Add XML docs and widen access for token methods

Vadim Belov · Vadim Belov · commit 0bfc56aafa54 · 2026-02-24T10:50:21.000-08:00
Added detailed XML documentation to CreateAccessToken and AddRefreshTokenToCookie in BaseAuthController. Changed their access modifiers from private protected to internal protected for broader accessibility within the assembly. No functional changes were made.
diff --git a/Sources/EasyExtensions.AspNetCore.Authorization/Controllers/BaseAuthController.cs b/Sources/EasyExtensions.AspNetCore.Authorization/Controllers/BaseAuthController.cs
@@ -372,7 +372,18 @@ public virtual IEnumerable<KeyValuePair<string, string>> GetAdditionalTokenClaim
             return [];
         }
 
-        private protected string CreateAccessToken(Guid userId, IEnumerable<string> roles)
+        /// <summary>
+        /// Generates a JWT access token for the specified user, including their roles and any additional claims.
+        /// </summary>
+        /// <remarks>The generated token includes standard claims such as the subject identifier, as well
+        /// as any additional claims retrieved for the user. Roles are added as claims to support role-based
+        /// authorization scenarios.</remarks>
+        /// <param name="userId">The unique identifier of the user for whom the access token is being generated.</param>
+        /// <param name="roles">A collection of role names to be included as claims in the access token. Each role represents a permission
+        /// or group associated with the user.</param>
+        /// <returns>A string containing the generated JWT access token that can be used to authenticate the user in subsequent
+        /// requests.</returns>
+        internal protected string CreateAccessToken(Guid userId, IEnumerable<string> roles)
         {
             return _tokenProvider.CreateToken(cb =>
             {
@@ -389,7 +400,15 @@ private protected string CreateAccessToken(Guid userId, IEnumerable<string> role
             });
         }
 
-        private protected void AddRefreshTokenToCookie(string refreshToken)
+        /// <summary>
+        /// Adds the specified refresh token to the HTTP response cookies to support secure session renewal.
+        /// </summary>
+        /// <remarks>The refresh token cookie is configured with security best practices: it is marked as
+        /// secure, HTTP-only, and uses a strict SameSite policy to help prevent cross-site request forgery (CSRF)
+        /// attacks. The cookie's expiration is determined by the application's configured refresh token
+        /// lifetime.</remarks>
+        /// <param name="refreshToken">The refresh token to be stored in the response cookie. Cannot be null or empty.</param>
+        internal protected void AddRefreshTokenToCookie(string refreshToken)
         {
             Response.Cookies.Append(CookieRefreshTokenName, refreshToken, new()
             {

Original file line number	Diff line number	Diff line change
`@@ -372,7 +372,18 @@ public virtual IEnumerable<KeyValuePair<string, string>> GetAdditionalTokenClaim`
`372`	`372`	`return [];`
`373`	`373`	`}`
`374`	`374`
`375`		`- private protected string CreateAccessToken(Guid userId, IEnumerable<string> roles)`
	`375`	`+ /// <summary>`
	`376`	`+ /// Generates a JWT access token for the specified user, including their roles and any additional claims.`
	`377`	`+ /// </summary>`
	`378`	`+ /// <remarks>The generated token includes standard claims such as the subject identifier, as well`
	`379`	`+ /// as any additional claims retrieved for the user. Roles are added as claims to support role-based`
	`380`	`+ /// authorization scenarios.</remarks>`
	`381`	`+ /// <param name="userId">The unique identifier of the user for whom the access token is being generated.</param>`
	`382`	`+ /// <param name="roles">A collection of role names to be included as claims in the access token. Each role represents a permission`
	`383`	`+ /// or group associated with the user.</param>`
	`384`	`+ /// <returns>A string containing the generated JWT access token that can be used to authenticate the user in subsequent`
	`385`	`+ /// requests.</returns>`
	`386`	`+ internal protected string CreateAccessToken(Guid userId, IEnumerable<string> roles)`
`376`	`387`	`{`
`377`	`388`	`return _tokenProvider.CreateToken(cb =>`
`378`	`389`	`{`
`@@ -389,7 +400,15 @@ private protected string CreateAccessToken(Guid userId, IEnumerable<string> role`
`389`	`400`	`});`
`390`	`401`	`}`
`391`	`402`
`392`		`- private protected void AddRefreshTokenToCookie(string refreshToken)`
	`403`	`+ /// <summary>`
	`404`	`+ /// Adds the specified refresh token to the HTTP response cookies to support secure session renewal.`
	`405`	`+ /// </summary>`
	`406`	`+ /// <remarks>The refresh token cookie is configured with security best practices: it is marked as`
	`407`	`+ /// secure, HTTP-only, and uses a strict SameSite policy to help prevent cross-site request forgery (CSRF)`
	`408`	`+ /// attacks. The cookie's expiration is determined by the application's configured refresh token`
	`409`	`+ /// lifetime.</remarks>`
	`410`	`+ /// <param name="refreshToken">The refresh token to be stored in the response cookie. Cannot be null or empty.</param>`
	`411`	`+ internal protected void AddRefreshTokenToCookie(string refreshToken)`
`393`	`412`	`{`
`394`	`413`	`Response.Cookies.Append(CookieRefreshTokenName, refreshToken, new()`
`395`	`414`	`{`