Less Logging In (#978)

* Implemented the framework for Refresh Token. Needs testing.

* Implemented Refresh Tokens. Users are issued tokens that last 7 days, just before the 7 days, the UI will request a new token to avoid having to re-authenticate.

API/Controllers/AccountController.cs

@@ -139,6 +139,7 @@ namespace API.Controllers
                 {
                     Username = user.UserName,
                     Token = await _tokenService.CreateToken(user),
+                    RefreshToken = await _tokenService.CreateRefreshToken(user),
                     ApiKey = user.ApiKey,
                     Preferences = _mapper.Map<UserPreferencesDto>(user.UserPreferences)
                 };
@@ -192,11 +193,24 @@ namespace API.Controllers
             {
                 Username = user.UserName,
                 Token = await _tokenService.CreateToken(user),
+                RefreshToken = await _tokenService.CreateRefreshToken(user),
                 ApiKey = user.ApiKey,
                 Preferences = _mapper.Map<UserPreferencesDto>(user.UserPreferences)
             };
         }
 
+        [HttpPost("refresh-token")]
+        public async Task<ActionResult<TokenRequestDto>> RefreshToken([FromBody] TokenRequestDto tokenRequestDto)
+        {
+            var token = await _tokenService.ValidateRefreshToken(tokenRequestDto);
+            if (token == null)
+            {
+                return Unauthorized(new { message = "Invalid token" });
+            }
+
+            return Ok(token);
+        }
+
         /// <summary>
         /// Get All Roles back. See <see cref="PolicyConstants"/>
         /// </summary>

API/DTOs/Account/TokenRequestDto.cs

@@ -0,0 +1,7 @@
+namespace API.DTOs.Account;
+
+public class TokenRequestDto
+{
+    public string Token { get; init; }
+    public string RefreshToken { get; init; }
+}

API/DTOs/UserDto.cs

@@ -5,6 +5,7 @@ namespace API.DTOs
     {
         public string Username { get; init; }
         public string Token { get; init; }
+        public string RefreshToken { get; init; }
         public string ApiKey { get; init; }
         public UserPreferencesDto Preferences { get; set; }
     }

API/Extensions/IdentityServiceExtensions.cs

@@ -1,8 +1,10 @@
-using System.Text;
+using System;
+using System.Text;
 using System.Threading.Tasks;
 using API.Constants;
 using API.Data;
 using API.Entities;
+using ExCSS;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authorization.Infrastructure;
 using Microsoft.AspNetCore.Identity;
@@ -26,6 +28,7 @@ namespace API.Extensions
                     opt.Password.RequireNonAlphanumeric = false;
                     opt.Password.RequiredLength = 6;
                 })
+                .AddTokenProvider<DataProtectorTokenProvider<AppUser>>(TokenOptions.DefaultProvider)
                 .AddRoles<AppRole>()
                 .AddRoleManager<RoleManager<AppRole>>()
                 .AddSignInManager<SignInManager<AppUser>>()
@@ -40,7 +43,8 @@ namespace API.Extensions
                         ValidateIssuerSigningKey = true,
                         IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(config["TokenKey"])),
                         ValidateIssuer = false,
-                        ValidateAudience = false
+                        ValidateAudience = false,
+                        ValidIssuer = "Kavita"
                     };
 
                     options.Events = new JwtBearerEvents()

API/Services/TokenService.cs

@@ -5,6 +5,7 @@ using System.Linq;
 using System.Security.Claims;
 using System.Text;
 using System.Threading.Tasks;
+using API.DTOs.Account;
 using API.Entities;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.Configuration;
@@ -17,6 +18,8 @@ namespace API.Services;
 public interface ITokenService
 {
     Task<string> CreateToken(AppUser user);
+    Task<TokenRequestDto> ValidateRefreshToken(TokenRequestDto request);
+    Task<string> CreateRefreshToken(AppUser user);
 }
 
 public class TokenService : ITokenService
@@ -56,4 +59,33 @@ public class TokenService : ITokenService
 
         return tokenHandler.WriteToken(token);
     }
+
+    public async Task<string> CreateRefreshToken(AppUser user)
+    {
+        await _userManager.RemoveAuthenticationTokenAsync(user, TokenOptions.DefaultProvider, "RefreshToken");
+        var refreshToken = await _userManager.GenerateUserTokenAsync(user, TokenOptions.DefaultProvider, "RefreshToken");
+        await _userManager.SetAuthenticationTokenAsync(user, TokenOptions.DefaultProvider, "RefreshToken", refreshToken);
+        return refreshToken;
+    }
+
+    public async Task<TokenRequestDto> ValidateRefreshToken(TokenRequestDto request)
+    {
+        var tokenHandler = new JwtSecurityTokenHandler();
+        var tokenContent = tokenHandler.ReadJwtToken(request.Token);
+        var username = tokenContent.Claims.FirstOrDefault(q => q.Type == JwtRegisteredClaimNames.NameId)?.Value;
+        var user = await _userManager.FindByNameAsync(username);
+        var isValid = await _userManager.VerifyUserTokenAsync(user, TokenOptions.DefaultProvider, "RefreshToken", request.RefreshToken);
+        if (isValid)
+        {
+            return new TokenRequestDto()
+            {
+                Token = await CreateToken(user),
+                RefreshToken = await CreateRefreshToken(user)
+            };
+        }
+
+        await _userManager.UpdateSecurityStampAsync(user);
+
+        return null;
+    }
 }

UI/Web/src/app/_models/user.ts

@@ -4,6 +4,7 @@ import { Preferences } from './preferences/preferences';
 export interface User {
     username: string;
     token: string;
+    refreshToken: string;
     roles: string[];
     preferences: Preferences;
     apiKey: string;

UI/Web/src/app/_services/account.service.ts

@@ -1,6 +1,6 @@
 import { HttpClient } from '@angular/common/http';
 import { Injectable, OnDestroy } from '@angular/core';
-import { Observable, ReplaySubject, Subject } from 'rxjs';
+import { Observable, of, ReplaySubject, Subject } from 'rxjs';
 import { map, takeUntil } from 'rxjs/operators';
 import { environment } from 'src/environments/environment';
 import { Preferences } from '../_models/preferences/preferences';
@@ -22,6 +22,11 @@ export class AccountService implements OnDestroy {
   private currentUserSource = new ReplaySubject<User>(1);
   currentUser$ = this.currentUserSource.asObservable();
 
+  /**
+   * SetTimeout handler for keeping track of refresh token call
+   */
+  private refreshTokenTimeout: ReturnType<typeof setTimeout> | undefined;
+
   private readonly onDestroy = new Subject<void>();
 
   constructor(private httpClient: HttpClient, private router: Router, 
@@ -69,17 +74,37 @@ export class AccountService implements OnDestroy {
 
     this.currentUserSource.next(user);
     this.currentUser = user;
+    if (this.currentUser !== undefined) {
+      this.startRefreshTokenTimer();
+    } else {
+      this.stopRefreshTokenTimer();
+    }
   }
 
   logout() {
     localStorage.removeItem(this.userKey);
     this.currentUserSource.next(undefined);
     this.currentUser = undefined;
+    this.stopRefreshTokenTimer();
     // Upon logout, perform redirection
     this.router.navigateByUrl('/login');
     this.messageHub.stopHubConnection();
   }
 
+  // setCurrentUser() {
+  //   // TODO: Refactor this to setCurentUser in accoutnService
+  //   const user = this.getUserFromLocalStorage();
+
+
+  //   if (user) {
+  //     this.navService.setDarkMode(user.preferences.siteDarkMode);
+  //     this.messageHub.createHubConnection(user, this.accountService.hasAdminRole(user));
+  //     this.libraryService.getLibraryNames().pipe(take(1)).subscribe(() => {/* No Operation */});
+  //   } else {
+  //     this.navService.setDarkMode(true);
+  //   }
+  // }
+
   register(model: {username: string, password: string, isAdmin?: boolean}) {
     if (!model.hasOwnProperty('isAdmin')) {
       model.isAdmin = false;
@@ -135,8 +160,45 @@ export class AccountService implements OnDestroy {
       }
       return key;
     }));
-
-    
   }
 
+  private refreshToken() {
+    if (this.currentUser === null || this.currentUser === undefined) return of();
+
+    return this.httpClient.post<{token: string, refreshToken: string}>(this.baseUrl + 'account/refresh-token', {token: this.currentUser.token, refreshToken: this.currentUser.refreshToken}).pipe(map(user => {
+      if (this.currentUser) {
+        this.currentUser.token = user.token;
+        this.currentUser.refreshToken = user.refreshToken;
+      }
+      
+      this.currentUserSource.next(this.currentUser);
+      this.startRefreshTokenTimer();
+      return user;
+    }));
+  }
+
+  private startRefreshTokenTimer() {
+    if (this.currentUser === null || this.currentUser === undefined) return;
+
+    if (this.refreshTokenTimeout !== undefined) {
+      this.stopRefreshTokenTimer();
+    }
+
+    const jwtToken = JSON.parse(atob(this.currentUser.token.split('.')[1]));
+    // set a timeout to refresh the token a minute before it expires
+    const expires = new Date(jwtToken.exp * 1000);
+    const timeout = expires.getTime() - Date.now() - (60 * 1000);
+    this.refreshTokenTimeout = setTimeout(() => this.refreshToken().subscribe(() => {
+      console.log('Token Refreshed');
+    }), timeout);
+  }
+
+  private stopRefreshTokenTimer() {
+    if (this.refreshTokenTimeout !== undefined) {
+      clearTimeout(this.refreshTokenTimeout);
+    }
+  }
+
+
+
 }

UI/Web/src/app/app.component.ts

@@ -40,7 +40,6 @@ export class AppComponent implements OnInit {
 
   setCurrentUser() {
     const user = this.accountService.getUserFromLocalStorage();
-
     this.accountService.setCurrentUser(user);
 
     if (user) {