mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 06:51:08 +00:00
Oleksandr Bezdieniezhnykh
51a293dbcc
AZ-531 — /login now returns access (15 min) + opaque refresh; rotation on /token/refresh; reuse of a rotated refresh kills the entire session family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new sessions table with serializable-tx rotation. AZ-532 — switched access-token signing from HS256 shared-secret to ES256 file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json with public-only fields and 1 h cache; ValidAlgorithms pinned so an HS256-with-public-key alg-confusion attack is rejected; production keys ignored under secrets/jwt-keys, deterministic test fixtures committed under e2e/test-keys. Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests). Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux budget unchanged, see batch_02_cycle2_review.md F1). Co-authored-by: Cursor <cursoragent@cursor.com>
35 lines
719 B
JSON
35 lines
719 B
JSON
{
|
|
"Logging": {
|
|
"LogLevel": {
|
|
"Default": "Information",
|
|
"Microsoft.AspNetCore": "Warning"
|
|
}
|
|
},
|
|
"AllowedHosts": "*",
|
|
"ResourcesConfig": {
|
|
"ResourcesFolder": "Content"
|
|
},
|
|
"JwtConfig": {
|
|
"Issuer": "AzaionApi",
|
|
"Audience": "Annotators/OrangePi/Admins",
|
|
"KeysFolder": "secrets/jwt-keys",
|
|
"AccessTokenLifetimeMinutes": 15
|
|
},
|
|
"SessionConfig": {
|
|
"RefreshSlidingHours": 8,
|
|
"RefreshAbsoluteHours": 12
|
|
},
|
|
"AuthConfig": {
|
|
"RateLimit": {
|
|
"PerIpPermitLimit": 10,
|
|
"PerIpWindowSeconds": 60,
|
|
"PerAccountPermitLimit": 5,
|
|
"PerAccountWindowSeconds": 300
|
|
},
|
|
"Lockout": {
|
|
"MaxAttempts": 10,
|
|
"DurationSeconds": 900
|
|
}
|
|
}
|
|
}
|