This endpoint accepts a JSON body containing email and password, delegates credential verification to AuthenticateUser.ExecuteAsync, and—on success—sets an HttpOnly authentication cookie via CookieSessionManager.SignInAsync. If the credentials are invalid (user not found or wrong password), the use case returns AuthResult.Fail("Credenciales incorrectas.") and the endpoint responds with 400 Bad Request, including the error string in the response body.

Request

Method

POST

Path

/api/auth/login
Content-Type: application/json

Body parameters

email
string
required
The user’s email address. Must match an existing account in the database.
password
string
required
The user’s plain-text password. Verified against the stored BCrypt hash via IPasswordHasher.Verify.
rememberMe
boolean
default:"false"
Extend the session duration. The field is accepted and deserialized by the LoginRequest DTO but is not yet wired to cookie persistence — the session lifetime is currently controlled solely by the cookie authentication options in Program.cs.

Request example

Request body
{
  "email": "admin@andresblog.com",
  "password": "Admin123!",
  "rememberMe": false
}
cURL
curl -c cookies.txt -X POST https://localhost:7140/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"admin@andresblog.com","password":"Admin123!","rememberMe":false}'

Responses

200 OK

Authentication succeeded. The response includes a Set-Cookie header carrying the ASP.NET Core authentication cookie. Subsequent requests must send this cookie to access protected resources.

400 Bad Request

Authentication failed — either the email does not exist or the password does not match. The response body is the plain-text error string returned by AuthResult.Fail.

Response examples

200 OK
HTTP/1.1 200 OK
Set-Cookie: .AspNetCore.Cookies=<token>; path=/; httponly
400 Bad Request
HTTP/1.1 400 Bad Request
Content-Type: text/plain

Credenciales incorrectas.

Response fields

body (200)
empty
The 200 response has no body. Authentication state is communicated exclusively through the Set-Cookie header.
body (400)
string
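A plain-text error message. The only value currently returned by the use case is "Credenciales incorrectas." (Spanish for "Incorrect credentials."). It is used for both unknown email and wrong password, so the response body does not disclose which check failed, to avoid user enumeration.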

Source reference

The full handler is defined in Api/Auth/Login.cs:
Login.cs
public static async Task<IResult> HandleAsync(
    LoginRequest request,
    AuthenticateUser useCase
)
{
    var result = await useCase.ExecuteAsync(request.Email, request.Password);
    return result.Success ? Results.Ok() : Results.BadRequest(result.Error);
}
The AuthenticateUser use case resolves the user by email, verifies the password hash, and calls ISessionManager.SignInAsync (implemented by CookieSessionManager) to issue the cookie:
AuthenticateUser.cs
public async Task<AuthResult> ExecuteAsync(string email, string password)
{
    User? user = await _userRepository.GetByEmailAsync(email);

    if (user == null)
        return AuthResult.Fail("Credenciales incorrectas.");

    if (!_passwordHasher.Verify(user.PasswordHash, password))
        return AuthResult.Fail("Credenciales incorrectas.");

    await _sessionManager.SignInAsync(user); // creates the cookie

    return AuthResult.Ok();
}
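The early return for an unknown email in ExecuteAsync skips the BCrypt verification, so the two failure paths can differ in response time even though the message is identical. The program below is an added example, not the project's code: it compares that control flow with a variant that always performs one verification against a dummy hash. `SlowHasher`, `Auth`, `EarlyReturn`, `EqualWork` and the in-memory dictionary are hypothetical names, and PBKDF2 from the .NET base library stands in for the project's BCrypt hasher.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Security.Cryptography;

// Constructed in-memory account store (assumption: stands in for the user repository).
var users = new Dictionary<string, string> { ["admin@andresblog.com"] = SlowHasher.Hash("Admin123!") };
_ = Auth.DummyHash; // force the one-time dummy hash computation before timing anything
foreach (var email in new[] { "admin@andresblog.com", "nobody@example.com" })
{
    var sw = Stopwatch.StartNew();
    _ = Auth.EarlyReturn(users, email, "wrong-password");
    long early = sw.ElapsedMilliseconds; sw.Restart();
    _ = Auth.EqualWork(users, email, "wrong-password");
    Console.WriteLine($"{email}: early-return {early} ms, equal-work {sw.ElapsedMilliseconds} ms");
}

static class SlowHasher // PBKDF2 stand-in for the project's BCrypt-based IPasswordHasher
{
    const int Iterations = 600_000;
    static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(Derive(password, salt));
    }
    public static bool Verify(string hash, string password)
    {
        string[] parts = hash.Split(':');
        byte[] expected = Convert.FromBase64String(parts[1]);
        return CryptographicOperations.FixedTimeEquals(Derive(password, Convert.FromBase64String(parts[0])), expected);
    }
}

static class Auth
{
    // Hash of a random value nobody knows; verifying against it always fails.
    public static readonly string DummyHash = SlowHasher.Hash(Convert.ToBase64String(RandomNumberGenerator.GetBytes(32)));
    // Same control flow as the page's ExecuteAsync: an unknown email skips the slow hash.
    public static bool EarlyReturn(Dictionary<string, string> users, string email, string password) =>
        users.TryGetValue(email, out var hash) && SlowHasher.Verify(hash, password);
    // Equal work: exactly one verification per attempt, whether or not the account exists.
    public static bool EqualWork(Dictionary<string, string> users, string email, string password)
    {
        bool found = users.TryGetValue(email, out var hash);
        return SlowHasher.Verify(found ? hash! : DummyHash, password) && found;
    }
}
```

Applied to the use case, the same idea means calling `_passwordHasher.Verify` against a precomputed dummy hash when `GetByEmailAsync` returns null, then returning the same `AuthResult.Fail` as before.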
The AuthResult DTO carries the outcome:
AuthResult.cs
public record AuthResult(bool Success, string? Error = null)
{
    public static AuthResult Ok()           => new(true);
    public static AuthResult Fail(string error) => new(false, error);
}
The endpoint is registered in Program.cs with app.MapLogin(). The middleware pipeline order is important: app.UseAuthentication() must be called before app.UseAuthorization() for the cookie to be correctly set and validated on subsequent requests.
