mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 08:31:09 +00:00
Oleksandr Bezdieniezhnykh
51a293dbcc
AZ-531 — /login now returns access (15 min) + opaque refresh; rotation on /token/refresh; reuse of a rotated refresh kills the entire session family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new sessions table with serializable-tx rotation. AZ-532 — switched access-token signing from HS256 shared-secret to ES256 file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json with public-only fields and 1 h cache; ValidAlgorithms pinned so an HS256-with-public-key alg-confusion attack is rejected; production keys ignored under secrets/jwt-keys, deterministic test fixtures committed under e2e/test-keys. Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests). Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux budget unchanged, see batch_02_cycle2_review.md F1). Co-authored-by: Cursor <cursoragent@cursor.com>
64 lines
1.8 KiB
C#
64 lines
1.8 KiB
C#
using System.ComponentModel;
|
|
using Azaion.Common.Extensions;
|
|
|
|
namespace Azaion.Common;
|
|
|
|
public class BusinessException(ExceptionEnum exEnum) : Exception(GetMessage(exEnum))
|
|
{
|
|
private static readonly Dictionary<ExceptionEnum, string> ExceptionDescriptions;
|
|
|
|
static BusinessException()
|
|
{
|
|
ExceptionDescriptions = EnumExtensions.GetDescriptions<ExceptionEnum>();
|
|
}
|
|
|
|
public ExceptionEnum ExceptionEnum { get; set; } = exEnum;
|
|
|
|
/// <summary>
|
|
/// Optional cooldown hint surfaced as a Retry-After response header by the exception
|
|
/// handler. Used by AccountLocked and LoginRateLimited (AZ-537).
|
|
/// </summary>
|
|
public int? RetryAfterSeconds { get; init; }
|
|
|
|
public BusinessException(ExceptionEnum exEnum, int retryAfterSeconds) : this(exEnum)
|
|
{
|
|
RetryAfterSeconds = retryAfterSeconds;
|
|
}
|
|
|
|
public static string GetMessage(ExceptionEnum exEnum) => ExceptionDescriptions.GetValueOrDefault(exEnum) ?? exEnum.ToString();
|
|
}
|
|
|
|
public enum ExceptionEnum
|
|
{
|
|
[Description("No such email found.")]
|
|
NoEmailFound = 10,
|
|
|
|
[Description("Email already exists.")]
|
|
EmailExists = 20,
|
|
|
|
[Description("Passwords do not match.")]
|
|
WrongPassword = 30,
|
|
|
|
[Description("Password should be at least 12 characters.")]
|
|
PasswordLengthIncorrect = 32,
|
|
|
|
[Description("Email is empty or invalid.")]
|
|
EmailLengthIncorrect = 35,
|
|
|
|
WrongEmail = 37,
|
|
|
|
[Description("User account is disabled.")]
|
|
UserDisabled = 38,
|
|
|
|
[Description("Account is temporarily locked due to too many failed login attempts.")]
|
|
AccountLocked = 50,
|
|
|
|
[Description("Too many login attempts. Try again later.")]
|
|
LoginRateLimited = 51,
|
|
|
|
[Description("Refresh token is invalid, expired, or has been revoked.")]
|
|
InvalidRefreshToken = 52,
|
|
|
|
[Description("No file provided.")]
|
|
NoFileProvided = 60,
|
|
} |