authorcrupest <crupest@outlook.com>2022-03-23 21:30:14 +0800
committercrupest <crupest@outlook.com>2022-03-23 21:30:31 +0800
commitda9139b7bab95f6e5ba5f4bb2d99011c2d6db03a (patch)
tree051fd4ca4bc511db7e04b019a33fddaab2d0cc6b /BackEnd/Timeline/Controllers
parent3d6c9fd916e18c99b3a5497b8313672680571b5e (diff)
Diffstat (limited to 'BackEnd/Timeline/Controllers')
-rw-r--r--BackEnd/Timeline/Controllers/BookmarkTimelineController.cs8
-rw-r--r--BackEnd/Timeline/Controllers/HighlightTimelineController.cs4
-rw-r--r--BackEnd/Timeline/Controllers/MyControllerBase.cs33
-rw-r--r--BackEnd/Timeline/Controllers/Resource.Designer.cs393
-rw-r--r--BackEnd/Timeline/Controllers/Resource.resx14
-rw-r--r--BackEnd/Timeline/Controllers/TimelineController.cs10
-rw-r--r--BackEnd/Timeline/Controllers/TimelinePostController.cs12
-rw-r--r--BackEnd/Timeline/Controllers/TokenController.cs37
-rw-r--r--BackEnd/Timeline/Controllers/UserAvatarController.cs4
-rw-r--r--BackEnd/Timeline/Controllers/UserController.cs7
10 files changed, 251 insertions, 271 deletions
diff --git a/BackEnd/Timeline/Controllers/BookmarkTimelineController.cs b/BackEnd/Timeline/Controllers/BookmarkTimelineController.cs
index 551a41e2..a1fa511c 100644
--- a/BackEnd/Timeline/Controllers/BookmarkTimelineController.cs
+++ b/BackEnd/Timeline/Controllers/BookmarkTimelineController.cs
@@ -44,7 +44,7 @@ namespace Timeline.Controllers
[ProducesResponseType(401)]
public async Task<ActionResult<List<HttpTimeline>>> List()
{
- var ids = await _service.GetBookmarksAsync(GetUserId());
+ var ids = await _service.GetBookmarksAsync(GetAuthUserId());
var timelines = await _timelineService.GetTimelineList(ids);
return await Map(timelines);
}
@@ -61,7 +61,7 @@ namespace Timeline.Controllers
public async Task<ActionResult<CommonPutResponse>> Put([GeneralTimelineName] string timeline)
{
var timelineId = await _timelineService.GetTimelineIdByNameAsync(timeline);
- var create = await _service.AddBookmarkAsync(GetUserId(), timelineId);
+ var create = await _service.AddBookmarkAsync(GetAuthUserId(), timelineId);
return CommonPutResponse.Create(create);
}
@@ -77,7 +77,7 @@ namespace Timeline.Controllers
public async Task<ActionResult<CommonDeleteResponse>> Delete([GeneralTimelineName] string timeline)
{
var timelineId = await _timelineService.GetTimelineIdByNameAsync(timeline);
- var delete = await _service.RemoveBookmarkAsync(GetUserId(), timelineId);
+ var delete = await _service.RemoveBookmarkAsync(GetAuthUserId(), timelineId);
return CommonDeleteResponse.Create(delete);
}
@@ -93,7 +93,7 @@ namespace Timeline.Controllers
public async Task<ActionResult> Move([FromBody] HttpBookmarkTimelineMoveRequest request)
{
var timelineId = await _timelineService.GetTimelineIdByNameAsync(request.Timeline);
- await _service.MoveBookmarkAsync(GetUserId(), timelineId, request.NewPosition!.Value);
+ await _service.MoveBookmarkAsync(GetAuthUserId(), timelineId, request.NewPosition!.Value);
return OkWithCommonResponse();
}
}
diff --git a/BackEnd/Timeline/Controllers/HighlightTimelineController.cs b/BackEnd/Timeline/Controllers/HighlightTimelineController.cs
index 127392db..e30cf720 100644
--- a/BackEnd/Timeline/Controllers/HighlightTimelineController.cs
+++ b/BackEnd/Timeline/Controllers/HighlightTimelineController.cs
@@ -61,7 +61,7 @@ namespace Timeline.Controllers
public async Task<ActionResult<CommonPutResponse>> Put([GeneralTimelineName] string timeline)
{
var timelineId = await _timelineService.GetTimelineIdByNameAsync(timeline);
- var create = await _service.AddHighlightTimelineAsync(timelineId, GetUserId());
+ var create = await _service.AddHighlightTimelineAsync(timelineId, GetAuthUserId());
return CommonPutResponse.Create(create);
}
@@ -78,7 +78,7 @@ namespace Timeline.Controllers
public async Task<ActionResult<CommonDeleteResponse>> Delete([GeneralTimelineName] string timeline)
{
var timelineId = await _timelineService.GetTimelineIdByNameAsync(timeline);
- var delete = await _service.RemoveHighlightTimelineAsync(timelineId, GetUserId());
+ var delete = await _service.RemoveHighlightTimelineAsync(timelineId, GetAuthUserId());
return CommonDeleteResponse.Create(delete);
}
diff --git a/BackEnd/Timeline/Controllers/MyControllerBase.cs b/BackEnd/Timeline/Controllers/MyControllerBase.cs
index d4ee9d3e..b74193f4 100644
--- a/BackEnd/Timeline/Controllers/MyControllerBase.cs
+++ b/BackEnd/Timeline/Controllers/MyControllerBase.cs
@@ -1,8 +1,11 @@
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.DependencyInjection;
using System;
+using System.Threading.Tasks;
using Timeline.Auth;
using Timeline.Models.Http;
+using Timeline.Services;
using Timeline.Services.User;
namespace Timeline.Controllers
@@ -15,24 +18,30 @@ namespace Timeline.Controllers
return User.HasPermission(permission);
}
- protected string? GetOptionalUsername()
+ protected long? GetOptionalAuthUserId()
{
- return User.GetOptionalName();
- }
-
- protected string GetUsername()
- {
- return GetOptionalUsername() ?? throw new InvalidOperationException(Resource.ExceptionNoUsername);
+ return User.GetOptionalUserId();
}
- protected long? GetOptionalUserId()
+ protected long GetAuthUserId()
{
- return User.GetOptionalUserId();
+ return GetOptionalAuthUserId() ?? throw new InvalidOperationException(Resource.ExceptionNoUserId);
}
- protected long GetUserId()
- {
- return GetOptionalUserId() ?? throw new InvalidOperationException(Resource.ExceptionNoUserId);
+ protected async Task<bool> CheckIsSelf(string username)
+ {
+ var authUserId = GetOptionalAuthUserId();
+ if (!authUserId.HasValue) return false;
+ try
+ {
+ var userService = HttpContext.RequestServices.GetRequiredService<IUserService>();
+ var id = await userService.GetUserIdByUsernameAsync(username);
+ return authUserId == id;
+ }
+ catch (EntityNotExistException)
+ {
+ return false;
+ }
}
#endregion auth
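Review bot: CheckIsSelf has no doc comment and its two false paths mean different things: an anonymous caller (`if (!authUserId.HasValue) return false;`) and a username that does not exist (the `catch (EntityNotExistException)` branch); every caller in this commit turns false into a 403, so a non-admin asking about an unknown user gets 403 rather than 404. That is defensible — it keeps the user endpoints from acting as a username-existence oracle for non-admins — but it should be stated, e.g. `/// <summary>True only when the request is authenticated and <paramref name="username"/> resolves to the authenticated user's id; false for anonymous callers and for unknown usernames, which callers answer with 403 in both cases.</summary>`. Comparing ids instead of the old claim-name string is the right move, since it is immune to rename and to any case/normalization mismatch between the token's name claim and the route value. Resolving IUserService through `HttpContext.RequestServices.GetRequiredService` hides the dependency from the constructor; consider a protected constructor parameter, or a comment explaining why the locator is used here. The MyControllerBase class header lies outside this hunk.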
diff --git a/BackEnd/Timeline/Controllers/Resource.Designer.cs b/BackEnd/Timeline/Controllers/Resource.Designer.cs
index a647558a..eeb2f0fa 100644
--- a/BackEnd/Timeline/Controllers/Resource.Designer.cs
+++ b/BackEnd/Timeline/Controllers/Resource.Designer.cs
@@ -1,207 +1,186 @@
-//------------------------------------------------------------------------------
-// <auto-generated>
-// This code was generated by a tool.
-// Runtime Version:4.0.30319.42000
-//
-// Changes to this file may cause incorrect behavior and will be lost if
-// the code is regenerated.
-// </auto-generated>
-//------------------------------------------------------------------------------
-
-namespace Timeline.Controllers {
- using System;
-
-
- /// <summary>
- /// A strongly-typed resource class, for looking up localized strings, etc.
- /// </summary>
- // This class was auto-generated by the StronglyTypedResourceBuilder
- // class via a tool like ResGen or Visual Studio.
- // To add or remove a member, edit your .ResX file then rerun ResGen
- // with the /str option, or rebuild your VS project.
- [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "16.0.0.0")]
- [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
- [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
- internal class Resource {
-
- private static global::System.Resources.ResourceManager resourceMan;
-
- private static global::System.Globalization.CultureInfo resourceCulture;
-
- [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
- internal Resource() {
- }
-
- /// <summary>
- /// Returns the cached ResourceManager instance used by this class.
- /// </summary>
- [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
- internal static global::System.Resources.ResourceManager ResourceManager {
- get {
- if (object.ReferenceEquals(resourceMan, null)) {
- global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("Timeline.Controllers.Resource", typeof(Resource).Assembly);
- resourceMan = temp;
- }
- return resourceMan;
- }
- }
-
- /// <summary>
- /// Overrides the current thread's CurrentUICulture property for all
- /// resource lookups using this strongly typed resource class.
- /// </summary>
- [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
- internal static global::System.Globalization.CultureInfo Culture {
- get {
- return resourceCulture;
- }
- set {
- resourceCulture = value;
- }
- }
-
- /// <summary>
- /// Looks up a localized string similar to Can&apos;t get user id..
- /// </summary>
- internal static string ExceptionNoUserId {
- get {
- return ResourceManager.GetString("ExceptionNoUserId", resourceCulture);
- }
- }
-
- /// <summary>
- /// Looks up a localized string similar to Can&apos;t get username..
- /// </summary>
- internal static string ExceptionNoUsername {
- get {
- return ResourceManager.GetString("ExceptionNoUsername", resourceCulture);
- }
- }
-
- /// <summary>
- /// Looks up a localized string similar to You have no permission to access this..
- /// </summary>
- internal static string MessageForbid {
- get {
- return ResourceManager.GetString("MessageForbid", resourceCulture);
- }
- }
-
- /// <summary>
- /// Looks up a localized string similar to You can&apos;t do this unless you are administrator..
- /// </summary>
- internal static string MessageForbidNotAdministrator {
- get {
- return ResourceManager.GetString("MessageForbidNotAdministrator", resourceCulture);
- }
- }
-
- /// <summary>
- /// Looks up a localized string similar to You can&apos;t do this unless you are administrator or resource owner..
- /// </summary>
- internal static string MessageForbidNotAdministratorOrOwner {
- get {
- return ResourceManager.GetString("MessageForbidNotAdministratorOrOwner", resourceCulture);
- }
- }
-
- /// <summary>
- /// Looks up a localized string similar to You can&apos;t do this because it is the root user..
- /// </summary>
- internal static string MessageInvalidOperationOnRootUser {
- get {
- return ResourceManager.GetString("MessageInvalidOperationOnRootUser", resourceCulture);
- }
- }
-
- /// <summary>
- /// Looks up a localized string similar to The old password is wrong..
- /// </summary>
- internal static string MessageOldPasswordWrong {
- get {
- return ResourceManager.GetString("MessageOldPasswordWrong", resourceCulture);
- }
- }
-
- /// <summary>
- /// Looks up a localized string similar to Operation succeeded..
- /// </summary>
- internal static string MessageOperationSucceeded {
- get {
- return ResourceManager.GetString("MessageOperationSucceeded", resourceCulture);
- }
- }
-
- /// <summary>
- /// Looks up a localized string similar to The user specified by query param &quot;relate&quot; does not exist..
- /// </summary>
- internal static string MessageTimelineListQueryRelateNotExist {
- get {
- return ResourceManager.GetString("MessageTimelineListQueryRelateNotExist", resourceCulture);
- }
- }
-
- /// <summary>
- /// Looks up a localized string similar to &apos;{0}&apos; is an unkown visibility in the query parameter &apos;visibility&apos;. .
- /// </summary>
- internal static string MessageTimelineListQueryVisibilityUnknown {
- get {
- return ResourceManager.GetString("MessageTimelineListQueryVisibilityUnknown", resourceCulture);
- }
- }
-
- /// <summary>
- /// Looks up a localized string similar to Username or password is invalid..
- /// </summary>
- internal static string MessageTokenCreateBadCredential {
- get {
- return ResourceManager.GetString("MessageTokenCreateBadCredential", resourceCulture);
- }
- }
-
- /// <summary>
- /// Looks up a localized string similar to The token is of bad format. It might not be created by the server..
- /// </summary>
- internal static string MessageTokenVerifyBadFormat {
- get {
- return ResourceManager.GetString("MessageTokenVerifyBadFormat", resourceCulture);
- }
- }
-
- /// <summary>
- /// Looks up a localized string similar to Token has an old version. User might have update some info..
- /// </summary>
- internal static string MessageTokenVerifyOldVersion {
- get {
- return ResourceManager.GetString("MessageTokenVerifyOldVersion", resourceCulture);
- }
- }
-
- /// <summary>
- /// Looks up a localized string similar to The token is expired..
- /// </summary>
- internal static string MessageTokenVerifyTimeExpired {
- get {
- return ResourceManager.GetString("MessageTokenVerifyTimeExpired", resourceCulture);
- }
- }
-
- /// <summary>
- /// Looks up a localized string similar to User does not exist. Administrator might have deleted this user..
- /// </summary>
- internal static string MessageTokenVerifyUserNotExist {
- get {
- return ResourceManager.GetString("MessageTokenVerifyUserNotExist", resourceCulture);
- }
- }
-
- /// <summary>
- /// Looks up a localized string similar to A user with given username already exists..
- /// </summary>
- internal static string MessageUsernameConflict {
- get {
- return ResourceManager.GetString("MessageUsernameConflict", resourceCulture);
- }
- }
- }
-}
+//------------------------------------------------------------------------------
+// <auto-generated>
+// This code was generated by a tool.
+//
+// Changes to this file may cause incorrect behavior and will be lost if
+// the code is regenerated.
+// </auto-generated>
+//------------------------------------------------------------------------------
+
+namespace Timeline.Controllers {
+ using System;
+
+
+ /// <summary>
+ /// A strongly-typed resource class, for looking up localized strings, etc.
+ /// This class was generated by MSBuild using the GenerateResource task.
+ /// To add or remove a member, edit your .resx file then rerun MSBuild.
+ /// </summary>
+ [global::System.CodeDom.Compiler.GeneratedCodeAttribute("Microsoft.Build.Tasks.StronglyTypedResourceBuilder", "15.1.0.0")]
+ [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
+ [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
+ internal class Resource {
+
+ private static global::System.Resources.ResourceManager resourceMan;
+
+ private static global::System.Globalization.CultureInfo resourceCulture;
+
+ [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
+ internal Resource() {
+ }
+
+ /// <summary>
+ /// Returns the cached ResourceManager instance used by this class.
+ /// </summary>
+ [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
+ internal static global::System.Resources.ResourceManager ResourceManager {
+ get {
+ if (object.ReferenceEquals(resourceMan, null)) {
+ global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("Timeline.Controllers.Resource", typeof(Resource).Assembly);
+ resourceMan = temp;
+ }
+ return resourceMan;
+ }
+ }
+
+ /// <summary>
+ /// Overrides the current thread's CurrentUICulture property for all
+ /// resource lookups using this strongly typed resource class.
+ /// </summary>
+ [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
+ internal static global::System.Globalization.CultureInfo Culture {
+ get {
+ return resourceCulture;
+ }
+ set {
+ resourceCulture = value;
+ }
+ }
+
+ /// <summary>
+ /// Looks up a localized string similar to Can&apos;t get user id..
+ /// </summary>
+ internal static string ExceptionNoUserId {
+ get {
+ return ResourceManager.GetString("ExceptionNoUserId", resourceCulture);
+ }
+ }
+
+ /// <summary>
+ /// Looks up a localized string similar to Can&apos;t get username..
+ /// </summary>
+ internal static string ExceptionNoUsername {
+ get {
+ return ResourceManager.GetString("ExceptionNoUsername", resourceCulture);
+ }
+ }
+
+ /// <summary>
+ /// Looks up a localized string similar to You have no permission to access this..
+ /// </summary>
+ internal static string MessageForbid {
+ get {
+ return ResourceManager.GetString("MessageForbid", resourceCulture);
+ }
+ }
+
+ /// <summary>
+ /// Looks up a localized string similar to You can&apos;t do this unless you are administrator..
+ /// </summary>
+ internal static string MessageForbidNotAdministrator {
+ get {
+ return ResourceManager.GetString("MessageForbidNotAdministrator", resourceCulture);
+ }
+ }
+
+ /// <summary>
+ /// Looks up a localized string similar to You can&apos;t do this unless you are administrator or resource owner..
+ /// </summary>
+ internal static string MessageForbidNotAdministratorOrOwner {
+ get {
+ return ResourceManager.GetString("MessageForbidNotAdministratorOrOwner", resourceCulture);
+ }
+ }
+
+ /// <summary>
+ /// Looks up a localized string similar to You can&apos;t do this because it is the root user..
+ /// </summary>
+ internal static string MessageInvalidOperationOnRootUser {
+ get {
+ return ResourceManager.GetString("MessageInvalidOperationOnRootUser", resourceCulture);
+ }
+ }
+
+ /// <summary>
+ /// Looks up a localized string similar to The old password is wrong..
+ /// </summary>
+ internal static string MessageOldPasswordWrong {
+ get {
+ return ResourceManager.GetString("MessageOldPasswordWrong", resourceCulture);
+ }
+ }
+
+ /// <summary>
+ /// Looks up a localized string similar to Operation succeeded..
+ /// </summary>
+ internal static string MessageOperationSucceeded {
+ get {
+ return ResourceManager.GetString("MessageOperationSucceeded", resourceCulture);
+ }
+ }
+
+ /// <summary>
+ /// Looks up a localized string similar to The user specified by query param &quot;relate&quot; does not exist..
+ /// </summary>
+ internal static string MessageTimelineListQueryRelateNotExist {
+ get {
+ return ResourceManager.GetString("MessageTimelineListQueryRelateNotExist", resourceCulture);
+ }
+ }
+
+ /// <summary>
+ /// Looks up a localized string similar to &apos;{0}&apos; is an unkown visibility in the query parameter &apos;visibility&apos;. .
+ /// </summary>
+ internal static string MessageTimelineListQueryVisibilityUnknown {
+ get {
+ return ResourceManager.GetString("MessageTimelineListQueryVisibilityUnknown", resourceCulture);
+ }
+ }
+
+ /// <summary>
+ /// Looks up a localized string similar to Username or password is invalid..
+ /// </summary>
+ internal static string MessageTokenCreateBadCredential {
+ get {
+ return ResourceManager.GetString("MessageTokenCreateBadCredential", resourceCulture);
+ }
+ }
+
+ /// <summary>
+ /// Looks up a localized string similar to The token is expired. Please create a new one..
+ /// </summary>
+ internal static string MessageTokenVerifyExpired {
+ get {
+ return ResourceManager.GetString("MessageTokenVerifyExpired", resourceCulture);
+ }
+ }
+
+ /// <summary>
+ /// Looks up a localized string similar to The token is invalid..
+ /// </summary>
+ internal static string MessageTokenVerifyInvalid {
+ get {
+ return ResourceManager.GetString("MessageTokenVerifyInvalid", resourceCulture);
+ }
+ }
+
+ /// <summary>
+ /// Looks up a localized string similar to A user with given username already exists..
+ /// </summary>
+ internal static string MessageUsernameConflict {
+ get {
+ return ResourceManager.GetString("MessageUsernameConflict", resourceCulture);
+ }
+ }
+ }
+}
diff --git a/BackEnd/Timeline/Controllers/Resource.resx b/BackEnd/Timeline/Controllers/Resource.resx
index 47b7a329..b70e5230 100644
--- a/BackEnd/Timeline/Controllers/Resource.resx
+++ b/BackEnd/Timeline/Controllers/Resource.resx
@@ -150,17 +150,11 @@
<data name="MessageTokenCreateBadCredential" xml:space="preserve">
<value>Username or password is invalid.</value>
</data>
- <data name="MessageTokenVerifyBadFormat" xml:space="preserve">
- <value>The token is of bad format. It might not be created by the server.</value>
+ <data name="MessageTokenVerifyInvalid" xml:space="preserve">
+ <value>The token is invalid.</value>
</data>
- <data name="MessageTokenVerifyOldVersion" xml:space="preserve">
- <value>Token has an old version. User might have update some info.</value>
- </data>
- <data name="MessageTokenVerifyTimeExpired" xml:space="preserve">
- <value>The token is expired.</value>
- </data>
- <data name="MessageTokenVerifyUserNotExist" xml:space="preserve">
- <value>User does not exist. Administrator might have deleted this user.</value>
+ <data name="MessageTokenVerifyExpired" xml:space="preserve">
+ <value>The token is expired. Please create a new one.</value>
</data>
<data name="MessageUsernameConflict" xml:space="preserve">
<value>A user with given username already exists.</value>
diff --git a/BackEnd/Timeline/Controllers/TimelineController.cs b/BackEnd/Timeline/Controllers/TimelineController.cs
index f98ff3e0..42b8f210 100644
--- a/BackEnd/Timeline/Controllers/TimelineController.cs
+++ b/BackEnd/Timeline/Controllers/TimelineController.cs
@@ -142,7 +142,7 @@ namespace Timeline.Controllers
{
var timelineId = await _service.GetTimelineIdByNameAsync(timeline);
- if (!UserHasAllTimelineManagementPermission && !await _service.HasManagePermissionAsync(timelineId, GetUserId()))
+ if (!UserHasAllTimelineManagementPermission && !await _service.HasManagePermissionAsync(timelineId, GetAuthUserId()))
{
return ForbidWithCommonResponse();
}
@@ -168,7 +168,7 @@ namespace Timeline.Controllers
{
var timelineId = await _service.GetTimelineIdByNameAsync(timeline);
- if (!UserHasAllTimelineManagementPermission && !(await _service.HasManagePermissionAsync(timelineId, GetUserId())))
+ if (!UserHasAllTimelineManagementPermission && !(await _service.HasManagePermissionAsync(timelineId, GetAuthUserId())))
{
return ForbidWithCommonResponse();
}
@@ -194,7 +194,7 @@ namespace Timeline.Controllers
{
var timelineId = await _service.GetTimelineIdByNameAsync(timeline);
- if (!UserHasAllTimelineManagementPermission && !(await _service.HasManagePermissionAsync(timelineId, GetUserId())))
+ if (!UserHasAllTimelineManagementPermission && !(await _service.HasManagePermissionAsync(timelineId, GetAuthUserId())))
{
return ForbidWithCommonResponse();
}
@@ -216,7 +216,7 @@ namespace Timeline.Controllers
[ProducesResponseType(StatusCodes.Status401Unauthorized)]
public async Task<ActionResult<HttpTimeline>> TimelineCreate([FromBody] HttpTimelineCreateRequest body)
{
- var userId = GetUserId();
+ var userId = GetAuthUserId();
var timeline = await _service.CreateTimelineAsync(body.Name, userId);
var result = await Map(timeline);
@@ -240,7 +240,7 @@ namespace Timeline.Controllers
{
var timelineId = await _service.GetTimelineIdByNameAsync(timeline);
- if (!UserHasAllTimelineManagementPermission && !(await _service.HasManagePermissionAsync(timelineId, GetUserId())))
+ if (!UserHasAllTimelineManagementPermission && !(await _service.HasManagePermissionAsync(timelineId, GetAuthUserId())))
{
return ForbidWithCommonResponse();
}
diff --git a/BackEnd/Timeline/Controllers/TimelinePostController.cs b/BackEnd/Timeline/Controllers/TimelinePostController.cs
index f00a689c..c49c95fc 100644
--- a/BackEnd/Timeline/Controllers/TimelinePostController.cs
+++ b/BackEnd/Timeline/Controllers/TimelinePostController.cs
@@ -77,7 +77,7 @@ namespace Timeline.Controllers
{
var timelineId = await _timelineService.GetTimelineIdByNameAsync(timeline);
- if (!UserHasAllTimelineManagementPermission && !await _timelineService.HasReadPermissionAsync(timelineId, GetOptionalUserId()))
+ if (!UserHasAllTimelineManagementPermission && !await _timelineService.HasReadPermissionAsync(timelineId, GetOptionalAuthUserId()))
{
return ForbidWithCommonResponse();
}
@@ -102,7 +102,7 @@ namespace Timeline.Controllers
{
var timelineId = await _timelineService.GetTimelineIdByNameAsync(timeline);
- if (!UserHasAllTimelineManagementPermission && !await _timelineService.HasReadPermissionAsync(timelineId, GetOptionalUserId()))
+ if (!UserHasAllTimelineManagementPermission && !await _timelineService.HasReadPermissionAsync(timelineId, GetOptionalAuthUserId()))
{
return ForbidWithCommonResponse();
}
@@ -148,7 +148,7 @@ namespace Timeline.Controllers
{
var timelineId = await _timelineService.GetTimelineIdByNameAsync(timeline);
- if (!UserHasAllTimelineManagementPermission && !await _timelineService.HasReadPermissionAsync(timelineId, GetOptionalUserId()))
+ if (!UserHasAllTimelineManagementPermission && !await _timelineService.HasReadPermissionAsync(timelineId, GetOptionalAuthUserId()))
{
return ForbidWithCommonResponse();
}
@@ -182,7 +182,7 @@ namespace Timeline.Controllers
public async Task<ActionResult<HttpTimelinePost>> Post([FromRoute][GeneralTimelineName] string timeline, [FromBody] HttpTimelinePostCreateRequest body)
{
var timelineId = await _timelineService.GetTimelineIdByNameAsync(timeline);
- var userId = GetUserId();
+ var userId = GetAuthUserId();
if (!UserHasAllTimelineManagementPermission && !await _timelineService.IsMemberOfAsync(timelineId, userId))
{
@@ -247,7 +247,7 @@ namespace Timeline.Controllers
{
var timelineId = await _timelineService.GetTimelineIdByNameAsync(timeline);
- if (!UserHasAllTimelineManagementPermission && !await _postService.HasPostModifyPermissionAsync(timelineId, post, GetUserId(), true))
+ if (!UserHasAllTimelineManagementPermission && !await _postService.HasPostModifyPermissionAsync(timelineId, post, GetAuthUserId(), true))
{
return ForbidWithCommonResponse();
}
@@ -274,7 +274,7 @@ namespace Timeline.Controllers
{
var timelineId = await _timelineService.GetTimelineIdByNameAsync(timeline);
- if (!UserHasAllTimelineManagementPermission && !await _postService.HasPostModifyPermissionAsync(timelineId, post, GetUserId(), true))
+ if (!UserHasAllTimelineManagementPermission && !await _postService.HasPostModifyPermissionAsync(timelineId, post, GetAuthUserId(), true))
{
return ForbidWithCommonResponse();
}
diff --git a/BackEnd/Timeline/Controllers/TokenController.cs b/BackEnd/Timeline/Controllers/TokenController.cs
index ae3e1b94..9ee5a09f 100644
--- a/BackEnd/Timeline/Controllers/TokenController.cs
+++ b/BackEnd/Timeline/Controllers/TokenController.cs
@@ -19,13 +19,15 @@ namespace Timeline.Controllers
[ProducesErrorResponseType(typeof(CommonResponse))]
public class TokenController : MyControllerBase
{
- private readonly IUserTokenManager _userTokenManager;
+ private readonly IUserService _userService;
+ private readonly IUserTokenService _userTokenService;
private readonly IGenericMapper _mapper;
private readonly IClock _clock;
- public TokenController(IUserTokenManager userTokenManager, IGenericMapper mapper, IClock clock)
+ public TokenController(IUserService userService, IUserTokenService userTokenService, IGenericMapper mapper, IClock clock)
{
- _userTokenManager = userTokenManager;
+ _userService = userService;
+ _userTokenService = userTokenService;
_mapper = mapper;
_clock = clock;
}
@@ -47,12 +49,14 @@ namespace Timeline.Controllers
if (request.Expire is not null)
expireTime = _clock.GetCurrentTime().AddDays(request.Expire.Value);
- var result = await _userTokenManager.CreateTokenAsync(request.Username, request.Password, expireTime);
+ var userId = await _userService.VerifyCredential(request.Username, request.Password);
+ var token = await _userTokenService.CreateTokenAsync(userId, expireTime);
+ var user = await _userService.GetUserAsync(userId);
return new HttpCreateTokenResponse
{
- Token = result.Token,
- User = await _mapper.MapAsync<HttpUser>(result.User, Url, User)
+ Token = token,
+ User = await _mapper.MapAsync<HttpUser>(user, Url, User)
};
}
catch (EntityNotExistException)
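Review bot: A wrong password is handled only if VerifyCredential reports it as EntityNotExistException; the sole catch visible at the end of the hunk is `catch (EntityNotExistException)`, while this codebase has a distinct BadPasswordException (UserController's ChangePassword catches it), so if VerifyCredential throws that for a known username with the wrong password, the login request would surface as an unhandled 500 instead of the bad-credential 400. Suggest handling both under one filter so the two failure modes stay indistinguishable to the client, e.g. `catch (Exception e) when (e is EntityNotExistException or BadPasswordException)`, returning the same bad-credential response. The Create action begins before this hunk and its catch chain continues after it, so a second catch may already exist; also, `request.Expire` is turned into an expiry with no visible upper bound, which is worth confirming elsewhere. Minor: `VerifyCredential` is awaited but lacks the Async suffix the neighbouring service calls carry.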
@@ -77,27 +81,20 @@ namespace Timeline.Controllers
{
try
{
- var result = await _userTokenManager.VerifyTokenAsync(request.Token);
+ var tokenInfo = await _userTokenService.ValidateTokenAsync(request.Token);
+ var user = await _userService.GetUserAsync(tokenInfo.UserId);
return new HttpVerifyTokenResponse
{
- User = await _mapper.MapAsync<HttpUser>(result, Url, User)
+ User = await _mapper.MapAsync<HttpUser>(user, Url, User)
};
}
- catch (UserTokenTimeExpiredException)
+ catch (UserTokenExpiredException)
{
- return BadRequestWithCommonResponse(ErrorCodes.TokenController.VerifyTimeExpired, Resource.MessageTokenVerifyTimeExpired);
+ return BadRequestWithCommonResponse(ErrorCodes.TokenController.VerifyExpired, Resource.MessageTokenVerifyExpired);
}
- catch (UserTokenVersionExpiredException)
+ catch (UserTokenException)
{
- return BadRequestWithCommonResponse(ErrorCodes.TokenController.VerifyOldVersion, Resource.MessageTokenVerifyOldVersion);
- }
- catch (UserTokenBadFormatException)
- {
- return BadRequestWithCommonResponse(ErrorCodes.TokenController.VerifyBadFormat, Resource.MessageTokenVerifyBadFormat);
- }
- catch (UserTokenUserNotExistException)
- {
- return BadRequestWithCommonResponse(ErrorCodes.TokenController.VerifyUserNotExist, Resource.MessageTokenVerifyUserNotExist);
+ return BadRequestWithCommonResponse(ErrorCodes.TokenController.VerifyInvalid, Resource.MessageTokenVerifyInvalid);
}
}
}
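Review bot: A token whose user has since been deleted is no longer answered with a 400: the `UserTokenUserNotExistException` catch is removed, and the user lookup now happens in the controller via `_userService.GetUserAsync(tokenInfo.UserId)`, which — judging by the Create action's handler — signals a missing user with EntityNotExistException, a type outside the UserTokenException hierarchy caught here, so it would propagate as an unhandled error. Add `catch (EntityNotExistException) { return BadRequestWithCommonResponse(ErrorCodes.TokenController.VerifyInvalid, Resource.MessageTokenVerifyInvalid); }` after the UserTokenException catch so the client sees the same generic response as for any other unusable token. Collapsing bad-format, old-version and user-not-exist into one "invalid" answer is a good change in itself, since the verify endpoint no longer discloses why a presented token failed. If ValidateTokenAsync already checks user existence and raises a UserTokenException subtype, this is moot, but that is not visible here.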
diff --git a/BackEnd/Timeline/Controllers/UserAvatarController.cs b/BackEnd/Timeline/Controllers/UserAvatarController.cs
index 5b8c5cdf..072ab621 100644
--- a/BackEnd/Timeline/Controllers/UserAvatarController.cs
+++ b/BackEnd/Timeline/Controllers/UserAvatarController.cs
@@ -61,7 +61,7 @@ namespace Timeline.Controllers
[ProducesResponseType(StatusCodes.Status403Forbidden)]
public async Task<IActionResult> Put([FromRoute][Username] string username, [FromBody] ByteData body)
{
- if (!UserHasPermission(UserPermission.UserManagement) && GetUsername() != username)
+ if (!UserHasPermission(UserPermission.UserManagement) && !await CheckIsSelf(username))
{
return ForbidWithCommonResponse(Resource.MessageForbidNotAdministratorOrOwner);
}
@@ -91,7 +91,7 @@ namespace Timeline.Controllers
[ProducesResponseType(StatusCodes.Status403Forbidden)]
public async Task<IActionResult> Delete([FromRoute][Username] string username)
{
- if (!UserHasPermission(UserPermission.UserManagement) && User.Identity!.Name != username)
+ if (!UserHasPermission(UserPermission.UserManagement) && !await CheckIsSelf(username))
{
return ForbidWithCommonResponse(Resource.MessageForbidNotAdministratorOrOwner);
}
diff --git a/BackEnd/Timeline/Controllers/UserController.cs b/BackEnd/Timeline/Controllers/UserController.cs
index 740bd0ed..95a99a03 100644
--- a/BackEnd/Timeline/Controllers/UserController.cs
+++ b/BackEnd/Timeline/Controllers/UserController.cs
@@ -7,6 +7,7 @@ using Timeline.Auth;
using Timeline.Filters;
using Timeline.Models.Http;
using Timeline.Models.Validation;
+using Timeline.Services;
using Timeline.Services.Mapper;
using Timeline.Services.User;
@@ -103,7 +104,7 @@ namespace Timeline.Controllers
}
else
{
- if (GetUsername() != username)
+ if (!await CheckIsSelf(username))
return ForbidWithCommonResponse(Resource.MessageForbidNotAdministratorOrOwner);
if (body.Username is not null)
@@ -112,7 +113,7 @@ namespace Timeline.Controllers
if (body.Password is not null)
return ForbidWithCommonResponse(Resource.MessageForbidNotAdministrator);
- var user = await _userService.ModifyUserAsync(GetUserId(), _mapper.AutoMapperMap<ModifyUserParams>(body));
+ var user = await _userService.ModifyUserAsync(GetAuthUserId(), _mapper.AutoMapperMap<ModifyUserParams>(body));
return await _mapper.MapAsync<HttpUser>(user, Url, User);
}
}
@@ -152,7 +153,7 @@ namespace Timeline.Controllers
{
try
{
- await _userService.ChangePassword(GetUserId(), request.OldPassword, request.NewPassword);
+ await _userService.ChangePassword(GetAuthUserId(), request.OldPassword, request.NewPassword);
return OkWithCommonResponse();
}
catch (BadPasswordException)