Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added max idle time for refresh token #52

Merged
merged 2 commits into from
Nov 19, 2024
Merged

Added max idle time for refresh token #52

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
083c320
Added max idle time for refresh token
adimiko Nov 19, 2024
2b9c723
Added default value for RefreshTokenMaxIdleTime
adimiko Nov 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions source/EasyWay.Auth.WebApi/Internals/Settings/AuthServerSettings.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ internal sealed class AuthServerSettings : IAuthServerSettings, IAuthSettings

public TimeSpan RefreshTokenLifetime { get; set; } = TimeSpan.FromDays(1);

public TimeSpan? RefreshTokenMaxIdleTime { get; set; } = null;

public TimeSpan AccessTokenLifetime { get; set; } = TimeSpan.FromSeconds(3);

public string SecretKey { get; set; } = "XN32ifS0ZumZ0QZTAFyY86GdQRPnTHjwzh42KpflDemEZ+Ewlzpgb3N5l8u9/jWV";
Expand Down
2 changes: 1 addition & 1 deletion source/EasyWay.Auth/Internals/Application/Issue/IssueTokensActionHandler.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ public async Task<SecurityResult<TokensDto>> Handle(IssueTokensAction action)
var hashedRefreshToken = _refreshTokenHasher.Hash(refreshToken);

//TODO hash after check rules
var storageToken = SecurityTokens.Issue(action.UserId, hashedRefreshToken, _authSettings.RefreshTokenLifetime, accessToken.Expires);
var storageToken = SecurityTokens.Issue(action.UserId, hashedRefreshToken, _authSettings.RefreshTokenLifetime, _authSettings.RefreshTokenMaxIdleTime, accessToken.Expires);

await _storage.Add(storageToken);

Expand Down
9 changes: 7 additions & 2 deletions source/EasyWay.Auth/Internals/Application/Refresh/RefreshTokensActionHandler.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
using EasyWay.Internals.Domain;
using EasyWay.Internals.Domain.SeedWorks.Results;
using EasyWay.Internals.RefreshTokenCreators;
using EasyWay.Settings;

namespace EasyWay.Internals.Application.Refresh
{
Expand All @@ -16,16 +17,20 @@ internal sealed class RefreshTokensActionHandler : ISecurityActionHandler<Refres

private readonly IRefreshTokenHasher _refreshTokenHasher;

private readonly IAuthSettings _authSettings;

public RefreshTokensActionHandler(
IAccessTokensCreator accessTokensCreator,
IRefreshTokenCreator refreshTokenCreator,
ISecurityTokensRepository storage,
IRefreshTokenHasher refreshTokenHasher)
IRefreshTokenHasher refreshTokenHasher,
IAuthSettings authSettings)
{
_accessTokensCreator = accessTokensCreator;
_refreshTokenCreator = refreshTokenCreator;
_storage = storage;
_refreshTokenHasher = refreshTokenHasher;
_authSettings = authSettings;
}

public async Task<SecurityResult<TokensDto>> Handle(RefreshTokensAction action)
Expand All @@ -48,7 +53,7 @@ public async Task<SecurityResult<TokensDto>> Handle(RefreshTokensAction action)

var newRefreshToken = _refreshTokenCreator.Create();

var refreshResult = storageTokens.Refresh(newRefreshToken, accessToken.Expires, _refreshTokenHasher);
var refreshResult = storageTokens.Refresh(newRefreshToken, accessToken.Expires, _refreshTokenHasher, _authSettings.RefreshTokenMaxIdleTime);

if (refreshResult.IsFailure)
{
Expand Down
2 changes: 1 addition & 1 deletion .../Errors/RefreshTokenIsExpiredException.cs → ...s/AccessTokenIsNotExpiredSecurityError.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,5 @@

namespace EasyWay.Internals.Domain.Errors
{
internal sealed class RefreshTokenIsExpiredException : SecurityError;
internal sealed class AccessTokenIsNotExpiredSecurityError : SecurityError;
}
2 changes: 1 addition & 1 deletion ...rrors/AccessTokenIsNotExpiredException.cs → ...ors/RefreshTokenIsExpiredSecurityError.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,5 @@

namespace EasyWay.Internals.Domain.Errors
{
internal sealed class AccessTokenIsNotExpiredException : SecurityError;
internal sealed class RefreshTokenIsExpiredSecurityError : SecurityError;
}
6 changes: 6 additions & 0 deletions source/EasyWay.Auth/Internals/Domain/Errors/RefreshTokenTimeoutExceededSecurityError.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
using EasyWay.Internals.Domain.SeedWorks.Results;

namespace EasyWay.Internals.Domain.Errors
{
internal sealed class RefreshTokenTimeoutExceededSecurityError : SecurityError;
}
50 changes: 44 additions & 6 deletions source/EasyWay.Auth/Internals/Domain/SecurityTokens.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,35 +13,59 @@ internal sealed class SecurityTokens

public DateTime RefreshTokenExpires { get; private set; }

public DateTime? RefreshTokenTimeout { get; private set; }

public DateTime AccessTokenExpires { get; private set; }

private SecurityTokens(Guid userId, string hashedRefreshToken, DateTime refreshTokenExpires, DateTime accessTokenExpires)
private SecurityTokens(
Guid userId,
string hashedRefreshToken,
DateTime refreshTokenExpires,
DateTime? refreshTokenTimeout,
DateTime accessTokenExpires)
{
UserId = userId;
HashedRefreshToken = hashedRefreshToken;
RefreshTokenExpires = refreshTokenExpires;
RefreshTokenTimeout = refreshTokenTimeout;
AccessTokenExpires = accessTokenExpires;
}

internal static SecurityTokens Issue(Guid userId, string hashedRefreshToken, TimeSpan refreshTokenLifetime, DateTime accessTokenExpires)
internal static SecurityTokens Issue(
Guid userId,
string hashedRefreshToken,
TimeSpan refreshTokenLifetime,
TimeSpan? refreshTokenMaxIdleTime,
DateTime accessTokenExpires)
{
var refreshTokenExpires = SecurityClock.UtcNow.Add(refreshTokenLifetime);
var refreshTokenTimeout = CalculateRefreshTokenTimeout(refreshTokenMaxIdleTime, refreshTokenExpires);

return new SecurityTokens(userId, hashedRefreshToken, refreshTokenExpires, accessTokenExpires);
return new SecurityTokens(userId, hashedRefreshToken, refreshTokenExpires, refreshTokenTimeout, accessTokenExpires);
}

internal SecurityResult Refresh(string refreshToken, DateTime accessTokenExpires, IRefreshTokenHasher refreshTokenHasher)
internal SecurityResult Refresh(
string refreshToken,
DateTime accessTokenExpires,
IRefreshTokenHasher refreshTokenHasher,
TimeSpan? refreshTokenMaxIdleTime)
{
if (!IsAccessTokenExpired())
{
return SecurityResult.Failure(new AccessTokenIsNotExpiredException());
return SecurityResult.Failure(new AccessTokenIsNotExpiredSecurityError());
}

if (IsRefreshTokenExpired())
{
return SecurityResult.Failure(new RefreshTokenIsExpiredException());
return SecurityResult.Failure(new RefreshTokenIsExpiredSecurityError());
}

if (IsRefreshTokenIdleTimeExceeded())
{
return SecurityResult.Failure(new RefreshTokenTimeoutExceededSecurityError());
}

RefreshTokenTimeout = CalculateRefreshTokenTimeout(refreshTokenMaxIdleTime, RefreshTokenExpires);
HashedRefreshToken = refreshTokenHasher.Hash(refreshToken);
AccessTokenExpires = accessTokenExpires;

Expand All @@ -51,5 +75,19 @@ internal SecurityResult Refresh(string refreshToken, DateTime accessTokenExpires
private bool IsAccessTokenExpired() => SecurityClock.UtcNow >= AccessTokenExpires;

private bool IsRefreshTokenExpired() => SecurityClock.UtcNow >= RefreshTokenExpires;

private bool IsRefreshTokenIdleTimeExceeded() => RefreshTokenTimeout is not null ? SecurityClock.UtcNow >= RefreshTokenTimeout : false;

private static DateTime? CalculateRefreshTokenTimeout(TimeSpan? refreshTokenMaxIdleTime, DateTime refreshTokenExpires)
{
DateTime? refreshTokenTimeout = refreshTokenMaxIdleTime.HasValue ? SecurityClock.UtcNow + refreshTokenMaxIdleTime.Value : null;

if (refreshTokenTimeout.HasValue)
{
return refreshTokenTimeout > refreshTokenExpires ? refreshTokenExpires : refreshTokenTimeout;
}

return refreshTokenTimeout;
}
}
}
2 changes: 2 additions & 0 deletions source/EasyWay.Auth/Settings/IAuthSettings.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,8 @@ internal interface IAuthSettings

TimeSpan RefreshTokenLifetime { get; }

TimeSpan? RefreshTokenMaxIdleTime { get; }

int RefreshTokenSize { get; }

string RefreshTokenSalt { get; }
Expand Down
Loading