mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 14:51:10 +00:00
Oleksandr Bezdieniezhnykh
1e1ded73f5
Add RFC 6238 TOTP enrollment, two-step /login flow, recovery codes, and
the amr=["pwd","mfa"] claim that propagates through refresh-token rotation.
- New endpoints: /users/me/mfa/{enroll,confirm,disable} and /login/mfa.
- /login short-circuits to a 5-min ES256 step-1 token (audience-pinned
azaion-mfa-step2) when the user has MFA enabled; real access+refresh
pair is minted only after /login/mfa.
- mfa_secret encrypted at rest via ASP.NET Core IDataProtector
(purpose=Azaion.Mfa.Secret.v1; key folder configurable via
DataProtection:KeysFolder for production persistence).
- Recovery codes (10 single-use, base32, ~80-bit entropy) hashed with
SHA-256 and stored as JSONB; constant-time compare on lookup.
- RFC 6238 §5.2 replay defense via mfa_last_used_window per user.
- Sessions carry mfa_authenticated so /token/refresh re-stamps the
amr claim correctly across the entire 30-day refresh window.
- New audit events: enroll, confirm, disable, login-success/failed,
recovery-used.
- Schema: env/db/10_users_mfa.sql adds users.mfa_* columns and
sessions.mfa_authenticated; mfa_recovery_codes mapped as BinaryJson
in AzaionDbSchemaHolder; disable path uses raw parameterised SQL to
avoid LinqToDB null-literal type-inference on jsonb columns.
E2E: 6 new tests in MfaLoginTests cover all six AC; full suite
82 passed / 0 failed / 3 intentional skips.
Co-authored-by: Cursor <cursoragent@cursor.com>
88 lines
2.5 KiB
C#
88 lines
2.5 KiB
C#
using System.ComponentModel;
|
|
using Azaion.Common.Extensions;
|
|
|
|
namespace Azaion.Common;
|
|
|
|
public class BusinessException(ExceptionEnum exEnum) : Exception(GetMessage(exEnum))
|
|
{
|
|
private static readonly Dictionary<ExceptionEnum, string> ExceptionDescriptions;
|
|
|
|
static BusinessException()
|
|
{
|
|
ExceptionDescriptions = EnumExtensions.GetDescriptions<ExceptionEnum>();
|
|
}
|
|
|
|
public ExceptionEnum ExceptionEnum { get; set; } = exEnum;
|
|
|
|
/// <summary>
|
|
/// Optional cooldown hint surfaced as a Retry-After response header by the exception
|
|
/// handler. Used by AccountLocked and LoginRateLimited (AZ-537).
|
|
/// </summary>
|
|
public int? RetryAfterSeconds { get; init; }
|
|
|
|
public BusinessException(ExceptionEnum exEnum, int retryAfterSeconds) : this(exEnum)
|
|
{
|
|
RetryAfterSeconds = retryAfterSeconds;
|
|
}
|
|
|
|
public static string GetMessage(ExceptionEnum exEnum) => ExceptionDescriptions.GetValueOrDefault(exEnum) ?? exEnum.ToString();
|
|
}
|
|
|
|
public enum ExceptionEnum
|
|
{
|
|
[Description("No such email found.")]
|
|
NoEmailFound = 10,
|
|
|
|
[Description("Email already exists.")]
|
|
EmailExists = 20,
|
|
|
|
[Description("Passwords do not match.")]
|
|
WrongPassword = 30,
|
|
|
|
[Description("Password should be at least 12 characters.")]
|
|
PasswordLengthIncorrect = 32,
|
|
|
|
[Description("Email is empty or invalid.")]
|
|
EmailLengthIncorrect = 35,
|
|
|
|
WrongEmail = 37,
|
|
|
|
[Description("User account is disabled.")]
|
|
UserDisabled = 38,
|
|
|
|
[Description("Account is temporarily locked due to too many failed login attempts.")]
|
|
AccountLocked = 50,
|
|
|
|
[Description("Too many login attempts. Try again later.")]
|
|
LoginRateLimited = 51,
|
|
|
|
[Description("Refresh token is invalid, expired, or has been revoked.")]
|
|
InvalidRefreshToken = 52,
|
|
|
|
[Description("Session not found.")]
|
|
SessionNotFound = 53,
|
|
|
|
[Description("Mission token request is invalid.")]
|
|
InvalidMissionRequest = 54,
|
|
|
|
[Description("Aircraft not found or wrong role.")]
|
|
AircraftNotFound = 55,
|
|
|
|
[Description("MFA is already enabled for this user.")]
|
|
MfaAlreadyEnabled = 56,
|
|
|
|
[Description("MFA enrollment is not in progress for this user.")]
|
|
MfaNotEnrolling = 57,
|
|
|
|
[Description("MFA is not enabled for this user.")]
|
|
MfaNotEnabled = 58,
|
|
|
|
[Description("Invalid MFA code or recovery code.")]
|
|
InvalidMfaCode = 59,
|
|
|
|
[Description("MFA token is invalid or expired.")]
|
|
InvalidMfaToken = 61,
|
|
|
|
[Description("No file provided.")]
|
|
NoFileProvided = 60,
|
|
} |