Create HappyPath

Author: mckaragoz

UltimateAuth.slnx

@@ -3,8 +3,11 @@
     <File Path="Readme.md" />
     <File Path="Roadmap.md" />
   </Folder>
-  <Project Path="src/CodeBeam.UltimateAuth.Users/CodeBeam.UltimateAuth.Server.Users.csproj" Id="30d5db36-6dc8-46f6-9139-8b6b3d6053d5" />
   <Project Path="src/CodeBeam.UltimateAuth.Client/CodeBeam.UltimateAuth.Client.csproj" Id="eb60a3b7-ba9d-48c9-98ad-b28e879b23bf" />
   <Project Path="src/CodeBeam.UltimateAuth.Core/CodeBeam.UltimateAuth.Core.csproj" />
   <Project Path="src/CodeBeam.UltimateAuth.Server/CodeBeam.UltimateAuth.Server.csproj" Id="0a8cdd12-a8c4-4530-87e8-ae778c46322b" />
+  <Project Path="src/CodeBeam.UltimateAuth.Users/CodeBeam.UltimateAuth.Server.Users.csproj" Id="30d5db36-6dc8-46f6-9139-8b6b3d6053d5" />
+  <Project Path="src/security/CodeBeam.UltimateAuth.Security.Argon2/CodeBeam.UltimateAuth.Security.Argon2.csproj" Id="6abfb7a6-ea36-42db-a843-38054dd40fd8" />
+  <Project Path="src/sessions/CodeBeam.UltimateAuth.Sessions.InMemory/CodeBeam.UltimateAuth.Sessions.InMemory.csproj" Id="fc9bfef0-8a89-4639-81ee-3f84f6e33816" />
+  <Project Path="src/tokens/CodeBeam.UltimateAuth.Tokens.InMemory/CodeBeam.UltimateAuth.Tokens.InMemory.csproj" Id="8220884e-4958-4b49-8c69-56ce9d2b6c6f" />
 </Solution>

src/CodeBeam.UltimateAuth.Core/Contracts/Session/SessionRefreshResult.cs

@@ -1,21 +1,36 @@
-namespace CodeBeam.UltimateAuth.Core.Contracts
+using CodeBeam.UltimateAuth.Core.Domain;
+
+namespace CodeBeam.UltimateAuth.Core.Contracts
 {
     public sealed record SessionRefreshResult
     {
-        public AccessToken AccessToken { get; init; } = default!;
+        public SessionRefreshStatus Status { get; init; }
+
+        public AccessToken? AccessToken { get; init; }
+
         public RefreshToken? RefreshToken { get; init; }
 
-        public bool IsValid => AccessToken is not null;
+        public bool IsSuccess => Status == SessionRefreshStatus.Success;
 
         private SessionRefreshResult() { }
 
-        public static SessionRefreshResult Success(AccessToken accessToken, RefreshToken? refreshToken)
+        public static SessionRefreshResult Success(
+            AccessToken accessToken,
+            RefreshToken? refreshToken)
             => new()
             {
+                Status = SessionRefreshStatus.Success,
                 AccessToken = accessToken,
                 RefreshToken = refreshToken
             };
 
+        public static SessionRefreshResult ReauthRequired()
+            => new()
+            {
+                Status = SessionRefreshStatus.ReauthRequired
+            };
+
+        // TODO: ?
         public static SessionRefreshResult Invalid() => new();
     }
 }

src/CodeBeam.UltimateAuth.Core/Contracts/Token/RefreshTokenValidationResult.cs

@@ -6,16 +6,30 @@ public sealed record RefreshTokenValidationResult<TUserId>
     {
         public bool IsValid { get; init; }
 
+        public bool IsReuseDetected { get; init; }
+
         public TUserId? UserId { get; init; }
 
         public AuthSessionId? SessionId { get; init; }
 
         private RefreshTokenValidationResult() { }
 
+        // ----------------------------
+        // FACTORIES
+        // ----------------------------
+
         public static RefreshTokenValidationResult<TUserId> Invalid()
             => new()
             {
-                IsValid = false
+                IsValid = false,
+                IsReuseDetected = false
+            };
+
+        public static RefreshTokenValidationResult<TUserId> ReuseDetected()
+            => new()
+            {
+                IsValid = false,
+                IsReuseDetected = true
             };
 
         public static RefreshTokenValidationResult<TUserId> Valid(
@@ -24,6 +38,7 @@ public static RefreshTokenValidationResult<TUserId> Valid(
             => new()
             {
                 IsValid = true,
+                IsReuseDetected = false,
                 UserId = userId,
                 SessionId = sessionId
             };

src/CodeBeam.UltimateAuth.Core/Domain/Session/ISession.cs

@@ -78,6 +78,7 @@ public interface ISession<TUserId>
 
         bool ShouldUpdateLastSeen(DateTimeOffset now);
         ISession<TUserId> Touch(DateTimeOffset now);
+        ISession<TUserId> Revoke(DateTimeOffset at);
 
     }
 }

src/CodeBeam.UltimateAuth.Core/Domain/Session/UAuthSession.cs

@@ -126,11 +126,11 @@ public ISession<TUserId> Touch(DateTimeOffset at)
             );
         }
 
-        public UAuthSession<TUserId> Revoke(DateTimeOffset at)
+        public ISession<TUserId> Revoke(DateTimeOffset at)
         {
             if (IsRevoked) return this;
 
-            return new(
+            return new UAuthSession<TUserId>(
                 SessionId,
                 TenantId,
                 UserId,

src/CodeBeam.UltimateAuth.Core/Domain/Token/SessionRefreshStatus.cs

@@ -0,0 +1,8 @@
+namespace CodeBeam.UltimateAuth.Core.Domain
+{
+    public enum SessionRefreshStatus
+    {
+        Success,
+        ReauthRequired
+    }
+}

src/CodeBeam.UltimateAuth.Server/Services/UAuthFlowService.cs

@@ -2,6 +2,7 @@
 using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Core.Domain;
 using CodeBeam.UltimateAuth.Server.Infrastructure;
+using CodeBeam.UltimateAuth.Server.Infrastructure.Orchestrator;
 using Microsoft.AspNetCore.Http;
 
 namespace CodeBeam.UltimateAuth.Server.Services
@@ -12,19 +13,22 @@ internal sealed class UAuthFlowService<TUserId> : IUAuthFlowService
         private readonly ISessionOrchestrator<TUserId> _orchestrator;
         private readonly ISessionQueryService<TUserId> _queries;
         private readonly ITokenIssuer _tokens;
+        private readonly ITokenStore<TUserId> _tokenStore;
         private readonly IRefreshTokenResolver<TUserId> _refreshTokens;
 
         public UAuthFlowService(
             IUAuthUserService<TUserId> users,
             ISessionOrchestrator<TUserId> orchestrator,
             ISessionQueryService<TUserId> queries,
             ITokenIssuer tokens,
+            ITokenStore<TUserId> tokenStore,
             IRefreshTokenResolver<TUserId> refreshTokens)
         {
             _users = users;
             _orchestrator = orchestrator;
             _queries = queries;
             _tokens = tokens;
+            _tokenStore = tokenStore;
             _refreshTokens = refreshTokens;
         }
 
@@ -181,43 +185,63 @@ public Task<ReauthResult> ReauthenticateAsync(ReauthRequest request, Cancellatio
         public async Task<SessionRefreshResult> RefreshSessionAsync(SessionRefreshRequest request, CancellationToken ct = default)
         {
             var now = DateTimeOffset.UtcNow;
-            var resolved = await _refreshTokens.ResolveAsync(request.TenantId, request.RefreshToken, now, ct);
 
-            if (resolved is null)
-                return SessionRefreshResult.Invalid();
+            // Validate refresh token (STORE is authority)
+            var validation = await _tokenStore.ValidateRefreshTokenAsync(
+                request.TenantId,
+                request.RefreshToken,
+                now);
 
-            if (!resolved.IsValid)
+            if (!validation.IsValid)
             {
-                // TODO: Add reuse detection handling here
-                //if (resolved.IsReuseDetected)
-                //{
-                //    await _sessions.RevokeChainAsync(
-                //        tenantId,
-                //        resolved.Chain!.ChainId,
-                //        now);
-                //}
-
-                //return SessionRefreshResult.ReauthRequired();
+                if (validation.IsReuseDetected && validation.SessionId is not null)
+                {
+                    var chainId = await _queries.ResolveChainIdAsync(
+                        request.TenantId,
+                        validation.SessionId.Value,
+                        ct);
+
+                    if (chainId is not null)
+                    {
+                        var authContext = AuthContext.System(
+                            request.TenantId,
+                            AuthOperation.Revoke,
+                            now);
+
+                        await _orchestrator.ExecuteAsync(
+                            authContext,
+                            new RevokeChainCommand<TUserId>(chainId.Value),
+                            ct);
+                    }
+                }
+
+                return SessionRefreshResult.ReauthRequired();
             }
 
-            var session = resolved.Session;
+            var session = await _queries.GetSessionAsync(request.TenantId, validation.SessionId!.Value);
+
+            if (session is null)
+                return SessionRefreshResult.ReauthRequired();
 
             var rotationContext = new SessionRotationContext<TUserId>
             {
                 TenantId = request.TenantId,
-                CurrentSessionId = session.SessionId,
-                UserId = session.UserId,
+                CurrentSessionId = validation.SessionId!.Value,
+                UserId = validation.UserId!,
                 Now = now
             };
 
-            var authContext = AuthContext.ForAuthenticatedUser(request.TenantId, AuthOperation.Refresh, now, DeviceContext.From(session.Device));
+            var refreshAuthContext = AuthContext.ForAuthenticatedUser(request.TenantId, AuthOperation.Refresh, now, DeviceContext.From(session.Device));
 
-            var issuedSession = await _orchestrator.ExecuteAsync(authContext, new RotateSessionCommand<TUserId>(rotationContext), ct);
+            var issuedSession = await _orchestrator.ExecuteAsync(
+                refreshAuthContext,
+                new RotateSessionCommand<TUserId>(rotationContext),
+                ct);
 
             var tokenContext = new TokenIssuanceContext
             {
                 TenantId = request.TenantId,
-                UserId = session.UserId!.ToString()!,
+                UserId = validation.UserId!.ToString()!,
                 SessionId = issuedSession.Session.SessionId
             };
 

src/security/CodeBeam.UltimateAuth.Security.Argon2/Argon2Options.cs

@@ -0,0 +1,13 @@
+namespace CodeBeam.UltimateAuth.Security.Argon2
+{
+    public sealed class Argon2Options
+    {
+        // OWASP recommended baseline
+        public int MemorySizeKb { get; init; } = 64 * 1024; // 64 MB
+        public int Iterations { get; init; } = 3;
+        public int Parallelism { get; init; } = Environment.ProcessorCount;
+
+        public int SaltSize { get; init; } = 16;
+        public int HashSize { get; init; } = 32;
+    }
+}

src/security/CodeBeam.UltimateAuth.Security.Argon2/Argon2PasswordHasher.cs

@@ -0,0 +1,62 @@
+using System.Security.Cryptography;
+using System.Text;
+using CodeBeam.UltimateAuth.Core.Abstractions;
+using Konscious.Security.Cryptography;
+
+namespace CodeBeam.UltimateAuth.Security.Argon2
+{
+    public sealed class Argon2PasswordHasher : IUAuthPasswordHasher
+    {
+        private readonly Argon2Options _options;
+
+        public Argon2PasswordHasher(Argon2Options options)
+        {
+            _options = options;
+        }
+
+        public string Hash(string password)
+        {
+            if (string.IsNullOrEmpty(password))
+                throw new ArgumentException("Password cannot be null or empty.", nameof(password));
+
+            var salt = RandomNumberGenerator.GetBytes(_options.SaltSize);
+
+            var argon2 = CreateArgon2(password, salt);
+
+            var hash = argon2.GetBytes(_options.HashSize);
+
+            // format:
+            // {salt}.{hash}
+            return $"{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
+        }
+
+        public bool Verify(string password, string hash)
+        {
+            if (string.IsNullOrWhiteSpace(password) || string.IsNullOrWhiteSpace(hash))
+                return false;
+
+            var parts = hash.Split('.');
+            if (parts.Length != 2)
+                return false;
+
+            var salt = Convert.FromBase64String(parts[0]);
+            var expectedHash = Convert.FromBase64String(parts[1]);
+
+            var argon2 = CreateArgon2(password, salt);
+            var actualHash = argon2.GetBytes(expectedHash.Length);
+
+            return CryptographicOperations.FixedTimeEquals(actualHash, expectedHash);
+        }
+
+        private Argon2id CreateArgon2(string password, byte[] salt)
+        {
+            return new Argon2id(Encoding.UTF8.GetBytes(password))
+            {
+                Salt = salt,
+                DegreeOfParallelism = _options.Parallelism,
+                Iterations = _options.Iterations,
+                MemorySize = _options.MemorySizeKb
+            };
+        }
+    }
+}

src/security/CodeBeam.UltimateAuth.Security.Argon2/CodeBeam.UltimateAuth.Security.Argon2.csproj

@@ -0,0 +1,18 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+	<PropertyGroup>
+		<TargetFrameworks>net8.0;net9.0;net10.0</TargetFrameworks>
+		<ImplicitUsings>enable</ImplicitUsings>
+		<Nullable>enable</Nullable>
+		<GenerateDocumentationFile>true</GenerateDocumentationFile>
+	</PropertyGroup>
+
+	<ItemGroup>
+	  <PackageReference Include="Konscious.Security.Cryptography.Argon2" Version="1.3.1" />
+	</ItemGroup>
+
+	<ItemGroup>
+	  <ProjectReference Include="..\..\CodeBeam.UltimateAuth.Core\CodeBeam.UltimateAuth.Core.csproj" />
+	</ItemGroup>
+
+</Project>