kamacharovs / aiof-auth Goto Github PK

Cannot enable a disabled Client

Reproduction steps

1. Disable a Client by their id
   

2. Try to enable the Client by their id
   

Root cause analysis
The root cause of this is the query filter applied to on the context level. A disabled client is not returned because the query filter is applied on the get level (when you try to get a client to see if they exist, also why we see the 404 returned).

Overview
Add support for multiple roles for a user in the JWT. This will include a database changes - schema, etc.

For example, the roles object in the JWT should look like this

{
  "iss": "https://www.jerriepelser.com",
  "aud": "blog-readers",
  "sub": "123456",
  "exp": 1499863217,
  "roles": [ "Admin", "SuperUser" ]
}

Use it as [Authorize(Roles = "")]

public class ValuesController : Controller
{
    [Authorize(Roles = "Admin")]
    [HttpGet("ping/admin")]
    public string PingAdmin()
    {
        return "Pong";
    }
}

Current
The User and Client entities have a RoleId reference (as a foreign key) to the Role entity. This is a one-to-one relationship

Solution
Remove the current relationship between the User, Client and Role entities. Create 2 new entities - UserRole and ClientRole. These will store a one-to-many relationship between a UserId / ClientId and RoleId

Task breakdown
When all tasks are completed, then this will reach the definition of done

• Create separate UserRole entity that stores UserId and RoleId. Foreign keys from User and Role entities
• Create separate ClientRole entity that stores ClientId and RoleId. Foreign keys from Client and Role entities
• Populate UserRole and ClientRole entities and PostgreSQL tables
• Add functionality to get the many roles stored in the entities
• Add those claims in the JWT generation and is returned to the end-user
• Feature flag?
• Remove RoleId from User entity
• Remove RoleId from Client entity
• Add / update unit tests
• Perform integration tests

There is a missing OrderBy that makes Entity Framework throw a warning log message when generating a JWT for a user.

This warning is appearing even though the following query is setup via LINQ:

public async Task<IUserRefreshToken> GetRefreshTokenAsync(int userId)
{
    return await GetRefreshTokensQuery()
        .Where(x => x.UserId == userId
            && x.Revoked == null)
        .OrderByDescending(x => x.Expires)
        .Take(1)
        .FirstOrDefaultAsync();
}

In this specific example, it essentially checks if there are any existing refresh tokens. If not (the call from this function is null), then create one. Else, return the token

Move TokenType enum from TokenRequest.cs to Constants.cs. All this is in the aiof.auth.data project

Source

Destination
Right after the TokenStatus enum in Constants.cs

Description

Use FluentValidator RuleSets for TokenRequestValidator. There are a few scenarios that we generate token through

• Email and password (User)
• ApiKey (User or Client)
• Token (User or Client, refresh token)

Example

An example of how FluentValidator RuleSets are used is in aiof-asset microservice

https://github.com/kamacharovs/aiof-asset/blob/aae5087522794ce8565b01c442b114c4c053290c/aiof.asset.data/AssetValidator.cs#L71-L99

public AssetDtoValidator(AssetContext context)
{
    ValidatorOptions.Global.CascadeMode = CascadeMode.Stop;

    _context = context ?? throw new ArgumentNullException(nameof(context));

    RuleSet(Constants.AddRuleSet, () => { SetAddRules(); });
    RuleSet(Constants.AddStockRuleSet, () => { SetAddRules(); });

    RuleSet(Constants.UpdateRuleSet, () => { SetUpdateRules(); });
    RuleSet(Constants.UpdateStockRuleSet, () => { SetUpdateRules(); });
}

public void SetAddRules()
{
    RuleFor(x => x.Name)
        .NotEmpty()
        .MaximumLength(100);

    RuleFor(x => x.TypeName)
        .NotEmpty()
        .SetValidator(new AssetTypeValidator(_context));

    RuleFor(x => x.Value)
        .NotNull()
         .GreaterThanOrEqualTo(CommonValidator.MinimumValue)
        .LessThan(CommonValidator.MaximumValue)
        .WithMessage(CommonValidator.ValueMessage);
}

Solution

Set a rule set for each scenario - email & password, api key and token.

public void SetEmailPasswordRuleSet() { }
public void SetApiKeyRuleSet() { }
public void SetTokenRuleSet() { }

For each, we'll then set the .TokenType to the appropriate one and return true. At this point, there is no further logic other than that. However, in the future we might have additional logic to validate each request

General improvements to the aiof-auth microservice

• remove entities' attributes [] such as required, max length, etc. On entities not DTO's
• add versioning. Similar or same as in aiof-asset
• (optional) optimize JWT logic

Move TokenType enum from TokenRequest.cs to Constants.cs. All this is in the aiof.auth.data project

Source

Destination
Right after the TokenStatus enum in Constants.cs