Completed Core Options & Improved AuthFlowContext and AccessContext Creation Security

Author: mckaragoz

src/CodeBeam.UltimateAuth.Client/Components/UALoginForm.razor

@@ -7,7 +7,6 @@
 @using CodeBeam.UltimateAuth.Core.Options
 @using Microsoft.Extensions.Options
 @inject IJSRuntime JS
-@inject IOptions<UAuthOptions> CoreOptions
 @inject IOptions<UAuthClientOptions> Options
 @inject NavigationManager Navigation
 

src/CodeBeam.UltimateAuth.Client/Components/UALoginForm.razor.cs

@@ -115,7 +115,7 @@ public async Task SubmitAsync()
         await JS.InvokeVoidAsync("uauth.submitForm", _form);
     }
 
-    private string ClientProfileValue => CoreOptions.Value.ClientProfile.ToString();
+    private string ClientProfileValue => Options.Value.ClientProfile.ToString();
 
     private string EffectiveEndpoint => LoginType == UAuthLoginType.Pkce
         ? Options.Value.Endpoints.PkceComplete

src/CodeBeam.UltimateAuth.Client/Extensions/ServiceCollectionExtensions.cs

@@ -79,7 +79,7 @@ private static IServiceCollection AddUltimateAuthClientInternal(this IServiceCol
         // services.AddSingleton<IValidateOptions<UAuthClientOptions>, ...>();
 
         services.AddSingleton<IClientProfileDetector, UAuthClientProfileDetector>();
-        services.AddSingleton<IPostConfigureOptions<UAuthOptions>, UAuthOptionsPostConfigure>();
+        services.AddSingleton<IPostConfigureOptions<UAuthClientOptions>, UAuthClientOptionsPostConfigure>();
         services.TryAddSingleton<IClock, ClientClock>();
 
         //services.PostConfigure<UAuthOptions>(o =>
@@ -107,9 +107,9 @@ private static IServiceCollection AddUltimateAuthClientInternal(this IServiceCol
 
         services.AddScoped<ISessionCoordinator>(sp =>
         {
-            var core = sp.GetRequiredService<IOptions<UAuthOptions>>().Value;
+            var options = sp.GetRequiredService<IOptions<UAuthClientOptions>>().Value;
 
-            return core.ClientProfile == UAuthClientProfile.BlazorServer
+            return options.ClientProfile == UAuthClientProfile.BlazorServer
                 ? sp.GetRequiredService<BlazorServerSessionCoordinator>()
                 : sp.GetRequiredService<NoOpSessionCoordinator>();
         });

src/CodeBeam.UltimateAuth.Client/Infrastructure/UAuthRequestClient.cs

@@ -1,5 +1,6 @@
 using CodeBeam.UltimateAuth.Client.Abstractions;
 using CodeBeam.UltimateAuth.Client.Contracts;
+using CodeBeam.UltimateAuth.Client.Options;
 using CodeBeam.UltimateAuth.Core.Options;
 using Microsoft.Extensions.Options;
 using Microsoft.JSInterop;
@@ -10,12 +11,12 @@ namespace CodeBeam.UltimateAuth.Client.Infrastructure;
 internal sealed class UAuthRequestClient : IUAuthRequestClient
 {
     private readonly IJSRuntime _js;
-    private UAuthOptions _coreOptions;
+    private UAuthClientOptions _options;
 
-    public UAuthRequestClient(IJSRuntime js, IOptions<UAuthOptions> coreOptions)
+    public UAuthRequestClient(IJSRuntime js, IOptions<UAuthClientOptions> options)
     {
         _js = js;
-        _coreOptions = coreOptions.Value;
+        _options = options.Value;
     }
 
     public Task NavigateAsync(string endpoint, IDictionary<string, string>? form = null, CancellationToken ct = default)
@@ -27,7 +28,7 @@ public Task NavigateAsync(string endpoint, IDictionary<string, string>? form = n
             url = endpoint,
             mode = "navigate",
             data = form,
-            clientProfile = _coreOptions.ClientProfile.ToString()
+            clientProfile = _options.ClientProfile.ToString()
         }).AsTask();
     }
 
@@ -41,7 +42,7 @@ public async Task<UAuthTransportResult> SendFormAsync(string endpoint, IDictiona
             mode = "fetch",
             expectJson = false,
             data = form,
-            clientProfile = _coreOptions.ClientProfile.ToString()
+            clientProfile = _options.ClientProfile.ToString()
         });
 
         return result;
@@ -59,7 +60,7 @@ public async Task<UAuthTransportResult> SendFormForJsonAsync(string endpoint, ID
                 mode = "fetch",
                 expectJson = true,
                 data = postData,
-                clientProfile = _coreOptions.ClientProfile.ToString()
+                clientProfile = _options.ClientProfile.ToString()
             });
     }
 
@@ -71,7 +72,7 @@ public async Task<UAuthTransportResult> SendJsonAsync(string endpoint, object? p
         {
             url = endpoint,
             payload = payload,
-            clientProfile = _coreOptions.ClientProfile.ToString()
+            clientProfile = _options.ClientProfile.ToString()
         });
     }
 

src/CodeBeam.UltimateAuth.Client/Options/UAuthClientOptions.cs

@@ -1,9 +1,13 @@
 using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Core.Options;
 
 namespace CodeBeam.UltimateAuth.Client.Options;
 
 public sealed class UAuthClientOptions
 {
+    public UAuthClientProfile ClientProfile { get; set; } = UAuthClientProfile.NotSpecified;
+    public bool AutoDetectClientProfile { get; set; } = true;
+
     public AuthEndpointOptions Endpoints { get; set; } = new();
     public LoginFlowOptions Login { get; set; } = new();
 

src/CodeBeam.UltimateAuth.Client/Options/UAuthOptionsPostConfigure.cs

@@ -1,20 +1,21 @@
-using CodeBeam.UltimateAuth.Core.Options;
+using CodeBeam.UltimateAuth.Client.Options;
+using CodeBeam.UltimateAuth.Core.Options;
 using Microsoft.Extensions.Options;
 
 namespace CodeBeam.UltimateAuth.Client.Infrastructure;
 
-internal sealed class UAuthOptionsPostConfigure : IPostConfigureOptions<UAuthOptions>
+internal sealed class UAuthClientOptionsPostConfigure : IPostConfigureOptions<UAuthClientOptions>
 {
     private readonly IClientProfileDetector _detector;
     private readonly IServiceProvider _services;
 
-    public UAuthOptionsPostConfigure(IClientProfileDetector detector, IServiceProvider services)
+    public UAuthClientOptionsPostConfigure(IClientProfileDetector detector, IServiceProvider services)
     {
         _detector = detector;
         _services = services;
     }
 
-    public void PostConfigure(string? name, UAuthOptions options)
+    public void PostConfigure(string? name, UAuthClientOptions options)
     {
         if (!options.AutoDetectClientProfile)
             return;

src/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs

@@ -19,20 +19,17 @@ internal class UAuthFlowClient : IFlowClient
 {
     private readonly IUAuthRequestClient _post;
     private readonly UAuthClientOptions _options;
-    private readonly UAuthOptions _coreOptions;
     private readonly UAuthClientDiagnostics _diagnostics;
     private readonly NavigationManager _nav;
 
     public UAuthFlowClient(
         IUAuthRequestClient post,
         IOptions<UAuthClientOptions> options,
-        IOptions<UAuthOptions> coreOptions,
         UAuthClientDiagnostics diagnostics,
         NavigationManager nav)
     {
         _post = post;
         _options = options.Value;
-        _coreOptions = coreOptions.Value;
         _diagnostics = diagnostics;
         _nav = nav;
     }
@@ -188,7 +185,7 @@ private Task NavigateToHubLoginAsync(string authorizationCode, string codeVerifi
             ["authorization_code"] = authorizationCode,
             ["code_verifier"] = codeVerifier,
             ["return_url"] = returnUrl,
-            ["client_profile"] = _coreOptions.ClientProfile.ToString()
+            ["client_profile"] = _options.ClientProfile.ToString()
         };
 
         return _post.NavigateAsync(hubLoginUrl, data);

src/CodeBeam.UltimateAuth.Core/Contracts/Authority/AccessContext.cs

@@ -14,23 +14,47 @@ public sealed class AccessContext
 
     // Target
     public string? Resource { get; init; }
-    public string? ResourceId { get; init; }
+    public UserKey? TargetUserKey { get; init; }
     public TenantKey ResourceTenant { get; init; }
 
     public string Action { get; init; } = default!;
     public IReadOnlyDictionary<string, object> Attributes { get; init; } = EmptyAttributes.Instance;
 
     public bool IsCrossTenant => !string.Equals(ActorTenant, ResourceTenant, StringComparison.Ordinal);
-    public bool IsSelfAction => ActorUserKey != null && ResourceId != null && string.Equals(ActorUserKey.Value, ResourceId, StringComparison.Ordinal);
+    public bool IsSelfAction => ActorUserKey != null && TargetUserKey != null && string.Equals(ActorUserKey.Value, TargetUserKey.Value, StringComparison.Ordinal);
     public bool HasActor => ActorUserKey != null;
-    public bool HasTarget => ResourceId != null;
+    public bool HasTarget => TargetUserKey != null;
 
     public UserKey GetTargetUserKey()
     {
-        if (ResourceId is null)
-            throw new InvalidOperationException("Target user is not specified.");
+        if (TargetUserKey is not UserKey targetUserKey)
+            throw new InvalidOperationException("Target user is not found.");
 
-        return UserKey.Parse(ResourceId, null);
+        return targetUserKey;
+    }
+
+    internal AccessContext(
+        UserKey? actorUserKey,
+        TenantKey actorTenant,
+        bool isAuthenticated,
+        bool isSystemActor,
+        string resource,
+        UserKey? targetUserKey,
+        TenantKey resourceTenant,
+        string action,
+        IReadOnlyDictionary<string, object> attributes)
+    {
+        ActorUserKey = actorUserKey;
+        ActorTenant = actorTenant;
+        IsAuthenticated = isAuthenticated;
+        IsSystemActor = isSystemActor;
+
+        Resource = resource;
+        TargetUserKey = targetUserKey;
+        ResourceTenant = resourceTenant;
+
+        Action = action;
+        Attributes = attributes;
     }
 }
 

src/CodeBeam.UltimateAuth.Core/Infrastructure/UserKeyJsonConverter.cs

@@ -4,6 +4,9 @@
 
 namespace CodeBeam.UltimateAuth.Core.Infrastructure;
 
+// NOTE:
+// UserKey is the canonical domain identity type.
+// JSON serialization/deserialization is intentionally direct and does not use IUserIdConverterResolver.
 public sealed class UserKeyJsonConverter : JsonConverter<UserKey>
 {
     public override UserKey Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)

src/CodeBeam.UltimateAuth.Core/Options/UAuthOptions.cs

@@ -1,5 +1,4 @@
-using CodeBeam.UltimateAuth.Core.Abstractions;
-using CodeBeam.UltimateAuth.Core.Events;
+using CodeBeam.UltimateAuth.Core.Events;
 
 namespace CodeBeam.UltimateAuth.Core.Options;
 
@@ -48,13 +47,4 @@ public sealed class UAuthOptions
     /// validated, and optionally enforced.
     /// </summary>
     public UAuthMultiTenantOptions MultiTenant { get; set; } = new();
-
-    /// <summary>
-    /// Provides converters used to normalize and serialize TUserId
-    /// across the system (sessions, stores, tokens, logging).
-    /// </summary>
-    public IUserIdConverterResolver? UserIdConverters { get; set; }
-
-    public UAuthClientProfile ClientProfile { get; set; } = UAuthClientProfile.NotSpecified;
-    public bool AutoDetectClientProfile { get; set; } = true;
 }