Skip to content

AccountController Class

The AccountController class is responsible for handling account-related requests.

Key Components

  • Hasher: Utilized for password hashing.
  • LinkGenerator: Generates activation and reset links.
  • VolatileTokenManager: Manages temporary tokens for actions like email verification.
  • EmailSender: Handles sending of emails for registration, password resets, etc.
  • CredentialsValidator: Validates username, password, and email.
  • JwtSettings & TwoFactorTokenSerializer: Manage JWT token serialization and settings.
  • TwoFactorCodeManager: Generates and verifies two-factor authentication codes.
  • EnforceHttps: Indicates if HTTPS is enforced for cookie security.


  • POST /create: Registers a new account with basic details and optional two-factor authentication.
  • POST /login: Authenticates a user and initiates a login session.
  • POST /login-2fa: Completes the login process with two-factor authentication.
  • GET /refresh-token: Refreshes the authentication token for an active session.
  • GET /logout: Ends the user's session and clears the authentication token.
  • POST /change-email: Enables authenticated users to update their email address. If the email has not been verified, it automatically removes the old verification code and sends a new verification code to the new email.
  • POST /change-password: Enables authenticated users to update their password.
  • POST /forgot-password: Initiates a password reset process for users.
  • GET /roles: Retrieves the roles associated with the currently logged-in user.
  • GET /user: Provides details about the currently logged-in user.

Swagger Documentation

You can also check out, or even try out all the endpoints here:

Security and Validation

  • RateLimiting: Applied to endpoints to prevent abuse.
  • Data Validation: Ensures that only valid data is processed for account creation, login, and updates.
  • HTTPS Enforcement: Optionally enforces HTTPS for cookie security, based on configuration.


This controller is automatically wired up through ASP.NET Core's MVC framework and listens for HTTP requests matching its routes. It's accessible through standard HTTP client tools or libraries from front-end applications.

For custom functionality, you have the option to extend and customize this controller through subclassing.


Remember to configure environment variables and settings appropriately to ensure the system functions securely and as intended, especially for aspects like JWT settings and HTTPS enforcement.