mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 12:11:09 +00:00
Oleksandr Bezdieniezhnykh
1e1ded73f5
Add RFC 6238 TOTP enrollment, two-step /login flow, recovery codes, and
the amr=["pwd","mfa"] claim that propagates through refresh-token rotation.
- New endpoints: /users/me/mfa/{enroll,confirm,disable} and /login/mfa.
- /login short-circuits to a 5-min ES256 step-1 token (audience-pinned
azaion-mfa-step2) when the user has MFA enabled; real access+refresh
pair is minted only after /login/mfa.
- mfa_secret encrypted at rest via ASP.NET Core IDataProtector
(purpose=Azaion.Mfa.Secret.v1; key folder configurable via
DataProtection:KeysFolder for production persistence).
- Recovery codes (10 single-use, base32, ~80-bit entropy) hashed with
SHA-256 and stored as JSONB; constant-time compare on lookup.
- RFC 6238 §5.2 replay defense via mfa_last_used_window per user.
- Sessions carry mfa_authenticated so /token/refresh re-stamps the
amr claim correctly across the entire 30-day refresh window.
- New audit events: enroll, confirm, disable, login-success/failed,
recovery-used.
- Schema: env/db/10_users_mfa.sql adds users.mfa_* columns and
sessions.mfa_authenticated; mfa_recovery_codes mapped as BinaryJson
in AzaionDbSchemaHolder; disable path uses raw parameterised SQL to
avoid LinqToDB null-literal type-inference on jsonb columns.
E2E: 6 new tests in MfaLoginTests cover all six AC; full suite
82 passed / 0 failed / 3 intentional skips.
Co-authored-by: Cursor <cursoragent@cursor.com>
152 lines
6.4 KiB
C#
152 lines
6.4 KiB
C#
using System.Security.Cryptography;
|
|
using System.Text;
|
|
using Azaion.Common;
|
|
using Azaion.Common.Configs;
|
|
using Azaion.Common.Database;
|
|
using Azaion.Common.Entities;
|
|
using LinqToDB;
|
|
using Microsoft.Extensions.Options;
|
|
|
|
namespace Azaion.Services;
|
|
|
|
/// <summary>
|
|
/// AZ-531 — issues, rotates, and validates opaque refresh tokens. Reuse-detection
|
|
/// kills the entire session family per OAuth 2.1 §6.1.
|
|
/// </summary>
|
|
public interface IRefreshTokenService
|
|
{
|
|
/// <summary>
|
|
/// Mint a fresh refresh token at login; starts a new session family. Returns
|
|
/// the opaque token (NEVER persisted; only its sha256 lands in the DB) and
|
|
/// the session row that backs it. <paramref name="mfaAuthenticated"/> is pinned
|
|
/// to the session so refresh-token rotation inherits the original AMR strength.
|
|
/// </summary>
|
|
Task<(string OpaqueToken, Session Session)> IssueForNewLogin(Guid userId, bool mfaAuthenticated = false, CancellationToken ct = default);
|
|
|
|
/// <summary>
|
|
/// Rotate <paramref name="opaqueToken"/>. On success returns the new token +
|
|
/// the new session row. On reuse-detection or invalid token throws
|
|
/// <see cref="BusinessException"/> with <see cref="ExceptionEnum.InvalidRefreshToken"/>;
|
|
/// reuse also revokes every active row in the same family.
|
|
/// </summary>
|
|
Task<(string OpaqueToken, Session Session)> Rotate(string opaqueToken, CancellationToken ct = default);
|
|
}
|
|
|
|
public class RefreshTokenService(IDbFactory dbFactory, IOptions<SessionConfig> sessionConfig) : IRefreshTokenService
|
|
{
|
|
private const int OpaqueTokenBytes = 32; // 256 bits → 43-char base64url string.
|
|
|
|
private readonly SessionConfig _cfg = sessionConfig.Value;
|
|
|
|
public async Task<(string OpaqueToken, Session Session)> IssueForNewLogin(Guid userId, bool mfaAuthenticated = false, CancellationToken ct = default)
|
|
{
|
|
var (opaque, hash) = GenerateToken();
|
|
var now = DateTime.UtcNow;
|
|
var session = new Session
|
|
{
|
|
Id = Guid.NewGuid(),
|
|
UserId = userId,
|
|
RefreshHash = hash,
|
|
FamilyId = Guid.NewGuid(), // self-rooted family
|
|
IssuedAt = now,
|
|
LastUsedAt = now,
|
|
ExpiresAt = now.AddHours(_cfg.RefreshSlidingHours),
|
|
FamilyStartedAt = now,
|
|
MfaAuthenticated = mfaAuthenticated,
|
|
};
|
|
// family_id should equal id for the root row so SELECT family_id from
|
|
// any row returns a stable handle even if id is renamed later.
|
|
session.FamilyId = session.Id;
|
|
|
|
await dbFactory.RunAdmin(async db => await db.InsertAsync(session, token: ct));
|
|
return (opaque, session);
|
|
}
|
|
|
|
public async Task<(string OpaqueToken, Session Session)> Rotate(string opaqueToken, CancellationToken ct = default)
|
|
{
|
|
if (string.IsNullOrWhiteSpace(opaqueToken))
|
|
throw new BusinessException(ExceptionEnum.InvalidRefreshToken);
|
|
|
|
var hash = HashToken(opaqueToken);
|
|
var now = DateTime.UtcNow;
|
|
|
|
return await dbFactory.RunAdmin(async db =>
|
|
{
|
|
// Use a serializable transaction so two concurrent refreshes can't both
|
|
// observe the row as un-rotated and both succeed.
|
|
await using var tx = await db.BeginTransactionAsync(System.Data.IsolationLevel.Serializable, ct);
|
|
|
|
var current = await db.Sessions.FirstOrDefaultAsync(s => s.RefreshHash == hash, token: ct);
|
|
if (current == null)
|
|
throw new BusinessException(ExceptionEnum.InvalidRefreshToken);
|
|
|
|
// Reuse detection: presenting an already-rotated token kills the family.
|
|
if (current.RevokedAt.HasValue)
|
|
{
|
|
if (current.RevokedReason == SessionRevokedReasons.Rotated)
|
|
{
|
|
await db.Sessions
|
|
.Where(s => s.FamilyId == current.FamilyId && s.RevokedAt == null)
|
|
.Set(s => s.RevokedAt, now)
|
|
.Set(s => s.RevokedReason, SessionRevokedReasons.ReuseDetected)
|
|
.UpdateAsync(token: ct);
|
|
await tx.CommitAsync(ct);
|
|
}
|
|
throw new BusinessException(ExceptionEnum.InvalidRefreshToken);
|
|
}
|
|
|
|
// Sliding expiry — each rotation restarts the window from `now`.
|
|
if (current.ExpiresAt < now)
|
|
throw new BusinessException(ExceptionEnum.InvalidRefreshToken);
|
|
|
|
// Absolute expiry — the family cannot live past this regardless of rotations.
|
|
if ((now - current.FamilyStartedAt).TotalHours > _cfg.RefreshAbsoluteHours)
|
|
throw new BusinessException(ExceptionEnum.InvalidRefreshToken);
|
|
|
|
var (newOpaque, newHash) = GenerateToken();
|
|
var newSession = new Session
|
|
{
|
|
Id = Guid.NewGuid(),
|
|
UserId = current.UserId,
|
|
RefreshHash = newHash,
|
|
FamilyId = current.FamilyId,
|
|
IssuedAt = now,
|
|
LastUsedAt = now,
|
|
ExpiresAt = now.AddHours(_cfg.RefreshSlidingHours),
|
|
FamilyStartedAt = current.FamilyStartedAt,
|
|
ParentSessionId = current.Id,
|
|
MfaAuthenticated = current.MfaAuthenticated,
|
|
};
|
|
|
|
await db.Sessions
|
|
.Where(s => s.Id == current.Id && s.RevokedAt == null)
|
|
.Set(s => s.RevokedAt, now)
|
|
.Set(s => s.RevokedReason, SessionRevokedReasons.Rotated)
|
|
.Set(s => s.LastUsedAt, now)
|
|
.UpdateAsync(token: ct);
|
|
|
|
await db.InsertAsync(newSession, token: ct);
|
|
await tx.CommitAsync(ct);
|
|
return (newOpaque, newSession);
|
|
});
|
|
}
|
|
|
|
private static (string Opaque, string Hash) GenerateToken()
|
|
{
|
|
var raw = RandomNumberGenerator.GetBytes(OpaqueTokenBytes);
|
|
var opaque = Base64Url(raw);
|
|
var hash = HashToken(opaque);
|
|
return (opaque, hash);
|
|
}
|
|
|
|
private static string HashToken(string opaque)
|
|
{
|
|
var bytes = Encoding.ASCII.GetBytes(opaque);
|
|
var digest = SHA256.HashData(bytes);
|
|
return Convert.ToHexString(digest);
|
|
}
|
|
|
|
private static string Base64Url(byte[] bytes) =>
|
|
Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
|
|
}
|