Cookie Authentication

.gitignore

@@ -357,4 +357,4 @@ healthchecksdb
 c:azurite
 
 #snyk
-.dccache
+.dccache

Orso.Arpa.Api/Controllers/AuthController.cs

@@ -30,13 +30,14 @@ public AuthController(IAuthService authService)
         /// <response code="422">If validation fails</response>
         [AllowAnonymous]
         [HttpPost("login")]
-        [ProducesResponseType(StatusCodes.Status200OK)]
+        [ProducesResponseType(StatusCodes.Status204NoContent)]
         [ProducesResponseType(typeof(ValidationProblemDetails), StatusCodes.Status401Unauthorized)]
         [ProducesResponseType(typeof(ValidationProblemDetails), StatusCodes.Status404NotFound)]
         [ProducesResponseType(typeof(ValidationProblemDetails), StatusCodes.Status422UnprocessableEntity)]
-        public async Task<ActionResult<TokenDto>> Login([FromBody] LoginDto loginDto)
+        public async Task<ActionResult> Login([FromBody] LoginDto loginDto)
         {
-            return await _authService.LoginAsync(loginDto, RemoteIpAddress);
+            await _authService.LoginAsync(loginDto, RemoteIpAddress);
+            return NoContent();
         }
 
         /// <summary>
@@ -183,14 +184,15 @@ public async Task<ActionResult> CreateNewEmailConfirmationToken(
         /// <returns>A new access token. Sets new refresh token cookie</returns>
         [AllowAnonymous]
         [HttpPost("refreshtoken")]
-        [ProducesResponseType(StatusCodes.Status200OK)]
+        [ProducesResponseType(StatusCodes.Status204NoContent)]
         [ProducesResponseType(typeof(ValidationProblemDetails), StatusCodes.Status401Unauthorized)]
         [ProducesResponseType(typeof(ValidationProblemDetails), StatusCodes.Status403Forbidden)]
         [ProducesResponseType(typeof(ValidationProblemDetails), StatusCodes.Status404NotFound)]
         [ProducesResponseType(typeof(ValidationProblemDetails), StatusCodes.Status422UnprocessableEntity)]
-        public async Task<ActionResult<TokenDto>> RefreshAccessToken()
+        public async Task<ActionResult> RefreshAccessToken()
         {
-            return await _authService.RefreshAccessTokenAsync(RefreshToken, RemoteIpAddress);
+            await _authService.RefreshAccessTokenAsync(RefreshToken, RemoteIpAddress);
+            return NoContent();
         }
 
         /// <summary>
@@ -205,7 +207,7 @@ public async Task<ActionResult<TokenDto>> RefreshAccessToken()
         [ProducesResponseType(typeof(ValidationProblemDetails), StatusCodes.Status422UnprocessableEntity)]
         public async Task<ActionResult> Logout()
         {
-            await _authService.RevokeRefreshTokenAsync(RefreshToken, RemoteIpAddress);
+            await _authService.SignOut(RefreshToken, RemoteIpAddress);
             return NoContent();
         }
     }

Orso.Arpa.Api/Startup.cs

@@ -17,8 +17,8 @@
 using HotChocolate.Types.Pagination;
 using MediatR;
 using MicroElements.Swashbuckle.FluentValidation.AspNetCore;
-using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Identity;
@@ -101,7 +101,6 @@
 using Orso.Arpa.Domain.UserDomain.Enums;
 using Orso.Arpa.Domain.UserDomain.Model;
 using Orso.Arpa.Domain.UserDomain.Repositories;
-using Orso.Arpa.Domain.VenueDomain.Model;
 using Orso.Arpa.Infrastructure.Authentication;
 using Orso.Arpa.Infrastructure.Authorization;
 using Orso.Arpa.Infrastructure.Authorization.AuthorizationRequirements;
@@ -119,6 +118,7 @@
 using SixLabors.ImageSharp.Web.Providers;
 using Yoh.Text.Json.NamingPolicies;
 using User = Orso.Arpa.Domain.UserDomain.Model.User;
+using Microsoft.AspNetCore.Http;
 
 namespace Orso.Arpa.Api
 {
@@ -154,6 +154,7 @@ public void ConfigureServices(IServiceCollection services)
                 _ = services.AddApplicationInsightsTelemetry();
             }
             _ = services.AddMediatR(typeof(LoginUser.Handler).Assembly);
+
             _ = services.AddGenericMediatorHandlers();
             _ = services.AddAutoMapper(
                 typeof(LoginDtoMappingProfile).Assembly,
@@ -373,6 +374,7 @@ private void ConfigureSwagger(IServiceCollection services)
         private void RegisterServices(IServiceCollection services)
         {
             _ = services.AddScoped<IJwtGenerator, JwtGenerator>();
+            _ = services.AddScoped<CustomCookieAuthenticationEvents>();
             _ = services.AddScoped<IUserAccessor, UserAccessor>();
             _ = services.AddScoped<ITokenAccessor, TokenAccessor>();
             _ = services.AddScoped<IDataSeeder, DataSeeder>();
@@ -408,6 +410,7 @@ private void RegisterServices(IServiceCollection services)
             _ = services.AddScoped<IMyProjectService, MyProjectService>();
             _ = services.AddScoped<INewsService, NewsService>();
             _ = services.AddScoped<IClubService, ClubService>();
+            _ = services.AddScoped<ICookieSignIn, CookieSignIn>();
             services.AddScoped<IRoomService, RoomService>();
             services.AddScoped<IRoomEquipmentService, RoomEquipmentService>();
             services.AddScoped<IRoomSectionService, RoomSectionService>();
@@ -452,6 +455,34 @@ private void ConfigureAuthentication(IServiceCollection services)
                 .AddRoleManager<RoleManager<Role>>()
                 .AddUserManager<ArpaUserManager>();
 
+            JwtConfiguration jwtConfig = AddConfiguration<JwtConfiguration>(services);
+
+
+            _ = identityBuilder.Services.AddAuthentication(options =>
+            {
+                options.DefaultAuthenticateScheme = IdentityConstants.ApplicationScheme;
+                options.DefaultChallengeScheme = IdentityConstants.ApplicationScheme;
+                options.DefaultSignInScheme = IdentityConstants.ExternalScheme;
+                options.DefaultSignOutScheme = IdentityConstants.ExternalScheme;
+                options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+            })
+            .AddCookie(options =>
+            {
+                options.EventsType = typeof(CustomCookieAuthenticationEvents);
+                options.Cookie.Name = "sessionCookie";
+                options.Cookie.Path = "/";
+                options.Cookie.HttpOnly = true;
+                options.ExpireTimeSpan = TimeSpan.FromMinutes(jwtConfig.AccessTokenExpiryInMinutes);
+                options.Cookie.MaxAge = TimeSpan.FromMinutes(jwtConfig.AccessTokenExpiryInMinutes);
+                options.ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
+            })
+            .AddIdentityCookies();
+
+            services.ConfigureApplicationCookie(o =>
+            {
+                o.EventsType = typeof(CustomCookieAuthenticationEvents);
+            });
+
             IdentityConfiguration identityConfig = AddConfiguration<IdentityConfiguration>(services);
 
             _ = services.Configure<IdentityOptions>(opts =>
@@ -469,11 +500,15 @@ private void ConfigureAuthentication(IServiceCollection services)
             _ = services.Configure<EmailConfirmationTokenProviderOptions>(opt =>
                 opt.TokenLifespan = TimeSpan.FromDays(identityConfig.EmailConfirmationTokenExpiryInDays));
 
-            JwtConfiguration jwtConfig = AddConfiguration<JwtConfiguration>(services);
+            _ = services.Configure<CookiePolicyOptions>(options =>
+            {
+                options.MinimumSameSitePolicy = SameSiteMode.Strict;
+                options.ConsentCookie.IsEssential = true;
+                options.CheckConsentNeeded = context => false;
+                options.Secure = _hostingEnvironment.IsDevelopment()
+                    ? CookieSecurePolicy.None : CookieSecurePolicy.Always;
+            });
 
-            _ = services
-                .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
-                .AddJwtBearerConfiguration(jwtConfig);
         }
 
         private void ConfigureCors(IServiceCollection services)
@@ -530,20 +565,20 @@ public virtual void Configure(IApplicationBuilder app, IWebHostEnvironment env)
         {
             _ = app.UseIpRateLimiting();
 
+            _ = app.UseRouting();
+
             _ = app.UseRequestLocalization();
 
-            _ = app.UseErrorResponseLocalizationMiddleware();
+            _ = app.UseCookiePolicy();
 
-            _ = app.UseMiddleware<ErrorHandlingMiddleware>();
+            _ = app.UseErrorResponseLocalizationMiddleware();
 
             _ = app.UseMiddleware<EnableRequestBodyRewindMiddleware>();
 
             _ = app.UseMiddleware<SecurityHeaderMiddleware>();
 
             ConfigureSecurityHeaders(app, env);
 
-            _ = app.UseRouting();
-
             _ = app.UseCors("CorsPolicy");
 
             _ = app.UseHealthChecks("/health");
@@ -557,6 +592,8 @@ public virtual void Configure(IApplicationBuilder app, IWebHostEnvironment env)
             _ = app.UseDefaultFiles(); // use index.html
             _ = app.UseStaticFiles();
 
+            _ = app.UseMiddleware<ErrorHandlingMiddleware>();
+
             AddSwagger(app);
 
             _ = app.UseEndpoints(endpoints =>
@@ -622,10 +659,8 @@ protected virtual void EnsureDatabaseMigrations(IApplicationBuilder app)
                 IDataSeeder dataSeeder = services.GetRequiredService<IDataSeeder>();
                 dataSeeder.SeedDataAsync().Wait();
             }
-            catch (Exception ex)
+            catch (Exception)
             {
-                ILogger<Startup> logger = services.GetRequiredService<ILogger<Startup>>();
-                logger.LogError(ex, "An error occured during database migration");
                 throw;
             }
         }
@@ -639,12 +674,12 @@ protected void PreloadTranslationsFromDb(IApplicationBuilder app)
                 ILocalizerCache localizerCache = services.GetRequiredService<ILocalizerCache>();
                 _ = localizerCache.LoadTranslations();
             }
-            catch (Exception ex)
+            catch (Exception)
             {
-                ILogger<Startup> logger = services.GetRequiredService<ILogger<Startup>>();
-                logger.LogError(ex, "Error during localization of data");
                 throw;
             }
         }
     }
+
 }
+

Orso.Arpa.Application/AuthApplication/Interfaces/IAuthService.cs

@@ -5,7 +5,7 @@ namespace Orso.Arpa.Application.AuthApplication.Interfaces
 {
     public interface IAuthService
     {
-        Task<TokenDto> LoginAsync(LoginDto loginDto, string remoteIpAddress);
+        Task LoginAsync(LoginDto loginDto, string remoteIpAddress);
 
         Task RegisterAsync(UserRegisterDto registerDto);
 
@@ -21,8 +21,9 @@ public interface IAuthService
 
         Task CreateNewEmailConfirmationTokenAsync(CreateEmailConfirmationTokenDto createEmailConfirmationTokenDto);
 
-        Task<TokenDto> RefreshAccessTokenAsync(string refreshToken, string remoteIpAddress);
+        Task RefreshAccessTokenAsync(string refreshToken, string remoteIpAddress);
 
         Task RevokeRefreshTokenAsync(string refreshToken, string remoteIpAddress);
+        Task SignOut(string refreshToken, string remoteIpAddress);
     }
 }

Orso.Arpa.Application/AuthApplication/Services/AuthService.cs

@@ -21,19 +21,18 @@ public AuthService(IMediator mediator, IMapper mapper)
             _mediator = mediator;
         }
 
-        public async Task<TokenDto> LoginAsync(LoginDto loginDto, string remoteIpAddress)
+        public async Task LoginAsync(LoginDto loginDto, string remoteIpAddress)
         {
             LoginUser.Command command = _mapper.Map<LoginUser.Command>(loginDto);
             command.RemoteIpAddress = remoteIpAddress;
-            var token = await _mediator.Send(command);
-            return _mapper.Map<TokenDto>(token);
+            await _mediator.Send(command);
         }
 
         public async Task RegisterAsync(UserRegisterDto registerDto)
         {
             RegisterUser.Command registerCommand = _mapper.Map<RegisterUser.Command>(registerDto);
             await _mediator.Send(registerCommand);
-            
+
             CreateEmailConfirmationToken.Command command = _mapper.Map<CreateEmailConfirmationToken.Command>(registerDto);
             await _mediator.Send(command);
 
@@ -97,18 +96,24 @@ public async Task CreateNewEmailConfirmationTokenAsync(CreateEmailConfirmationTo
             await _mediator.Send(command);
         }
 
-        public async Task<TokenDto> RefreshAccessTokenAsync(string refreshToken, string remoteIpAddress)
+        public async Task RefreshAccessTokenAsync(string refreshToken, string remoteIpAddress)
         {
             var command = new RefreshAccessToken.Command { RefreshToken = refreshToken, RemoteIpAddress = remoteIpAddress };
-            var token = await _mediator.Send(command);
+            await _mediator.Send(command);
             await RevokeRefreshTokenAsync(refreshToken, remoteIpAddress);
-            return _mapper.Map<TokenDto>(token);
         }
 
         public async Task RevokeRefreshTokenAsync(string refreshToken, string remoteIpAddress)
         {
             var command = new RevokeRefreshToken.Command { RefreshToken = refreshToken, RemoteIpAddress = remoteIpAddress };
             await _mediator.Send(command);
         }
+
+        public async Task SignOut(string refreshToken, string remoteIpAddress)
+        {
+            await RevokeRefreshTokenAsync(refreshToken, remoteIpAddress);
+            var command = new SignOutUser.Command { };
+            await _mediator.Send(command);
+        }
     }
 }