ROLAC

ChrisChen/ROLAC

Fork 0

Commit Graph

Author	SHA1	Message	Date
Chris Chen	2aa095c158	Task 11: Smoke test fixes (all 5 scenarios pass) TokenService.GenerateRefreshToken(): - Switched to URL-safe Base64 (RFC 4648 §5): +→-, /→_, no = padding. - Characters are unreserved per RFC 6265, so Response.Cookies.Append does NOT percent-encode the value. Request.Cookies reads back exact value. AuthController: - CookieOptions.Secure = !env.IsDevelopment() Plain HTTP in local dev works; HTTPS-only in staging/production. - Inject IWebHostEnvironment for environment-aware Secure flag. TokenServiceTests: - Updated GenerateRefreshToken test: 86-char URL-safe Base64 instead of 64-byte standard Base64. 16/16 tests pass. Smoke test results (http://localhost:5209): 1. POST /api/auth/login → 200 + rolac_rt cookie + JWT 2. POST /api/auth/refresh → 200 + new token (rotation) 3. POST /api/auth/logout → 204 + cookie cleared 4. Refresh with revoked token → 401 5. Wrong password → 401 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-26 19:28:20 -07:00
Chris Chen	f74563bb36	Task 5: TokenService + unit tests (7/7 pass) - ITokenService: GenerateAccessToken / GenerateRefreshToken / HashToken - TokenService: JWT (HS256, 15-min), 64-byte CSPRNG refresh, SHA-256 hex hash - Role claims use short JWT name role (v7.x JsonWebTokenHandler compatible) - TokenServiceTests: 7 xUnit tests, payload decoded via Base64Url+System.Text.Json to avoid Microsoft.IdentityModel 7.1.2/7.5.2 version-mismatch issues Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-26 17:34:56 -07:00

Author

SHA1

Message

Date

Chris Chen

2aa095c158

Task 11: Smoke test fixes (all 5 scenarios pass)

TokenService.GenerateRefreshToken():
  - Switched to URL-safe Base64 (RFC 4648 §5): +→-, /→_, no = padding.
  - Characters are unreserved per RFC 6265, so Response.Cookies.Append
    does NOT percent-encode the value.  Request.Cookies reads back exact value.

AuthController:
  - CookieOptions.Secure = !env.IsDevelopment()
    Plain HTTP in local dev works; HTTPS-only in staging/production.
  - Inject IWebHostEnvironment for environment-aware Secure flag.

TokenServiceTests:
  - Updated GenerateRefreshToken test: 86-char URL-safe Base64 instead
    of 64-byte standard Base64.  16/16 tests pass.

Smoke test results (http://localhost:5209):
  1. POST /api/auth/login       → 200 + rolac_rt cookie + JWT
  2. POST /api/auth/refresh     → 200 + new token (rotation)
  3. POST /api/auth/logout      → 204 + cookie cleared
  4. Refresh with revoked token → 401
  5. Wrong password             → 401

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-26 19:28:20 -07:00

Chris Chen

f74563bb36

Task 5: TokenService + unit tests (7/7 pass)

- ITokenService: GenerateAccessToken / GenerateRefreshToken / HashToken
- TokenService: JWT (HS256, 15-min), 64-byte CSPRNG refresh, SHA-256 hex hash
  - Role claims use short JWT name role (v7.x JsonWebTokenHandler compatible)
- TokenServiceTests: 7 xUnit tests, payload decoded via Base64Url+System.Text.Json
  to avoid Microsoft.IdentityModel 7.1.2/7.5.2 version-mismatch issues

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-26 17:34:56 -07:00

2 Commits