botris.social/femto-backend
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

do sessions in memory and also fix glaring security hole

Browse source
This commit is contained in:
john 2025-06-01 23:28:00 +02:00
parent 7b6c155a73
commit f48b421500
31 changed files with 441 additions and 440 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Femto.Modules.Auth/Application/Interface/GetUserInfo/GetUserInfoCommand.cs Normal file
View file

@ -0,0 +1,6 @@
using Femto.Common.Domain;
using Femto.Modules.Auth.Application.Dto;
namespace Femto.Modules.Auth.Application.Interface.GetUserInfo;
public record GetUserInfoCommand(Guid ForUser) : ICommand<UserInfo?>;

27
Femto.Modules.Auth/Application/Interface/GetUserInfo/GetUserInfoCommandHandler.cs Normal file
View file

@ -0,0 +1,27 @@
using Femto.Common.Domain;
using Femto.Modules.Auth.Application.Dto;
using Femto.Modules.Auth.Data;
using Microsoft.EntityFrameworkCore;
namespace Femto.Modules.Auth.Application.Interface.GetUserInfo;
internal class GetUserInfoCommandHandler(AuthContext context)
: ICommandHandler<GetUserInfoCommand, UserInfo?>
{
public async Task<UserInfo?> Handle(
GetUserInfoCommand request,
CancellationToken cancellationToken
)
{
var user = await context.Users.SingleOrDefaultAsync(
u => u.Id == request.ForUser,
cancellationToken
);
if (user is null)
return null;
return new UserInfo(user);
}
}

6
Femto.Modules.Auth/Application/Interface/Login/LoginCommand.cs
View file

@ -1,6 +0,0 @@
using Femto.Common.Domain;
using Femto.Modules.Auth.Application.Dto;
namespace Femto.Modules.Auth.Application.Interface.Login;
public record LoginCommand(string Username, string Password) : ICommand<LoginResult>;

31
Femto.Modules.Auth/Application/Interface/Login/LoginCommandHandler.cs
View file

@ -1,31 +0,0 @@
using Femto.Common.Domain;
using Femto.Modules.Auth.Application.Dto;
using Femto.Modules.Auth.Data;
using Femto.Modules.Auth.Models;
using Microsoft.EntityFrameworkCore;
namespace Femto.Modules.Auth.Application.Interface.Login;
internal class LoginCommandHandler(AuthContext context)
: ICommandHandler<LoginCommand, LoginResult>
{
public async Task<LoginResult> Handle(LoginCommand request, CancellationToken cancellationToken)
{
var user = await context.Users.SingleOrDefaultAsync(
u => u.Username == request.Username,
cancellationToken
);
if (user is null)
throw new DomainError("invalid credentials");
if (!user.HasPassword(request.Password))
throw new DomainError("invalid credentials");
var session = Session.Strong(user.Id);
await context.AddAsync(session, cancellationToken);
return new(new SessionDto(session), new UserInfo(user));
}
}

7
Femto.Modules.Auth/Application/Interface/RefreshUserSession/RefreshUserSessionCommand.cs
View file

@ -1,7 +0,0 @@
using Femto.Common;
using Femto.Common.Domain;
using Femto.Modules.Auth.Application.Dto;
namespace Femto.Modules.Auth.Application.Interface.RefreshUserSession;
public record RefreshUserCommand(Guid ForUser, CurrentUser CurrentUser) : ICommand<RefreshUserSessionResult>;

46
Femto.Modules.Auth/Application/Interface/RefreshUserSession/RefreshUserSessionCommandHandler.cs
View file

@ -1,46 +0,0 @@
using Femto.Common.Domain;
using Femto.Common.Infrastructure.DbConnection;
using Femto.Modules.Auth.Application.Dto;
using Femto.Modules.Auth.Data;
using Femto.Modules.Auth.Errors;
using Femto.Modules.Auth.Models;
using Microsoft.EntityFrameworkCore;
namespace Femto.Modules.Auth.Application.Interface.RefreshUserSession;
internal class RefreshUserSessionCommandHandler(AuthContext context)
: ICommandHandler<RefreshUserCommand, RefreshUserSessionResult>
{
public async Task<RefreshUserSessionResult> Handle(
RefreshUserCommand request,
CancellationToken cancellationToken
)
{
if (request.CurrentUser.Id != request.ForUser)
throw new DomainError("invalid request");
var user = await context.Users.SingleOrDefaultAsync(
u => u.Id == request.ForUser,
cancellationToken
);
if (user is null)
throw new DomainError("invalid request");
var session = await context.Sessions.SingleOrDefaultAsync(
s => s.Id == request.CurrentUser.SessionId && s.Expires > DateTimeOffset.UtcNow,
cancellationToken
);
if (session is null)
throw new InvalidSessionError();
if (session.ShouldRefresh)
{
session = Session.Weak(user.Id);
await context.AddAsync(session, cancellationToken);
}
return new(new SessionDto(session), new UserInfo(user));
}
}

2
Femto.Modules.Auth/Application/Interface/Register/RegisterCommand.cs
View file

@ -3,4 +3,4 @@ using Femto.Modules.Auth.Application.Dto;
namespace Femto.Modules.Auth.Application.Interface.Register;
public record RegisterCommand(string Username, string Password, string SignupCode) : ICommand<RegisterResult>;
public record RegisterCommand(string Username, string Password, string SignupCode) : ICommand<UserInfo>;

26
Femto.Modules.Auth/Application/Interface/Register/RegisterCommandHandler.cs
View file

@ -7,16 +7,12 @@ using Microsoft.EntityFrameworkCore;
namespace Femto.Modules.Auth.Application.Interface.Register;
internal class RegisterCommandHandler(AuthContext context)
: ICommandHandler<RegisterCommand, RegisterResult>
: ICommandHandler<RegisterCommand, UserInfo>
{
public async Task<RegisterResult> Handle(
RegisterCommand request,
CancellationToken cancellationToken
)
public async Task<UserInfo> Handle(RegisterCommand request, CancellationToken cancellationToken)
{
var now = DateTimeOffset.UtcNow;
var code = await context
.SignupCodes.Where(c => c.Code == request.SignupCode)
.Where(c => c.ExpiresAt == null || c.ExpiresAt > now)
@ -26,18 +22,22 @@ internal class RegisterCommandHandler(AuthContext context)
if (code is null)
throw new DomainError("invalid signup code");
var usernameTaken = await context.Users.AnyAsync(
u => u.Username == request.Username,
cancellationToken
);
if (usernameTaken)
throw new DomainError("username taken");
var user = new UserIdentity(request.Username);
await context.AddAsync(user, cancellationToken);
user.SetPassword(request.Password);
var session = Session.Strong(user.Id);
await context.AddAsync(session, cancellationToken);
code.Redeem(user.Id);
return new(new SessionDto(session), new UserInfo(user));
return new UserInfo(user);
}
}

10
Femto.Modules.Auth/Application/Interface/ValidateSession/ValidateSessionCommand.cs
View file

@ -1,10 +0,0 @@
using Femto.Common.Domain;
using Femto.Modules.Auth.Application.Dto;
namespace Femto.Modules.Auth.Application.Interface.ValidateSession;
/// <summary>
/// Validate an existing session, and then return either the current session, or a new one in case the expiry is further in the future
/// </summary>
/// <param name="SessionId"></param>
public record ValidateSessionCommand(string SessionId, UserInfo User, string? RememberMe) : ICommand<ValidateSessionResult>;

111
Femto.Modules.Auth/Application/Interface/ValidateSession/ValidateSessionCommandHandler.cs
View file

@ -1,111 +0,0 @@
using Femto.Common.Domain;
using Femto.Common.Infrastructure.DbConnection;
using Femto.Modules.Auth.Application.Dto;
using Femto.Modules.Auth.Data;
using Femto.Modules.Auth.Errors;
using Femto.Modules.Auth.Models;
using Microsoft.EntityFrameworkCore;
namespace Femto.Modules.Auth.Application.Interface.ValidateSession;
internal class ValidateSessionCommandHandler(AuthContext context)
: ICommandHandler<ValidateSessionCommand, ValidateSessionResult>
{
public async Task<ValidateSessionResult> Handle(
ValidateSessionCommand request,
CancellationToken cancellationToken
)
{
try
{
return new ValidateSessionResult(await DoSessionValidation(request, cancellationToken));
}
finally
{
await context.SaveChangesAsync(cancellationToken);
}
}
private async Task<SessionDto> DoSessionValidation(
ValidateSessionCommand request,
CancellationToken cancellationToken
)
{
var now = DateTimeOffset.UtcNow;
var session = await context.Sessions.SingleOrDefaultAsync(
s => s.Id == request.SessionId,
cancellationToken
);
var rememberMe = request.RememberMe;
if (session is null)
{
(session, rememberMe) = await this.TryAuthenticateWithRememberMeToken(
request.User,
request.RememberMe,
cancellationToken
);
}
if (session.UserId != request.User.Id)
{
context.Remove(session);
throw new InvalidSessionError();
}
if (session.Expires < now)
{
context.Remove(session);
throw new InvalidSessionError();
}
if (session.ShouldRefresh)
{
context.Remove(session);
session = Session.Weak(session.UserId);
await context.AddAsync(session, cancellationToken);
}
return new SessionDto(session, rememberMe);
}
private async Task<(Session, string)> TryAuthenticateWithRememberMeToken(
UserInfo user,
string? rememberMeToken,
CancellationToken cancellationToken
)
{
if (rememberMeToken is null)
throw new InvalidSessionError();
var parts = rememberMeToken.Split('.');
if (parts.Length != 2)
throw new InvalidSessionError();
var selector = parts[0];
var verifier = parts[1];
var longTermSession = await context.LongTermSessions.SingleOrDefaultAsync(
s => s.Selector == selector,
cancellationToken
);
if (longTermSession is null)
throw new InvalidSessionError();
context.Remove(longTermSession);
if (!longTermSession.Validate(verifier))
throw new InvalidSessionError();
var session = Session.Weak(user.Id);
await context.AddAsync(session, cancellationToken);
(longTermSession, rememberMeToken) = LongTermSession.Create(user.Id);
await context.AddAsync(longTermSession, cancellationToken);
return (session, rememberMeToken);
}
}