mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 18:21:09 +00:00
Oleksandr Bezdieniezhnykh
51a293dbcc
AZ-531 — /login now returns access (15 min) + opaque refresh; rotation on /token/refresh; reuse of a rotated refresh kills the entire session family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new sessions table with serializable-tx rotation. AZ-532 — switched access-token signing from HS256 shared-secret to ES256 file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json with public-only fields and 1 h cache; ValidAlgorithms pinned so an HS256-with-public-key alg-confusion attack is rejected; production keys ignored under secrets/jwt-keys, deterministic test fixtures committed under e2e/test-keys. Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests). Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux budget unchanged, see batch_02_cycle2_review.md F1). Co-authored-by: Cursor <cursoragent@cursor.com>
43 lines
1.5 KiB
C#
43 lines
1.5 KiB
C#
namespace Azaion.Common.Configs;
|
|
|
|
public class JwtConfig
|
|
{
|
|
public string Issuer { get; set; } = null!;
|
|
public string Audience { get; set; } = null!;
|
|
|
|
/// <summary>
|
|
/// AZ-532 — directory containing ES256 private keys (PEM, *.pem). The kid is
|
|
/// the filename without extension. Production: <c>secrets/jwt-keys</c>.
|
|
/// </summary>
|
|
public string KeysFolder { get; set; } = "secrets/jwt-keys";
|
|
|
|
/// <summary>
|
|
/// AZ-532 — kid of the key currently used to SIGN new tokens. Other keys in
|
|
/// <see cref="KeysFolder"/> remain in JWKS for the rotation overlap window so
|
|
/// in-flight tokens still verify.
|
|
/// </summary>
|
|
public string? ActiveKid { get; set; }
|
|
|
|
/// <summary>
|
|
/// AZ-531 — access-token TTL in minutes (default 15). Refresh-token TTLs live
|
|
/// on <see cref="SessionConfig"/>.
|
|
/// </summary>
|
|
public int AccessTokenLifetimeMinutes { get; set; } = 15;
|
|
}
|
|
|
|
public class SessionConfig
|
|
{
|
|
/// <summary>
|
|
/// AZ-531 — sliding window. Each refresh extends expires_at by this many
|
|
/// hours from "now"; family-level absolute cap below.
|
|
/// </summary>
|
|
public int RefreshSlidingHours { get; set; } = 8;
|
|
|
|
/// <summary>
|
|
/// AZ-531 — absolute cap. A session family older than this many hours since
|
|
/// the family's first issue is rejected even if every individual rotation
|
|
/// stayed within the sliding window.
|
|
/// </summary>
|
|
public int RefreshAbsoluteHours { get; set; } = 12;
|
|
}
|