azaion/admin
1
0
Fork 0
mirror of https://github.com/azaion/admin.git synced 2026-06-21 06:51:08 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
51a293dbcc8e374699cbe83976710d3dbc5c29d3
admin/Azaion.Common/BusinessException.cs
T
Oleksandr Bezdieniezhnykh 51a293dbcc
ci/woodpecker/push/01-test Pipeline failed
Details
ci/woodpecker/push/02-build-push unknown status
Details
[AZ-531] [AZ-532] Refresh-token rotation + ES256 signing with JWKS 
AZ-531 — /login now returns access (15 min) + opaque refresh; rotation
on /token/refresh; reuse of a rotated refresh kills the entire session
family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new
sessions table with serializable-tx rotation.

AZ-532 — switched access-token signing from HS256 shared-secret to ES256
file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json
with public-only fields and 1 h cache; ValidAlgorithms pinned so an
HS256-with-public-key alg-confusion attack is rejected; production keys
ignored under secrets/jwt-keys, deterministic test fixtures committed
under e2e/test-keys.

Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests).
Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated
for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with
ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env
to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux
budget unchanged, see batch_02_cycle2_review.md F1).

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-14 05:30:03 +03:00

64 lines
1.8 KiB
C#
Raw Blame History

using System.ComponentModel;
using Azaion.Common.Extensions;
namespace Azaion.Common;
public class BusinessException(ExceptionEnum exEnum) : Exception(GetMessage(exEnum))
{
private static readonly Dictionary<ExceptionEnum, string> ExceptionDescriptions;
static BusinessException()
{
ExceptionDescriptions = EnumExtensions.GetDescriptions<ExceptionEnum>();
}
public ExceptionEnum ExceptionEnum { get; set; } = exEnum;
/// <summary>
/// Optional cooldown hint surfaced as a Retry-After response header by the exception
/// handler. Used by AccountLocked and LoginRateLimited (AZ-537).
/// </summary>
public int? RetryAfterSeconds { get; init; }
public BusinessException(ExceptionEnum exEnum, int retryAfterSeconds) : this(exEnum)
{
RetryAfterSeconds = retryAfterSeconds;
}
public static string GetMessage(ExceptionEnum exEnum) => ExceptionDescriptions.GetValueOrDefault(exEnum) ?? exEnum.ToString();
}
public enum ExceptionEnum
{
[Description("No such email found.")]
NoEmailFound = 10,
[Description("Email already exists.")]
EmailExists = 20,
[Description("Passwords do not match.")]
WrongPassword = 30,
[Description("Password should be at least 12 characters.")]
PasswordLengthIncorrect = 32,
[Description("Email is empty or invalid.")]
EmailLengthIncorrect = 35,
WrongEmail = 37,
[Description("User account is disabled.")]
UserDisabled = 38,
[Description("Account is temporarily locked due to too many failed login attempts.")]
AccountLocked = 50,
[Description("Too many login attempts. Try again later.")]
LoginRateLimited = 51,
[Description("Refresh token is invalid, expired, or has been revoked.")]
InvalidRefreshToken = 52,
[Description("No file provided.")]
NoFileProvided = 60,
}
Reference in New Issue View Git Blame Copy Permalink