Initial QMAX production app
This commit is contained in:
@@ -0,0 +1,74 @@
|
||||
using System.IdentityModel.Tokens.Jwt;
|
||||
using System.Security.Claims;
|
||||
using System.Security.Cryptography;
|
||||
using System.Text;
|
||||
using Microsoft.Extensions.Options;
|
||||
using Microsoft.IdentityModel.Tokens;
|
||||
using QMax.Api.Configuration;
|
||||
using QMax.Api.Data.Entities;
|
||||
|
||||
namespace QMax.Api.Infrastructure.Auth;
|
||||
|
||||
public interface ITokenService
|
||||
{
|
||||
string CreateAccessToken(User user, UserSession session, DateTimeOffset expiresAt);
|
||||
string CreateRefreshToken();
|
||||
string HashRefreshToken(string refreshToken);
|
||||
}
|
||||
|
||||
public sealed class TokenService(IOptions<QMaxOptions> options) : ITokenService
|
||||
{
|
||||
private readonly QMaxOptions _options = options.Value;
|
||||
|
||||
public string CreateAccessToken(User user, UserSession session, DateTimeOffset expiresAt)
|
||||
{
|
||||
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(GetJwtSecret()));
|
||||
var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
|
||||
var claims = new[]
|
||||
{
|
||||
new Claim(JwtRegisteredClaimNames.Sub, user.Id.ToString()),
|
||||
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
|
||||
new Claim("sid", session.Id.ToString()),
|
||||
new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
|
||||
new Claim(ClaimTypes.Name, user.DisplayName)
|
||||
};
|
||||
|
||||
var token = new JwtSecurityToken(
|
||||
issuer: _options.JwtIssuer,
|
||||
audience: _options.JwtAudience,
|
||||
claims: claims,
|
||||
notBefore: DateTime.UtcNow,
|
||||
expires: expiresAt.UtcDateTime,
|
||||
signingCredentials: credentials);
|
||||
|
||||
return new JwtSecurityTokenHandler().WriteToken(token);
|
||||
}
|
||||
|
||||
public string CreateRefreshToken()
|
||||
{
|
||||
Span<byte> bytes = stackalloc byte[48];
|
||||
RandomNumberGenerator.Fill(bytes);
|
||||
return Convert.ToBase64String(bytes);
|
||||
}
|
||||
|
||||
public string HashRefreshToken(string refreshToken)
|
||||
{
|
||||
var bytes = SHA256.HashData(Encoding.UTF8.GetBytes(refreshToken));
|
||||
return Convert.ToHexString(bytes);
|
||||
}
|
||||
|
||||
private string GetJwtSecret()
|
||||
{
|
||||
if (!string.IsNullOrWhiteSpace(_options.JwtSecret) && _options.JwtSecret.Length >= 32)
|
||||
{
|
||||
return _options.JwtSecret;
|
||||
}
|
||||
|
||||
if (Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") == "Development")
|
||||
{
|
||||
return "development-only-qmax-secret-change-before-production";
|
||||
}
|
||||
|
||||
throw new InvalidOperationException("QMax:JwtSecret must be set to at least 32 characters in production.");
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,20 @@
|
||||
using System.Security.Claims;
|
||||
|
||||
namespace QMax.Api.Infrastructure.Auth;
|
||||
|
||||
public static class UserContext
|
||||
{
|
||||
public static Guid GetUserId(this ClaimsPrincipal principal)
|
||||
{
|
||||
var value = principal.FindFirstValue(ClaimTypes.NameIdentifier)
|
||||
?? principal.FindFirstValue("sub")
|
||||
?? throw new InvalidOperationException("Authenticated user id is missing.");
|
||||
return Guid.Parse(value);
|
||||
}
|
||||
|
||||
public static Guid? GetSessionId(this ClaimsPrincipal principal)
|
||||
{
|
||||
var value = principal.FindFirstValue("sid");
|
||||
return Guid.TryParse(value, out var id) ? id : null;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user