Add CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore & Implementation

Author: mckaragoz

UltimateAuth.slnx

@@ -14,6 +14,7 @@
   <Project Path="src/CodeBeam.UltimateAuth.Core/CodeBeam.UltimateAuth.Core.csproj" />
   <Project Path="src/CodeBeam.UltimateAuth.Server/CodeBeam.UltimateAuth.Server.csproj" Id="0a8cdd12-a8c4-4530-87e8-ae778c46322b" />
   <Project Path="src/CodeBeam.UltimateAuth.Users/CodeBeam.UltimateAuth.Server.Users.csproj" Id="30d5db36-6dc8-46f6-9139-8b6b3d6053d5" />
+  <Project Path="src/credentials/CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore/CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore.csproj" Id="1fd362d5-864b-4bb3-97be-9095d94cfdba" />
   <Project Path="src/credentials/CodeBeam.UltimateAuth.Credentials.InMemory/CodeBeam.UltimateAuth.Credentials.InMemory.csproj" Id="62ee7b1d-46ce-4f2e-985d-1e794f891b8b" />
   <Project Path="src/security/CodeBeam.UltimateAuth.Security.Argon2/CodeBeam.UltimateAuth.Security.Argon2.csproj" Id="6abfb7a6-ea36-42db-a843-38054dd40fd8" />
   <Project Path="src/sessions/CodeBeam.UltimateAuth.Sessions.EntityFrameworkCore/CodeBeam.UltimateAuth.Sessions.EntityFrameworkCore.csproj" Id="5b9a090d-1689-4a81-9dfa-3ba69f0bda38" />

src/credentials/CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore/Abstractions/CredentialUserMapping.cs

@@ -0,0 +1,10 @@
+namespace CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore;
+
+internal sealed class CredentialUserMapping<TUser, TUserId>
+{
+    public Func<TUser, TUserId> UserId { get; init; } = default!;
+    public Func<TUser, string> Username { get; init; } = default!;
+    public Func<TUser, string> PasswordHash { get; init; } = default!;
+    public Func<TUser, long> SecurityVersion { get; init; } = default!;
+    public Func<TUser, bool> CanAuthenticate { get; init; } = default!;
+}

src/credentials/CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore/AssemblyVisibility.cs

@@ -0,0 +1,3 @@
+using System.Runtime.CompilerServices;
+
+[assembly: InternalsVisibleTo("CodeBeam.UltimateAuth.Tests.Unit")]

src/credentials/CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore/CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore.csproj

@@ -0,0 +1,28 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+	<PropertyGroup>
+		<TargetFrameworks>net8.0;net9.0;net10.0</TargetFrameworks>
+		<ImplicitUsings>enable</ImplicitUsings>
+		<Nullable>enable</Nullable>
+		<Version>0.0.1-preview</Version>
+		<GenerateDocumentationFile>true</GenerateDocumentationFile>
+	</PropertyGroup>
+
+	<ItemGroup Condition=" '$(TargetFramework)' == 'net8.0' ">
+		<PackageReference Include="Microsoft.EntityFrameworkCore" Version="8.0.22" />
+		<PackageReference Include="Microsoft.EntityFrameworkCore.Relational" Version="8.0.22" />
+	</ItemGroup>
+	<ItemGroup Condition=" '$(TargetFramework)' == 'net9.0' ">
+		<PackageReference Include="Microsoft.EntityFrameworkCore" Version="9.0.11" />
+		<PackageReference Include="Microsoft.EntityFrameworkCore.Relational" Version="9.0.11" />
+	</ItemGroup>
+	<ItemGroup Condition=" '$(TargetFramework)' == 'net10.0' ">
+		<PackageReference Include="Microsoft.EntityFrameworkCore" Version="10.0.1" />
+		<PackageReference Include="Microsoft.EntityFrameworkCore.Relational" Version="10.0.1" />
+	</ItemGroup>
+	
+	<ItemGroup>
+		<ProjectReference Include="..\..\CodeBeam.UltimateAuth.Core\CodeBeam.UltimateAuth.Core.csproj" />
+	</ItemGroup>
+
+</Project>

src/credentials/CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore/Configuration/ConventionResolver.cs

@@ -0,0 +1,24 @@
+using System.Linq.Expressions;
+
+namespace CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore
+{
+    internal static class ConventionResolver
+    {
+        public static Expression<Func<TUser, TProp>>? TryResolve<TUser, TProp>(params string[] names)
+        {
+            var prop = typeof(TUser)
+                .GetProperties()
+                .FirstOrDefault(p =>
+                    names.Contains(p.Name, StringComparer.OrdinalIgnoreCase) &&
+                    typeof(TProp).IsAssignableFrom(p.PropertyType));
+
+            if (prop is null)
+                return null;
+
+            var param = Expression.Parameter(typeof(TUser), "u");
+            var body = Expression.Property(param, prop);
+
+            return Expression.Lambda<Func<TUser, TProp>>(body, param);
+        }
+    }
+}

src/credentials/CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore/Configuration/CredentialUserMappingBuilder.cs

@@ -0,0 +1,75 @@
+namespace CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore
+{
+    internal static class CredentialUserMappingBuilder
+    {
+        public static CredentialUserMapping<TUser, TUserId> Build<TUser, TUserId>(CredentialUserMappingOptions<TUser, TUserId> options)
+        {
+            if (options.UserId is null)
+            {
+                var expr = ConventionResolver.TryResolve<TUser, TUserId>("Id", "UserId");
+                if (expr != null)
+                    options.ApplyUserId(expr);
+            }
+
+            if (options.Username is null)
+            {
+                var expr = ConventionResolver.TryResolve<TUser, string>(
+                    "Username",
+                    "UserName",
+                    "Email",
+                    "EmailAddress",
+                    "Login");
+
+                if (expr != null)
+                    options.ApplyUsername(expr);
+            }
+
+            // Never add "Password" as a convention to avoid accidental mapping to plaintext password properties
+            if (options.PasswordHash is null)
+            {
+                var expr = ConventionResolver.TryResolve<TUser, string>(
+                    "PasswordHash",
+                    "Passwordhash",
+                    "PasswordHashV2");
+
+                if (expr != null)
+                    options.ApplyPasswordHash(expr);
+            }
+
+            if (options.SecurityVersion is null)
+            {
+                var expr = ConventionResolver.TryResolve<TUser, long>(
+                    "SecurityVersion",
+                    "SecurityStamp",
+                    "AuthVersion");
+
+                if (expr != null)
+                    options.ApplySecurityVersion(expr);
+            }
+
+
+            if (options.UserId is null)
+                throw new InvalidOperationException("UserId mapping is required. Use MapUserId(...) or ensure a conventional property exists.");
+
+            if (options.Username is null)
+                throw new InvalidOperationException("Username mapping is required. Use MapUsername(...) or ensure a conventional property exists.");
+
+            if (options.PasswordHash is null)
+                throw new InvalidOperationException("PasswordHash mapping is required. Use MapPasswordHash(...) or ensure a conventional property exists.");
+
+            if (options.SecurityVersion is null)
+                throw new InvalidOperationException("SecurityVersion mapping is required. Use MapSecurityVersion(...) or ensure a conventional property exists.");
+
+            var canAuthenticateExpr = options.CanAuthenticate ?? (_ => true);
+
+            return new CredentialUserMapping<TUser, TUserId>
+            {
+                UserId = options.UserId.Compile(),
+                Username = options.Username.Compile(),
+                PasswordHash = options.PasswordHash.Compile(),
+                SecurityVersion = options.SecurityVersion.Compile(),
+                CanAuthenticate = canAuthenticateExpr.Compile()
+            };
+        }
+    }
+}

src/credentials/CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore/Configuration/CredentialUserMappingOptions.cs

@@ -0,0 +1,29 @@
+using System.Linq.Expressions;
+
+namespace CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore;
+
+public sealed class CredentialUserMappingOptions<TUser, TUserId>
+{
+    internal Expression<Func<TUser, TUserId>>? UserId { get; private set; }
+    internal Expression<Func<TUser, string>>? Username { get; private set; }
+    internal Expression<Func<TUser, string>>? PasswordHash { get; private set; }
+    internal Expression<Func<TUser, long>>? SecurityVersion { get; private set; }
+    internal Expression<Func<TUser, bool>>? CanAuthenticate { get; private set; }
+
+    public void MapUserId(Expression<Func<TUser, TUserId>> expr) => UserId = expr;
+    public void MapUsername(Expression<Func<TUser, string>> expr) => Username = expr;
+    public void MapPasswordHash(Expression<Func<TUser, string>> expr) => PasswordHash = expr;
+    public void MapSecurityVersion(Expression<Func<TUser, long>> expr) => SecurityVersion = expr;
+
+    /// <summary>
+    /// Optional. If not specified, all users are allowed to authenticate.
+    /// Use this to enforce custom user state rules (e.g. Active, Locked, Suspended).
+    /// Users that can't authenticate don't show up in authentication results.
+    /// </summary>
+    public void MapCanAuthenticate(Expression<Func<TUser, bool>> expr) => CanAuthenticate = expr;
+
+    internal void ApplyUserId(Expression<Func<TUser, TUserId>> expr) => UserId = expr;
+    internal void ApplyUsername(Expression<Func<TUser, string>> expr) => Username = expr;
+    internal void ApplyPasswordHash(Expression<Func<TUser, string>> expr) => PasswordHash = expr;
+    internal void ApplySecurityVersion(Expression<Func<TUser, long>> expr) => SecurityVersion = expr;
+}

src/credentials/CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore/EfCoreAuthUser.cs

@@ -0,0 +1,16 @@
+using CodeBeam.UltimateAuth.Core.Domain;
+
+namespace CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore
+{
+    internal sealed class EfCoreAuthUser<TUserId> : IUser<TUserId>
+    {
+        public TUserId UserId { get; }
+
+        IReadOnlyDictionary<string, object>? IUser<TUserId>.Claims => null;
+
+        public EfCoreAuthUser(TUserId userId)
+        {
+            UserId = userId;
+        }
+    }
+}

src/credentials/CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore/Infrastructure/EfCoreUserStore.cs

@@ -0,0 +1,83 @@
+using CodeBeam.UltimateAuth.Core.Abstractions;
+using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Core.Infrastructure;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Options;
+
+namespace CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore;
+
+internal sealed class EfCoreUserStore<TUser, TUserId> : IUAuthUserStore<TUserId> where TUser : class
+{
+    private readonly DbContext _db;
+    private readonly CredentialUserMapping<TUser, TUserId> _map;
+
+    public EfCoreUserStore(DbContext db, IOptions<CredentialUserMappingOptions<TUser, TUserId>> options)
+    {
+        _db = db;
+        _map = CredentialUserMappingBuilder.Build(options.Value);
+    }
+
+    public async Task<IUser<TUserId>?> FindByIdAsync(string? tenantId, TUserId userId, CancellationToken ct = default)
+    {
+        var user = await _db.Set<TUser>().FirstOrDefaultAsync(u => _map.UserId(u)!.Equals(userId), ct);
+
+        if (user is null || !_map.CanAuthenticate(user))
+            return null;
+
+        return new EfCoreAuthUser<TUserId>(_map.UserId(user));
+    }
+
+    public async Task<UserRecord<TUserId>?> FindByUsernameAsync(string? tenantId, string username, CancellationToken ct = default)
+    {
+        var user = await _db.Set<TUser>().FirstOrDefaultAsync(u => _map.Username(u) == username, ct);
+
+        if (user is null || !_map.CanAuthenticate(user))
+            return null;
+
+        return new UserRecord<TUserId>
+        {
+            Id = _map.UserId(user),
+            Username = _map.Username(user),
+            PasswordHash = _map.PasswordHash(user),
+            IsActive = true,
+            CreatedAt = DateTimeOffset.UtcNow,
+            IsDeleted = false
+        };
+    }
+
+    public async Task<IUser<TUserId>?> FindByLoginAsync(string? tenantId, string login, CancellationToken ct = default)
+    {
+        var user = await _db.Set<TUser>().FirstOrDefaultAsync(u => _map.Username(u) == login, ct);
+
+        if (user is null || !_map.CanAuthenticate(user))
+            return null;
+
+        return new EfCoreAuthUser<TUserId>(_map.UserId(user));
+    }
+
+    public Task<string?> GetPasswordHashAsync(string? tenantId, TUserId userId, CancellationToken ct = default)
+    {
+        return _db.Set<TUser>()
+            .Where(u => _map.UserId(u)!.Equals(userId))
+            .Select(u => _map.PasswordHash(u))
+            .FirstOrDefaultAsync(ct);
+    }
+
+    public Task SetPasswordHashAsync(string? tenantId, TUserId userId, string passwordHash, CancellationToken token = default)
+    {
+        throw new NotSupportedException("Password updates are not supported by EfCoreUserStore. " +
+            "Use application-level user management services.");
+    }
+
+    public async Task<long> GetSecurityVersionAsync(string? tenantId, TUserId userId, CancellationToken ct = default)
+    {
+        var user = await _db.Set<TUser>().FirstOrDefaultAsync(u => _map.UserId(u)!.Equals(userId), ct);
+        return user is null ? 0 : _map.SecurityVersion(user);
+    }
+
+    public Task IncrementSecurityVersionAsync(string? tenantId, TUserId userId, CancellationToken token = default)
+    {
+        throw new NotSupportedException("Security version updates must be handled by the application.");
+    }
+
+}

src/credentials/CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore/ServiceCollectionExtensions.cs

@@ -0,0 +1,19 @@
+using CodeBeam.UltimateAuth.Core.Abstractions;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore;
+
+public static class ServiceCollectionExtensions
+{
+    public static IServiceCollection AddUltimateAuthEfCoreCredentials<TUser, TUserId>(
+        this IServiceCollection services,
+        Action<CredentialUserMappingOptions<TUser, TUserId>> configure)
+        where TUser : class
+    {
+        services.Configure(configure);
+
+        services.AddScoped<IUAuthUserStore<TUserId>, EfCoreUserStore<TUser, TUserId>>();
+
+        return services;
+    }
+}