Merge branch 'main' of ssh://git.georesinwaybill.ru:222/espada/renis-backend

Database/Models/User.cs

@@ -13,4 +13,6 @@ public class User
     public string Phone { get; set; } = null!;
     [Required]
     public string Password { get; set; } = null!;
+    [Required]
+    public DateTime PasswordChangeDate { get; set; } = DateTime.UtcNow;
 }

Program.cs

@@ -1,5 +1,10 @@
+
 using Serilog;
 using Serilog.Exceptions;
+using System.Text;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.IdentityModel.Tokens;
+
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -17,6 +22,28 @@ if (app.Environment.IsDevelopment())
     app.UseSwaggerUI();
 }
 
+// Authorization
+builder.Services.AddAuthorization();
+builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+    .AddJwtBearer(options =>
+    {
+
+        string issuer = Environment.GetEnvironmentVariable("JWT_ISSUER") ?? "renis";
+        string audience = Environment.GetEnvironmentVariable("JWT_AUDIENCE") ?? "renis";
+        string secret = Environment.GetEnvironmentVariable("JWT_SECRET") ?? "TopSecretKeyForTheProtectionOfChocolateCookiesAndOtherSweetThings";
+
+        options.TokenValidationParameters = new TokenValidationParameters
+        {
+            ValidateIssuer = true,
+            ValidIssuer = issuer,
+            ValidateAudience = true,
+            ValidAudience = audience,
+            ValidateLifetime = true,
+            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret)),
+            ValidateIssuerSigningKey = true
+        };
+    });
+
 app.UseHttpsRedirection();
 
 app.Run();

Services/Jwt/IJwtService.cs

@@ -0,0 +1,11 @@
+using Renis.Database.Models;
+
+namespace Renis.Services.Jwt;
+
+public interface IJwtService
+{
+    string GenerateAccessToken(User user);
+    string GenerateRefreshToken(User user);
+    Tuple<bool, string> ValidateAccessToken(string? token);
+    Task<Tuple<bool, string>> ValidateRefreshToken(string? token);
+}

Services/Jwt/JwtService.cs

@@ -0,0 +1,201 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using Renis.Database.Models;
+using Microsoft.IdentityModel.Tokens;
+using Renis.Repositories;
+
+namespace Renis.Services.Jwt;
+
+public class JwtService : IJwtService
+{
+    private readonly string _secretKey;
+    private readonly string _issuer;
+    private readonly string _audience;
+    private readonly IUserRepository _userRepo;
+    private readonly ILogger<JwtService> _logger;
+    public JwtService(ILogger<JwtService> logger, IUserRepository userRepo)
+    {
+        _logger = logger;
+        _userRepo = userRepo;
+
+        // TODO: Change issuer & audience
+        _issuer = Environment.GetEnvironmentVariable("AUTH_JWT_ISSUER") ?? "renis";
+        _audience = Environment.GetEnvironmentVariable("AUTH_JWT_AUDIENCE") ?? "renis";
+
+        _secretKey = Environment.GetEnvironmentVariable("AUTH_JWT_SECRET")!;
+        if (_secretKey == null)
+        {
+            throw new Exception("Missing AUTH_JWT_SECRET environment variable");
+        }
+    }
+
+    /// <summary>
+    /// Generates an access token for the specified user.
+    /// </summary>
+    /// <param name="user">The user for whom the access token is generated.</param>
+    /// <returns>The generated access token as a string.</returns>
+    public string GenerateAccessToken(User user)
+    {  
+        var tokenHandler = new JwtSecurityTokenHandler();
+        var key = Convert.FromBase64String(_secretKey);
+      
+      
+        var tokenDescriptor = new SecurityTokenDescriptor
+        {
+            Issuer = _issuer,
+            Audience = _audience,
+            Subject = new ClaimsIdentity(new[]
+            { 
+                new Claim(ClaimTypes.Name, user.Phone),
+                new Claim(ClaimsIdentity.DefaultRoleClaimType,"User"),
+                new Claim(ClaimTypes.AuthenticationMethod, "Access")
+            }),
+            Expires = DateTime.UtcNow.AddMinutes(50),
+            SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
+        };
+        var token = tokenHandler.CreateToken(tokenDescriptor);
+        return tokenHandler.WriteToken(token);
+    }
+
+    /// <summary>
+    /// Generates a refresh token for the specified user.
+    /// </summary>
+    /// <param name="user">The user for whom the refresh token is generated.</param>
+    /// <returns>The generated refresh token as a string.</returns>
+    public string GenerateRefreshToken(User user)
+    {
+        var tokenHandler = new JwtSecurityTokenHandler();
+        var key = Convert.FromBase64String(_secretKey);
+        var tokenDescriptor = new SecurityTokenDescriptor
+        {
+            Issuer = _issuer,
+            Audience = _audience,
+            Subject = new ClaimsIdentity(new[] 
+            {
+                new Claim("PasswordChangeDate", user.PasswordChangeDate.ToString()),
+                new Claim(ClaimTypes.Name, user.Phone),
+                new Claim(ClaimsIdentity.DefaultRoleClaimType,"User"),
+                new Claim(ClaimTypes.AuthenticationMethod, "Refresh")
+            }),
+            Expires = DateTime.UtcNow.AddDays(7),
+            SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
+        };
+        var token = tokenHandler.CreateToken(tokenDescriptor);
+        return tokenHandler.WriteToken(token);
+    }
+
+    /// <summary>
+    /// Validates the access token and extracts the username from it if valid.
+    /// Returns a tuple indicating whether the token is valid and the extracted username.
+    /// </summary>
+    /// <param name="token">The access token to validate.</param>
+    /// <returns>A tuple indicating whether the token is valid and the extracted username.</returns>
+    public Tuple<bool, string> ValidateAccessToken(string? token)
+    {
+        try
+        {
+            if (token == null)
+            {
+                _logger.LogWarning("JwtService: No access token string provided");
+                return new (false, "");
+            }
+            var tokenHandler = new JwtSecurityTokenHandler();
+            var key = Convert.FromBase64String(_secretKey);
+    
+            TokenValidationParameters validationParameters = new() {
+                ValidateIssuerSigningKey = true,
+                IssuerSigningKey = new SymmetricSecurityKey(key),
+                ValidateIssuer = true,
+                ValidIssuer = _issuer,
+                ValidateAudience = true,
+                ValidAudience = _audience,
+                ClockSkew = TimeSpan.Zero
+            };
+    
+            // Валидация токена
+            tokenHandler.ValidateToken(token, validationParameters, out SecurityToken validatedToken);
+            JwtSecurityToken validatedJwt = (JwtSecurityToken)validatedToken;
+
+            var username = validatedJwt.Claims.First(claim => claim.Type == "unique_name").Value;
+
+            // Проверка типа токена
+            if (validatedJwt.Claims.First(claim => claim.Type == ClaimTypes.AuthenticationMethod).Value != "Access")
+            {
+                _logger.LogWarning("JwtService: the token was not a access token");
+                return new (false, "");
+            }
+
+            return new (true, username);
+        }
+        catch (Exception e)
+        {
+            _logger.LogWarning("JwtService: Token invalidated due to exception:\n{Exception}", e);
+            return new (false, "");;
+        }  
+    }
+
+    /// <summary>
+    /// Validates the refresh token and extracts the username from it if valid.
+    /// Returns a tuple indicating whether the token is valid and the extracted username.
+    /// </summary>
+    /// <param name="token">The refresh token to validate.</param>
+    /// <returns>A tuple indicating whether the token is valid and the extracted username.</returns>
+    public async Task<Tuple<bool, string>> ValidateRefreshToken(string? token)
+    {
+        try
+        {
+            if (token == null)
+            {
+                _logger.LogWarning("JwtService: No refresh token string provided");
+                return new (false, "");;
+            }
+            var tokenHandler = new JwtSecurityTokenHandler();
+            var key = Convert.FromBase64String(_secretKey);
+    
+            TokenValidationParameters validationParameters = new() {
+                ValidateIssuerSigningKey = true,
+                IssuerSigningKey = new SymmetricSecurityKey(key),
+                ValidateIssuer = true,
+                ValidIssuer = _issuer,
+                ValidateAudience = true,
+                ValidAudience = _audience,
+                ClockSkew = TimeSpan.Zero
+            };
+    
+            // Валидация токена
+            tokenHandler.ValidateToken(token, validationParameters, out SecurityToken validatedToken);
+            JwtSecurityToken validatedJwt = (JwtSecurityToken)validatedToken;
+
+            var passwordChangeDate = validatedJwt.Claims.First(claim => claim.Type == "PasswordChangeDate").Value;
+            var username = validatedJwt.Claims.First(claim => claim.Type == "unique_name").Value;
+
+            // Проверка типа токена
+            if (validatedJwt.Claims.First(claim => claim.Type == "authmethod").Value != "Refresh")
+            {
+                _logger.LogWarning("JwtService: the token was not a refresh token");
+                return new (false, "");
+            }
+
+            var user = await _userRepo.GetUserByPhone(username);
+            if (user == null)
+            {
+                return new (false, "");
+            }
+
+            // Проверка, что дата изменения пароля совпадает с фактической
+            if (user.PasswordChangeDate.ToString() != passwordChangeDate)
+            {
+                username=null;
+                _logger.LogWarning("JwtService: the password change date was not equal to the one in the token\n1. {1}\n2. {2}", passwordChangeDate, user.PasswordChangeDate.ToString());
+                return new (false, "");
+            }
+
+            return new (true, username);
+        }
+        catch (Exception e)
+        {
+            _logger.LogWarning("JwtService: Token invalidated due to exception:\n{Exception}", e);
+            return new (false, "");
+        }
+    }
+}

renis-backend.csproj

@@ -14,16 +14,17 @@
     <PackageReference Include="Microsoft.EntityFrameworkCore" Version="8.0.8" />
     <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="8.0.4" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.0.2" />
-    <PackageReference Include="Serilog" Version="4.0.0" />
+    <PackageReference Include="Serilog" Version="4.0.1" />
-    <PackageReference Include="Serilog.AspNetCore" Version="8.0.1" />
+    <PackageReference Include="Serilog.AspNetCore" Version="8.0.2" />
-    <PackageReference Include="Serilog.Enrichers.Environment" Version="2.3.0" />
+    <PackageReference Include="Serilog.Enrichers.Environment" Version="3.0.1" />
     <PackageReference Include="Serilog.Exceptions" Version="8.4.0" />
     <PackageReference Include="Serilog.Extensions.Logging" Version="8.0.0" />
-    <PackageReference Include="Serilog.Formatting.OpenSearch" Version="1.0.0" />
+    <PackageReference Include="Serilog.Formatting.OpenSearch" Version="1.2.0" />
-    <PackageReference Include="Serilog.Sinks.Console" Version="5.0.1" />
+    <PackageReference Include="Serilog.Sinks.Console" Version="6.0.0" />
-    <PackageReference Include="Serilog.Sinks.Debug" Version="2.0.0" />
+    <PackageReference Include="Serilog.Sinks.Debug" Version="3.0.0" />
-    <PackageReference Include="Serilog.Sinks.File" Version="5.0.0" />
+    <PackageReference Include="Serilog.Sinks.File" Version="6.0.0" />
-    <PackageReference Include="Serilog.Sinks.OpenSearch" Version="1.0.0" />
+    <PackageReference Include="Serilog.Sinks.OpenSearch" Version="1.2.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.8" />
   </ItemGroup>
 
 </Project>