Last Release before Release Testing (#2017)

* Attempting to invalidate JWT on login (when locked out), but can't figure a way to get a JWT, since we don't store them. Just committing as I'm going to remove the middleware, this is not worth the performance and complexity. * Removed some security stuff that didn't line up. * Dropping Token Expiration down to 2 days to test during release testing.
2023-05-28 09:07:05 -05:00 · 2023-05-28 09:07:05 -05:00 · 5a95911483
commit 5a95911483
parent 3eeb131985
7 changed files with 88 additions and 6 deletions
--- a/API/Middleware/JWTRevocationMiddleware.cs
+++ b/API/Middleware/JWTRevocationMiddleware.cs
@ -0,0 +1,57 @@
+using System.Threading.Tasks;
+using API.Constants;
+using EasyCaching.Core;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Logging;
+
+namespace API.Middleware;
+
+/// <summary>
+/// Responsible for maintaining an in-memory. Not in use
+/// </summary>
+public class JwtRevocationMiddleware
+{
+    private readonly RequestDelegate _next;
+    private readonly IEasyCachingProviderFactory _cacheFactory;
+    private readonly ILogger<JwtRevocationMiddleware> _logger;
+
+    public JwtRevocationMiddleware(RequestDelegate next, IEasyCachingProviderFactory cacheFactory, ILogger<JwtRevocationMiddleware> logger)
+    {
+        _next = next;
+        _cacheFactory = cacheFactory;
+        _logger = logger;
+    }
+
+    public async Task InvokeAsync(HttpContext context)
+    {
+        if (context.User.Identity is {IsAuthenticated: false})
+        {
+            await _next(context);
+            return;
+        }
+
+        // Get the JWT from the request headers or wherever you store it
+        var token = context.Request.Headers["Authorization"].ToString()?.Replace("Bearer ", string.Empty);
+
+        // Check if the token is revoked
+        if (await IsTokenRevoked(token))
+        {
+            _logger.LogWarning("Revoked token detected: {Token}", token);
+            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+            return;
+        }
+
+        await _next(context);
+    }
+
+    private async Task<bool> IsTokenRevoked(string token)
+    {
+        // Check if the token exists in the revocation list stored in the cache
+        var isRevoked = await _cacheFactory.GetCachingProvider(EasyCacheProfiles.RevokedJwt)
+            .GetAsync<string>(token);
+
+
+        return isRevoked.HasValue;
+    }
+}