littleshop/LittleShop/Areas/Admin/Controllers/AccountController.cs

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using System.Security.Claims;
using LittleShop.Services;
using LittleShop.DTOs;

namespace LittleShop.Areas.Admin.Controllers;

[Area("Admin")]
public class AccountController : Controller
{
    private readonly IAuthService _authService;

    public AccountController(IAuthService authService)
    {
        _authService = authService;
    }

    [HttpGet]
    public IActionResult Login()
    {
        if (User.Identity?.IsAuthenticated == true)
        {
            return RedirectToAction("Index", "Dashboard");
        }
        return View();
    }

    [HttpPost]
    // [ValidateAntiForgeryToken] // Temporarily disabled for HTTPS proxy issue
    public async Task<IActionResult> Login(string username, string password)
    {
        Console.WriteLine($"Received Username: '{username}', Password: '{password}'");
        
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
        {
            ModelState.AddModelError("", "Username and password are required");
            return View();
        }

        // Use AuthService to validate against database users
        var loginDto = new LoginDto { Username = username, Password = password };
        var authResponse = await _authService.LoginAsync(loginDto);
        
        if (authResponse != null)
        {
            // Get the actual user from database to get correct ID
            var user = await _authService.GetUserByUsernameAsync(username);
            if (user != null)
            {
                var claims = new List<Claim>
                {
                    new(ClaimTypes.Name, user.Username),
                    new(ClaimTypes.NameIdentifier, user.Id.ToString()), // Use real database ID
                    new(ClaimTypes.Role, "Admin") // All users in admin system are admins
                };

                var identity = new ClaimsIdentity(claims, "Cookies");
                var principal = new ClaimsPrincipal(identity);

                await HttpContext.SignInAsync("Cookies", principal);
                return RedirectToAction("Index", "Dashboard");
            }
        }
        
        ModelState.AddModelError("", "Invalid username or password");
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize]
    public async Task<IActionResult> Logout()
    {
        await HttpContext.SignOutAsync("Cookies");
        return RedirectToAction("Login");
    }

    public IActionResult AccessDenied()
    {
        return View();
    }
}