Chris Chen
2aa095c158
TokenService.GenerateRefreshToken():
- Switched to URL-safe Base64 (RFC 4648 §5): +→-, /→_, no = padding.
- Characters are unreserved per RFC 6265, so Response.Cookies.Append
does NOT percent-encode the value. Request.Cookies reads back exact value.
AuthController:
- CookieOptions.Secure = !env.IsDevelopment()
Plain HTTP in local dev works; HTTPS-only in staging/production.
- Inject IWebHostEnvironment for environment-aware Secure flag.
TokenServiceTests:
- Updated GenerateRefreshToken test: 86-char URL-safe Base64 instead
of 64-byte standard Base64. 16/16 tests pass.
Smoke test results (http://localhost:5209):
1. POST /api/auth/login → 200 + rolac_rt cookie + JWT
2. POST /api/auth/refresh → 200 + new token (rotation)
3. POST /api/auth/logout → 204 + cookie cleared
4. Refresh with revoked token → 401
5. Wrong password → 401
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
74 lines
2.5 KiB
C#
74 lines
2.5 KiB
C#
using System.IdentityModel.Tokens.Jwt;
|
|
using System.Security.Claims;
|
|
using System.Security.Cryptography;
|
|
using System.Text;
|
|
using Microsoft.IdentityModel.Tokens;
|
|
using ROLAC.API.Entities;
|
|
|
|
namespace ROLAC.API.Services;
|
|
|
|
public class TokenService : ITokenService
|
|
{
|
|
private readonly IConfiguration _config;
|
|
|
|
public TokenService(IConfiguration config)
|
|
{
|
|
_config = config;
|
|
}
|
|
|
|
public string GenerateAccessToken(AppUser user, IList<string> roles)
|
|
{
|
|
var secretKey = _config["Jwt:SecretKey"]!;
|
|
var issuer = _config["Jwt:Issuer"]!;
|
|
var audience = _config["Jwt:Audience"]!;
|
|
var expiryMin = int.Parse(_config["Jwt:AccessTokenExpiryMinutes"]!);
|
|
|
|
var claims = new List<Claim>
|
|
{
|
|
new(JwtRegisteredClaimNames.Sub, user.Id),
|
|
new(JwtRegisteredClaimNames.Email, user.Email!),
|
|
new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
|
|
};
|
|
|
|
// Use the short JWT claim name "role" so the payload is clean and
|
|
// JsonWebTokenHandler (the v7.x default validator) can read it without
|
|
// needing an inbound claim-type map applied.
|
|
foreach (var role in roles)
|
|
claims.Add(new Claim("role", role));
|
|
|
|
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secretKey));
|
|
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
|
|
|
|
var token = new JwtSecurityToken(
|
|
issuer: issuer,
|
|
audience: audience,
|
|
claims: claims,
|
|
expires: DateTime.UtcNow.AddMinutes(expiryMin),
|
|
signingCredentials: creds);
|
|
|
|
return new JwtSecurityTokenHandler().WriteToken(token);
|
|
}
|
|
|
|
public string GenerateRefreshToken()
|
|
{
|
|
var bytes = new byte[64];
|
|
using var rng = RandomNumberGenerator.Create();
|
|
rng.GetBytes(bytes);
|
|
// Use URL-safe Base64 (RFC 4648 §5) with no padding.
|
|
// Standard Base64 '+' → '-', '/' → '_', '=' stripped.
|
|
// All resulting characters are unreserved in RFC 6265 cookie-values,
|
|
// so Response.Cookies.Append will NOT percent-encode the token —
|
|
// meaning Request.Cookies[name] returns the exact string we stored.
|
|
return Convert.ToBase64String(bytes)
|
|
.Replace('+', '-')
|
|
.Replace('/', '_')
|
|
.TrimEnd('=');
|
|
}
|
|
|
|
public string HashToken(string rawToken)
|
|
{
|
|
var bytes = SHA256.HashData(Encoding.UTF8.GetBytes(rawToken));
|
|
return Convert.ToHexString(bytes).ToLower();
|
|
}
|
|
}
|