do sessions in memory and also fix glaring security hole
This commit is contained in:
parent
7b6c155a73
commit
f48b421500
31 changed files with 441 additions and 440 deletions
|
|
@ -1,15 +1,11 @@
|
|||
using System.Security.Claims;
|
||||
using System.Text.Encodings.Web;
|
||||
using System.Text.Json;
|
||||
using Femto.Api.Sessions;
|
||||
using Femto.Common;
|
||||
using Femto.Modules.Auth.Application;
|
||||
using Femto.Modules.Auth.Application.Dto;
|
||||
using Femto.Modules.Auth.Application.Interface.ValidateSession;
|
||||
using Femto.Modules.Auth.Errors;
|
||||
using Femto.Modules.Auth.Application.Services;
|
||||
using Microsoft.AspNetCore.Authentication;
|
||||
using Microsoft.Extensions.Options;
|
||||
using Microsoft.OpenApi.Extensions;
|
||||
|
||||
namespace Femto.Api.Auth;
|
||||
|
||||
|
|
@ -17,61 +13,84 @@ internal class SessionAuthenticationHandler(
|
|||
IOptionsMonitor<AuthenticationSchemeOptions> options,
|
||||
ILoggerFactory logger,
|
||||
UrlEncoder encoder,
|
||||
IAuthModule authModule,
|
||||
IAuthService authService,
|
||||
CurrentUserContext currentUserContext
|
||||
) : AuthenticationHandler<AuthenticationSchemeOptions>(options, logger, encoder)
|
||||
{
|
||||
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
|
||||
{
|
||||
var sessionId = this.Request.Cookies["session"];
|
||||
if (string.IsNullOrWhiteSpace(sessionId))
|
||||
Logger.LogDebug("{TraceId} Authenticating session", this.Context.TraceIdentifier);
|
||||
|
||||
var (sessionId, maybeUserId) = this.Context.GetSessionInfo();
|
||||
|
||||
|
||||
if (sessionId is null)
|
||||
{
|
||||
Logger.LogDebug("{TraceId} SessionId was null ", this.Context.TraceIdentifier);
|
||||
return AuthenticateResult.NoResult();
|
||||
|
||||
var userJson = this.Request.Cookies["user"];
|
||||
if (string.IsNullOrWhiteSpace(userJson))
|
||||
return AuthenticateResult.Fail("Invalid user");
|
||||
|
||||
var user = JsonSerializer.Deserialize<UserInfo>(userJson);
|
||||
|
||||
if (user is null)
|
||||
return AuthenticateResult.Fail("Invalid user");
|
||||
|
||||
var rememberMe = this.Request.Cookies["rememberme"];
|
||||
|
||||
try
|
||||
{
|
||||
var result = await authModule.Command(
|
||||
new ValidateSessionCommand(sessionId, user, rememberMe)
|
||||
);
|
||||
|
||||
var claims = new List<Claim>
|
||||
{
|
||||
new(ClaimTypes.Name, user.Username),
|
||||
new("sub", user.Id.ToString()),
|
||||
new("user_id", user.Id.ToString()),
|
||||
};
|
||||
|
||||
claims.AddRange(user.Roles.Select(role => new Claim(ClaimTypes.Role, role.ToString())));
|
||||
|
||||
var identity = new ClaimsIdentity(claims, this.Scheme.Name);
|
||||
var principal = new ClaimsPrincipal(identity);
|
||||
|
||||
this.Context.SetSession(result.SessionDto, user, Logger);
|
||||
|
||||
currentUserContext.CurrentUser = new CurrentUser(
|
||||
user.Id,
|
||||
user.Username,
|
||||
result.SessionDto.SessionId,
|
||||
rememberMe
|
||||
);
|
||||
|
||||
return AuthenticateResult.Success(
|
||||
new AuthenticationTicket(principal, this.Scheme.Name)
|
||||
);
|
||||
}
|
||||
catch (InvalidSessionError)
|
||||
|
||||
var session = await authService.GetSession(sessionId);
|
||||
|
||||
if (session is null)
|
||||
{
|
||||
return AuthenticateResult.Fail("Invalid session");
|
||||
Logger.LogDebug("{TraceId} Loaded session was null ", this.Context.TraceIdentifier);
|
||||
return await FailAndDeleteSession(sessionId);
|
||||
}
|
||||
|
||||
if (session.IsExpired)
|
||||
{
|
||||
Logger.LogDebug("{TraceId} Loaded session was expired ", this.Context.TraceIdentifier);
|
||||
return await FailAndDeleteSession(sessionId);
|
||||
}
|
||||
|
||||
if (maybeUserId is not { } userId)
|
||||
{
|
||||
Logger.LogDebug("{TraceId} SessionId provided with no user", this.Context.TraceIdentifier);
|
||||
return await FailAndDeleteSession(sessionId);
|
||||
}
|
||||
|
||||
if (session.UserId != userId)
|
||||
{
|
||||
Logger.LogDebug("{TraceId} SessionId provided with different user", this.Context.TraceIdentifier);
|
||||
return await FailAndDeleteSession(sessionId);
|
||||
}
|
||||
|
||||
var user = await authService.GetUserWithId(userId);
|
||||
|
||||
if (user is null)
|
||||
{
|
||||
await authService.DeleteSession(sessionId);
|
||||
this.Context.DeleteSession();
|
||||
return AuthenticateResult.Fail("invalid session");
|
||||
}
|
||||
|
||||
if (session.ExpiresSoon)
|
||||
{
|
||||
session = await authService.CreateWeakSession(userId);
|
||||
this.Context.SetSession(session, user);
|
||||
}
|
||||
|
||||
var claims = new List<Claim>
|
||||
{
|
||||
new(ClaimTypes.Name, user.Username),
|
||||
new("sub", user.Id.ToString()),
|
||||
new("user_id", user.Id.ToString()),
|
||||
};
|
||||
|
||||
claims.AddRange(user.Roles.Select(role => new Claim(ClaimTypes.Role, role.ToString())));
|
||||
|
||||
var identity = new ClaimsIdentity(claims, this.Scheme.Name);
|
||||
var principal = new ClaimsPrincipal(identity);
|
||||
currentUserContext.CurrentUser = new CurrentUser(user.Id, user.Username);
|
||||
|
||||
return AuthenticateResult.Success(new AuthenticationTicket(principal, this.Scheme.Name));
|
||||
}
|
||||
|
||||
private async Task<AuthenticateResult> FailAndDeleteSession(string sessionId)
|
||||
{
|
||||
await authService.DeleteSession(sessionId);
|
||||
this.Context.DeleteSession();
|
||||
return AuthenticateResult.Fail("invalid session");
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue