diff --git a/API/Controllers/AccountController.cs b/API/Controllers/AccountController.cs index 3d3a93f85..cfc3a1c7a 100644 --- a/API/Controllers/AccountController.cs +++ b/API/Controllers/AccountController.cs @@ -139,6 +139,7 @@ namespace API.Controllers { Username = user.UserName, Token = await _tokenService.CreateToken(user), + RefreshToken = await _tokenService.CreateRefreshToken(user), ApiKey = user.ApiKey, Preferences = _mapper.Map(user.UserPreferences) }; @@ -192,11 +193,24 @@ namespace API.Controllers { Username = user.UserName, Token = await _tokenService.CreateToken(user), + RefreshToken = await _tokenService.CreateRefreshToken(user), ApiKey = user.ApiKey, Preferences = _mapper.Map(user.UserPreferences) }; } + [HttpPost("refresh-token")] + public async Task> RefreshToken([FromBody] TokenRequestDto tokenRequestDto) + { + var token = await _tokenService.ValidateRefreshToken(tokenRequestDto); + if (token == null) + { + return Unauthorized(new { message = "Invalid token" }); + } + + return Ok(token); + } + /// /// Get All Roles back. See /// diff --git a/API/DTOs/Account/TokenRequestDto.cs b/API/DTOs/Account/TokenRequestDto.cs new file mode 100644 index 000000000..508e0c75c --- /dev/null +++ b/API/DTOs/Account/TokenRequestDto.cs @@ -0,0 +1,7 @@ +namespace API.DTOs.Account; + +public class TokenRequestDto +{ + public string Token { get; init; } + public string RefreshToken { get; init; } +} diff --git a/API/DTOs/UserDto.cs b/API/DTOs/UserDto.cs index d9c232578..d7d6be2e9 100644 --- a/API/DTOs/UserDto.cs +++ b/API/DTOs/UserDto.cs @@ -5,6 +5,7 @@ namespace API.DTOs { public string Username { get; init; } public string Token { get; init; } + public string RefreshToken { get; init; } public string ApiKey { get; init; } public UserPreferencesDto Preferences { get; set; } } diff --git a/API/Extensions/IdentityServiceExtensions.cs b/API/Extensions/IdentityServiceExtensions.cs index cf2ca4635..bdf177586 100644 --- a/API/Extensions/IdentityServiceExtensions.cs +++ b/API/Extensions/IdentityServiceExtensions.cs @@ -1,8 +1,10 @@ -using System.Text; +using System; +using System.Text; using System.Threading.Tasks; using API.Constants; using API.Data; using API.Entities; +using ExCSS; using Microsoft.AspNetCore.Authentication.JwtBearer; using Microsoft.AspNetCore.Authorization.Infrastructure; using Microsoft.AspNetCore.Identity; @@ -26,6 +28,7 @@ namespace API.Extensions opt.Password.RequireNonAlphanumeric = false; opt.Password.RequiredLength = 6; }) + .AddTokenProvider>(TokenOptions.DefaultProvider) .AddRoles() .AddRoleManager>() .AddSignInManager>() @@ -40,7 +43,8 @@ namespace API.Extensions ValidateIssuerSigningKey = true, IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(config["TokenKey"])), ValidateIssuer = false, - ValidateAudience = false + ValidateAudience = false, + ValidIssuer = "Kavita" }; options.Events = new JwtBearerEvents() diff --git a/API/Services/TokenService.cs b/API/Services/TokenService.cs index 8145b330e..ffd3c9429 100644 --- a/API/Services/TokenService.cs +++ b/API/Services/TokenService.cs @@ -5,6 +5,7 @@ using System.Linq; using System.Security.Claims; using System.Text; using System.Threading.Tasks; +using API.DTOs.Account; using API.Entities; using Microsoft.AspNetCore.Identity; using Microsoft.Extensions.Configuration; @@ -17,6 +18,8 @@ namespace API.Services; public interface ITokenService { Task CreateToken(AppUser user); + Task ValidateRefreshToken(TokenRequestDto request); + Task CreateRefreshToken(AppUser user); } public class TokenService : ITokenService @@ -56,4 +59,33 @@ public class TokenService : ITokenService return tokenHandler.WriteToken(token); } + + public async Task CreateRefreshToken(AppUser user) + { + await _userManager.RemoveAuthenticationTokenAsync(user, TokenOptions.DefaultProvider, "RefreshToken"); + var refreshToken = await _userManager.GenerateUserTokenAsync(user, TokenOptions.DefaultProvider, "RefreshToken"); + await _userManager.SetAuthenticationTokenAsync(user, TokenOptions.DefaultProvider, "RefreshToken", refreshToken); + return refreshToken; + } + + public async Task ValidateRefreshToken(TokenRequestDto request) + { + var tokenHandler = new JwtSecurityTokenHandler(); + var tokenContent = tokenHandler.ReadJwtToken(request.Token); + var username = tokenContent.Claims.FirstOrDefault(q => q.Type == JwtRegisteredClaimNames.NameId)?.Value; + var user = await _userManager.FindByNameAsync(username); + var isValid = await _userManager.VerifyUserTokenAsync(user, TokenOptions.DefaultProvider, "RefreshToken", request.RefreshToken); + if (isValid) + { + return new TokenRequestDto() + { + Token = await CreateToken(user), + RefreshToken = await CreateRefreshToken(user) + }; + } + + await _userManager.UpdateSecurityStampAsync(user); + + return null; + } } diff --git a/UI/Web/src/app/_models/user.ts b/UI/Web/src/app/_models/user.ts index 74b7913a0..626e56a5f 100644 --- a/UI/Web/src/app/_models/user.ts +++ b/UI/Web/src/app/_models/user.ts @@ -4,6 +4,7 @@ import { Preferences } from './preferences/preferences'; export interface User { username: string; token: string; + refreshToken: string; roles: string[]; preferences: Preferences; apiKey: string; diff --git a/UI/Web/src/app/_services/account.service.ts b/UI/Web/src/app/_services/account.service.ts index d3006815a..7b6159b51 100644 --- a/UI/Web/src/app/_services/account.service.ts +++ b/UI/Web/src/app/_services/account.service.ts @@ -1,6 +1,6 @@ import { HttpClient } from '@angular/common/http'; import { Injectable, OnDestroy } from '@angular/core'; -import { Observable, ReplaySubject, Subject } from 'rxjs'; +import { Observable, of, ReplaySubject, Subject } from 'rxjs'; import { map, takeUntil } from 'rxjs/operators'; import { environment } from 'src/environments/environment'; import { Preferences } from '../_models/preferences/preferences'; @@ -22,6 +22,11 @@ export class AccountService implements OnDestroy { private currentUserSource = new ReplaySubject(1); currentUser$ = this.currentUserSource.asObservable(); + /** + * SetTimeout handler for keeping track of refresh token call + */ + private refreshTokenTimeout: ReturnType | undefined; + private readonly onDestroy = new Subject(); constructor(private httpClient: HttpClient, private router: Router, @@ -69,17 +74,37 @@ export class AccountService implements OnDestroy { this.currentUserSource.next(user); this.currentUser = user; + if (this.currentUser !== undefined) { + this.startRefreshTokenTimer(); + } else { + this.stopRefreshTokenTimer(); + } } logout() { localStorage.removeItem(this.userKey); this.currentUserSource.next(undefined); this.currentUser = undefined; + this.stopRefreshTokenTimer(); // Upon logout, perform redirection this.router.navigateByUrl('/login'); this.messageHub.stopHubConnection(); } + // setCurrentUser() { + // // TODO: Refactor this to setCurentUser in accoutnService + // const user = this.getUserFromLocalStorage(); + + + // if (user) { + // this.navService.setDarkMode(user.preferences.siteDarkMode); + // this.messageHub.createHubConnection(user, this.accountService.hasAdminRole(user)); + // this.libraryService.getLibraryNames().pipe(take(1)).subscribe(() => {/* No Operation */}); + // } else { + // this.navService.setDarkMode(true); + // } + // } + register(model: {username: string, password: string, isAdmin?: boolean}) { if (!model.hasOwnProperty('isAdmin')) { model.isAdmin = false; @@ -135,8 +160,45 @@ export class AccountService implements OnDestroy { } return key; })); - - } + private refreshToken() { + if (this.currentUser === null || this.currentUser === undefined) return of(); + + return this.httpClient.post<{token: string, refreshToken: string}>(this.baseUrl + 'account/refresh-token', {token: this.currentUser.token, refreshToken: this.currentUser.refreshToken}).pipe(map(user => { + if (this.currentUser) { + this.currentUser.token = user.token; + this.currentUser.refreshToken = user.refreshToken; + } + + this.currentUserSource.next(this.currentUser); + this.startRefreshTokenTimer(); + return user; + })); + } + + private startRefreshTokenTimer() { + if (this.currentUser === null || this.currentUser === undefined) return; + + if (this.refreshTokenTimeout !== undefined) { + this.stopRefreshTokenTimer(); + } + + const jwtToken = JSON.parse(atob(this.currentUser.token.split('.')[1])); + // set a timeout to refresh the token a minute before it expires + const expires = new Date(jwtToken.exp * 1000); + const timeout = expires.getTime() - Date.now() - (60 * 1000); + this.refreshTokenTimeout = setTimeout(() => this.refreshToken().subscribe(() => { + console.log('Token Refreshed'); + }), timeout); + } + + private stopRefreshTokenTimer() { + if (this.refreshTokenTimeout !== undefined) { + clearTimeout(this.refreshTokenTimeout); + } + } + + + } diff --git a/UI/Web/src/app/app.component.ts b/UI/Web/src/app/app.component.ts index c4a8cd863..1378a292a 100644 --- a/UI/Web/src/app/app.component.ts +++ b/UI/Web/src/app/app.component.ts @@ -40,7 +40,6 @@ export class AppComponent implements OnInit { setCurrentUser() { const user = this.accountService.getUserFromLocalStorage(); - this.accountService.setCurrentUser(user); if (user) {