mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 16:11:09 +00:00
Oleksandr Bezdieniezhnykh
51a293dbcc
AZ-531 — /login now returns access (15 min) + opaque refresh; rotation on /token/refresh; reuse of a rotated refresh kills the entire session family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new sessions table with serializable-tx rotation. AZ-532 — switched access-token signing from HS256 shared-secret to ES256 file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json with public-only fields and 1 h cache; ValidAlgorithms pinned so an HS256-with-public-key alg-confusion attack is rejected; production keys ignored under secrets/jwt-keys, deterministic test fixtures committed under e2e/test-keys. Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests). Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux budget unchanged, see batch_02_cycle2_review.md F1). Co-authored-by: Cursor <cursoragent@cursor.com>
108 lines
4.5 KiB
C#
108 lines
4.5 KiB
C#
using System.Net.Http.Headers;
|
|
using System.Net.Http.Json;
|
|
using System.Text;
|
|
using System.Text.Json;
|
|
|
|
namespace Azaion.E2E.Helpers;
|
|
|
|
public sealed class ApiClient : IDisposable
|
|
{
|
|
private static readonly JsonSerializerOptions JsonOptions = new()
|
|
{
|
|
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
|
|
PropertyNameCaseInsensitive = true
|
|
};
|
|
|
|
private readonly HttpClient _httpClient;
|
|
private readonly bool _disposeClient;
|
|
|
|
public ApiClient(HttpClient httpClient, bool disposeClient = false)
|
|
{
|
|
_httpClient = httpClient;
|
|
_disposeClient = disposeClient;
|
|
}
|
|
|
|
public void Dispose()
|
|
{
|
|
if (_disposeClient)
|
|
_httpClient.Dispose();
|
|
}
|
|
|
|
public void SetAuthToken(string token)
|
|
{
|
|
_httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
|
|
}
|
|
|
|
public async Task<LoginResponse> LoginFullAsync(string email, string password, CancellationToken cancellationToken = default)
|
|
{
|
|
using var response = await PostAsync("/login", new { email, password }, cancellationToken).ConfigureAwait(false);
|
|
response.EnsureSuccessStatusCode();
|
|
var body = await response.Content.ReadFromJsonAsync<LoginResponse>(JsonOptions, cancellationToken)
|
|
.ConfigureAwait(false);
|
|
if (body?.AccessToken is not { Length: > 0 })
|
|
throw new InvalidOperationException("Login response did not contain an access token.");
|
|
if (body.RefreshToken is not { Length: > 0 })
|
|
throw new InvalidOperationException("Login response did not contain a refresh token.");
|
|
return body;
|
|
}
|
|
|
|
public async Task<string> LoginAsync(string email, string password, CancellationToken cancellationToken = default)
|
|
{
|
|
using var response = await PostAsync("/login", new { email, password }, cancellationToken).ConfigureAwait(false);
|
|
response.EnsureSuccessStatusCode();
|
|
var body = await response.Content.ReadFromJsonAsync<LoginResponse>(JsonOptions, cancellationToken)
|
|
.ConfigureAwait(false);
|
|
if (body?.AccessToken is not { Length: > 0 } t)
|
|
throw new InvalidOperationException("Login response did not contain an access token.");
|
|
return t;
|
|
}
|
|
|
|
public Task<HttpResponseMessage> PostAsync<T>(string url, T body, CancellationToken cancellationToken = default)
|
|
{
|
|
var json = JsonSerializer.Serialize(body, JsonOptions);
|
|
var content = new StringContent(json, Encoding.UTF8, "application/json");
|
|
return _httpClient.PostAsync(url, content, cancellationToken);
|
|
}
|
|
|
|
public Task<HttpResponseMessage> GetAsync(string url, CancellationToken cancellationToken = default) =>
|
|
_httpClient.GetAsync(url, cancellationToken);
|
|
|
|
public Task<HttpResponseMessage> PutAsync(string url, CancellationToken cancellationToken = default) =>
|
|
_httpClient.PutAsync(url, null, cancellationToken);
|
|
|
|
public Task<HttpResponseMessage> PutAsync<T>(string url, T body, CancellationToken cancellationToken = default)
|
|
{
|
|
var json = JsonSerializer.Serialize(body, JsonOptions);
|
|
var content = new StringContent(json, Encoding.UTF8, "application/json");
|
|
return _httpClient.PutAsync(url, content, cancellationToken);
|
|
}
|
|
|
|
public Task<HttpResponseMessage> PatchAsync<T>(string url, T body, CancellationToken cancellationToken = default)
|
|
{
|
|
var json = JsonSerializer.Serialize(body, JsonOptions);
|
|
var content = new StringContent(json, Encoding.UTF8, "application/json");
|
|
return _httpClient.PatchAsync(url, content, cancellationToken);
|
|
}
|
|
|
|
public Task<HttpResponseMessage> DeleteAsync(string url, CancellationToken cancellationToken = default) =>
|
|
_httpClient.DeleteAsync(url, cancellationToken);
|
|
|
|
public Task<HttpResponseMessage> UploadFileAsync(string url, byte[] fileContent, string fileName,
|
|
string formFieldName = "data", CancellationToken cancellationToken = default)
|
|
{
|
|
var content = new MultipartFormDataContent();
|
|
var fileContentBytes = new ByteArrayContent(fileContent);
|
|
fileContentBytes.Headers.ContentType = new MediaTypeHeaderValue("application/octet-stream");
|
|
content.Add(fileContentBytes, formFieldName, fileName);
|
|
return _httpClient.PostAsync(url, content, cancellationToken);
|
|
}
|
|
|
|
public sealed class LoginResponse
|
|
{
|
|
public string AccessToken { get; init; } = "";
|
|
public DateTime AccessExp { get; init; }
|
|
public string RefreshToken { get; init; } = "";
|
|
public DateTime RefreshExp { get; init; }
|
|
}
|
|
}
|