Tasks 7-9: AuthController, appsettings, Program.cs

Task 7 – AuthController (POST /api/auth/login|refresh|logout) - Refresh token in HttpOnly; Secure; SameSite=Strict cookie (rolac_rt) - Cookie Path scoped to /api/auth; cleared on logout/invalid refresh Task 8 – appsettings.json (non-secret JWT values + CORS origins) - appsettings.Development.json carries connection string + JWT secret (file is gitignored) Task 9 – Program.cs wiring - EF Core + Npgsql, ASP.NET Core Identity, JWT Bearer auth - RoleClaimType=role matches the short JWT claim name written by TokenService - CORS: AllowCredentials for Angular app - Swagger UI with Bearer security definition - Startup: MigrateAsync + DbSeeder.SeedAsync (roles + dev admin) - DbSeeder: added SeedAsync(IServiceProvider) entry point Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-26 17:40:52 -07:00
parent 9db8b34181
commit 8b86bd573e
4 changed files with 262 additions and 6 deletions
@@ -0,0 +1,117 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using ROLAC.API.DTOs.Auth;
+using ROLAC.API.Services;
+
+namespace ROLAC.API.Controllers;
+
+[ApiController]
+[Route("api/auth")]
+public class AuthController : ControllerBase
+{
+    private const string CookieName    = "rolac_rt";
+    private const int    CookieMaxAge  = 30 * 24 * 60 * 60; // 30 days in seconds
+
+    private readonly IAuthService _authService;
+
+    public AuthController(IAuthService authService)
+        => _authService = authService;
+
+    // -------------------------------------------------------------------------
+    // POST /api/auth/login
+    // -------------------------------------------------------------------------
+
+    /// <summary>Authenticates a user and returns an access token.</summary>
+    [HttpPost("login")]
+    [AllowAnonymous]
+    [ProducesResponseType(typeof(LoginResponse), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    public async Task<IActionResult> Login([FromBody] LoginRequest request)
+    {
+        try
+        {
+            var ip     = HttpContext.Connection.RemoteIpAddress?.ToString();
+            var device = Request.Headers.UserAgent.FirstOrDefault();
+            var (response, raw) = await _authService.LoginAsync(request, ip, device);
+            SetRefreshCookie(raw);
+            return Ok(response);
+        }
+        catch (UnauthorizedAccessException ex)
+        {
+            return Unauthorized(new { message = ex.Message });
+        }
+    }
+
+    // -------------------------------------------------------------------------
+    // POST /api/auth/refresh
+    // -------------------------------------------------------------------------
+
+    /// <summary>
+    /// Rotates the refresh token (read from the HttpOnly cookie) and returns a
+    /// new access token.
+    /// </summary>
+    [HttpPost("refresh")]
+    [AllowAnonymous]
+    [ProducesResponseType(typeof(LoginResponse), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    public async Task<IActionResult> Refresh()
+    {
+        var raw = Request.Cookies[CookieName];
+        if (string.IsNullOrEmpty(raw))
+            return Unauthorized(new { message = "Refresh token not found." });
+
+        try
+        {
+            var ip = HttpContext.Connection.RemoteIpAddress?.ToString();
+            var (response, newRaw) = await _authService.RefreshAsync(raw, ip);
+            SetRefreshCookie(newRaw);
+            return Ok(response);
+        }
+        catch (UnauthorizedAccessException ex)
+        {
+            ClearRefreshCookie();
+            return Unauthorized(new { message = ex.Message });
+        }
+    }
+
+    // -------------------------------------------------------------------------
+    // POST /api/auth/logout
+    // -------------------------------------------------------------------------
+
+    /// <summary>Revokes the current refresh token and clears the cookie.</summary>
+    [HttpPost("logout")]
+    [AllowAnonymous]
+    [ProducesResponseType(StatusCodes.Status204NoContent)]
+    public async Task<IActionResult> Logout()
+    {
+        var raw = Request.Cookies[CookieName];
+        if (!string.IsNullOrEmpty(raw))
+            await _authService.LogoutAsync(raw);
+
+        ClearRefreshCookie();
+        return NoContent();
+    }
+
+    // -------------------------------------------------------------------------
+    // Private helpers
+    // -------------------------------------------------------------------------
+
+    private void SetRefreshCookie(string rawToken)
+        => Response.Cookies.Append(CookieName, rawToken, new CookieOptions
+        {
+            HttpOnly = true,
+            Secure   = true,
+            SameSite = SameSiteMode.Strict,
+            MaxAge   = TimeSpan.FromSeconds(CookieMaxAge),
+            Path     = "/api/auth",
+        });
+
+    private void ClearRefreshCookie()
+        => Response.Cookies.Delete(CookieName, new CookieOptions
+        {
+            HttpOnly = true,
+            Secure   = true,
+            SameSite = SameSiteMode.Strict,
+            Path     = "/api/auth",
+        });
+}