timelog/backendCS/routes/Register.cs

using System.Net;
using System.Security.Cryptography;
using MySql.Data.MySqlClient;
using Newtonsoft.Json.Linq;

namespace TimelogBackend;

public class Register : Route
{
    private static string HashPassword(string password)
    {
        byte[] salt = new byte[16];
        RandomNumberGenerator.Fill(salt);

        using var pbkdf2 = new Rfc2898DeriveBytes(password, salt, 10000, HashAlgorithmName.SHA256);
        byte[] hash = pbkdf2.GetBytes(32);

        byte[] hashBytes = new byte[48]; // 16 (salt) + 32 (hash)
        Array.Copy(salt, 0, hashBytes, 0, 16);
        Array.Copy(hash, 0, hashBytes, 16, 32);

        return Convert.ToBase64String(hashBytes);
    }

    public static void HandleRequest(HttpListenerRequest request, HttpListenerResponse response)
    {
        MySqlTransaction? transaction = null;
        try
        {
            // extract parameters from req body
            string body;
            using (StreamReader bodyReader = new(request.InputStream, request.ContentEncoding))
            {
                body = bodyReader.ReadToEnd();
            }
            JObject jsonObject = JObject.Parse(body);
            string f_name = jsonObject["f_name"]?.ToString() ?? "";
            string l_name = jsonObject["l_name"]?.ToString() ?? "";
            string password = jsonObject["password"]?.ToString() ?? "";
            string mail = jsonObject["mail"]?.ToString() ?? "";

            // validate parameters
            if (
                string.IsNullOrEmpty(f_name)
                || f_name.Length > 30
                || f_name.Length < 2
                || string.IsNullOrEmpty(l_name)
                || l_name.Length > 30
                || l_name.Length < 2
                || string.IsNullOrEmpty(mail)
                || mail.Length > 50
                || mail.Length < 6
                || string.IsNullOrEmpty(password)
                || password.Length > 30
                || password.Length < 10
            )
            {
                throw new Exception("Wrong parameters");
            }
            // TODO Validate dupes of email
            string query = "INSERT INTO User(f_name,l_name,mail) VALUES(@f_name,@l_name,@mail)";
            MySqlCommand cmd = new(query);
            cmd.Parameters.AddWithValue("@f_name", f_name);
            cmd.Parameters.AddWithValue("@l_name", l_name);
            cmd.Parameters.AddWithValue("@mail", mail);

            using MySqlConnection conn = new(connectionString);
            conn.Open();
            transaction = conn.BeginTransaction();
            cmd.Connection = conn;
            cmd.ExecuteNonQuery();

            // Get user ID
            cmd.CommandText = "SELECT id FROM User WHERE mail=@mail;";
            MySqlDataReader reader = cmd.ExecuteReader();
            reader.Read();
            var id = reader["id"];
            reader.Close();

            // Insert into password
            cmd.CommandText = "INSERT INTO Password(user,password) VALUES(@id,@password)";
            cmd.Parameters.AddWithValue("@password", HashPassword(password));
            cmd.Parameters.AddWithValue("@id", id);
            cmd.ExecuteNonQuery();
            transaction.Commit();

            SendSuccess(response);
        }
        catch (Exception ex)
        {
            transaction?.Rollback();
            SendError(response, ex);
        }
    }
}