:00 · 2025-06-01 23:28:00 +02:00 · f48b421500
commit f48b421500
parent 7b6c155a73
31 changed files with 441 additions and 440 deletions
--- a/Femto.Modules.Auth/Application/Interface/Register/RegisterCommandHandler.cs
+++ b/Femto.Modules.Auth/Application/Interface/Register/RegisterCommandHandler.cs
@ -7,16 +7,12 @@ using Microsoft.EntityFrameworkCore;
 namespace Femto.Modules.Auth.Application.Interface.Register;

 internal class RegisterCommandHandler(AuthContext context)
-    : ICommandHandler<RegisterCommand, RegisterResult>
+    : ICommandHandler<RegisterCommand, UserInfo>
 {
-    public async Task<RegisterResult> Handle(
-        RegisterCommand request,
-        CancellationToken cancellationToken
-    )
+    public async Task<UserInfo> Handle(RegisterCommand request, CancellationToken cancellationToken)
    {
-        
        var now = DateTimeOffset.UtcNow;
-     
+
        var code = await context
            .SignupCodes.Where(c => c.Code == request.SignupCode)
            .Where(c => c.ExpiresAt == null || c.ExpiresAt > now)
@ -26,18 +22,22 @@ internal class RegisterCommandHandler(AuthContext context)
        if (code is null)
            throw new DomainError("invalid signup code");

+        var usernameTaken = await context.Users.AnyAsync(
+            u => u.Username == request.Username,
+            cancellationToken
+        );
+
+        if (usernameTaken)
+            throw new DomainError("username taken");
+        
        var user = new UserIdentity(request.Username);

        await context.AddAsync(user, cancellationToken);
-        
+
        user.SetPassword(request.Password);

-        var session = Session.Strong(user.Id);
-        
-        await context.AddAsync(session, cancellationToken);
-        
        code.Redeem(user.Id);

-        return new(new SessionDto(session), new UserInfo(user));
+        return new UserInfo(user);
    }
 }