do sessions in memory and also fix glaring security hole

This commit is contained in:
john 2025-06-01 23:28:00 +02:00
parent 7b6c155a73
commit f48b421500
31 changed files with 441 additions and 440 deletions

View file

@ -1,15 +1,11 @@
using System.Security.Claims; using System.Security.Claims;
using System.Text.Encodings.Web; using System.Text.Encodings.Web;
using System.Text.Json;
using Femto.Api.Sessions; using Femto.Api.Sessions;
using Femto.Common; using Femto.Common;
using Femto.Modules.Auth.Application; using Femto.Modules.Auth.Application;
using Femto.Modules.Auth.Application.Dto; using Femto.Modules.Auth.Application.Services;
using Femto.Modules.Auth.Application.Interface.ValidateSession;
using Femto.Modules.Auth.Errors;
using Microsoft.AspNetCore.Authentication; using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Options; using Microsoft.Extensions.Options;
using Microsoft.OpenApi.Extensions;
namespace Femto.Api.Auth; namespace Femto.Api.Auth;
@ -17,61 +13,84 @@ internal class SessionAuthenticationHandler(
IOptionsMonitor<AuthenticationSchemeOptions> options, IOptionsMonitor<AuthenticationSchemeOptions> options,
ILoggerFactory logger, ILoggerFactory logger,
UrlEncoder encoder, UrlEncoder encoder,
IAuthModule authModule, IAuthService authService,
CurrentUserContext currentUserContext CurrentUserContext currentUserContext
) : AuthenticationHandler<AuthenticationSchemeOptions>(options, logger, encoder) ) : AuthenticationHandler<AuthenticationSchemeOptions>(options, logger, encoder)
{ {
protected override async Task<AuthenticateResult> HandleAuthenticateAsync() protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
{ {
var sessionId = this.Request.Cookies["session"]; Logger.LogDebug("{TraceId} Authenticating session", this.Context.TraceIdentifier);
if (string.IsNullOrWhiteSpace(sessionId))
var (sessionId, maybeUserId) = this.Context.GetSessionInfo();
if (sessionId is null)
{
Logger.LogDebug("{TraceId} SessionId was null ", this.Context.TraceIdentifier);
return AuthenticateResult.NoResult(); return AuthenticateResult.NoResult();
}
var userJson = this.Request.Cookies["user"]; var session = await authService.GetSession(sessionId);
if (string.IsNullOrWhiteSpace(userJson))
return AuthenticateResult.Fail("Invalid user");
var user = JsonSerializer.Deserialize<UserInfo>(userJson); if (session is null)
{
Logger.LogDebug("{TraceId} Loaded session was null ", this.Context.TraceIdentifier);
return await FailAndDeleteSession(sessionId);
}
if (session.IsExpired)
{
Logger.LogDebug("{TraceId} Loaded session was expired ", this.Context.TraceIdentifier);
return await FailAndDeleteSession(sessionId);
}
if (maybeUserId is not { } userId)
{
Logger.LogDebug("{TraceId} SessionId provided with no user", this.Context.TraceIdentifier);
return await FailAndDeleteSession(sessionId);
}
if (session.UserId != userId)
{
Logger.LogDebug("{TraceId} SessionId provided with different user", this.Context.TraceIdentifier);
return await FailAndDeleteSession(sessionId);
}
var user = await authService.GetUserWithId(userId);
if (user is null) if (user is null)
return AuthenticateResult.Fail("Invalid user");
var rememberMe = this.Request.Cookies["rememberme"];
try
{ {
var result = await authModule.Command( await authService.DeleteSession(sessionId);
new ValidateSessionCommand(sessionId, user, rememberMe) this.Context.DeleteSession();
); return AuthenticateResult.Fail("invalid session");
var claims = new List<Claim>
{
new(ClaimTypes.Name, user.Username),
new("sub", user.Id.ToString()),
new("user_id", user.Id.ToString()),
};
claims.AddRange(user.Roles.Select(role => new Claim(ClaimTypes.Role, role.ToString())));
var identity = new ClaimsIdentity(claims, this.Scheme.Name);
var principal = new ClaimsPrincipal(identity);
this.Context.SetSession(result.SessionDto, user, Logger);
currentUserContext.CurrentUser = new CurrentUser(
user.Id,
user.Username,
result.SessionDto.SessionId,
rememberMe
);
return AuthenticateResult.Success(
new AuthenticationTicket(principal, this.Scheme.Name)
);
} }
catch (InvalidSessionError)
if (session.ExpiresSoon)
{ {
return AuthenticateResult.Fail("Invalid session"); session = await authService.CreateWeakSession(userId);
this.Context.SetSession(session, user);
} }
var claims = new List<Claim>
{
new(ClaimTypes.Name, user.Username),
new("sub", user.Id.ToString()),
new("user_id", user.Id.ToString()),
};
claims.AddRange(user.Roles.Select(role => new Claim(ClaimTypes.Role, role.ToString())));
var identity = new ClaimsIdentity(claims, this.Scheme.Name);
var principal = new ClaimsPrincipal(identity);
currentUserContext.CurrentUser = new CurrentUser(user.Id, user.Username);
return AuthenticateResult.Success(new AuthenticationTicket(principal, this.Scheme.Name));
}
private async Task<AuthenticateResult> FailAndDeleteSession(string sessionId)
{
await authService.DeleteSession(sessionId);
this.Context.DeleteSession();
return AuthenticateResult.Fail("invalid session");
} }
} }

View file

@ -1,13 +1,10 @@
using Femto.Api.Auth; using Femto.Api.Auth;
using Femto.Api.Sessions; using Femto.Api.Sessions;
using Femto.Common; using Femto.Common;
using Femto.Modules.Auth.Application;
using Femto.Modules.Auth.Application.Dto;
using Femto.Modules.Auth.Application.Interface.CreateSignupCode; using Femto.Modules.Auth.Application.Interface.CreateSignupCode;
using Femto.Modules.Auth.Application.Interface.GetSignupCodesQuery; using Femto.Modules.Auth.Application.Interface.GetSignupCodesQuery;
using Femto.Modules.Auth.Application.Interface.Login;
using Femto.Modules.Auth.Application.Interface.RefreshUserSession;
using Femto.Modules.Auth.Application.Interface.Register; using Femto.Modules.Auth.Application.Interface.Register;
using Femto.Modules.Auth.Application.Services;
using Femto.Modules.Auth.Contracts; using Femto.Modules.Auth.Contracts;
using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc;
@ -21,79 +18,85 @@ public class AuthController(
IAuthModule authModule, IAuthModule authModule,
IOptions<CookieSettings> cookieSettings, IOptions<CookieSettings> cookieSettings,
ICurrentUserContext currentUserContext, ICurrentUserContext currentUserContext,
ILogger<AuthController> logger ILogger<AuthController> logger,
IAuthService authService
) : ControllerBase ) : ControllerBase
{ {
[HttpPost("login")] [HttpPost("login")]
public async Task<ActionResult<LoginResponse>> Login([FromBody] LoginRequest request) public async Task<ActionResult<LoginResponse>> Login(
[FromBody] LoginRequest request,
CancellationToken cancellationToken
)
{ {
var result = await authModule.Command(new LoginCommand(request.Username, request.Password)); var user = await authService.GetUserWithCredentials(
request.Username,
HttpContext.SetSession(result.SessionDto, result.User, logger); request.Password,
cancellationToken
return new LoginResponse(
result.User.Id,
result.User.Username,
result.User.Roles.Any(r => r == Role.SuperUser)
); );
if (user is null)
return Forbid();
var session = await authService.CreateStrongSession(user.Id);
HttpContext.SetSession(session, user);
return new LoginResponse(user.Id, user.Username, user.Roles.Any(r => r == Role.SuperUser));
} }
[HttpPost("register")] [HttpPost("register")]
public async Task<ActionResult<RegisterResponse>> Register([FromBody] RegisterRequest request) public async Task<ActionResult<RegisterResponse>> Register([FromBody] RegisterRequest request)
{ {
var result = await authModule.Command( var user = await authModule.Command(
new RegisterCommand(request.Username, request.Password, request.SignupCode) new RegisterCommand(request.Username, request.Password, request.SignupCode)
); );
HttpContext.SetSession(result.SessionDto, result.User, logger); var session = await authService.CreateStrongSession(user.Id);
HttpContext.SetSession(session, user);
return new RegisterResponse( return new RegisterResponse(
result.User.Id, user.Id,
result.User.Username, user.Username,
result.User.Roles.Any(r => r == Role.SuperUser) user.Roles.Any(r => r == Role.SuperUser)
); );
} }
[HttpDelete("session")] [HttpDelete("session")]
public async Task<ActionResult> DeleteSession() public async Task<ActionResult> DeleteSession()
{ {
var currentUser = currentUserContext.CurrentUser; var (sessionId, userId) = HttpContext.GetSessionInfo();
if (currentUser != null) if (sessionId is not null)
await authModule.Command(new DeauthenticateCommand(currentUser.Id, currentUser.SessionId, currentUser.RememberMeToken)); {
await authService.DeleteSession(sessionId);
HttpContext.DeleteSession(); HttpContext.DeleteSession();
}
return Ok(new { }); return Ok(new { });
} }
[HttpGet("user/{userId}")] [HttpGet("user/{userId}")]
[Authorize] [Authorize]
public async Task<ActionResult<RefreshUserResult>> RefreshUser( public async Task<ActionResult<GetUserInfoResult>> GetUserInfo(
Guid userId, Guid userId,
CancellationToken cancellationToken CancellationToken cancellationToken
) )
{ {
var currentUser = currentUserContext.CurrentUser!; var currentUser = currentUserContext.CurrentUser;
try if (currentUser is null || currentUser.Id != userId)
{ return this.BadRequest();
var result = await authModule.Command(
new RefreshUserCommand(userId, currentUser),
cancellationToken
);
return new RefreshUserResult( var user = await authService.GetUserWithId(userId, cancellationToken);
result.User.Id,
result.User.Username, if (user is null)
result.User.Roles.Any(r => r == Role.SuperUser) return this.BadRequest();
);
} return new GetUserInfoResult(
catch (Exception) user.Id,
{ user.Username,
HttpContext.DeleteSession(); user.Roles.Any(r => r == Role.SuperUser)
return this.Forbid(); );
}
} }
[HttpPost("signup-codes")] [HttpPost("signup-codes")]

View file

@ -0,0 +1,3 @@
namespace Femto.Api.Controllers.Auth;
public record GetUserInfoResult(Guid UserId, string Username, bool IsSuperUser);

View file

@ -1,3 +0,0 @@
namespace Femto.Api.Controllers.Auth;
public record RefreshUserResult(Guid UserId, string Username, bool IsSuperUser);

View file

@ -1,89 +1,102 @@
using System.Text.Json; using System.Text.Json;
using System.Text.Json.Serialization;
using Femto.Api.Auth; using Femto.Api.Auth;
using Femto.Modules.Auth.Application.Dto; using Femto.Modules.Auth.Application.Dto;
using Femto.Modules.Auth.Models;
using Microsoft.Extensions.Options; using Microsoft.Extensions.Options;
namespace Femto.Api.Sessions; namespace Femto.Api.Sessions;
internal record SessionInfo(string? SessionId, Guid? UserId);
internal static class HttpContextSessionExtensions internal static class HttpContextSessionExtensions
{ {
public static void SetSession(this HttpContext httpContext, SessionDto sessionDto, UserInfo user, ILogger logger) private static readonly JsonSerializerOptions JsonOptions = new()
{ {
var cookieSettings = httpContext.RequestServices.GetService<IOptions<CookieSettings>>(); PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
};
var secure = cookieSettings?.Value.Secure ?? true; public static SessionInfo GetSessionInfo(this HttpContext httpContext)
var sameSite = cookieSettings?.Value.SameSite ?? SameSiteMode.Strict; {
var domain = cookieSettings?.Value.Domain; var sessionId = httpContext.Request.Cookies["sid"];
var expires = sessionDto.Expires;
logger.LogInformation( var userJson = httpContext.Request.Cookies["user"];
"cookie settings: Secure={Secure}, SameSite={SameSite}, domain={Domain}, Expires={Expires}",
secure,
sameSite,
domain,
expires
);
httpContext.Response.Cookies.Append( UserInfo? user = null;
"session", if (userJson is not null)
sessionDto.SessionId, {
user = JsonSerializer.Deserialize<UserInfo>(userJson, JsonOptions);
}
return new SessionInfo(sessionId, user?.Id);
}
public static void SetSession(this HttpContext context, Session session, UserInfo user)
{
var cookieSettings = context.RequestServices.GetRequiredService<
IOptions<CookieSettings>
>();
context.Response.Cookies.Append(
"sid",
session.Id,
new CookieOptions new CookieOptions
{ {
Path = "/",
IsEssential = true, IsEssential = true,
Domain = domain, Domain = cookieSettings.Value.Domain,
HttpOnly = true, HttpOnly = true,
Secure = secure, Secure = cookieSettings.Value.Secure,
SameSite = sameSite, SameSite = cookieSettings.Value.SameSite,
Expires = expires, Expires = session.Expires,
} }
); );
httpContext.Response.Cookies.Append( context.Response.Cookies.Append(
"user", "user",
JsonSerializer.Serialize( JsonSerializer.Serialize(user, JsonOptions),
user,
new JsonSerializerOptions
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
Converters = { new JsonStringEnumConverter() },
}
),
new CookieOptions new CookieOptions
{ {
Domain = domain, Path = "/",
Domain = cookieSettings.Value.Domain,
IsEssential = true, IsEssential = true,
Secure = secure, Secure = cookieSettings.Value.Secure,
SameSite = sameSite, SameSite = cookieSettings.Value.SameSite,
Expires = sessionDto.Expires, Expires = session.Expires,
} }
); );
} }
public static void DeleteSession(this HttpContext httpContext) public static void DeleteSession(this HttpContext httpContext)
{ {
var cookieSettings = httpContext.RequestServices.GetService<IOptions<CookieSettings>>(); var cookieSettings = httpContext.RequestServices.GetRequiredService<
IOptions<CookieSettings>
>();
var secure = cookieSettings?.Value.Secure ?? true; httpContext.Response.Cookies.Delete(
var sameSite = secure ? SameSiteMode.None : SameSiteMode.Unspecified; "sid",
var domain = cookieSettings?.Value.Domain; new CookieOptions
{
Path = "/",
HttpOnly = true,
Domain = cookieSettings.Value.Domain,
IsEssential = true,
Secure = cookieSettings.Value.Secure,
SameSite = cookieSettings.Value.SameSite,
Expires = DateTimeOffset.UtcNow.AddDays(-1),
}
);
httpContext.Response.Cookies.Delete("session", new CookieOptions httpContext.Response.Cookies.Delete(
{ "user",
HttpOnly = true, new CookieOptions
Domain = domain, {
IsEssential = true, Path = "/",
Secure = secure, Domain = cookieSettings.Value.Domain,
SameSite = sameSite, IsEssential = true,
Expires = DateTimeOffset.UtcNow.AddDays(-1), Secure = cookieSettings.Value.Secure,
}); SameSite = cookieSettings.Value.SameSite,
httpContext.Response.Cookies.Delete("user", new CookieOptions Expires = DateTimeOffset.UtcNow.AddDays(-1),
{ }
Domain = domain, );
IsEssential = true,
Secure = secure,
SameSite = sameSite,
Expires = DateTimeOffset.UtcNow.AddDays(-1),
});
} }
} }

View file

@ -5,4 +5,4 @@ public interface ICurrentUserContext
CurrentUser? CurrentUser { get; } CurrentUser? CurrentUser { get; }
} }
public record CurrentUser(Guid Id, string Username, string SessionId, string? RememberMeToken); public record CurrentUser(Guid Id, string Username);

View file

@ -18,7 +18,12 @@ public class SaveChangesPipelineBehaviour<TRequest, TResponse>(
CancellationToken cancellationToken CancellationToken cancellationToken
) )
{ {
logger.LogDebug("handling request {Type}", typeof(TRequest).Name);
var response = await next(cancellationToken); var response = await next(cancellationToken);
var hasChanges = context.ChangeTracker.HasChanges();
logger.LogDebug("request handled. Changes? {HasChanges}", hasChanges);
if (context.ChangeTracker.HasChanges()) if (context.ChangeTracker.HasChanges())
{ {
await context.EmitDomainEvents(logger, publisher, cancellationToken); await context.EmitDomainEvents(logger, publisher, cancellationToken);

View file

@ -3,19 +3,24 @@ using Microsoft.Extensions.Logging;
namespace Femto.Common; namespace Femto.Common;
/// <summary> /// <summary>
/// We use this to bind a scope to the request scope in the composition root /// We use this to bind a scope to the request scope in the composition root
/// Any scoped services provided by this subcontainer should be accessed via a ScopeBinding injected in the host /// Any scoped services provided by this subcontainer should be accessed via a ScopeBinding injected in the host
/// </summary> /// </summary>
/// <param name="scope"></param> /// <param name="scope"></param>
public class ScopeBinding<T>(IServiceScope scope) : IDisposable public class ScopeBinding(IServiceScope scope) : IDisposable
where T : notnull
{ {
public T GetService() { private IServiceScope Scope { get; } = scope;
return scope.ServiceProvider.GetRequiredService<T>();
public T GetService<T>()
where T : notnull
{
return this.Scope.ServiceProvider.GetRequiredService<T>();
} }
public void Dispose() { public virtual void Dispose()
scope.Dispose(); {
this.Scope.Dispose();
} }
} }

View file

@ -0,0 +1,13 @@
-- Migration: addLongTermSessions
-- Created at: 29/05/2025 10:13:46
DROP TABLE authn.user_session;
CREATE TABLE authn.long_term_session
(
id serial PRIMARY KEY,
selector varchar(16) NOT NULL,
hashed_verifier bytea NOT NULL,
expires timestamptz not null,
user_id uuid REFERENCES authn.user_identity (id)
);

View file

@ -3,6 +3,7 @@ using Femto.Common.Infrastructure;
using Femto.Common.Infrastructure.DbConnection; using Femto.Common.Infrastructure.DbConnection;
using Femto.Common.Infrastructure.Outbox; using Femto.Common.Infrastructure.Outbox;
using Femto.Common.Integration; using Femto.Common.Integration;
using Femto.Modules.Auth.Application.Services;
using Femto.Modules.Auth.Data; using Femto.Modules.Auth.Data;
using Femto.Modules.Auth.Infrastructure; using Femto.Modules.Auth.Infrastructure;
using MediatR; using MediatR;
@ -24,16 +25,25 @@ public static class AuthStartup
) )
{ {
var hostBuilder = Host.CreateDefaultBuilder(); var hostBuilder = Host.CreateDefaultBuilder();
hostBuilder.ConfigureServices(services => hostBuilder.ConfigureServices(services =>
ConfigureServices(services, connectionString, eventBus, loggerFactory) ConfigureServices(services, connectionString, eventBus, loggerFactory)
); );
var host = hostBuilder.Build(); var host = hostBuilder.Build();
rootContainer.AddScoped(_ => new ScopeBinding<IAuthModule>(host.Services.CreateScope())); rootContainer.AddKeyedScoped<ScopeBinding>(
rootContainer.AddScoped(services => "AuthServiceScope",
services.GetRequiredService<ScopeBinding<IAuthModule>>().GetService() (s, o) =>
{
var scope = host.Services.CreateScope();
return new ScopeBinding(scope);
}
); );
rootContainer.ExposeScopedService<IAuthModule>();
rootContainer.ExposeScopedService<IAuthService>();
rootContainer.AddHostedService(services => new AuthApplication(host)); rootContainer.AddHostedService(services => new AuthApplication(host));
eventBus.Subscribe( eventBus.Subscribe(
(evt, cancellationToken) => EventSubscriber(evt, host.Services, cancellationToken) (evt, cancellationToken) => EventSubscriber(evt, host.Services, cancellationToken)
@ -66,7 +76,7 @@ public static class AuthStartup
{ {
options.WaitForJobsToComplete = true; options.WaitForJobsToComplete = true;
}); });
// #endif
services.AddOutbox<AuthContext, OutboxMessageHandler>(); services.AddOutbox<AuthContext, OutboxMessageHandler>();
services.AddMediatR(c => c.RegisterServicesFromAssembly(typeof(AuthStartup).Assembly)); services.AddMediatR(c => c.RegisterServicesFromAssembly(typeof(AuthStartup).Assembly));
@ -74,8 +84,10 @@ public static class AuthStartup
services.ConfigureDomainServices<AuthContext>(); services.ConfigureDomainServices<AuthContext>();
services.AddSingleton(publisher); services.AddSingleton(publisher);
services.AddSingleton<SessionStorage>();
services.AddScoped<IAuthModule, AuthModule>(); services.AddScoped<IAuthModule, AuthModule>();
services.AddScoped<IAuthService, AuthService>();
} }
private static async Task EventSubscriber( private static async Task EventSubscriber(
@ -107,3 +119,14 @@ public static class AuthStartup
} }
} }
} }
internal static class AuthServiceCollectionExtensions
{
public static void ExposeScopedService<T>(this IServiceCollection container)
where T : class
{
container.AddScoped<T>(services =>
services.GetRequiredKeyedService<ScopeBinding>("AuthServiceScope").GetService<T>()
);
}
}

View file

@ -0,0 +1,6 @@
using Femto.Common.Domain;
using Femto.Modules.Auth.Application.Dto;
namespace Femto.Modules.Auth.Application.Interface.GetUserInfo;
public record GetUserInfoCommand(Guid ForUser) : ICommand<UserInfo?>;

View file

@ -0,0 +1,27 @@
using Femto.Common.Domain;
using Femto.Modules.Auth.Application.Dto;
using Femto.Modules.Auth.Data;
using Microsoft.EntityFrameworkCore;
namespace Femto.Modules.Auth.Application.Interface.GetUserInfo;
internal class GetUserInfoCommandHandler(AuthContext context)
: ICommandHandler<GetUserInfoCommand, UserInfo?>
{
public async Task<UserInfo?> Handle(
GetUserInfoCommand request,
CancellationToken cancellationToken
)
{
var user = await context.Users.SingleOrDefaultAsync(
u => u.Id == request.ForUser,
cancellationToken
);
if (user is null)
return null;
return new UserInfo(user);
}
}

View file

@ -1,6 +0,0 @@
using Femto.Common.Domain;
using Femto.Modules.Auth.Application.Dto;
namespace Femto.Modules.Auth.Application.Interface.Login;
public record LoginCommand(string Username, string Password) : ICommand<LoginResult>;

View file

@ -1,31 +0,0 @@
using Femto.Common.Domain;
using Femto.Modules.Auth.Application.Dto;
using Femto.Modules.Auth.Data;
using Femto.Modules.Auth.Models;
using Microsoft.EntityFrameworkCore;
namespace Femto.Modules.Auth.Application.Interface.Login;
internal class LoginCommandHandler(AuthContext context)
: ICommandHandler<LoginCommand, LoginResult>
{
public async Task<LoginResult> Handle(LoginCommand request, CancellationToken cancellationToken)
{
var user = await context.Users.SingleOrDefaultAsync(
u => u.Username == request.Username,
cancellationToken
);
if (user is null)
throw new DomainError("invalid credentials");
if (!user.HasPassword(request.Password))
throw new DomainError("invalid credentials");
var session = Session.Strong(user.Id);
await context.AddAsync(session, cancellationToken);
return new(new SessionDto(session), new UserInfo(user));
}
}

View file

@ -1,7 +0,0 @@
using Femto.Common;
using Femto.Common.Domain;
using Femto.Modules.Auth.Application.Dto;
namespace Femto.Modules.Auth.Application.Interface.RefreshUserSession;
public record RefreshUserCommand(Guid ForUser, CurrentUser CurrentUser) : ICommand<RefreshUserSessionResult>;

View file

@ -1,46 +0,0 @@
using Femto.Common.Domain;
using Femto.Common.Infrastructure.DbConnection;
using Femto.Modules.Auth.Application.Dto;
using Femto.Modules.Auth.Data;
using Femto.Modules.Auth.Errors;
using Femto.Modules.Auth.Models;
using Microsoft.EntityFrameworkCore;
namespace Femto.Modules.Auth.Application.Interface.RefreshUserSession;
internal class RefreshUserSessionCommandHandler(AuthContext context)
: ICommandHandler<RefreshUserCommand, RefreshUserSessionResult>
{
public async Task<RefreshUserSessionResult> Handle(
RefreshUserCommand request,
CancellationToken cancellationToken
)
{
if (request.CurrentUser.Id != request.ForUser)
throw new DomainError("invalid request");
var user = await context.Users.SingleOrDefaultAsync(
u => u.Id == request.ForUser,
cancellationToken
);
if (user is null)
throw new DomainError("invalid request");
var session = await context.Sessions.SingleOrDefaultAsync(
s => s.Id == request.CurrentUser.SessionId && s.Expires > DateTimeOffset.UtcNow,
cancellationToken
);
if (session is null)
throw new InvalidSessionError();
if (session.ShouldRefresh)
{
session = Session.Weak(user.Id);
await context.AddAsync(session, cancellationToken);
}
return new(new SessionDto(session), new UserInfo(user));
}
}

View file

@ -3,4 +3,4 @@ using Femto.Modules.Auth.Application.Dto;
namespace Femto.Modules.Auth.Application.Interface.Register; namespace Femto.Modules.Auth.Application.Interface.Register;
public record RegisterCommand(string Username, string Password, string SignupCode) : ICommand<RegisterResult>; public record RegisterCommand(string Username, string Password, string SignupCode) : ICommand<UserInfo>;

View file

@ -7,14 +7,10 @@ using Microsoft.EntityFrameworkCore;
namespace Femto.Modules.Auth.Application.Interface.Register; namespace Femto.Modules.Auth.Application.Interface.Register;
internal class RegisterCommandHandler(AuthContext context) internal class RegisterCommandHandler(AuthContext context)
: ICommandHandler<RegisterCommand, RegisterResult> : ICommandHandler<RegisterCommand, UserInfo>
{ {
public async Task<RegisterResult> Handle( public async Task<UserInfo> Handle(RegisterCommand request, CancellationToken cancellationToken)
RegisterCommand request,
CancellationToken cancellationToken
)
{ {
var now = DateTimeOffset.UtcNow; var now = DateTimeOffset.UtcNow;
var code = await context var code = await context
@ -26,18 +22,22 @@ internal class RegisterCommandHandler(AuthContext context)
if (code is null) if (code is null)
throw new DomainError("invalid signup code"); throw new DomainError("invalid signup code");
var usernameTaken = await context.Users.AnyAsync(
u => u.Username == request.Username,
cancellationToken
);
if (usernameTaken)
throw new DomainError("username taken");
var user = new UserIdentity(request.Username); var user = new UserIdentity(request.Username);
await context.AddAsync(user, cancellationToken); await context.AddAsync(user, cancellationToken);
user.SetPassword(request.Password); user.SetPassword(request.Password);
var session = Session.Strong(user.Id);
await context.AddAsync(session, cancellationToken);
code.Redeem(user.Id); code.Redeem(user.Id);
return new(new SessionDto(session), new UserInfo(user)); return new UserInfo(user);
} }
} }

View file

@ -1,10 +0,0 @@
using Femto.Common.Domain;
using Femto.Modules.Auth.Application.Dto;
namespace Femto.Modules.Auth.Application.Interface.ValidateSession;
/// <summary>
/// Validate an existing session, and then return either the current session, or a new one in case the expiry is further in the future
/// </summary>
/// <param name="SessionId"></param>
public record ValidateSessionCommand(string SessionId, UserInfo User, string? RememberMe) : ICommand<ValidateSessionResult>;

View file

@ -1,111 +0,0 @@
using Femto.Common.Domain;
using Femto.Common.Infrastructure.DbConnection;
using Femto.Modules.Auth.Application.Dto;
using Femto.Modules.Auth.Data;
using Femto.Modules.Auth.Errors;
using Femto.Modules.Auth.Models;
using Microsoft.EntityFrameworkCore;
namespace Femto.Modules.Auth.Application.Interface.ValidateSession;
internal class ValidateSessionCommandHandler(AuthContext context)
: ICommandHandler<ValidateSessionCommand, ValidateSessionResult>
{
public async Task<ValidateSessionResult> Handle(
ValidateSessionCommand request,
CancellationToken cancellationToken
)
{
try
{
return new ValidateSessionResult(await DoSessionValidation(request, cancellationToken));
}
finally
{
await context.SaveChangesAsync(cancellationToken);
}
}
private async Task<SessionDto> DoSessionValidation(
ValidateSessionCommand request,
CancellationToken cancellationToken
)
{
var now = DateTimeOffset.UtcNow;
var session = await context.Sessions.SingleOrDefaultAsync(
s => s.Id == request.SessionId,
cancellationToken
);
var rememberMe = request.RememberMe;
if (session is null)
{
(session, rememberMe) = await this.TryAuthenticateWithRememberMeToken(
request.User,
request.RememberMe,
cancellationToken
);
}
if (session.UserId != request.User.Id)
{
context.Remove(session);
throw new InvalidSessionError();
}
if (session.Expires < now)
{
context.Remove(session);
throw new InvalidSessionError();
}
if (session.ShouldRefresh)
{
context.Remove(session);
session = Session.Weak(session.UserId);
await context.AddAsync(session, cancellationToken);
}
return new SessionDto(session, rememberMe);
}
private async Task<(Session, string)> TryAuthenticateWithRememberMeToken(
UserInfo user,
string? rememberMeToken,
CancellationToken cancellationToken
)
{
if (rememberMeToken is null)
throw new InvalidSessionError();
var parts = rememberMeToken.Split('.');
if (parts.Length != 2)
throw new InvalidSessionError();
var selector = parts[0];
var verifier = parts[1];
var longTermSession = await context.LongTermSessions.SingleOrDefaultAsync(
s => s.Selector == selector,
cancellationToken
);
if (longTermSession is null)
throw new InvalidSessionError();
context.Remove(longTermSession);
if (!longTermSession.Validate(verifier))
throw new InvalidSessionError();
var session = Session.Weak(user.Id);
await context.AddAsync(session, cancellationToken);
(longTermSession, rememberMeToken) = LongTermSession.Create(user.Id);
await context.AddAsync(longTermSession, cancellationToken);
return (session, rememberMeToken);
}
}

View file

@ -1,9 +1,7 @@
using Femto.Common.Domain; using Femto.Common.Domain;
using MediatR; using MediatR;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
namespace Femto.Modules.Auth.Application; namespace Femto.Modules.Auth.Application.Services;
internal class AuthModule(IMediator mediator) : IAuthModule internal class AuthModule(IMediator mediator) : IAuthModule
{ {

View file

@ -0,0 +1,79 @@
using Femto.Common.Domain;
using Femto.Modules.Auth.Application.Dto;
using Femto.Modules.Auth.Data;
using Femto.Modules.Auth.Infrastructure;
using Femto.Modules.Auth.Models;
using Microsoft.EntityFrameworkCore;
namespace Femto.Modules.Auth.Application.Services;
internal class AuthService(AuthContext context, SessionStorage storage) : IAuthService
{
public async Task<UserInfo?> GetUserWithCredentials(
string username,
string password,
CancellationToken cancellationToken = default
)
{
return await context
.Users.Where(u => u.Username == username)
.Select(u => new UserInfo(u.Id, u.Username, u.Roles.Select(r => r.Role).ToList()))
.SingleOrDefaultAsync(cancellationToken);
}
public Task<UserInfo?> GetUserWithId(Guid? userId, CancellationToken cancellationToken)
{
return context
.Users.Where(u => u.Id == userId)
.Select(u => new UserInfo(u.Id, u.Username, u.Roles.Select(r => r.Role).ToList()))
.SingleOrDefaultAsync(cancellationToken);
}
public async Task<Session> CreateStrongSession(Guid userId)
{
var session = new Session(userId, true);
await storage.AddSession(session);
return session;
}
public async Task<Session> CreateWeakSession(Guid userId)
{
var session = new Session(userId, false);
await storage.AddSession(session);
return session;
}
public Task<Session?> GetSession(string sessionId)
{
return storage.GetSession(sessionId);
}
public async Task DeleteSession(string sessionId)
{
await storage.DeleteSession(sessionId);
}
public async Task<LongTermSession> CreateLongTermSession(Guid userId, bool isStrong)
{
throw new NotImplementedException();
}
public async Task<LongTermSession> DeleteLongTermSession(string sessionId)
{
throw new NotImplementedException();
}
public async Task<LongTermSession> RefreshLongTermSession(string sessionId)
{
throw new NotImplementedException();
}
public async Task<ValidateSessionResult> ValidateLongTermSession(string sessionId)
{
throw new NotImplementedException();
}
}

View file

@ -1,6 +1,6 @@
using Femto.Common.Domain; using Femto.Common.Domain;
namespace Femto.Modules.Auth.Application; namespace Femto.Modules.Auth.Application.Services;
public interface IAuthModule public interface IAuthModule
{ {

View file

@ -0,0 +1,14 @@
using Femto.Modules.Auth.Application.Dto;
using Femto.Modules.Auth.Models;
namespace Femto.Modules.Auth.Application.Services;
public interface IAuthService
{
public Task<UserInfo?> GetUserWithCredentials(string username, string password, CancellationToken cancellationToken = default);
public Task<UserInfo?> GetUserWithId(Guid? userId, CancellationToken cancellationToken = default);
public Task<Session> CreateStrongSession(Guid userId);
public Task<Session> CreateWeakSession(Guid userId);
public Task<Session?> GetSession(string sessionId);
public Task DeleteSession(string sessionId);
}

View file

@ -7,7 +7,6 @@ namespace Femto.Modules.Auth.Data;
internal class AuthContext(DbContextOptions<AuthContext> options) : DbContext(options), IOutboxContext internal class AuthContext(DbContextOptions<AuthContext> options) : DbContext(options), IOutboxContext
{ {
public virtual DbSet<UserIdentity> Users { get; set; } public virtual DbSet<UserIdentity> Users { get; set; }
public virtual DbSet<Session> Sessions { get; set; }
public virtual DbSet<SignupCode> SignupCodes { get; set; } public virtual DbSet<SignupCode> SignupCodes { get; set; }
public virtual DbSet<LongTermSession> LongTermSessions { get; set; } public virtual DbSet<LongTermSession> LongTermSessions { get; set; }
public virtual DbSet<OutboxEntry> Outbox { get; set; } public virtual DbSet<OutboxEntry> Outbox { get; set; }

View file

@ -19,8 +19,6 @@ internal class UserIdentityTypeConfiguration : IEntityTypeConfiguration<UserIden
} }
); );
builder.OwnsMany(u => u.Sessions).WithOwner().HasForeignKey("user_id");
builder builder
.OwnsMany(u => u.Roles, entity => .OwnsMany(u => u.Roles, entity =>
{ {

View file

@ -0,0 +1,30 @@
using Femto.Modules.Auth.Models;
using Microsoft.Extensions.Caching.Memory;
namespace Femto.Modules.Auth.Infrastructure;
internal class SessionStorage(MemoryCacheOptions? options = null)
{
private readonly IMemoryCache _storage = new MemoryCache(options ?? new MemoryCacheOptions());
public Task<Session?> GetSession(string id)
{
return Task.FromResult(this._storage.Get<Session>(id));
}
public Task AddSession(Session session)
{
using var entry = this._storage.CreateEntry(session.Id);
entry.Value = session;
entry.SetAbsoluteExpiration(session.Expires);
return Task.CompletedTask;
}
public Task DeleteSession(string id)
{
this._storage.Remove(id);
return Task.CompletedTask;
}
}

View file

@ -0,0 +1,14 @@
using static System.Security.Cryptography.RandomNumberGenerator;
namespace Femto.Modules.Auth.Models;
public class Session(Guid userId, bool isStrong)
{
public string Id { get; } = Convert.ToBase64String(GetBytes(32));
public Guid UserId { get; } = userId;
public DateTimeOffset Expires { get; } = DateTimeOffset.UtcNow + TimeSpan.FromMinutes(15);
public bool ExpiresSoon => this.Expires < DateTimeOffset.UtcNow + TimeSpan.FromMinutes(5);
public bool IsStronglyAuthenticated { get; } = isStrong;
public bool IsExpired => this.Expires < DateTimeOffset.UtcNow;
}

View file

@ -1,9 +1,6 @@
using System.Text;
using System.Text.Unicode;
using Femto.Common.Domain; using Femto.Common.Domain;
using Femto.Modules.Auth.Contracts; using Femto.Modules.Auth.Contracts;
using Femto.Modules.Auth.Models.Events; using Femto.Modules.Auth.Models.Events;
using Geralt;
namespace Femto.Modules.Auth.Models; namespace Femto.Modules.Auth.Models;
@ -15,8 +12,6 @@ internal class UserIdentity : Entity
public Password? Password { get; private set; } public Password? Password { get; private set; }
public ICollection<Session> Sessions { get; private set; } = [];
public ICollection<UserRole> Roles { get; private set; } = []; public ICollection<UserRole> Roles { get; private set; } = [];
private UserIdentity() { } private UserIdentity() { }

View file

@ -1,33 +0,0 @@
using static System.Security.Cryptography.RandomNumberGenerator;
namespace Femto.Modules.Auth.Models;
internal class Session
{
private static TimeSpan SessionTimeout { get; } = TimeSpan.FromMinutes(30);
private static TimeSpan ExpiryBuffer { get; } = TimeSpan.FromMinutes(5);
public string Id { get; private set; }
public Guid UserId { get; private set; }
public DateTimeOffset Expires { get; private set; }
public bool ExpiresSoon => Expires < DateTimeOffset.UtcNow + ExpiryBuffer;
// true if this session was created with remember me token
// otherwise false
// required to be true to do things like change password etc.
public bool IsStronglyAuthenticated { get; private set; }
public bool ShouldRefresh => this.Expires < DateTimeOffset.UtcNow + ExpiryBuffer;
private Session() { }
public static Session Strong(Guid userId) => new(userId, true);
public static Session Weak(Guid userId) => new(userId, false);
private Session(Guid userId, bool isStrong)
{
this.Id = Convert.ToBase64String(GetBytes(32));
this.UserId = userId;
this.Expires = DateTimeOffset.UtcNow + SessionTimeout;
this.IsStronglyAuthenticated = isStrong;
}
}

View file

@ -35,9 +35,13 @@ public static class BlogStartup
rootContainer.AddHostedService(_ => new BlogApplication(host)); rootContainer.AddHostedService(_ => new BlogApplication(host));
rootContainer.AddScoped(_ => new ScopeBinding<IBlogModule>(host.Services.CreateScope())); rootContainer.AddKeyedScoped<ScopeBinding>(
"BlogService",
(_, o) => new ScopeBinding(host.Services.CreateScope())
);
rootContainer.AddScoped(services => rootContainer.AddScoped(services =>
services.GetRequiredService<ScopeBinding<IBlogModule>>().GetService() services.GetRequiredKeyedService<ScopeBinding>("BlogService").GetService<IBlogModule>()
); );
bus.Subscribe( bus.Subscribe(