Add Audience on the refresh token

oveldman · Feb 3, 2024 · 8ba6d5c · 8ba6d5c
1 parent 5b04044
commit 8ba6d5c
Show file tree

Hide file tree

Showing 32 changed files with 561 additions and 55 deletions.
diff --git a/MadWorld/MadWorld.Backend.API/Program.cs b/MadWorld/MadWorld.Backend.API/Program.cs
@@ -58,7 +58,7 @@ private static void Main(string[] args)
                 ValidateLifetime = true,
                 ValidateIssuerSigningKey = true,
                 ValidIssuer = builder.Configuration["Jwt:Issuer"],
-                ValidAudience = builder.Configuration["Jwt:Audience"],
+                ValidAudiences = builder.Configuration.GetSection("Jwt:Audiences").Get<string[]>(),
                 IssuerSigningKey =
                     new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!))
             };
@@ -75,6 +75,18 @@ private static void Main(string[] args)
             options.ForwardedHeaders =
                 ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
         });
+
+        const string madWorldOrigins = "_myAllowSpecificOrigins";
+        builder.Services.AddCors(options =>
+        {
+            options.AddPolicy(name: madWorldOrigins,
+                policy =>
+                {
+                    policy.WithOrigins(builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>()!);
+                    policy.AllowAnyMethod();
+                    policy.AllowAnyHeader();
+                });
+        });
 
         builder.Services.AddRateLimiter(rateLimiterOptions =>
             {
@@ -107,6 +119,7 @@ private static void Main(string[] args)
         app.AddTestEndpoints();
 
         app.UseRateLimiter();
+        app.UseCors(madWorldOrigins);
 
         app.MigrateDatabases();
 

diff --git a/MadWorld/MadWorld.Backend.API/appsettings.Development.json b/MadWorld/MadWorld.Backend.API/appsettings.Development.json
@@ -5,8 +5,25 @@
   },
   "Jwt": {
     "Key": "mSWX4ctFHyPAPYddRzgVETAUEj3oJE2cNCPfhbyW9K5M4rXYjR",
-    "Issuer": "https://identity.mad-world.nl/",
-    "Audience": "https://identity.mad-world.nl/"
+    "Issuer": "https://localhost:7056/",
+    "Audiences": [
+      "https://localhost:7298/",
+      "https://localhost:7177/",
+      "https://localhost:7056/",
+      "https://localhost:7180/",
+      "https://localhost:7205/",
+      "https://localhost:7300/"
+    ]
+  },
+  "Cors": {
+    "AllowedOrigins": [
+      "https://localhost:7298",
+      "https://localhost:7177",
+      "https://localhost:7056",
+      "https://localhost:7180",
+      "https://localhost:7205",
+      "https://localhost:7300"
+    ]
   },
   "Logging": {
     "LogLevel": {

diff --git a/MadWorld/MadWorld.Backend.API/appsettings.json b/MadWorld/MadWorld.Backend.API/appsettings.json
@@ -6,7 +6,24 @@
   "Jwt": {
     "Key": "Empty",
     "Issuer": "https://identity.mad-world.nl/",
-    "Audience": "https://api.mad-world.nl/"
+    "Audiences": [
+      "https://admin.mad-world.nl/",
+      "https://api.mad-world.nl/",
+      "https://identity.mad-world.nl/",
+      "https://shipsimulator.mad-world.nl/",
+      "https://shipsimulator-api.mad-world.nl/",
+      "https://www.mad-world.nl/"
+    ]
+  },
+  "Cors": {
+    "AllowedOrigins": [
+      "https://admin.mad-world.nl",
+      "https://api.mad-world.nl",
+      "https://identity.mad-world.nl",
+      "https://shipsimulator.mad-world.nl",
+      "https://shipsimulator-api.mad-world.nl",
+      "https://www.mad-world.nl"
+    ]
   },
   "Logging": {
     "LogLevel": {

diff --git a/MadWorld/MadWorld.Backend.Identity.Contracts/UserManagers/RefreshTokenContract.cs b/MadWorld/MadWorld.Backend.Identity.Contracts/UserManagers/RefreshTokenContract.cs
@@ -3,5 +3,6 @@ namespace MadWorld.Backend.Identity.Contracts.UserManagers;
 public class RefreshTokenContract
 {
     public string Id { get; set; }
+    public string Audience { get; set; }
     public DateTime Expires { get; set; }
 }
diff --git a/MadWorld/MadWorld.Backend.Identity/Application/JwtGenerator.cs b/MadWorld/MadWorld.Backend.Identity/Application/JwtGenerator.cs
@@ -16,7 +16,7 @@ public JwtGenerator(IConfiguration configuration)
         _configuration = configuration;
     }
 
-    public JwtToken GenerateToken(IdentityUserExtended user, IList<string> roles)
+    public JwtToken GenerateToken(IdentityUserExtended user, string audience, IList<string> roles)
     {
         var tokenHandler = new JwtSecurityTokenHandler();
         var key = Encoding.ASCII.GetBytes(_configuration["Jwt:Key"]!);
@@ -42,7 +42,7 @@ public JwtToken GenerateToken(IdentityUserExtended user, IList<string> roles)
             Subject = new ClaimsIdentity(claims),
             Expires = expires,
             Issuer = _configuration["Jwt:Issuer"],
-            Audience = _configuration["Jwt:Audience"],
+            Audience = audience,
             SigningCredentials =
                 new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
         };

diff --git a/MadWorld/MadWorld.Backend.Identity/Application/Mappers/IdentityUserMapper.cs b/MadWorld/MadWorld.Backend.Identity/Application/Mappers/IdentityUserMapper.cs
@@ -31,6 +31,7 @@ private static RefreshTokenContract ToRefreshTokenContract(RefreshToken refreshT
         return new RefreshTokenContract()
         {
             Id = refreshToken.Id.ToString(),
+            Audience = refreshToken.Audience,
             Expires = refreshToken.Expires
         };
     }

diff --git a/MadWorld/MadWorld.Backend.Identity/Application/PostJwtLoginUseCase.cs b/MadWorld/MadWorld.Backend.Identity/Application/PostJwtLoginUseCase.cs
@@ -22,7 +22,7 @@ public PostJwtLoginUseCase(IJwtGenerator jwtGenerator, IUserRepository userRepos
         _userManager = userManager;
     }
 
-    public async Task<IResult> PostJwtLogin(JwtLoginRequest request)
+    public async Task<IResult> PostJwtLogin(JwtLoginRequest request, string audience)
     {
         var result = await _signInManager.PasswordSignInAsync(request.Email, request.Password, false, false);
         if (!result.Succeeded)
@@ -33,10 +33,10 @@ public async Task<IResult> PostJwtLogin(JwtLoginRequest request)
         var user = await _userManager.FindByEmailAsync(request.Email);
         var roles = await _userManager.GetRolesAsync(user!);
 
-        var jwt = _jwtGenerator.GenerateToken(user!, roles);
+        var jwt = _jwtGenerator.GenerateToken(user!, audience, roles);
         var token = GenerateRefreshToken();
 
-        var refreshToken = new RefreshToken(token, expires: DateTime.UtcNow.AddDays(7), user!.Id);
+        var refreshToken = new RefreshToken(token, audience, expires: DateTime.UtcNow.AddDays(7), user!.Id);
         await _userRepository.AddRefreshToken(refreshToken);
 
         return Results.Ok(new JwtLoginResponse

diff --git a/MadWorld/MadWorld.Backend.Identity/Application/PostJwtRefreshUseCase.cs b/MadWorld/MadWorld.Backend.Identity/Application/PostJwtRefreshUseCase.cs
@@ -19,7 +19,7 @@ public PostJwtRefreshUseCase(IJwtGenerator jwtGenerator, UserManager<IdentityUse
         _userRepository = userRepository;
     }
 
-    public async Task<IResult> PostJwtRefresh(JwtRefreshRequest request)
+    public async Task<IResult> PostJwtRefresh(JwtRefreshRequest request, string audience)
     {
         var refreshToken = _userRepository.GetRefreshToken(request.RefreshToken);
 
@@ -31,7 +31,7 @@ public async Task<IResult> PostJwtRefresh(JwtRefreshRequest request)
         var user = refreshToken.User;
         var roles = await _userManager.GetRolesAsync(user);
 
-        var jwt = _jwtGenerator.GenerateToken(user, roles);
+        var jwt = _jwtGenerator.GenerateToken(user, audience, roles);
 
         return Results.Ok(new JwtRefreshResponse()
         {

diff --git a/MadWorld/MadWorld.Backend.Identity/Domain/IJwtGenerator.cs b/MadWorld/MadWorld.Backend.Identity/Domain/IJwtGenerator.cs
@@ -4,5 +4,5 @@ namespace MadWorld.Backend.Identity.Domain;
 
 public interface IJwtGenerator
 {
-    JwtToken GenerateToken(IdentityUserExtended user, IList<string> roles);
+    JwtToken GenerateToken(IdentityUserExtended user, string audience, IList<string> roles);
 }
diff --git a/MadWorld/MadWorld.Backend.Identity/Domain/Users/RefreshToken.cs b/MadWorld/MadWorld.Backend.Identity/Domain/Users/RefreshToken.cs
@@ -6,15 +6,17 @@ public class RefreshToken
 {
     public const int MaxLength = 1000;
 
-    public RefreshToken(string token, DateTime expires, string userId)
+    public RefreshToken(string token, string audience, DateTime expires, string userId)
     {
         Token = token;
+        Audience = audience;
         Expires = expires;
         UserId = userId;
     }
     private RefreshToken() {}
 
     public Guid Id { get; set; }
+    public string Audience { get; set; } = string.Empty;
     public string Token { get; set; } = string.Empty;
     public DateTime Expires { get; set; }
 

diff --git a/MadWorld/MadWorld.Backend.Identity/Endpoints/IdentityEndpoints.cs b/MadWorld/MadWorld.Backend.Identity/Endpoints/IdentityEndpoints.cs
@@ -5,6 +5,7 @@
 using MadWorld.Backend.Identity.Application;
 using MadWorld.Backend.Identity.Contracts;
 using MadWorld.Backend.Identity.Domain.Users;
+using MadWorld.Backend.Identity.Extensions;
 using MadWorld.Shared.Infrastructure.Settings;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
@@ -24,15 +25,15 @@ public static void AddIdentityEndpoints(this WebApplication app)
             .WithOpenApi();
 
         account.MapPost("/JwtLogin",
-                ([FromBody] JwtLoginRequest request, [FromServices] PostJwtLoginUseCase useCase) =>
-                    useCase.PostJwtLogin(request))
+                ([FromBody] JwtLoginRequest request, [FromServices] PostJwtLoginUseCase useCase, HttpContext context) =>
+                    useCase.PostJwtLogin(request, context.Request.GetBaseUrl()))
             .WithName("JwtLogin")
             .WithOpenApi()
             .AllowAnonymous();
 
         account.MapPost("/JwtRefresh",
-                ([FromBody] JwtRefreshRequest request, [FromServices] PostJwtRefreshUseCase useCase) =>
-                    useCase.PostJwtRefresh(request))
+                ([FromBody] JwtRefreshRequest request, [FromServices] PostJwtRefreshUseCase useCase, HttpContext context) =>
+                    useCase.PostJwtRefresh(request, context.Request.GetBaseUrl()))
             .WithName("JwtRefresh")
             .WithOpenApi()
             .AllowAnonymous();

diff --git a/MadWorld/MadWorld.Backend.Identity/Extensions/RequestExtensions.cs b/MadWorld/MadWorld.Backend.Identity/Extensions/RequestExtensions.cs
@@ -0,0 +1,13 @@
+using Microsoft.Extensions.Primitives;
+
+namespace MadWorld.Backend.Identity.Extensions;
+
+public static class RequestExtensions
+{
+    public static string GetBaseUrl(this HttpRequest request)
+    {
+        request.Headers.TryGetValue("Origin", out var originValues);
+        var url = originValues.Count != 0 ? originValues[0]! : string.Empty;
+        return url.TrimEnd('/') + "/";
+    }
+}
diff --git a/MadWorld/MadWorld.Backend.Identity/Infrastructure/RefreshTokenEntityTypeConfiguration.cs b/MadWorld/MadWorld.Backend.Identity/Infrastructure/RefreshTokenEntityTypeConfiguration.cs
@@ -10,6 +10,10 @@ public void Configure(EntityTypeBuilder<RefreshToken> builder)
     {
         builder.HasKey(x => x.Id);
 
+        builder.Property(x => x.Audience)
+            .IsRequired()
+            .HasMaxLength(RefreshToken.MaxLength);
+
         builder.Property(x => x.Token)
             .IsRequired()
             .HasMaxLength(RefreshToken.MaxLength);