mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 06:51:08 +00:00
Oleksandr Bezdieniezhnykh
51a293dbcc
AZ-531 — /login now returns access (15 min) + opaque refresh; rotation on /token/refresh; reuse of a rotated refresh kills the entire session family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new sessions table with serializable-tx rotation. AZ-532 — switched access-token signing from HS256 shared-secret to ES256 file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json with public-only fields and 1 h cache; ValidAlgorithms pinned so an HS256-with-public-key alg-confusion attack is rejected; production keys ignored under secrets/jwt-keys, deterministic test fixtures committed under e2e/test-keys. Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests). Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux budget unchanged, see batch_02_cycle2_review.md F1). Co-authored-by: Cursor <cursoragent@cursor.com>
210 lines
9.1 KiB
C#
210 lines
9.1 KiB
C#
using System.Globalization;
|
|
using Npgsql;
|
|
|
|
namespace Azaion.E2E.Helpers;
|
|
|
|
/// <summary>
|
|
/// Thin wrapper around <see cref="NpgsqlConnection"/> for tests that must inspect
|
|
/// or seed rows directly. Used by AZ-536 (password hash format) and AZ-537
|
|
/// (lockout state, audit_events) acceptance tests.
|
|
/// </summary>
|
|
public sealed record SessionRow(
|
|
Guid Id,
|
|
Guid UserId,
|
|
Guid FamilyId,
|
|
DateTime IssuedAt,
|
|
DateTime ExpiresAt,
|
|
DateTime? RevokedAt,
|
|
string? RevokedReason,
|
|
Guid? ParentSessionId,
|
|
DateTime FamilyStartedAt);
|
|
|
|
public sealed class DbHelper
|
|
{
|
|
private readonly string _connectionString;
|
|
|
|
public DbHelper(string connectionString) => _connectionString = connectionString;
|
|
|
|
public async Task<string?> GetPasswordHash(string email, CancellationToken ct = default)
|
|
{
|
|
await using var conn = await OpenAsync(ct);
|
|
await using var cmd = new NpgsqlCommand(
|
|
"SELECT password_hash FROM public.users WHERE email = @e", conn);
|
|
cmd.Parameters.AddWithValue("e", email);
|
|
var raw = await cmd.ExecuteScalarAsync(ct);
|
|
return raw == null || raw is DBNull ? null : (string)raw;
|
|
}
|
|
|
|
public async Task<(int FailedLoginCount, DateTime? LockoutUntil)> GetLockoutState(string email, CancellationToken ct = default)
|
|
{
|
|
await using var conn = await OpenAsync(ct);
|
|
await using var cmd = new NpgsqlCommand(
|
|
"SELECT failed_login_count, lockout_until FROM public.users WHERE email = @e", conn);
|
|
cmd.Parameters.AddWithValue("e", email);
|
|
await using var rd = await cmd.ExecuteReaderAsync(ct);
|
|
if (!await rd.ReadAsync(ct))
|
|
throw new InvalidOperationException($"User {email} not found.");
|
|
var failed = rd.GetInt32(0);
|
|
DateTime? lockout = rd.IsDBNull(1) ? null : DateTime.SpecifyKind(rd.GetDateTime(1), DateTimeKind.Utc);
|
|
return (failed, lockout);
|
|
}
|
|
|
|
public async Task<int> CountAuditEvents(string eventType, string email, CancellationToken ct = default)
|
|
{
|
|
await using var conn = await OpenAsync(ct);
|
|
await using var cmd = new NpgsqlCommand(
|
|
"SELECT COUNT(*) FROM public.audit_events WHERE event_type = @t AND email = @e", conn);
|
|
cmd.Parameters.AddWithValue("t", eventType);
|
|
cmd.Parameters.AddWithValue("e", email);
|
|
var raw = await cmd.ExecuteScalarAsync(ct);
|
|
return Convert.ToInt32(raw, CultureInfo.InvariantCulture);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Inject a user with a known legacy SHA-384 hash so the lazy-migration path can be
|
|
/// exercised end-to-end without going through the Argon2id-using registration API.
|
|
/// </summary>
|
|
public async Task SeedLegacyShaUser(Guid id, string email, string sha384HashBase64, string role = "ResourceUploader", CancellationToken ct = default)
|
|
{
|
|
await using var conn = await OpenAsync(ct);
|
|
await using var cmd = new NpgsqlCommand(@"
|
|
INSERT INTO public.users (id, email, password_hash, role, created_at, is_enabled, failed_login_count)
|
|
VALUES (@id, @email, @hash, @role, now(), true, 0)
|
|
ON CONFLICT (email) DO UPDATE
|
|
SET password_hash = excluded.password_hash,
|
|
failed_login_count = 0,
|
|
lockout_until = NULL,
|
|
is_enabled = true", conn);
|
|
cmd.Parameters.AddWithValue("id", id);
|
|
cmd.Parameters.AddWithValue("email", email);
|
|
cmd.Parameters.AddWithValue("hash", sha384HashBase64);
|
|
cmd.Parameters.AddWithValue("role", role);
|
|
await cmd.ExecuteNonQueryAsync(ct);
|
|
}
|
|
|
|
public async Task DeleteUser(string email, CancellationToken ct = default)
|
|
{
|
|
await using var conn = await OpenAsync(ct);
|
|
await using var cmd = new NpgsqlCommand(
|
|
"DELETE FROM public.users WHERE email = @e", conn);
|
|
cmd.Parameters.AddWithValue("e", email);
|
|
await cmd.ExecuteNonQueryAsync(ct);
|
|
}
|
|
|
|
public async Task DeleteAuditEventsFor(string email, CancellationToken ct = default)
|
|
{
|
|
await using var conn = await OpenAsync(ct);
|
|
await using var cmd = new NpgsqlCommand(
|
|
"DELETE FROM public.audit_events WHERE email = @e", conn);
|
|
cmd.Parameters.AddWithValue("e", email);
|
|
await cmd.ExecuteNonQueryAsync(ct);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Force-set a lockout deadline so tests don't have to actually trip the threshold
|
|
/// 10 times to check expiry behavior (AZ-537 AC-5).
|
|
/// </summary>
|
|
public async Task SetLockoutUntil(string email, DateTime? lockoutUntilUtc, int failedCount, CancellationToken ct = default)
|
|
{
|
|
await using var conn = await OpenAsync(ct);
|
|
await using var cmd = new NpgsqlCommand(@"
|
|
UPDATE public.users
|
|
SET lockout_until = @until,
|
|
failed_login_count = @count
|
|
WHERE email = @e", conn);
|
|
cmd.Parameters.AddWithValue("until",
|
|
(object?)(lockoutUntilUtc?.ToUniversalTime()) ?? DBNull.Value);
|
|
cmd.Parameters.AddWithValue("count", failedCount);
|
|
cmd.Parameters.AddWithValue("e", email);
|
|
await cmd.ExecuteNonQueryAsync(ct);
|
|
}
|
|
|
|
/// <summary>
|
|
/// AZ-531 — looks up a session row by the refresh token's sha256 hash. Tests
|
|
/// hash the opaque token the same way RefreshTokenService does, then assert
|
|
/// on the persisted row.
|
|
/// </summary>
|
|
public async Task<SessionRow?> GetSessionByHash(string refreshHashHex, CancellationToken ct = default)
|
|
{
|
|
await using var conn = await OpenAsync(ct);
|
|
await using var cmd = new NpgsqlCommand(@"
|
|
SELECT id, user_id, family_id, issued_at, expires_at, revoked_at,
|
|
revoked_reason, parent_session_id, family_started_at
|
|
FROM public.sessions
|
|
WHERE refresh_hash = @h", conn);
|
|
cmd.Parameters.AddWithValue("h", refreshHashHex);
|
|
await using var rd = await cmd.ExecuteReaderAsync(ct);
|
|
if (!await rd.ReadAsync(ct)) return null;
|
|
return new SessionRow(
|
|
Id: rd.GetGuid(0),
|
|
UserId: rd.GetGuid(1),
|
|
FamilyId: rd.GetGuid(2),
|
|
IssuedAt: DateTime.SpecifyKind(rd.GetDateTime(3), DateTimeKind.Utc),
|
|
ExpiresAt: DateTime.SpecifyKind(rd.GetDateTime(4), DateTimeKind.Utc),
|
|
RevokedAt: rd.IsDBNull(5) ? null : DateTime.SpecifyKind(rd.GetDateTime(5), DateTimeKind.Utc),
|
|
RevokedReason: rd.IsDBNull(6) ? null : rd.GetString(6),
|
|
ParentSessionId: rd.IsDBNull(7) ? null : rd.GetGuid(7),
|
|
FamilyStartedAt: DateTime.SpecifyKind(rd.GetDateTime(8), DateTimeKind.Utc));
|
|
}
|
|
|
|
public async Task<int> CountActiveInFamily(Guid familyId, CancellationToken ct = default)
|
|
{
|
|
await using var conn = await OpenAsync(ct);
|
|
await using var cmd = new NpgsqlCommand(
|
|
"SELECT COUNT(*) FROM public.sessions WHERE family_id = @f AND revoked_at IS NULL", conn);
|
|
cmd.Parameters.AddWithValue("f", familyId);
|
|
return Convert.ToInt32(await cmd.ExecuteScalarAsync(ct), CultureInfo.InvariantCulture);
|
|
}
|
|
|
|
public async Task<int> CountReuseRevokedInFamily(Guid familyId, CancellationToken ct = default)
|
|
{
|
|
await using var conn = await OpenAsync(ct);
|
|
await using var cmd = new NpgsqlCommand(
|
|
"SELECT COUNT(*) FROM public.sessions WHERE family_id = @f AND revoked_reason = 'reuse_detected'", conn);
|
|
cmd.Parameters.AddWithValue("f", familyId);
|
|
return Convert.ToInt32(await cmd.ExecuteScalarAsync(ct), CultureInfo.InvariantCulture);
|
|
}
|
|
|
|
/// <summary>
|
|
/// AZ-531 AC-4 — backdate a family so the absolute-expiry check fires
|
|
/// without waiting 12 hours of wall-clock time.
|
|
/// </summary>
|
|
public async Task BackdateFamily(Guid familyId, TimeSpan ageFromNow, CancellationToken ct = default)
|
|
{
|
|
await using var conn = await OpenAsync(ct);
|
|
await using var cmd = new NpgsqlCommand(@"
|
|
UPDATE public.sessions
|
|
SET family_started_at = now() - @age,
|
|
issued_at = now() - @age,
|
|
last_used_at = now() - @age
|
|
WHERE family_id = @f", conn);
|
|
cmd.Parameters.AddWithValue("age", ageFromNow);
|
|
cmd.Parameters.AddWithValue("f", familyId);
|
|
await cmd.ExecuteNonQueryAsync(ct);
|
|
}
|
|
|
|
public async Task DeleteSessionsFor(string email, CancellationToken ct = default)
|
|
{
|
|
await using var conn = await OpenAsync(ct);
|
|
await using var cmd = new NpgsqlCommand(@"
|
|
DELETE FROM public.sessions
|
|
WHERE user_id = (SELECT id FROM public.users WHERE email = @e)", conn);
|
|
cmd.Parameters.AddWithValue("e", email);
|
|
await cmd.ExecuteNonQueryAsync(ct);
|
|
}
|
|
|
|
public static string HashRefreshToken(string opaqueToken)
|
|
{
|
|
var bytes = System.Text.Encoding.ASCII.GetBytes(opaqueToken);
|
|
var digest = System.Security.Cryptography.SHA256.HashData(bytes);
|
|
return Convert.ToHexString(digest);
|
|
}
|
|
|
|
private async Task<NpgsqlConnection> OpenAsync(CancellationToken ct)
|
|
{
|
|
var conn = new NpgsqlConnection(_connectionString);
|
|
await conn.OpenAsync(ct);
|
|
return conn;
|
|
}
|
|
}
|