azaion/admin
1
0
Fork 0
mirror of https://github.com/azaion/admin.git synced 2026-06-21 11:51:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e3b0fe6582f35aa71c25544133dab60d226f7d57
admin/_docs/02_document/modules/common_requests_login_response.md
T
Oleksandr Bezdieniezhnykh a77b3f8a59 [AZ-529] [AZ-530] Cycle-2 documentation refresh 
Refreshes _docs/02_document/ to reflect the cycle-2 auth-modernization
+ CMMC hardening landings (AZ-531..AZ-538). Authoritative source for
the ripple set is ripple_log_cycle2.md.

Covered:
- architecture.md (section 1 rewritten, ADRs 6-9 added)
- data_model.md (sessions, audit_events, user columns, migrations)
- system-flows.md (F1 rewritten; F11-F17 added; F2/F7/F9 minor)
- module-layout.md (cycle-2 sub-component table)
- diagrams/flows/flow_login.md (dual-token + MFA)
- components/{01_data_layer,03_auth_and_security,05_admin_api}
- modules/ (12 new, 8 modified — full Argon2id/ES256/MFA/refresh
  /mission/session/audit/jwks rollup)
- tests/{blackbox,security,traceability-matrix}

Step 13 (Update Docs) output for cycle 2.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-14 09:22:53 +03:00

2.8 KiB
Raw Blame History

Module: Azaion.Common.Requests.LoginResponse + RefreshTokenRequest

Purpose

Response DTO for /login, /login/mfa, and /token/refresh (dual-token shape), plus the request DTO for /token/refresh.

Added in cycle 2 (2026-05-14) by AZ-531 (Epic AZ-529, Refresh-token Flow). The pre-AZ-531 single-token { token } shape is preserved via the Token accessor for backward compatibility — pre-AZ-531 clients see the same value via Token even though new clients consume AccessToken / RefreshToken.

Public Interface

LoginResponse

Property Type Description
AccessToken string The 15-min ES256 JWT to be sent as Authorization: Bearer <…> on subsequent requests.
AccessExp DateTime Absolute expiry of AccessToken (UTC).
RefreshToken string Opaque base64url string (43 chars). Send to /token/refresh to rotate. NEVER decode — it is not a JWT.
RefreshExp DateTime Sliding expiry of the refresh token (UTC).
Token (read-only) string Backward-compat accessor returning AccessToken. Pre-AZ-531 clients that read Token keep working.

RefreshTokenRequest

Property Type Description
RefreshToken string The opaque token returned in the previous LoginResponse.RefreshToken (or in the previous successful /token/refresh response).

Internal Logic

None — pure data classes. The Token getter is a read-only alias.

Dependencies

None.

Consumers

  • Program.cs /login — returns LoginResponse (when MFA is not required) via the shared IssueDualTokens helper.
  • Program.cs /login/mfa — returns LoginResponse via IssueDualTokens after second-factor success.
  • Program.cs /token/refresh — accepts RefreshTokenRequest, returns LoginResponse.
  • RefreshTokenService.IssueForNewLogin / Rotate — supplies the values that populate LoginResponse.

Data Models

None.

Configuration

None.

External Integrations

None.

Security

  • RefreshToken is high-entropy (256 bits) and opaque. It is never logged and only ever returned in this response shape (HTTPS is mandatory in Production — see AZ-538 HSTS / HTTPS-redirect).
  • AccessToken is a JWT carrying sid, jti, amr, role and email claims. Validation is configured in Program.cs (ValidateIssuer, ValidateAudience, ValidateLifetime, ValidateIssuerSigningKey, ValidAlgorithms = [ES256]).
  • Backward-compat note — the Token accessor exists so pre-AZ-531 UI builds keep working during the transition. New clients should use AccessToken so they can also pick up AccessExp for proactive refresh scheduling.

Tests

  • e2e/Azaion.E2E/Tests/RefreshTokenTests.cs — assertions on the shape (AC-1) and on rotation behaviour (AC-2..AC-5).
Reference in New Issue View Git Blame Copy Permalink