do sessions in memory and also fix glaring security hole
This commit is contained in:
parent
7b6c155a73
commit
f48b421500
31 changed files with 441 additions and 440 deletions
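--- /dev/null
+++ b/Femto.Modules.Auth/Models/Session.cs
@@ -0,0 +1,14 @@
+using static System.Security.Cryptography.RandomNumberGenerator;
+
+namespace Femto.Modules.Auth.Models;
+
+public class Session(Guid userId, bool isStrong)
+{
+    public string Id { get; } = Convert.ToBase64String(GetBytes(32));
+    public Guid UserId { get; } = userId;
+    public DateTimeOffset Expires { get; } = DateTimeOffset.UtcNow + TimeSpan.FromMinutes(15);
+
+    public bool ExpiresSoon => this.Expires < DateTimeOffset.UtcNow + TimeSpan.FromMinutes(5);
+    public bool IsStronglyAuthenticated { get; } = isStrong;
+    public bool IsExpired => this.Expires < DateTimeOffset.UtcNow;
+}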
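Review bot: `Session` is now `public` whereas the deleted version at the bottom of this page was `internal`, and the `Id` getter exposes the raw 256-bit bearer token, so the wider visibility lets any assembly that references Femto.Modules.Auth read live session secrets; unless another module has to consume the type, `internal class Session(Guid userId, bool isStrong)` restores the previous boundary. The explanatory comment on `IsStronglyAuthenticated` was not carried over, and since the deleted file described it as the gate for actions such as changing the password, add `/// <summary>Whether this session may perform sensitive actions (e.g. password change); set from the isStrong constructor argument. Confirm which login path counts as strong — the removed comment tied it to the remember-me token, which reads inverted.</summary>` above the property. The 15-minute lifetime and 5-minute warning window are now inline `TimeSpan.FromMinutes(...)` literals where the old file named them; `private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(15);` plus an `ExpiryBuffer` counterpart would keep the absolute-expiry policy self-documenting. Because `Expires` is get-only a session cannot be extended in place, so a refresh triggered by `ExpiresSoon` presumably issues a fresh `Session` with a new `Id`; that is fine (it rotates the token) as long as the caller also evicts the old entry from the in-memory store.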
|
@ -1,9 +1,6 @@
|
|||
using System.Text;
|
||||
using System.Text.Unicode;
|
||||
using Femto.Common.Domain;
|
||||
using Femto.Modules.Auth.Contracts;
|
||||
using Femto.Modules.Auth.Models.Events;
|
||||
using Geralt;
|
||||
|
||||
namespace Femto.Modules.Auth.Models;
|
||||
|
||||
|
@ -15,8 +12,6 @@ internal class UserIdentity : Entity
|
|||
|
||||
public Password? Password { get; private set; }
|
||||
|
||||
public ICollection<Session> Sessions { get; private set; } = [];
|
||||
|
||||
public ICollection<UserRole> Roles { get; private set; } = [];
|
||||
|
||||
private UserIdentity() { }
|
||||
|
|
|
@ -1,33 +0,0 @@
|
|||
using static System.Security.Cryptography.RandomNumberGenerator;
|
||||
|
||||
namespace Femto.Modules.Auth.Models;
|
||||
|
||||
internal class Session
|
||||
{
|
||||
private static TimeSpan SessionTimeout { get; } = TimeSpan.FromMinutes(30);
|
||||
private static TimeSpan ExpiryBuffer { get; } = TimeSpan.FromMinutes(5);
|
||||
public string Id { get; private set; }
|
||||
public Guid UserId { get; private set; }
|
||||
public DateTimeOffset Expires { get; private set; }
|
||||
public bool ExpiresSoon => Expires < DateTimeOffset.UtcNow + ExpiryBuffer;
|
||||
|
||||
// true if this session was created with remember me token
|
||||
// otherwise false
|
||||
// required to be true to do things like change password etc.
|
||||
public bool IsStronglyAuthenticated { get; private set; }
|
||||
public bool ShouldRefresh => this.Expires < DateTimeOffset.UtcNow + ExpiryBuffer;
|
||||
|
||||
private Session() { }
|
||||
|
||||
public static Session Strong(Guid userId) => new(userId, true);
|
||||
|
||||
public static Session Weak(Guid userId) => new(userId, false);
|
||||
|
||||
private Session(Guid userId, bool isStrong)
|
||||
{
|
||||
this.Id = Convert.ToBase64String(GetBytes(32));
|
||||
this.UserId = userId;
|
||||
this.Expires = DateTimeOffset.UtcNow + SessionTimeout;
|
||||
this.IsStronglyAuthenticated = isStrong;
|
||||
}
|
||||
}
|