Less Logging In (#978)

* Implemented the framework for Refresh Token. Needs testing. * Implemented Refresh Tokens. Users are issued tokens that last 7 days, just before the 7 days, the UI will request a new token to avoid having to re-authenticate.
2022-01-22 06:36:32 -08:00 · 2022-01-22 06:36:32 -08:00 · 6c73f8b61a
commit 6c73f8b61a
parent 52493cac70
8 changed files with 126 additions and 6 deletions
--- a/API/Controllers/AccountController.cs
+++ b/API/Controllers/AccountController.cs
@ -139,6 +139,7 @@ namespace API.Controllers
                {
                    Username = user.UserName,
                    Token = await _tokenService.CreateToken(user),
+                    RefreshToken = await _tokenService.CreateRefreshToken(user),
                    ApiKey = user.ApiKey,
                    Preferences = _mapper.Map<UserPreferencesDto>(user.UserPreferences)
                };
@ -192,11 +193,24 @@ namespace API.Controllers
            {
                Username = user.UserName,
                Token = await _tokenService.CreateToken(user),
+                RefreshToken = await _tokenService.CreateRefreshToken(user),
                ApiKey = user.ApiKey,
                Preferences = _mapper.Map<UserPreferencesDto>(user.UserPreferences)
            };
        }

+        [HttpPost("refresh-token")]
+        public async Task<ActionResult<TokenRequestDto>> RefreshToken([FromBody] TokenRequestDto tokenRequestDto)
+        {
+            var token = await _tokenService.ValidateRefreshToken(tokenRequestDto);
+            if (token == null)
+            {
+                return Unauthorized(new { message = "Invalid token" });
+            }
+
+            return Ok(token);
+        }
+
        /// <summary>
        /// Get All Roles back. See <see cref="PolicyConstants"/>
        /// </summary>
--- a/API/DTOs/Account/TokenRequestDto.cs
+++ b/API/DTOs/Account/TokenRequestDto.cs
@ -0,0 +1,7 @@
+namespace API.DTOs.Account;
+
+public class TokenRequestDto
+{
+    public string Token { get; init; }
+    public string RefreshToken { get; init; }
+}
--- a/API/DTOs/UserDto.cs
+++ b/API/DTOs/UserDto.cs
@ -5,6 +5,7 @@ namespace API.DTOs
    {
        public string Username { get; init; }
        public string Token { get; init; }
+        public string RefreshToken { get; init; }
        public string ApiKey { get; init; }
        public UserPreferencesDto Preferences { get; set; }
    }
--- a/API/Extensions/IdentityServiceExtensions.cs
+++ b/API/Extensions/IdentityServiceExtensions.cs
@ -1,8 +1,10 @@
-using System.Text;
+using System;
+using System.Text;
 using System.Threading.Tasks;
 using API.Constants;
 using API.Data;
 using API.Entities;
+using ExCSS;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authorization.Infrastructure;
 using Microsoft.AspNetCore.Identity;
@ -26,6 +28,7 @@ namespace API.Extensions
                    opt.Password.RequireNonAlphanumeric = false;
                    opt.Password.RequiredLength = 6;
                })
+                .AddTokenProvider<DataProtectorTokenProvider<AppUser>>(TokenOptions.DefaultProvider)
                .AddRoles<AppRole>()
                .AddRoleManager<RoleManager<AppRole>>()
                .AddSignInManager<SignInManager<AppUser>>()
@ -40,7 +43,8 @@ namespace API.Extensions
                        ValidateIssuerSigningKey = true,
                        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(config["TokenKey"])),
                        ValidateIssuer = false,
-                        ValidateAudience = false
+                        ValidateAudience = false,
+                        ValidIssuer = "Kavita"
                    };

                    options.Events = new JwtBearerEvents()
--- a/API/Services/TokenService.cs
+++ b/API/Services/TokenService.cs
@ -5,6 +5,7 @@ using System.Linq;
 using System.Security.Claims;
 using System.Text;
 using System.Threading.Tasks;
+using API.DTOs.Account;
 using API.Entities;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.Configuration;
@ -17,6 +18,8 @@ namespace API.Services;
 public interface ITokenService
 {
    Task<string> CreateToken(AppUser user);
+    Task<TokenRequestDto> ValidateRefreshToken(TokenRequestDto request);
+    Task<string> CreateRefreshToken(AppUser user);
 }

 public class TokenService : ITokenService
@ -56,4 +59,33 @@ public class TokenService : ITokenService

        return tokenHandler.WriteToken(token);
    }
+
+    public async Task<string> CreateRefreshToken(AppUser user)
+    {
+        await _userManager.RemoveAuthenticationTokenAsync(user, TokenOptions.DefaultProvider, "RefreshToken");
+        var refreshToken = await _userManager.GenerateUserTokenAsync(user, TokenOptions.DefaultProvider, "RefreshToken");
+        await _userManager.SetAuthenticationTokenAsync(user, TokenOptions.DefaultProvider, "RefreshToken", refreshToken);
+        return refreshToken;
+    }
+
+    public async Task<TokenRequestDto> ValidateRefreshToken(TokenRequestDto request)
+    {
+        var tokenHandler = new JwtSecurityTokenHandler();
+        var tokenContent = tokenHandler.ReadJwtToken(request.Token);
+        var username = tokenContent.Claims.FirstOrDefault(q => q.Type == JwtRegisteredClaimNames.NameId)?.Value;
+        var user = await _userManager.FindByNameAsync(username);
+        var isValid = await _userManager.VerifyUserTokenAsync(user, TokenOptions.DefaultProvider, "RefreshToken", request.RefreshToken);
+        if (isValid)
+        {
+            return new TokenRequestDto()
+            {
+                Token = await CreateToken(user),
+                RefreshToken = await CreateRefreshToken(user)
+            };
+        }
+
+        await _userManager.UpdateSecurityStampAsync(user);
+
+        return null;
+    }
 }