mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 13:31:08 +00:00
Oleksandr Bezdieniezhnykh
51a293dbcc
AZ-531 — /login now returns access (15 min) + opaque refresh; rotation on /token/refresh; reuse of a rotated refresh kills the entire session family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new sessions table with serializable-tx rotation. AZ-532 — switched access-token signing from HS256 shared-secret to ES256 file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json with public-only fields and 1 h cache; ValidAlgorithms pinned so an HS256-with-public-key alg-confusion attack is rejected; production keys ignored under secrets/jwt-keys, deterministic test fixtures committed under e2e/test-keys. Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests). Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux budget unchanged, see batch_02_cycle2_review.md F1). Co-authored-by: Cursor <cursoragent@cursor.com>
71 lines
2.5 KiB
C#
71 lines
2.5 KiB
C#
using System.IdentityModel.Tokens.Jwt;
|
|
using System.Security.Claims;
|
|
using Azaion.Common.Configs;
|
|
using Azaion.Common.Entities;
|
|
using Microsoft.AspNetCore.Http;
|
|
using Microsoft.Extensions.Options;
|
|
using Microsoft.IdentityModel.Tokens;
|
|
|
|
namespace Azaion.Services;
|
|
|
|
public interface IAuthService
|
|
{
|
|
Task<User?> GetCurrentUser();
|
|
|
|
/// <summary>
|
|
/// AZ-531 / AZ-532 — mint a 15-minute ES256 access token. <paramref name="sessionId"/>
|
|
/// is stamped as the <c>sid</c> claim (logout / family-revocation key in AZ-535)
|
|
/// and <paramref name="jti"/> is the per-token unique id (AZ-535 access denylist).
|
|
/// </summary>
|
|
AccessToken CreateToken(User user, Guid sessionId, Guid jti);
|
|
}
|
|
|
|
public sealed record AccessToken(string Jwt, DateTime ExpiresAt);
|
|
|
|
public class AuthService(
|
|
IHttpContextAccessor httpContextAccessor,
|
|
IOptions<JwtConfig> jwtConfig,
|
|
IJwtSigningKeyProvider signingKeys,
|
|
IUserService userService) : IAuthService
|
|
{
|
|
private readonly JwtConfig _jwt = jwtConfig.Value;
|
|
|
|
private string? GetCurrentUserEmail()
|
|
{
|
|
var claims = httpContextAccessor.HttpContext?.User.Claims.ToDictionary(x => x.Type);
|
|
return claims?[ClaimTypes.Name].Value;
|
|
}
|
|
|
|
public async Task<User?> GetCurrentUser()
|
|
{
|
|
var email = GetCurrentUserEmail();
|
|
return await userService.GetByEmail(email);
|
|
}
|
|
|
|
public AccessToken CreateToken(User user, Guid sessionId, Guid jti)
|
|
{
|
|
var active = signingKeys.Active;
|
|
var signingCredentials = new SigningCredentials(active.SecurityKey, SecurityAlgorithms.EcdsaSha256);
|
|
|
|
var expires = DateTime.UtcNow.AddMinutes(_jwt.AccessTokenLifetimeMinutes);
|
|
var tokenHandler = new JwtSecurityTokenHandler();
|
|
var tokenDescriptor = new SecurityTokenDescriptor
|
|
{
|
|
Subject = new ClaimsIdentity([
|
|
new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
|
|
new Claim(ClaimTypes.Name, user.Email),
|
|
new Claim(ClaimTypes.Role, user.Role.ToString()),
|
|
new Claim(JwtRegisteredClaimNames.Sid, sessionId.ToString()),
|
|
new Claim(JwtRegisteredClaimNames.Jti, jti.ToString())
|
|
]),
|
|
Expires = expires,
|
|
Issuer = _jwt.Issuer,
|
|
Audience = _jwt.Audience,
|
|
SigningCredentials = signingCredentials
|
|
};
|
|
|
|
var token = tokenHandler.CreateToken(tokenDescriptor);
|
|
return new AccessToken(tokenHandler.WriteToken(token), expires);
|
|
}
|
|
}
|