azaion/admin
1
0
Fork 0
mirror of https://github.com/azaion/admin.git synced 2026-06-21 09:41:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-531] [AZ-532] Refresh-token rotation + ES256 signing with JWKS
ci/woodpecker/push/01-test Pipeline failed
Details
ci/woodpecker/push/02-build-push unknown status
Details

Browse Source 
AZ-531 — /login now returns access (15 min) + opaque refresh; rotation
on /token/refresh; reuse of a rotated refresh kills the entire session
family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new
sessions table with serializable-tx rotation.

AZ-532 — switched access-token signing from HS256 shared-secret to ES256
file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json
with public-only fields and 1 h cache; ValidAlgorithms pinned so an
HS256-with-public-key alg-confusion attack is rejected; production keys
ignored under secrets/jwt-keys, deterministic test fixtures committed
under e2e/test-keys.

Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests).
Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated
for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with
ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env
to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux
budget unchanged, see batch_02_cycle2_review.md F1).

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-14 05:30:03 +03:00
parent 491993f9c1
commit 51a293dbcc
39 changed files with 1326 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.env.example
+14 -3
View File
@@ -14,11 +14,22 @@ ASPNETCORE_URLS=http://+:8080 # Kestrel bind address inside the
ASPNETCORE_ConnectionStrings__AzaionDb=Host=localhost;Port=4312;Database=azaion;Username=azaion_reader;Password=CHANGE_ME
ASPNETCORE_ConnectionStrings__AzaionDbAdmin=Host=localhost;Port=4312;Database=azaion;Username=azaion_admin;Password=CHANGE_ME
# ---------- JWT (HMAC-SHA256, 4 h TTL) --------------------------------------
ASPNETCORE_JwtConfig__Secret=CHANGE_ME_TO_A_RANDOM_STRING_AT_LEAST_32_BYTES
# ---------- JWT (ES256, 15 min access, 8/12 h refresh — AZ-531/AZ-532) ------
# AZ-532 — admin signs access tokens with ES256. Keys live as PEM files in
# JwtConfig__KeysFolder (the kid is the filename without `.pem`); generate with
# scripts/generate-jwt-key.sh. JwtConfig__Secret is gone — verifiers fetch the
# public key from /.well-known/jwks.json instead.
ASPNETCORE_JwtConfig__Issuer=AzaionApi
ASPNETCORE_JwtConfig__Audience=Annotators/OrangePi/Admins
ASPNETCORE_JwtConfig__TokenLifetimeHours=4
ASPNETCORE_JwtConfig__KeysFolder=secrets/jwt-keys
# ActiveKid optional — defaults to the lexicographically first PEM in the folder.
# ASPNETCORE_JwtConfig__ActiveKid=kid-20260514-000000
ASPNETCORE_JwtConfig__AccessTokenLifetimeMinutes=15
# AZ-531 — refresh-token windows. Sliding extends on every rotation; absolute
# caps the family lifetime regardless of activity.
ASPNETCORE_SessionConfig__RefreshSlidingHours=8
ASPNETCORE_SessionConfig__RefreshAbsoluteHours=12
# ---------- Resource storage (filesystem) -----------------------------------
ASPNETCORE_ResourcesConfig__ResourcesFolder=Content