mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 19:41:10 +00:00
Oleksandr Bezdieniezhnykh
1e1ded73f5
Add RFC 6238 TOTP enrollment, two-step /login flow, recovery codes, and
the amr=["pwd","mfa"] claim that propagates through refresh-token rotation.
- New endpoints: /users/me/mfa/{enroll,confirm,disable} and /login/mfa.
- /login short-circuits to a 5-min ES256 step-1 token (audience-pinned
azaion-mfa-step2) when the user has MFA enabled; real access+refresh
pair is minted only after /login/mfa.
- mfa_secret encrypted at rest via ASP.NET Core IDataProtector
(purpose=Azaion.Mfa.Secret.v1; key folder configurable via
DataProtection:KeysFolder for production persistence).
- Recovery codes (10 single-use, base32, ~80-bit entropy) hashed with
SHA-256 and stored as JSONB; constant-time compare on lookup.
- RFC 6238 §5.2 replay defense via mfa_last_used_window per user.
- Sessions carry mfa_authenticated so /token/refresh re-stamps the
amr claim correctly across the entire 30-day refresh window.
- New audit events: enroll, confirm, disable, login-success/failed,
recovery-used.
- Schema: env/db/10_users_mfa.sql adds users.mfa_* columns and
sessions.mfa_authenticated; mfa_recovery_codes mapped as BinaryJson
in AzaionDbSchemaHolder; disable path uses raw parameterised SQL to
avoid LinqToDB null-literal type-inference on jsonb columns.
E2E: 6 new tests in MfaLoginTests cover all six AC; full suite
82 passed / 0 failed / 3 intentional skips.
Co-authored-by: Cursor <cursoragent@cursor.com>
64 lines
2.2 KiB
C#
64 lines
2.2 KiB
C#
using Azaion.Common.Entities;
|
|
using Azaion.Common.Extensions;
|
|
using LinqToDB;
|
|
using LinqToDB.Mapping;
|
|
using Newtonsoft.Json;
|
|
|
|
namespace Azaion.Common.Database;
|
|
|
|
public static class AzaionDbSchemaHolder
|
|
{
|
|
public static readonly MappingSchema MappingSchema;
|
|
|
|
static AzaionDbSchemaHolder()
|
|
{
|
|
MappingSchema = new MappingSchema();
|
|
|
|
MappingSchema.EntityDescriptorCreatedCallback = (_, entityDescriptor) =>
|
|
{
|
|
foreach (var entityDescriptorColumn in entityDescriptor.Columns)
|
|
entityDescriptorColumn.ColumnName = entityDescriptorColumn.ColumnName.ToSnakeCase();
|
|
};
|
|
|
|
var builder = new FluentMappingBuilder(MappingSchema);
|
|
|
|
builder.Entity<User>()
|
|
.HasTableName("users")
|
|
.Property(x => x.Id)
|
|
.IsPrimaryKey()
|
|
.HasDataType(DataType.Guid)
|
|
.Property(x => x.Role)
|
|
.HasDataType(DataType.Text)
|
|
.HasConversion(v => v.ToString(), v => (RoleEnum)Enum.Parse(typeof(RoleEnum), v))
|
|
.Property(x => x.UserConfig)
|
|
.HasConversion(
|
|
v => v == null ? null : JsonConvert.SerializeObject(v),
|
|
p => string.IsNullOrEmpty(p) ? new UserConfig() : JsonConvert.DeserializeObject<UserConfig>(p))
|
|
.IsNullable()
|
|
// AZ-534 — mfa_recovery_codes is JSONB; tell the provider so Npgsql sends
|
|
// the JSON type oid instead of text (otherwise inserts fail with
|
|
// "column is of type jsonb but expression is of type text").
|
|
.Property(x => x.MfaRecoveryCodes)
|
|
.HasDataType(DataType.BinaryJson);
|
|
|
|
builder.Entity<DetectionClass>()
|
|
.HasTableName("detection_classes")
|
|
.Property(x => x.Id)
|
|
.IsPrimaryKey()
|
|
.IsIdentity();
|
|
|
|
builder.Entity<AuditEvent>()
|
|
.HasTableName("audit_events")
|
|
.Property(x => x.Id)
|
|
.IsPrimaryKey()
|
|
.IsIdentity();
|
|
|
|
builder.Entity<Session>()
|
|
.HasTableName("sessions")
|
|
.Property(x => x.Id)
|
|
.IsPrimaryKey()
|
|
.HasDataType(DataType.Guid);
|
|
|
|
builder.Build();
|
|
}
|
|
} |