mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 17:41:09 +00:00
Oleksandr Bezdieniezhnykh
51a293dbcc
AZ-531 — /login now returns access (15 min) + opaque refresh; rotation on /token/refresh; reuse of a rotated refresh kills the entire session family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new sessions table with serializable-tx rotation. AZ-532 — switched access-token signing from HS256 shared-secret to ES256 file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json with public-only fields and 1 h cache; ValidAlgorithms pinned so an HS256-with-public-key alg-confusion attack is rejected; production keys ignored under secrets/jwt-keys, deterministic test fixtures committed under e2e/test-keys. Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests). Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux budget unchanged, see batch_02_cycle2_review.md F1). Co-authored-by: Cursor <cursoragent@cursor.com>
108 lines
4.0 KiB
C#
108 lines
4.0 KiB
C#
using System.IdentityModel.Tokens.Jwt;
|
|
using System.Net;
|
|
using System.Net.Http.Json;
|
|
using System.Text.Json;
|
|
using Azaion.E2E.Helpers;
|
|
using FluentAssertions;
|
|
using Xunit;
|
|
|
|
namespace Azaion.E2E.Tests;
|
|
|
|
[Collection("E2E")]
|
|
public sealed class AuthTests
|
|
{
|
|
private static readonly JsonSerializerOptions ResponseJsonOptions = new()
|
|
{
|
|
PropertyNameCaseInsensitive = true
|
|
};
|
|
|
|
private sealed record ErrorResponse(int ErrorCode, string Message);
|
|
private sealed record LoginOkResponse(string Token);
|
|
|
|
private readonly TestFixture _fixture;
|
|
|
|
public AuthTests(TestFixture fixture) => _fixture = fixture;
|
|
|
|
[Fact]
|
|
public async Task Login_with_valid_admin_credentials_returns_200_and_token()
|
|
{
|
|
// Arrange
|
|
using var client = _fixture.CreateApiClient();
|
|
|
|
// Act
|
|
using var response = await client.PostAsync("/login",
|
|
new { email = _fixture.AdminEmail, password = _fixture.AdminPassword });
|
|
|
|
// Assert
|
|
response.StatusCode.Should().Be(HttpStatusCode.OK);
|
|
var body = await response.Content.ReadFromJsonAsync<LoginOkResponse>(ResponseJsonOptions);
|
|
body.Should().NotBeNull();
|
|
body!.Token.Should().NotBeNullOrWhiteSpace();
|
|
}
|
|
|
|
[Fact]
|
|
public async Task Jwt_contains_expected_claims_and_lifetime()
|
|
{
|
|
// Arrange
|
|
using var client = _fixture.CreateApiClient();
|
|
|
|
// Act
|
|
using var loginResponse = await client.PostAsync("/login",
|
|
new { email = _fixture.AdminEmail, password = _fixture.AdminPassword });
|
|
var loginBody = await loginResponse.Content.ReadFromJsonAsync<LoginOkResponse>(ResponseJsonOptions);
|
|
var jwt = new JwtSecurityTokenHandler().ReadJwtToken(loginBody!.Token);
|
|
|
|
// Assert
|
|
loginResponse.StatusCode.Should().Be(HttpStatusCode.OK);
|
|
jwt.Issuer.Should().Be("AzaionApi");
|
|
jwt.Audiences.Should().Contain("Annotators/OrangePi/Admins");
|
|
var iatSeconds = long.Parse(
|
|
jwt.Claims.Single(c => c.Type == JwtRegisteredClaimNames.Iat).Value,
|
|
System.Globalization.CultureInfo.InvariantCulture);
|
|
var expSeconds = long.Parse(
|
|
jwt.Claims.Single(c => c.Type == JwtRegisteredClaimNames.Exp).Value,
|
|
System.Globalization.CultureInfo.InvariantCulture);
|
|
// AZ-531 — access tokens are now 15-min (refresh-flow shortened from 4h).
|
|
TimeSpan.FromSeconds(expSeconds - iatSeconds)
|
|
.Should().BeCloseTo(TimeSpan.FromMinutes(15), TimeSpan.FromSeconds(60));
|
|
jwt.Claims.Should().Contain(c => c.Type == "role");
|
|
// AZ-531 / AZ-535 — sid and jti claims are needed for logout + per-token denylist.
|
|
jwt.Claims.Should().Contain(c => c.Type == JwtRegisteredClaimNames.Sid);
|
|
jwt.Claims.Should().Contain(c => c.Type == JwtRegisteredClaimNames.Jti);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task Login_with_unknown_email_returns_409_with_error_code_10()
|
|
{
|
|
// Arrange
|
|
using var client = _fixture.CreateApiClient();
|
|
|
|
// Act
|
|
using var response = await client.PostAsync("/login",
|
|
new { email = "nonexistent@example.com", password = "irrelevant" });
|
|
|
|
// Assert
|
|
response.StatusCode.Should().Be(HttpStatusCode.Conflict);
|
|
var err = await response.Content.ReadFromJsonAsync<ErrorResponse>(ResponseJsonOptions);
|
|
err.Should().NotBeNull();
|
|
err!.ErrorCode.Should().Be(10);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task Login_with_wrong_password_returns_409_with_error_code_30()
|
|
{
|
|
// Arrange
|
|
using var client = _fixture.CreateApiClient();
|
|
|
|
// Act
|
|
using var response = await client.PostAsync("/login",
|
|
new { email = _fixture.AdminEmail, password = "DefinitelyWrongPassword" });
|
|
|
|
// Assert
|
|
response.StatusCode.Should().Be(HttpStatusCode.Conflict);
|
|
var err = await response.Content.ReadFromJsonAsync<ErrorResponse>(ResponseJsonOptions);
|
|
err.Should().NotBeNull();
|
|
err!.ErrorCode.Should().Be(30);
|
|
}
|
|
}
|