Chris Chen
8b86bd573e
Task 7 – AuthController (POST /api/auth/login|refresh|logout)
- Refresh token in HttpOnly; Secure; SameSite=Strict cookie (rolac_rt)
- Cookie Path scoped to /api/auth; cleared on logout/invalid refresh
Task 8 – appsettings.json (non-secret JWT values + CORS origins)
- appsettings.Development.json carries connection string + JWT secret
(file is gitignored)
Task 9 – Program.cs wiring
- EF Core + Npgsql, ASP.NET Core Identity, JWT Bearer auth
- RoleClaimType=role matches the short JWT claim name written by TokenService
- CORS: AllowCredentials for Angular app
- Swagger UI with Bearer security definition
- Startup: MigrateAsync + DbSeeder.SeedAsync (roles + dev admin)
- DbSeeder: added SeedAsync(IServiceProvider) entry point
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
118 lines
4.0 KiB
C#
118 lines
4.0 KiB
C#
using Microsoft.AspNetCore.Authorization;
|
|
using Microsoft.AspNetCore.Mvc;
|
|
using ROLAC.API.DTOs.Auth;
|
|
using ROLAC.API.Services;
|
|
|
|
namespace ROLAC.API.Controllers;
|
|
|
|
[ApiController]
|
|
[Route("api/auth")]
|
|
public class AuthController : ControllerBase
|
|
{
|
|
private const string CookieName = "rolac_rt";
|
|
private const int CookieMaxAge = 30 * 24 * 60 * 60; // 30 days in seconds
|
|
|
|
private readonly IAuthService _authService;
|
|
|
|
public AuthController(IAuthService authService)
|
|
=> _authService = authService;
|
|
|
|
// -------------------------------------------------------------------------
|
|
// POST /api/auth/login
|
|
// -------------------------------------------------------------------------
|
|
|
|
/// <summary>Authenticates a user and returns an access token.</summary>
|
|
[HttpPost("login")]
|
|
[AllowAnonymous]
|
|
[ProducesResponseType(typeof(LoginResponse), StatusCodes.Status200OK)]
|
|
[ProducesResponseType(StatusCodes.Status401Unauthorized)]
|
|
public async Task<IActionResult> Login([FromBody] LoginRequest request)
|
|
{
|
|
try
|
|
{
|
|
var ip = HttpContext.Connection.RemoteIpAddress?.ToString();
|
|
var device = Request.Headers.UserAgent.FirstOrDefault();
|
|
var (response, raw) = await _authService.LoginAsync(request, ip, device);
|
|
SetRefreshCookie(raw);
|
|
return Ok(response);
|
|
}
|
|
catch (UnauthorizedAccessException ex)
|
|
{
|
|
return Unauthorized(new { message = ex.Message });
|
|
}
|
|
}
|
|
|
|
// -------------------------------------------------------------------------
|
|
// POST /api/auth/refresh
|
|
// -------------------------------------------------------------------------
|
|
|
|
/// <summary>
|
|
/// Rotates the refresh token (read from the HttpOnly cookie) and returns a
|
|
/// new access token.
|
|
/// </summary>
|
|
[HttpPost("refresh")]
|
|
[AllowAnonymous]
|
|
[ProducesResponseType(typeof(LoginResponse), StatusCodes.Status200OK)]
|
|
[ProducesResponseType(StatusCodes.Status401Unauthorized)]
|
|
public async Task<IActionResult> Refresh()
|
|
{
|
|
var raw = Request.Cookies[CookieName];
|
|
if (string.IsNullOrEmpty(raw))
|
|
return Unauthorized(new { message = "Refresh token not found." });
|
|
|
|
try
|
|
{
|
|
var ip = HttpContext.Connection.RemoteIpAddress?.ToString();
|
|
var (response, newRaw) = await _authService.RefreshAsync(raw, ip);
|
|
SetRefreshCookie(newRaw);
|
|
return Ok(response);
|
|
}
|
|
catch (UnauthorizedAccessException ex)
|
|
{
|
|
ClearRefreshCookie();
|
|
return Unauthorized(new { message = ex.Message });
|
|
}
|
|
}
|
|
|
|
// -------------------------------------------------------------------------
|
|
// POST /api/auth/logout
|
|
// -------------------------------------------------------------------------
|
|
|
|
/// <summary>Revokes the current refresh token and clears the cookie.</summary>
|
|
[HttpPost("logout")]
|
|
[AllowAnonymous]
|
|
[ProducesResponseType(StatusCodes.Status204NoContent)]
|
|
public async Task<IActionResult> Logout()
|
|
{
|
|
var raw = Request.Cookies[CookieName];
|
|
if (!string.IsNullOrEmpty(raw))
|
|
await _authService.LogoutAsync(raw);
|
|
|
|
ClearRefreshCookie();
|
|
return NoContent();
|
|
}
|
|
|
|
// -------------------------------------------------------------------------
|
|
// Private helpers
|
|
// -------------------------------------------------------------------------
|
|
|
|
private void SetRefreshCookie(string rawToken)
|
|
=> Response.Cookies.Append(CookieName, rawToken, new CookieOptions
|
|
{
|
|
HttpOnly = true,
|
|
Secure = true,
|
|
SameSite = SameSiteMode.Strict,
|
|
MaxAge = TimeSpan.FromSeconds(CookieMaxAge),
|
|
Path = "/api/auth",
|
|
});
|
|
|
|
private void ClearRefreshCookie()
|
|
=> Response.Cookies.Delete(CookieName, new CookieOptions
|
|
{
|
|
HttpOnly = true,
|
|
Secure = true,
|
|
SameSite = SameSiteMode.Strict,
|
|
Path = "/api/auth",
|
|
});
|
|
}
|