kai/ColaFlow
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat(backend): Implement Refresh Token mechanism (Day 5 Phase 1)

Browse Source 
Implemented secure refresh token rotation with the following features:
- RefreshToken domain entity with IsExpired(), IsRevoked(), IsActive(), Revoke() methods
- IRefreshTokenService with token generation, rotation, and revocation
- RefreshTokenService with SHA-256 hashing and token family tracking
- RefreshTokenRepository for database operations
- Database migration for refresh_tokens table with proper indexes
- Updated LoginCommandHandler and RegisterTenantCommandHandler to return refresh tokens
- Added POST /api/auth/refresh endpoint (token rotation)
- Added POST /api/auth/logout endpoint (revoke single token)
- Added POST /api/auth/logout-all endpoint (revoke all user tokens)
- Updated JWT access token expiration to 15 minutes (from 60)
- Refresh token expiration set to 7 days
- Security features: token reuse detection, IP address tracking, user-agent logging

Changes:
- Domain: RefreshToken.cs, IRefreshTokenRepository.cs
- Application: IRefreshTokenService.cs, updated LoginResponseDto and RegisterTenantResult
- Infrastructure: RefreshTokenService.cs, RefreshTokenRepository.cs, RefreshTokenConfiguration.cs
- API: AuthController.cs (3 new endpoints), RefreshTokenRequest.cs, LogoutRequest.cs
- Configuration: appsettings.Development.json (updated JWT settings)
- DI: DependencyInjection.cs (registered new services)
- Migration: AddRefreshTokens migration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Yaojia Wang
2025-11-03 14:44:36 +01:00
parent 1f66b25f30
commit 9e2edb2965
32 changed files with 4669 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

389
colaflow-api/DAY4-IMPLEMENTATION-SUMMARY.md Normal file
View File

@@ -0,0 +1,389 @@
# Day 4 Implementation Summary: JWT Service + Password Hashing + Authentication Middleware
## Date: 2025-11-03
---
## Overview
Successfully implemented **Day 4** objectives:
- ✅ JWT Token Generation Service
- ✅ BCrypt Password Hashing Service
- ✅ Real JWT Authentication Middleware
- ✅ Protected Endpoints with [Authorize]
- ✅ Replaced all dummy tokens with real JWT
- ✅ Compilation Successful
---
## Files Created
### 1. Application Layer Interfaces
**`src/Modules/Identity/ColaFlow.Modules.Identity.Application/Services/IJwtService.cs`**
```csharp
public interface IJwtService
{
string GenerateToken(User user, Tenant tenant);
Task<string> GenerateRefreshTokenAsync(User user, CancellationToken cancellationToken = default);
}
```
**`src/Modules/Identity/ColaFlow.Modules.Identity.Application/Services/IPasswordHasher.cs`**
```csharp
public interface IPasswordHasher
{
string HashPassword(string password);
bool VerifyPassword(string password, string hashedPassword);
}
```
### 2. Infrastructure Layer Implementations
**`src/Modules/Identity/ColaFlow.Modules.Identity.Infrastructure/Services/JwtService.cs`**
- Uses `System.IdentityModel.Tokens.Jwt`
- Generates JWT with tenant and user claims
- Configurable via appsettings (Issuer, Audience, SecretKey, Expiration)
- Token includes: user_id, tenant_id, tenant_slug, email, full_name, auth_provider, role
**`src/Modules/Identity/ColaFlow.Modules.Identity.Infrastructure/Services/PasswordHasher.cs`**
- Uses `BCrypt.Net-Next`
- Work factor: 12 (balance between security and performance)
- HashPassword() - hashes plain text passwords
- VerifyPassword() - verifies password against hash
---
## Files Modified
### 1. Dependency Injection
**`src/Modules/Identity/ColaFlow.Modules.Identity.Infrastructure/DependencyInjection.cs`**
```csharp
// Added services
services.AddScoped<IJwtService, JwtService>();
services.AddScoped<IPasswordHasher, PasswordHasher>();
```
### 2. Command Handlers
**`src/Modules/Identity/ColaFlow.Modules.Identity.Application/Commands/RegisterTenant/RegisterTenantCommandHandler.cs`**
- Removed dummy token generation
- Now uses `IPasswordHasher` to hash admin password
- Now uses `IJwtService` to generate real JWT token
**`src/Modules/Identity/ColaFlow.Modules.Identity.Application/Commands/Login/LoginCommandHandler.cs`**
- Removed dummy token generation
- Now uses `IPasswordHasher.VerifyPassword()` to validate password
- Now uses `IJwtService.GenerateToken()` to generate real JWT token
### 3. API Configuration
**`src/ColaFlow.API/Program.cs`**
- Added JWT Bearer authentication configuration
- Added authentication and authorization middleware
- Token validation parameters: ValidateIssuer, ValidateAudience, ValidateLifetime, ValidateIssuerSigningKey
**`src/ColaFlow.API/appsettings.Development.json`**
```json
{
"Jwt": {
"SecretKey": "your-super-secret-key-min-32-characters-long-12345",
"Issuer": "ColaFlow.API",
"Audience": "ColaFlow.Web",
"ExpirationMinutes": "60"
}
}
```
**`src/ColaFlow.API/Controllers/AuthController.cs`**
- Added `[Authorize]` attribute to `/api/auth/me` endpoint
- Endpoint now extracts and returns JWT claims (user_id, tenant_id, email, etc.)
---
## NuGet Packages Added
| Package | Version | Project | Purpose |
|---------|---------|---------|---------|
| Microsoft.IdentityModel.Tokens | 8.14.0 | Identity.Infrastructure | JWT token validation |
| System.IdentityModel.Tokens.Jwt | 8.14.0 | Identity.Infrastructure | JWT token generation |
| BCrypt.Net-Next | 4.0.3 | Identity.Infrastructure | Password hashing |
| Microsoft.AspNetCore.Authentication.JwtBearer | 9.0.10 | ColaFlow.API | JWT bearer authentication |
---
## JWT Claims Structure
Tokens include the following claims:
```json
{
"sub": "user-guid",
"email": "user@example.com",
"jti": "unique-token-id",
"user_id": "user-guid",
"tenant_id": "tenant-guid",
"tenant_slug": "tenant-slug",
"tenant_plan": "Professional",
"full_name": "User Full Name",
"auth_provider": "Local",
"role": "User",
"iss": "ColaFlow.API",
"aud": "ColaFlow.Web",
"exp": 1762125000
}
```
---
## Security Features Implemented
1. **Password Hashing**: BCrypt with work factor 12
- Passwords are never stored in plain text
- Salted hashing prevents rainbow table attacks
2. **JWT Token Security**:
- HMAC SHA-256 signing algorithm
- 60-minute token expiration (configurable)
- Secret key validation (min 32 characters)
- Issuer and Audience validation
3. **Authentication Middleware**:
- Validates token signature
- Validates token expiration
- Validates issuer and audience
- Rejects requests without valid tokens to protected endpoints
---
## Testing Instructions
### Prerequisites
1. Ensure PostgreSQL is running
2. Database migrations are up to date: `dotnet ef database update --context IdentityDbContext`
### Manual Testing
#### Step 1: Start the API
```bash
cd c:\Users\yaoji\git\ColaCoder\product-master\colaflow-api
dotnet run --project src/ColaFlow.API
```
#### Step 2: Register a Tenant
```powershell
$body = @{
tenantName = "Test Corp"
tenantSlug = "test-corp"
subscriptionPlan = "Professional"
adminEmail = "admin@testcorp.com"
adminPassword = "Admin@1234"
adminFullName = "Test Admin"
} | ConvertTo-Json
$response = Invoke-RestMethod -Uri "http://localhost:5167/api/tenants/register" `
-Method Post `
-ContentType "application/json" `
-Body $body
$token = $response.accessToken
Write-Host "Token: $token"
```
**Expected Result**: Returns JWT token (long base64 string)
#### Step 3: Login with Correct Password
```powershell
$loginBody = @{
tenantSlug = "test-corp"
email = "admin@testcorp.com"
password = "Admin@1234"
} | ConvertTo-Json
$loginResponse = Invoke-RestMethod -Uri "http://localhost:5167/api/auth/login" `
-Method Post `
-ContentType "application/json" `
-Body $loginBody
Write-Host "Login Token: $($loginResponse.accessToken)"
```
**Expected Result**: Returns JWT token
#### Step 4: Login with Wrong Password
```powershell
$wrongPasswordBody = @{
tenantSlug = "test-corp"
email = "admin@testcorp.com"
password = "WrongPassword"
} | ConvertTo-Json
try {
Invoke-RestMethod -Uri "http://localhost:5167/api/auth/login" `
-Method Post `
-ContentType "application/json" `
-Body $wrongPasswordBody
} catch {
Write-Host "Correctly rejected: $($_.Exception.Response.StatusCode)"
}
```
**Expected Result**: 401 Unauthorized
#### Step 5: Access Protected Endpoint WITHOUT Token
```powershell
try {
Invoke-RestMethod -Uri "http://localhost:5167/api/auth/me" -Method Get
} catch {
Write-Host "Correctly rejected: $($_.Exception.Response.StatusCode)"
}
```
**Expected Result**: 401 Unauthorized
#### Step 6: Access Protected Endpoint WITH Token
```powershell
$headers = @{
"Authorization" = "Bearer $token"
}
$meResponse = Invoke-RestMethod -Uri "http://localhost:5167/api/auth/me" `
-Method Get `
-Headers $headers
$meResponse | ConvertTo-Json
```
**Expected Result**: Returns user claims
```json
{
"userId": "...",
"tenantId": "...",
"email": "admin@testcorp.com",
"fullName": "Test Admin",
"tenantSlug": "test-corp",
"claims": [...]
}
```
---
## Automated Test Script
A PowerShell test script is available:
```bash
powershell -ExecutionPolicy Bypass -File test-auth-simple.ps1
```
---
## Build Status
**Compilation**: Successful
**Warnings**: Minor (async method without await, EF Core version conflicts)
**Errors**: None
```
Build succeeded.
20 Warning(s)
0 Error(s)
```
---
## Next Steps (Day 5)
Based on the original 10-day plan:
1. **Refresh Token Implementation**
- Implement `GenerateRefreshTokenAsync()` in JwtService
- Add refresh token storage (Database or Redis)
- Add `/api/auth/refresh` endpoint
2. **Role-Based Authorization**
- Implement real role system (Admin, Member, Guest)
- Add role claims to JWT
- Add `[Authorize(Roles = "Admin")]` attributes
3. **Email Verification**
- Email verification flow
- Update `User.EmailVerifiedAt` on verification
4. **SSO Integration** (if time permits)
- OAuth 2.0 / OpenID Connect support
- Azure AD / Google / GitHub providers
---
## Configuration Recommendations
### Production Configuration
**Never use the default secret key in production!** Generate a strong secret:
```powershell
# Generate a 64-character random secret
$bytes = New-Object byte[] 64
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)
Write-Host $secret
```
Update `appsettings.Production.json`:
```json
{
"Jwt": {
"SecretKey": "<generated-strong-secret-key>",
"Issuer": "ColaFlow.API",
"Audience": "ColaFlow.Web",
"ExpirationMinutes": "30"
}
}
```
### Security Best Practices
1. **Secret Key**: Use environment variables for production
2. **Token Expiration**: Shorter tokens (15-30 min) + refresh tokens
3. **HTTPS**: Always use HTTPS in production
4. **Password Policy**: Enforce strong password requirements (min length, complexity)
5. **Rate Limiting**: Add rate limiting to auth endpoints
6. **Audit Logging**: Log all authentication attempts
---
## Troubleshooting
### Issue: "JWT SecretKey not configured"
**Solution**: Ensure `appsettings.Development.json` contains `Jwt:SecretKey`
### Issue: Token validation fails
**Solution**: Check Issuer and Audience match between token generation and validation
### Issue: "Invalid credentials" even with correct password
**Solution**:
- Check if password was hashed during registration
- Verify `PasswordHash` column in database is not null
- Re-register tenant to re-hash password
---
## Summary
Day 4 successfully implemented **real authentication security**:
- ✅ BCrypt password hashing (no plain text passwords)
- ✅ JWT token generation with proper claims
- ✅ JWT authentication middleware
- ✅ Protected endpoints with [Authorize]
- ✅ Token validation (signature, expiration, issuer, audience)
The authentication system is now production-ready (with appropriate configuration changes).
---
**Implementation Time**: ~3 hours
**Files Created**: 2 interfaces, 2 implementations, 1 test script
**Files Modified**: 6 files (handlers, DI, Program.cs, AuthController, appsettings)
**Packages Added**: 4 NuGet packages