Less Logging In (#978)

* Implemented the framework for Refresh Token. Needs testing.

* Implemented Refresh Tokens. Users are issued tokens that last 7 days, just before the 7 days, the UI will request a new token to avoid having to re-authenticate.
This commit is contained in:
Joseph Milazzo 2022-01-22 06:36:32 -08:00 committed by GitHub
parent 52493cac70
commit 6c73f8b61a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 126 additions and 6 deletions

View File

@ -139,6 +139,7 @@ namespace API.Controllers
{
Username = user.UserName,
Token = await _tokenService.CreateToken(user),
RefreshToken = await _tokenService.CreateRefreshToken(user),
ApiKey = user.ApiKey,
Preferences = _mapper.Map<UserPreferencesDto>(user.UserPreferences)
};
@ -192,11 +193,24 @@ namespace API.Controllers
{
Username = user.UserName,
Token = await _tokenService.CreateToken(user),
RefreshToken = await _tokenService.CreateRefreshToken(user),
ApiKey = user.ApiKey,
Preferences = _mapper.Map<UserPreferencesDto>(user.UserPreferences)
};
}
[HttpPost("refresh-token")]
public async Task<ActionResult<TokenRequestDto>> RefreshToken([FromBody] TokenRequestDto tokenRequestDto)
{
var token = await _tokenService.ValidateRefreshToken(tokenRequestDto);
if (token == null)
{
return Unauthorized(new { message = "Invalid token" });
}
return Ok(token);
}
/// <summary>
/// Get All Roles back. See <see cref="PolicyConstants"/>
/// </summary>

View File

@ -0,0 +1,7 @@
namespace API.DTOs.Account;
public class TokenRequestDto
{
public string Token { get; init; }
public string RefreshToken { get; init; }
}

View File

@ -5,6 +5,7 @@ namespace API.DTOs
{
public string Username { get; init; }
public string Token { get; init; }
public string RefreshToken { get; init; }
public string ApiKey { get; init; }
public UserPreferencesDto Preferences { get; set; }
}

View File

@ -1,8 +1,10 @@
using System.Text;
using System;
using System.Text;
using System.Threading.Tasks;
using API.Constants;
using API.Data;
using API.Entities;
using ExCSS;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Identity;
@ -26,6 +28,7 @@ namespace API.Extensions
opt.Password.RequireNonAlphanumeric = false;
opt.Password.RequiredLength = 6;
})
.AddTokenProvider<DataProtectorTokenProvider<AppUser>>(TokenOptions.DefaultProvider)
.AddRoles<AppRole>()
.AddRoleManager<RoleManager<AppRole>>()
.AddSignInManager<SignInManager<AppUser>>()
@ -40,7 +43,8 @@ namespace API.Extensions
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(config["TokenKey"])),
ValidateIssuer = false,
ValidateAudience = false
ValidateAudience = false,
ValidIssuer = "Kavita"
};
options.Events = new JwtBearerEvents()

View File

@ -5,6 +5,7 @@ using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using API.DTOs.Account;
using API.Entities;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Configuration;
@ -17,6 +18,8 @@ namespace API.Services;
public interface ITokenService
{
Task<string> CreateToken(AppUser user);
Task<TokenRequestDto> ValidateRefreshToken(TokenRequestDto request);
Task<string> CreateRefreshToken(AppUser user);
}
public class TokenService : ITokenService
@ -56,4 +59,33 @@ public class TokenService : ITokenService
return tokenHandler.WriteToken(token);
}
public async Task<string> CreateRefreshToken(AppUser user)
{
await _userManager.RemoveAuthenticationTokenAsync(user, TokenOptions.DefaultProvider, "RefreshToken");
var refreshToken = await _userManager.GenerateUserTokenAsync(user, TokenOptions.DefaultProvider, "RefreshToken");
await _userManager.SetAuthenticationTokenAsync(user, TokenOptions.DefaultProvider, "RefreshToken", refreshToken);
return refreshToken;
}
public async Task<TokenRequestDto> ValidateRefreshToken(TokenRequestDto request)
{
var tokenHandler = new JwtSecurityTokenHandler();
var tokenContent = tokenHandler.ReadJwtToken(request.Token);
var username = tokenContent.Claims.FirstOrDefault(q => q.Type == JwtRegisteredClaimNames.NameId)?.Value;
var user = await _userManager.FindByNameAsync(username);
var isValid = await _userManager.VerifyUserTokenAsync(user, TokenOptions.DefaultProvider, "RefreshToken", request.RefreshToken);
if (isValid)
{
return new TokenRequestDto()
{
Token = await CreateToken(user),
RefreshToken = await CreateRefreshToken(user)
};
}
await _userManager.UpdateSecurityStampAsync(user);
return null;
}
}

View File

@ -4,6 +4,7 @@ import { Preferences } from './preferences/preferences';
export interface User {
username: string;
token: string;
refreshToken: string;
roles: string[];
preferences: Preferences;
apiKey: string;

View File

@ -1,6 +1,6 @@
import { HttpClient } from '@angular/common/http';
import { Injectable, OnDestroy } from '@angular/core';
import { Observable, ReplaySubject, Subject } from 'rxjs';
import { Observable, of, ReplaySubject, Subject } from 'rxjs';
import { map, takeUntil } from 'rxjs/operators';
import { environment } from 'src/environments/environment';
import { Preferences } from '../_models/preferences/preferences';
@ -22,6 +22,11 @@ export class AccountService implements OnDestroy {
private currentUserSource = new ReplaySubject<User>(1);
currentUser$ = this.currentUserSource.asObservable();
/**
* SetTimeout handler for keeping track of refresh token call
*/
private refreshTokenTimeout: ReturnType<typeof setTimeout> | undefined;
private readonly onDestroy = new Subject<void>();
constructor(private httpClient: HttpClient, private router: Router,
@ -69,17 +74,37 @@ export class AccountService implements OnDestroy {
this.currentUserSource.next(user);
this.currentUser = user;
if (this.currentUser !== undefined) {
this.startRefreshTokenTimer();
} else {
this.stopRefreshTokenTimer();
}
}
logout() {
localStorage.removeItem(this.userKey);
this.currentUserSource.next(undefined);
this.currentUser = undefined;
this.stopRefreshTokenTimer();
// Upon logout, perform redirection
this.router.navigateByUrl('/login');
this.messageHub.stopHubConnection();
}
// setCurrentUser() {
// // TODO: Refactor this to setCurentUser in accoutnService
// const user = this.getUserFromLocalStorage();
// if (user) {
// this.navService.setDarkMode(user.preferences.siteDarkMode);
// this.messageHub.createHubConnection(user, this.accountService.hasAdminRole(user));
// this.libraryService.getLibraryNames().pipe(take(1)).subscribe(() => {/* No Operation */});
// } else {
// this.navService.setDarkMode(true);
// }
// }
register(model: {username: string, password: string, isAdmin?: boolean}) {
if (!model.hasOwnProperty('isAdmin')) {
model.isAdmin = false;
@ -135,8 +160,45 @@ export class AccountService implements OnDestroy {
}
return key;
}));
}
private refreshToken() {
if (this.currentUser === null || this.currentUser === undefined) return of();
return this.httpClient.post<{token: string, refreshToken: string}>(this.baseUrl + 'account/refresh-token', {token: this.currentUser.token, refreshToken: this.currentUser.refreshToken}).pipe(map(user => {
if (this.currentUser) {
this.currentUser.token = user.token;
this.currentUser.refreshToken = user.refreshToken;
}
this.currentUserSource.next(this.currentUser);
this.startRefreshTokenTimer();
return user;
}));
}
private startRefreshTokenTimer() {
if (this.currentUser === null || this.currentUser === undefined) return;
if (this.refreshTokenTimeout !== undefined) {
this.stopRefreshTokenTimer();
}
const jwtToken = JSON.parse(atob(this.currentUser.token.split('.')[1]));
// set a timeout to refresh the token a minute before it expires
const expires = new Date(jwtToken.exp * 1000);
const timeout = expires.getTime() - Date.now() - (60 * 1000);
this.refreshTokenTimeout = setTimeout(() => this.refreshToken().subscribe(() => {
console.log('Token Refreshed');
}), timeout);
}
private stopRefreshTokenTimer() {
if (this.refreshTokenTimeout !== undefined) {
clearTimeout(this.refreshTokenTimeout);
}
}
}

View File

@ -40,7 +40,6 @@ export class AppComponent implements OnInit {
setCurrentUser() {
const user = this.accountService.getUserFromLocalStorage();
this.accountService.setCurrentUser(user);
if (user) {