azaion/admin
1
0
Fork 0
mirror of https://github.com/azaion/admin.git synced 2026-06-21 16:41:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
1bdbe8c96d2d909897ef08db94847c628938c310
admin/Azaion.Common/Entities/Session.cs
T
Oleksandr Bezdieniezhnykh 1e1ded73f5
ci/woodpecker/push/01-test Pipeline failed
Details
ci/woodpecker/push/02-build-push unknown status
Details
[AZ-534] TOTP-based 2FA at credential login 
Add RFC 6238 TOTP enrollment, two-step /login flow, recovery codes, and
the amr=["pwd","mfa"] claim that propagates through refresh-token rotation.

- New endpoints: /users/me/mfa/{enroll,confirm,disable} and /login/mfa.
- /login short-circuits to a 5-min ES256 step-1 token (audience-pinned
  azaion-mfa-step2) when the user has MFA enabled; real access+refresh
  pair is minted only after /login/mfa.
- mfa_secret encrypted at rest via ASP.NET Core IDataProtector
  (purpose=Azaion.Mfa.Secret.v1; key folder configurable via
  DataProtection:KeysFolder for production persistence).
- Recovery codes (10 single-use, base32, ~80-bit entropy) hashed with
  SHA-256 and stored as JSONB; constant-time compare on lookup.
- RFC 6238 §5.2 replay defense via mfa_last_used_window per user.
- Sessions carry mfa_authenticated so /token/refresh re-stamps the
  amr claim correctly across the entire 30-day refresh window.
- New audit events: enroll, confirm, disable, login-success/failed,
  recovery-used.
- Schema: env/db/10_users_mfa.sql adds users.mfa_* columns and
  sessions.mfa_authenticated; mfa_recovery_codes mapped as BinaryJson
  in AzaionDbSchemaHolder; disable path uses raw parameterised SQL to
  avoid LinqToDB null-literal type-inference on jsonb columns.

E2E: 6 new tests in MfaLoginTests cover all six AC; full suite
82 passed / 0 failed / 3 intentional skips.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-14 06:21:28 +03:00

71 lines
2.9 KiB
C#
Raw Blame History

namespace Azaion.Common.Entities;
/// <summary>
/// AZ-531 — refresh-token session row. One row per issued refresh token. A
/// "session family" is the chain of rotated sessions that all share the same
/// <see cref="FamilyId"/>; reuse-detection keys off it.
/// </summary>
public class Session
{
public Guid Id { get; set; }
public Guid UserId { get; set; }
/// <summary>
/// AZ-531 — sha256(opaque refresh) for interactive sessions. AZ-533 mission
/// sessions have no refresh value and store NULL here.
/// </summary>
public string? RefreshHash { get; set; }
public Guid FamilyId { get; set; }
public DateTime IssuedAt { get; set; }
public DateTime LastUsedAt { get; set; }
public DateTime ExpiresAt { get; set; }
public DateTime? RevokedAt { get; set; }
public string? RevokedReason { get; set; }
public Guid? ParentSessionId { get; set; }
public DateTime FamilyStartedAt { get; set; }
/// <summary>
/// AZ-535 — audit trail for who revoked the session (user id of the admin or
/// the user themselves on /logout). Null for system revocations (rotation,
/// reuse detection, post-flight reconnect).
/// </summary>
public Guid? RevokedByUserId { get; set; }
/// <summary>
/// AZ-533 — session class. <see cref="SessionClasses.Interactive"/> is the
/// default refresh-backed interactive session (AZ-531); <see cref="SessionClasses.Mission"/>
/// is a long-lived no-refresh token issued for a single UAV mission.
/// </summary>
public string Class { get; set; } = SessionClasses.Interactive;
/// <summary>
/// AZ-533 — for mission sessions: the aircraft (CompanionPC user) the mission
/// token belongs to. Used by the auto-revoke-on-reconnect middleware. Null for
/// interactive sessions.
/// </summary>
public Guid? AircraftId { get; set; }
/// <summary>
/// AZ-534 — true iff the session was created via an MFA-validated /login/mfa
/// call. Refresh-token rotation reads this to keep the AMR claim stable across
/// the session lifetime.
/// </summary>
public bool MfaAuthenticated { get; set; }
}
public static class SessionRevokedReasons
{
public const string Rotated = "rotated";
public const string ReuseDetected = "reuse_detected";
public const string LoggedOut = "logged_out";
public const string LoggedOutAll = "logged_out_all";
public const string AdminRevoked = "admin_revoked";
public const string PostFlightReconnect = "post_flight_reconnect";
public const string FamilyRevoked = "family_revoked";
}
public static class SessionClasses
{
public const string Interactive = "interactive";
public const string Mission = "mission";
}
Reference in New Issue View Git Blame Copy Permalink