diff --git a/Femto.Api/Auth/CookieSettings.cs b/Femto.Api/Auth/CookieSettings.cs
new file mode 100644
index 0000000..449a2cf
--- /dev/null
+++ b/Femto.Api/Auth/CookieSettings.cs
@@ -0,0 +1,7 @@
+namespace Femto.Api.Auth;
+
+public class CookieSettings
+{
+ public bool SameSite { get; set; }
+ public bool Secure { get; set; }
+}
\ No newline at end of file
diff --git a/Femto.Api/Auth/SessionAuthenticationHandler.cs b/Femto.Api/Auth/SessionAuthenticationHandler.cs
index ce74176..08f1b11 100644
--- a/Femto.Api/Auth/SessionAuthenticationHandler.cs
+++ b/Femto.Api/Auth/SessionAuthenticationHandler.cs
@@ -15,7 +15,8 @@ internal class SessionAuthenticationHandler(
 ILoggerFactory logger,
 UrlEncoder encoder,
 IAuthModule authModule,
- CurrentUserContext currentUserContext
+ CurrentUserContext currentUserContext,
+ IOptions cookieOptions
 ) : AuthenticationHandler(options, logger, encoder)
 {
 protected override async Task HandleAuthenticateAsync()
@@ -38,7 +39,7 @@ internal class SessionAuthenticationHandler(
 var identity = new ClaimsIdentity(claims, this.Scheme.Name);
 var principal = new ClaimsPrincipal(identity);
 
- this.Context.SetSession(result.Session);
+ this.Context.SetSession(result.Session, cookieOptions.Value);
 currentUserContext.CurrentUser = new CurrentUser(result.UserId, result.Username);
 
 return AuthenticateResult.Success(
diff --git a/Femto.Api/Controllers/Auth/AuthController.cs b/Femto.Api/Controllers/Auth/AuthController.cs
index 8f3c52f..4228628 100644
--- a/Femto.Api/Controllers/Auth/AuthController.cs
+++ b/Femto.Api/Controllers/Auth/AuthController.cs
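Review bot: Both properties are plain `bool`s with no initializer, so when the `Cookies` configuration section is absent or misspelled the bound instance is `Secure = false`, `SameSite = false`, and the mapping in the HttpContextSessionExtensions hunk turns that into a session cookie sent over plain HTTP with `SameSite=None`; the strict setting should be the default and the relaxed one the explicit opt-in. Initialise them to the safe values, `public bool SameSite { get; set; } = true;` and `public bool Secure { get; set; } = true;`, so that a missing section tightens rather than loosens the cookie. A `<summary>` on each property stating which `SameSiteMode` the flag selects would also help, since the name `SameSite` does not tell a reader that `false` means `None` rather than `Lax`.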
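Review bot: The injected options parameter is named `cookieOptions` in this constructor but `cookieSettings` in AuthController and in `SetSession`, although all three carry the same `IOptions` value; renaming it here to `cookieSettings` keeps the three call sites readable as one setting. The primary constructor's parameter list begins before this hunk, so the other parameters were not checked for the same inconsistency.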
@@ -1,14 +1,16 @@
+using Femto.Api.Auth;
 using Femto.Api.Sessions;
 using Femto.Modules.Auth.Application;
 using Femto.Modules.Auth.Application.Commands.Login;
 using Femto.Modules.Auth.Application.Commands.Register;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Options;
 
 namespace Femto.Api.Controllers.Auth;
 
 [ApiController]
 [Route("auth")]
-public class AuthController(IAuthModule authModule) : ControllerBase
+public class AuthController(IAuthModule authModule, IOptions cookieSettings) : ControllerBase
 {
 [HttpPost("login")]
 public async Task> Login([FromBody] LoginRequest request)
@@ -17,7 +19,7 @@ public class AuthController(IAuthModule authModule) : ControllerBase
 new LoginCommand(request.Username, request.Password)
 );
 
- HttpContext.SetSession(result.Session);
+ HttpContext.SetSession(result.Session, cookieSettings.Value);
 
 return new LoginResponse(result.UserId, result.Username);
 }
@@ -29,7 +31,7 @@ public class AuthController(IAuthModule authModule) : ControllerBase
 new RegisterCommand(request.Username, request.Password)
 );
 
- HttpContext.SetSession(result.Session);
+ HttpContext.SetSession(result.Session, cookieSettings.Value);
 
 return new RegisterResponse(result.UserId, result.Username);
 }
diff --git a/Femto.Api/Program.cs b/Femto.Api/Program.cs
index f441cbe..29b75e4 100644
--- a/Femto.Api/Program.cs
+++ b/Femto.Api/Program.cs
@@ -66,6 +66,9 @@ builder
 options.JsonSerializerOptions.NumberHandling = JsonNumberHandling.AllowReadingFromString;
 });
 
+builder.Services.Configure(
+ builder.Configuration.GetSection("Cookies"));
+
 builder
 .Services.AddAuthentication("SessionAuth")
 .AddScheme(
diff --git a/Femto.Api/Sessions/HttpContextSessionExtensions.cs b/Femto.Api/Sessions/HttpContextSessionExtensions.cs
index 47bad20..02c06cb 100644
--- a/Femto.Api/Sessions/HttpContextSessionExtensions.cs
+++ b/Femto.Api/Sessions/HttpContextSessionExtensions.cs
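Review bot: `Configure(builder.Configuration.GetSection("Cookies"))` binds the section silently, so a missing or misspelled `Cookies` section leaves every `CookieSettings` flag at `false` with no startup error, and nothing rejects the `SameSite = false` / `Secure = false` combination that `SetSession` then emits as `SameSite=None` without `Secure`. Register the options through the builder with validation that runs at startup, `builder.Services.AddOptions<CookieSettings>().Bind(builder.Configuration.GetSection("Cookies"))` followed by `.Validate(s => s.Secure || s.SameSite, "SameSite=None requires Secure=true").ValidateOnStart();`, so a bad deployment fails at boot instead of issuing a cookie browsers drop. The generic type argument of `Configure` is not visible in this rendering of the hunk, so it was assumed to be `CookieSettings`.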
@@ -1,10 +1,11 @@
+using Femto.Api.Auth;
 using Femto.Modules.Auth.Application.Dto;
 
 namespace Femto.Api.Sessions;
 
 internal static class HttpContextSessionExtensions
 {
- public static void SetSession(this HttpContext httpContext, Session session)
+ public static void SetSession(this HttpContext httpContext, Session session, CookieSettings cookieSettings)
 {
 httpContext.Response.Cookies.Append(
 "session",
@@ -12,8 +13,8 @@ internal static class HttpContextSessionExtensions
 new CookieOptions
 {
 HttpOnly = true,
- // Secure = true,
- // SameSite = SameSiteMode.Strict,
+ Secure = cookieSettings.Secure,
+ SameSite = cookieSettings.SameSite? SameSiteMode.Strict : SameSiteMode.None,
 Expires = session.Expires,
 }
 );
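Review bot: `SameSite = cookieSettings.SameSite? SameSiteMode.Strict : SameSiteMode.None` can pair `SameSite=None` with `Secure = false` whenever both flags are off, and current browsers discard a `SameSite=None` cookie that is not also `Secure`, so that configuration silently breaks login rather than merely weakening it. A `bool` also cannot express `Lax`, which is the usual middle ground when `Strict` is too restrictive for top-level navigations into the app. Carry the enum in the setting itself, `public SameSiteMode SameSite { get; set; } = SameSiteMode.Strict;` on `CookieSettings`, and assign it here as `SameSite = cookieSettings.SameSite,`; if the bool stays, add the missing space before `?` to match the file's formatting and guard the `None` case with `Secure = cookieSettings.Secure || !cookieSettings.SameSite,`. The `SetSession` method begins in the previous hunk, so the cookie name and value lines were not reviewed here.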