Merge pull request #25 from barzin144/feature/data-protection

Implemented authentication cookie

Author: barzin144

.env_SAMPLE

@@ -0,0 +1,17 @@
+ConnectionStrings__MongoDb= "mongodb://USERNAME:PASSWORD@mongo:27017"
+Jwt__PrivateKey= "PRIVATE_KEY"
+Jwt__Issuer= "https://localhost:8001"
+Jwt__AccessTokenExpirationMinutes= 2
+Jwt__Audience= "http://localhost:5010"
+Jwt__DataProtectionApplicationName= "microidp"
+Jwt__DataProtectionKeysPath= "./DataProtectionKeys"
+Jwt__CookieName= "microidp"
+Jwt__DataProtectionPurpose= "JwtCookieEncryption"
+OAuth__GoogleCallbackURL= "https://localhost:8001/api/auth/google-callback"
+OAuth__GoogleClientId= "GOOGLE_CLIENT_ID"
+OAuth__GoogleClientSecret= "GOOGLE_CLIENT_SECRET"
+ASPNETCORE_URLS= "https://+;http://+"
+ASPNETCORE_Kestrel__Certificates__Default__Path= "/https/aspnetcore.pfx"
+ASPNETCORE_Kestrel__Certificates__Default__Password= "1234567890"
+Cors__Origins= "http://localhost:3000"
+DBName= "microIDP"

.gitignore

@@ -46,3 +46,5 @@ msbuild.wrn
 aspnetcore.crt
 aspnetcore.key
 aspnetcore.pfx
+**/DataProtectionKeys/
+.env

Domain/Models/AuthCookie.cs

@@ -0,0 +1,7 @@
+namespace Domain.Models;
+
+public class AuthCookie
+{
+	public string AccessToken { get; set; }
+	public string RefreshToken { get; set; }
+}

Domain/Models/JwtOptions.cs

@@ -9,5 +9,10 @@ public class JwtOptions
 		public int RefreshTokenExpirationMinutes { set; get; }
 		public bool AllowMultipleLoginsFromTheSameUser { set; get; }
 		public bool AllowSignoutAllUserActiveClients { set; get; }
+		public string DataProtectionApplicationName { get; set; }
+		public string DataProtectionKeysPath { get; set; }
+		public string DataProtectionPurpose { get; set; }
+		public string CookieName { get; set; }
+
 	}
 }

IoCConfig/ConfigureServicesExtensions.cs

@@ -4,7 +4,6 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.OpenApi.Models;
-using System.Collections.Generic;
 using DataAccess;
 using MongoDB.Driver;
 using Domain.Repositories;
@@ -14,6 +13,10 @@
 using System.Security.Cryptography;
 using System;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.DataProtection;
+using System.IO;
+using System.Threading.Tasks;
+using System.Text.Json;
 
 namespace IoCConfig
 {
@@ -59,9 +62,40 @@ public static void AddCustomAuthentication(this IServiceCollection services, ICo
 					ValidAudience = configuration["Jwt:Audience"],
 					IssuerSigningKey = new RsaSecurityKey(rsa)
 				};
+
+				options.Events = new JwtBearerEvents
+				{
+					OnMessageReceived = context =>
+					{
+						if (context.Request.Cookies.TryGetValue(configuration["Jwt:CookieName"], out var encryptedToken))
+						{
+							var dataProtector = context.HttpContext.RequestServices
+									.GetRequiredService<IDataProtectionProvider>()
+									.CreateProtector(configuration["Jwt:DataProtectionPurpose"]);
+
+							try
+							{
+								var authCookie = JsonSerializer.Deserialize<AuthCookie>(dataProtector.Unprotect(encryptedToken));
+								context.Token = authCookie.AccessToken;
+							}
+							catch
+							{
+								context.Fail("Invalid or tampered token");
+							}
+						}
+
+						return Task.CompletedTask;
+					}
+				};
 			});
 		}
 
+		public static void AddCustomDataProtection(this IServiceCollection services, IConfiguration configuration)
+		{
+			services.AddDataProtection()
+			.PersistKeysToFileSystem(new DirectoryInfo(configuration["Jwt:DataProtectionKeysPath"]))
+			.SetApplicationName(configuration["Jwt:DataProtectionApplicationName"]);
+		}
 		public static void AddCustomServices(this IServiceCollection services)
 		{
 			services.AddScoped<IJwtTokenService, JwtTokenService>();
@@ -87,17 +121,6 @@ public static void AddCustomSwagger(this IServiceCollection services)
 					Title = "Micro IDP API Document",
 					Version = "v1"
 				});
-
-				options.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
-				{
-					Description = @"JWT Authorization header using the Bearer scheme.",
-					Name = "Authorization",
-					In = ParameterLocation.Header,
-					Type = SecuritySchemeType.ApiKey,
-					Scheme = "Bearer"
-				});
-
-				options.AddSecurityRequirement(new OpenApiSecurityRequirement() { { new OpenApiSecurityScheme { Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "Bearer" }, Scheme = "oauth2", Name = "Bearer", In = ParameterLocation.Header, }, new List<string>() } });
 			});
 		}