Porfolio & Blog CMS authenticates users with ASP.NET Core cookie authentication (CookieAuthenticationDefaults.AuthenticationScheme). Passwords are hashed and verified using the battle-tested IPasswordHasher<T> implementation from Microsoft.Extensions.Identity.Core — without pulling in the full ASP.NET Core Identity stack. After a successful login, the server issues a signed authentication cookie that the browser automatically attaches to every subsequent request.
Authentication flow
Submit credentials
The user submits their email address and password to POST /api/auth/login. The request body is deserialized into a LoginRequest(string Email, string Password, bool RememberMe) DTO by the MapLogin Minimal API endpoint.
Fetch user record
The Api layer delegates to AuthenticateUser.ExecuteAsync(email, password). The use case calls IUserRepository.GetByEmailAsync(email), which runs a SELECT against the SQLite Users table via EF Core. If no matching record is found, AuthResult.Fail("Credenciales incorrectas.") is returned immediately and the request ends with 400 Bad Request.
Verify password
IPasswordHasher.Verify(user.PasswordHash, password) is called. The concrete IdentityPasswordHasher adapter delegates to ASP.NET Core Identity’s IPasswordHasher<User>.VerifyHashedPassword. If the hash does not match, AuthResult.Fail("Credenciales incorrectas.") is returned.
Issue authentication cookie
On a successful verification, ISessionManager.SignInAsync(user) is called. CookieSessionManager builds a ClaimsPrincipal containing ClaimTypes.NameIdentifier (the user’s integer Id) and ClaimTypes.Email, then calls HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal). ASP.NET Core serialises, encrypts, and signs the claims into a cookie and appends it to the response.
Authenticated session
The browser stores the cookie and attaches it to every subsequent request. ASP.NET Core’s authentication middleware decrypts and validates the cookie on each request, populating HttpContext.User with the stored claims so that [Authorize] attributes and <AuthorizeView> components work without any additional round-trips.
Password hashing
IdentityPasswordHasher is a thin adapter that satisfies the Application-layer IPasswordHasher interface by wrapping the IPasswordHasher<User> service registered from Microsoft.AspNetCore.Identity. This design keeps the Application project free from any Identity package reference — only Infrastructure knows about it.
Infrastructure/Auth/IdentityPasswordHasher.cs
IPasswordHasher<User>.HashPassword uses PBKDF2 with a random salt and a high iteration count by default — the same algorithm used by ASP.NET Core Identity when managing user stores. Verify returns true only when VerifyHashedPassword yields PasswordVerificationResult.Success.
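The following is an added example, not the project's own code: a variant of the verification step that covers two edge cases in the flow above. The "Fetch user record" step returns before any hashing when the email is unknown, and Verify accepts only PasswordVerificationResult.Success, so this sketch does the same PBKDF2 work on both failure paths and treats SuccessRehashNeeded as a valid login that should be re-hashed. The User stand-in, VerifyOutcome and HardenedVerifier are hypothetical names; PasswordHasher<TUser>, HashPassword, VerifyHashedPassword and PasswordVerificationResult are the real Microsoft.AspNetCore.Identity API.

```csharp
// Added example, not the project's code. Requires Microsoft.Extensions.Identity.Core.
using System;
using Microsoft.AspNetCore.Identity;

// Hypothetical stand-in for the project's User entity.
public sealed class User
{
    public int Id { get; set; }
    public string Email { get; set; } = "";
    public string PasswordHash { get; set; } = "";
}

public enum VerifyOutcome { Failed, Success, SuccessRehashNeeded }

public sealed class HardenedVerifier
{
    private readonly IPasswordHasher<User> _hasher;
    private readonly string _dummyHash; // real PBKDF2 hash of a throwaway random value

    public HardenedVerifier(IPasswordHasher<User> hasher)
    {
        _hasher = hasher;
        _dummyHash = hasher.HashPassword(new User(), Guid.NewGuid().ToString("N"));
    }

    // user is null when GetByEmailAsync found no matching record.
    public VerifyOutcome Verify(User? user, string password)
    {
        if (user is null)
        {
            // Spend the same hashing work as the known-user path, then fail,
            // so both "Credenciales incorrectas." paths take comparable time.
            _hasher.VerifyHashedPassword(new User(), _dummyHash, password);
            return VerifyOutcome.Failed;
        }

        return _hasher.VerifyHashedPassword(user, user.PasswordHash, password) switch
        {
            PasswordVerificationResult.Success => VerifyOutcome.Success,
            // Correct password, but the stored hash was produced with an older
            // format or lower iteration count: accept and store a fresh hash.
            PasswordVerificationResult.SuccessRehashNeeded => VerifyOutcome.SuccessRehashNeeded,
            _ => VerifyOutcome.Failed
        };
    }

    // Caller persists the result after a SuccessRehashNeeded outcome.
    public string Rehash(User user, string password) => _hasher.HashPassword(user, password);
}
```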
The concrete hasher is registered in Program.cs before the adapter:
Program.cs
Session management
CookieSessionManager implements ISessionManager and is the only class in the project that directly calls ASP.NET Core’s SignInAsync / SignOutAsync methods. It obtains the current HttpContext through the injected IHttpContextAccessor.
Infrastructure/Auth/CookieSessionManager.cs
SignOutAsync with the same scheme:
Infrastructure/Auth/CookieSessionManager.cs
| Claim | Value | Usage |
|---|---|---|
| ClaimTypes.NameIdentifier | user.Id.ToString() | Uniquely identifies the authenticated user |
| ClaimTypes.Email | user.Email | Displayed in the admin UI header |
Protecting Blazor pages
Admin pages use the standard ASP.NET Core authorization primitives. The [Authorize] attribute applied to a Razor component ensures that unauthenticated requests are redirected to the login page before the component renders:
Components/Pages/Admin.razor
The <AuthorizeView> component selectively renders content based on authentication state:
Components/Shared/NavMenu.razor
For <AuthorizeView> to work in Blazor Server, authentication state must be supplied as a cascading parameter. This is enabled in Program.cs:
Program.cs
Cookie configuration
The cookie authentication scheme is configured in Program.cs with a single option:
Program.cs
Any request to a route protected by [Authorize] that arrives without a valid authentication cookie is automatically redirected to /login. After a successful sign-in the middleware redirects back to the originally requested URL via a ReturnUrl query parameter.
Program.cs already handles:
Program.cs