[AZ-531] [AZ-532] Refresh-token rotation + ES256 signing with JWKS

AZ-531 — /login now returns access (15 min) + opaque refresh; rotation on /token/refresh; reuse of a rotated refresh kills the entire session family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new sessions table with serializable-tx rotation. AZ-532 — switched access-token signing from HS256 shared-secret to ES256 file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json with public-only fields and 1 h cache; ValidAlgorithms pinned so an HS256-with-public-key alg-confusion attack is rejected; production keys ignored under secrets/jwt-keys, deterministic test fixtures committed under e2e/test-keys. Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests). Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux budget unchanged, see batch_02_cycle2_review.md F1). Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 17:01:09 +00:00 · 2026-05-14 05:30:03 +03:00
parent 491993f9c1
commit 51a293dbcc
39 changed files with 1326 additions and 57 deletions
@@ -17,6 +17,7 @@ public interface IUserService
    Task<RegisterDeviceResponse> RegisterDevice(CancellationToken ct = default);
    Task<User> ValidateUser(LoginRequest request, CancellationToken ct = default);
    Task<User?> GetByEmail(string? email, CancellationToken ct = default);
+    Task<User?> GetById(Guid userId, CancellationToken ct = default);
    Task UpdateQueueOffsets(string email, UserQueueOffsets queueOffsets, CancellationToken ct = default);
    Task<IEnumerable<User>> GetUsers(string? searchEmail, RoleEnum? searchRole, CancellationToken ct = default);
    Task ChangeRole(string email, RoleEnum newRole, CancellationToken ct = default);
@@ -112,6 +113,9 @@ public class UserService(
                await db.Users.FirstOrDefaultAsync(x => x.Email == email, ct)));
    }

+    public async Task<User?> GetById(Guid userId, CancellationToken ct = default) =>
+        await dbFactory.Run(async db => await db.Users.FirstOrDefaultAsync(x => x.Id == userId, token: ct));
+

    public async Task<User> ValidateUser(LoginRequest request, CancellationToken ct = default)
    {