botris.social/femto-backend
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

remember me

Browse source
This commit is contained in:
john 2025-06-21 11:41:53 +02:00
parent dac3acfecf
commit 8629883f88
10 changed files with 278 additions and 96 deletions
Download patch file Download diff file Expand all files Collapse all files

75
Femto.Modules.Auth/Application/Services/AuthService.cs → Femto.Modules.Auth/Application/AuthService.cs
View file

@ -7,7 +7,7 @@ using Femto.Modules.Auth.Infrastructure;
using Femto.Modules.Auth.Models;
using Microsoft.EntityFrameworkCore;
namespace Femto.Modules.Auth.Application.Services;
namespace Femto.Modules.Auth.Application;
internal class AuthService(
AuthContext context,
@ -15,10 +15,11 @@ internal class AuthService(
IDbConnectionFactory connectionFactory
) : IAuthService
{
public async Task<UserAndSession?> GetUserWithCredentials(string username,
public async Task<UserAndSession?> AuthenticateUserCredentials(
string username,
string password,
bool createLongTermSession,
CancellationToken cancellationToken = default)
CancellationToken cancellationToken = default
)
{
var user = await context
.Users.Where(u => u.Username == username)
@ -48,7 +49,7 @@ internal class AuthService(
.SingleOrDefaultAsync(cancellationToken);
}
public async Task<Session> CreateStrongSession(Guid userId)
public async Task<Session> CreateNewSession(Guid userId)
{
var session = new Session(userId, true);
@ -76,11 +77,12 @@ internal class AuthService(
await storage.DeleteSession(sessionId);
}
public async Task<UserAndSession> CreateUserWithCredentials(string username,
public async Task<UserAndSession> CreateUserWithCredentials(
string username,
string password,
string signupCode,
bool createLongTermSession,
CancellationToken cancellationToken = default)
CancellationToken cancellationToken = default
)
{
var now = DateTimeOffset.UtcNow;
@ -166,24 +168,61 @@ internal class AuthService(
.ToList();
}
public async Task<LongTermSession> CreateLongTermSession(Guid userId, bool isStrong)
public async Task<NewRememberMeToken> CreateRememberMeToken(Guid userId)
{
throw new NotImplementedException();
var (rememberMeToken, verifier) = LongTermSession.Create(userId);
await context.AddAsync(rememberMeToken);
await context.SaveChangesAsync();
return new(rememberMeToken.Selector, verifier, rememberMeToken.Expires);
}
public async Task<LongTermSession> DeleteLongTermSession(string sessionId)
public async Task<(UserInfo?, NewRememberMeToken?)> GetUserWithRememberMeToken(
RememberMeToken rememberMeToken
)
{
throw new NotImplementedException();
var token = await context.LongTermSessions.SingleOrDefaultAsync(t =>
t.Selector == rememberMeToken.Selector
);
if (token is null)
return (null, null);
if (!token.Validate(rememberMeToken.Verifier))
return (null, null);
var user = await context.Users.SingleOrDefaultAsync(u => u.Id == token.UserId);
if (user is null)
return (null, null);
if (token.ExpiresSoon)
{
var (newToken, verifier) = LongTermSession.Create(user.Id);
await context.AddAsync(newToken);
await context.SaveChangesAsync();
return (new(user), new(newToken.Selector, verifier, newToken.Expires));
}
return (new(user), null);
}
public async Task<LongTermSession> RefreshLongTermSession(string sessionId)
public async Task DeleteRememberMeToken(RememberMeToken rememberMeToken)
{
throw new NotImplementedException();
}
var session = await context.LongTermSessions.SingleOrDefaultAsync(s =>
s.Selector == rememberMeToken.Selector
);
public async Task<ValidateSessionResult> ValidateLongTermSession(string sessionId)
{
throw new NotImplementedException();
if (session is null)
return;
if (!session.Validate(rememberMeToken.Verifier))
return;
context.Remove(session);
await context.SaveChangesAsync();
}
private class GetSignupCodesQueryResultRow

1
Femto.Modules.Auth/Application/AuthStartup.cs
View file

@ -3,7 +3,6 @@ using Femto.Common.Infrastructure;
using Femto.Common.Infrastructure.DbConnection;
using Femto.Common.Infrastructure.Outbox;
using Femto.Common.Integration;
using Femto.Modules.Auth.Application.Services;
using Femto.Modules.Auth.Data;
using Femto.Modules.Auth.Infrastructure;
using MediatR;

18
Femto.Modules.Auth/Application/Dto/RememberMeToken.cs Normal file
View file

@ -0,0 +1,18 @@
using Femto.Modules.Auth.Models;
namespace Femto.Modules.Auth.Application.Dto;
public record RememberMeToken(string Selector, string Verifier)
{
public static RememberMeToken FromCode(string code)
{
var parts = code.Split('.');
return new RememberMeToken(parts[0], parts[1]);
}
};
public record NewRememberMeToken(string Selector, string Verifier, DateTimeOffset Expires)
{
public string Code => $"{Selector}.{Verifier}";
}

14
Femto.Modules.Auth/Application/Services/IAuthService.cs → Femto.Modules.Auth/Application/IAuthService.cs
View file

@ -1,7 +1,7 @@
using Femto.Modules.Auth.Application.Dto;
using Femto.Modules.Auth.Models;
namespace Femto.Modules.Auth.Application.Services;
namespace Femto.Modules.Auth.Application;
/// <summary>
/// I broke off IAuthService from IAuthModule because the CQRS distinction is cumbersome when doing auth handling,
@ -11,17 +11,16 @@ namespace Femto.Modules.Auth.Application.Services;
/// </summary>
public interface IAuthService
{
public Task<UserAndSession?> GetUserWithCredentials(
public Task<UserAndSession?> AuthenticateUserCredentials(
string username,
string password,
bool createLongTermSession,
CancellationToken cancellationToken = default
);
public Task<UserInfo?> GetUserWithId(
Guid? userId,
CancellationToken cancellationToken = default
);
public Task<Session> CreateStrongSession(Guid userId);
public Task<Session> CreateNewSession(Guid userId);
public Task<Session> CreateWeakSession(Guid userId);
public Task<Session?> GetSession(string sessionId);
public Task DeleteSession(string sessionId);
@ -29,7 +28,6 @@ public interface IAuthService
public Task<UserAndSession> CreateUserWithCredentials(string username,
string password,
string signupCode,
bool createLongTermSession,
CancellationToken cancellationToken = default);
public Task AddSignupCode(
@ -41,6 +39,10 @@ public interface IAuthService
public Task<ICollection<SignupCodeDto>> GetSignupCodes(
CancellationToken cancellationToken = default
);
Task<NewRememberMeToken> CreateRememberMeToken(Guid userId);
Task<(UserInfo?, NewRememberMeToken?)> GetUserWithRememberMeToken(RememberMeToken rememberMeToken);
Task DeleteRememberMeToken(RememberMeToken rememberMeToken);
}
public record UserAndSession(UserInfo User, Session Session);
public record UserAndSession(UserInfo User, Session Session);

13
Femto.Modules.Auth/Data/Configurations/LongTermSessionConfiguration.cs Normal file
View file

@ -0,0 +1,13 @@
using Femto.Modules.Auth.Models;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Metadata.Builders;
namespace Femto.Modules.Auth.Data.Configurations;
public class LongTermSessionConfiguration : IEntityTypeConfiguration<LongTermSession>
{
public void Configure(EntityTypeBuilder<LongTermSession> builder)
{
builder.ToTable("long_term_session");
}
}

46
Femto.Modules.Auth/Models/LongTermSession.cs
View file

@ -1,3 +1,4 @@
using System.ComponentModel.DataAnnotations.Schema;
using System.Text;
using static System.Security.Cryptography.RandomNumberGenerator;
@ -6,22 +7,30 @@ namespace Femto.Modules.Auth.Models;
public class LongTermSession
{
private static TimeSpan TokenTimeout { get; } = TimeSpan.FromDays(90);
private static TimeSpan RefreshBuffer { get; } = TimeSpan.FromDays(5);
public int Id { get; private set; }
public string Selector { get; private set; }
public byte[] HashedVerifier { get; private set; }
public DateTimeOffset Expires { get; private set; }
public Guid UserId { get; private set; }
private LongTermSession() {}
[NotMapped]
public bool ExpiresSoon => this.Expires < DateTimeOffset.UtcNow + RefreshBuffer;
private LongTermSession() { }
public static (LongTermSession, string) Create(Guid userId)
{
var selector = GetString("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", 12);
var selector = GetString(
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
12
);
var verifier = GetString("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", 32);
using var sha256 = System.Security.Cryptography.SHA256.Create();
@ -29,23 +38,26 @@ public class LongTermSession
var longTermSession = new LongTermSession
{
Selector = selector,
HashedVerifier = sha256.ComputeHash(Encoding.UTF8.GetBytes(verifier)),
HashedVerifier = ComputeHash(verifier),
UserId = userId,
Expires = DateTimeOffset.UtcNow + TokenTimeout
Expires = DateTimeOffset.UtcNow + TokenTimeout,
};
var rememberMeToken = $"{selector}.{verifier}";
return (longTermSession, rememberMeToken);
return (longTermSession, verifier);
}
public bool Validate(string verifier)
{
if (this.Expires < DateTimeOffset.UtcNow)
return false;
return ComputeHash(verifier).SequenceEqual(this.HashedVerifier);
}
private static byte[] ComputeHash(string verifier)
{
using var sha256 = System.Security.Cryptography.SHA256.Create();
var hashedVerifier = sha256.ComputeHash(Encoding.UTF8.GetBytes(verifier));
return hashedVerifier.SequenceEqual(this.HashedVerifier);
return hashedVerifier;
}
}
}

6
Femto.Modules.Auth/Models/Session.cs
View file

@ -4,11 +4,13 @@ namespace Femto.Modules.Auth.Models;
public class Session(Guid userId, bool isStrong)
{
private static readonly TimeSpan ValidityPeriod = TimeSpan.FromSeconds(5);
private static readonly TimeSpan RefreshBuffer = TimeSpan.FromMinutes(0);
public string Id { get; } = Convert.ToBase64String(GetBytes(32));
public Guid UserId { get; } = userId;
public DateTimeOffset Expires { get; } = DateTimeOffset.UtcNow + TimeSpan.FromMinutes(15);
public DateTimeOffset Expires { get; } = DateTimeOffset.UtcNow + ValidityPeriod;
public bool ExpiresSoon => this.Expires < DateTimeOffset.UtcNow + TimeSpan.FromMinutes(5);
public bool ExpiresSoon => this.Expires < DateTimeOffset.UtcNow + RefreshBuffer;
public bool IsStronglyAuthenticated { get; } = isStrong;
public bool IsExpired => this.Expires < DateTimeOffset.UtcNow;
}