PharmaVault handles authentication entirely server-side using ASP.NET Core’s cookie authentication middleware. There are no third-party identity providers or JWTs — instead, a user’s identity is established at login, serialised into a signed and encrypted cookie namedDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/JReyna217/PharmaVault/llms.txt
Use this file to discover all available pages before exploring further.
PharmaVaultSession, and validated on every subsequent request. Passwords are never stored in plaintext; only BCrypt hashes are written to the database, and verification always happens through the BCrypt library at login time.
User Model
TheUser entity represents a registered account and maps directly to the users table in PostgreSQL.
Auto-generated primary key. Also stored as the
ClaimTypes.NameIdentifier claim in the authentication cookie so the server can identify the user on subsequent requests.The user’s unique email address. Used as the login identifier and stored as the
ClaimTypes.Email claim.BCrypt hash of the user’s password. Never sent to the client or included in UI-facing objects.
The user’s display name. Stored as the
ClaimTypes.Name claim and shown in the dashboard header.Timestamp set by the database when the account was created.
Registration Flow
New accounts are created by callingIAuthService.RegisterAsync(User user, string plainPassword). The service hashes the plaintext password with BCrypt before the User object is handed to IUserDao.CreateAsync, so the raw password never touches the database layer.
int primary key (user_id) of the newly created account.
The registration form (Register.razor) validates three fields before calling HandleRegisterAsync:
| Field | Rules |
|---|---|
FullName | Required |
Email | Required, valid email format |
Password | Required, minimum 6 characters |
catch block in Register.razor.cs surfaces the message: “An error occurred during registration. The email might already be in use.”
After successful registration the user is redirected to / (the login page) to sign in with their new credentials.
Passwords are never stored in plaintext. Only the BCrypt hash computed by
BCrypt.Net.BCrypt.HashPassword(plainPassword) is persisted to the database.Login Flow
Authentication is handled byIAuthService.LoginAsync(string email, string plainPassword). The service looks up the account by email, then uses BCrypt’s Verify method to compare the submitted password against the stored hash.
User object, or null if the email was not found or the password did not match.
When LoginAsync returns a non-null user, Login.razor.cs builds a ClaimsPrincipal from three claims and signs it in via HttpContext.SignInAsync:
ErrorMessage is set to "Invalid email or password." and no cookie is issued.
Cookie-Based Sessions
Session state is managed by ASP.NET Core’s cookie authentication. The cookie is configured inProgram.cs as follows:
Cookie name
PharmaVaultSession — identifies the authentication cookie in the browser.Session duration
1 hour (
TimeSpan.FromHours(1)). The session expires after one hour of being issued, regardless of activity.Login redirect
Unauthenticated requests to protected routes are redirected to
/ — the login page.AddCascadingAuthenticationState() is also registered, which makes the AuthenticationState available as a cascading parameter throughout the Blazor component tree.
Logout
PharmaVault registers a minimal APIPOST /logout endpoint in Program.cs that signs out the current cookie session and redirects the browser back to the login page:
SignOutAsync removes the PharmaVaultSession cookie from the browser. The Results.Redirect("/") response then sends the user back to /, where the login form is rendered.
The logout endpoint uses
POST (not GET) to comply with standard security practices that prevent logout via link prefetching or cross-site GET requests.IUserDao Interface
The IUserDao interface abstracts the two database operations needed by the authentication layer:
Queries the
users table for a row matching the provided email address. Returns the fully populated User object (including PasswordHash) if found, or null if no account exists for that email. Called by AuthService.LoginAsync to retrieve the stored hash for BCrypt verification.Inserts a new user row (with the pre-hashed
PasswordHash) and returns the generated user_id. Called by AuthService.RegisterAsync after the password has been hashed.