Merge branch 'main' of https://github.com/bvdcode/EasyExtensions

Author: bvdcode

Sources/EasyExtensions.AspNetCore.Authorization/Controllers/BaseAuthController.cs

@@ -24,6 +24,8 @@ public abstract class BaseAuthController(
         IPasswordHashService _passwordHasher,
         ITokenProvider _tokenProvider) : ControllerBase
     {
+        private const string CookieRefreshTokenName = "ee_refresh_token";
+
         /// <summary>
         /// Gets the IP address from which the current request originated.
         /// </summary>
@@ -71,8 +73,24 @@ public async Task<IActionResult> ChangePassword([FromBody] ChangePasswordRequest
         /// <returns>An <see cref="IActionResult"/> containing the new access token if the refresh token is valid; otherwise, a
         /// 404 Not Found result if the token is invalid or revoked.</returns>
         [HttpPost("refresh")]
-        public async Task<IActionResult> RefreshToken([FromBody] RefreshTokenRequestDto request)
+        public async Task<IActionResult> RefreshToken([FromBody] RefreshTokenRequestDto? request)
         {
+            bool useCookie = string.IsNullOrWhiteSpace(request?.RefreshToken);
+            if (useCookie)
+            {
+                if (Request.Cookies.TryGetValue(CookieRefreshTokenName, out string? cookieRefreshToken))
+                {
+                    request = request is not null
+                        ? request with { RefreshToken = cookieRefreshToken }
+                        : new RefreshTokenRequestDto { RefreshToken = cookieRefreshToken };
+                }
+            }
+
+            if (string.IsNullOrWhiteSpace(request?.RefreshToken))
+            {
+                return this.ApiNotFound("Refresh token was not found");
+            }
+
             Guid? userId = await FindUserByRefreshTokenAsync(request.RefreshToken);
             if (!userId.HasValue || userId == Guid.Empty)
             {
@@ -83,10 +101,17 @@ public async Task<IActionResult> RefreshToken([FromBody] RefreshTokenRequestDto
             var roles = await GetUserRolesAsync(userId.Value);
             string accessToken = CreateAccessToken(userId.Value, roles);
             await SaveAndRevokeRefreshTokenAsync(userId.Value, request.RefreshToken, newRefreshToken, AuthType.Unknown);
-            return Ok(new TokenPairDto
+            Response.Cookies.Append(CookieRefreshTokenName, newRefreshToken, new()
+            {
+                Secure = true,
+                HttpOnly = true,
+                SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict,
+                Expires = DateTimeOffset.UtcNow.Add(GetCookieExpirationTime()),
+            });
+            return Ok(new TokenPairResponseDto
             {
                 AccessToken = accessToken,
-                RefreshToken = newRefreshToken
+                RefreshToken = useCookie ? StringHelpers.CreateRandomString(64) : newRefreshToken
             });
         }
 
@@ -98,7 +123,7 @@ public async Task<IActionResult> RefreshToken([FromBody] RefreshTokenRequestDto
         /// re-entering credentials. Repeated failed login attempts may be subject to rate limiting or account lockout
         /// policies, depending on system configuration.</remarks>
         /// <param name="request">The login request containing the user's username and password. Cannot be null.</param>
-        /// <returns>An <see cref="IActionResult"/> containing a <see cref="TokenPairDto"/> with access and refresh tokens if
+        /// <returns>An <see cref="IActionResult"/> containing a <see cref="TokenPairResponseDto"/> with access and refresh tokens if
         /// authentication is successful; otherwise, an unauthorized response if the credentials are invalid.</returns>
         [HttpPost("login")]
         public async Task<IActionResult> Login([FromBody] LoginRequestDto request)
@@ -132,7 +157,14 @@ public async Task<IActionResult> Login([FromBody] LoginRequestDto request)
             string refreshToken = StringHelpers.CreateRandomString(64);
             await SaveAndRevokeRefreshTokenAsync(userId.Value, string.Empty, refreshToken, AuthType.Credentials);
             await OnUserLoggingInAsync(userId.Value, AuthType.Credentials, AuthRejectionType.None);
-            return Ok(new TokenPairDto
+            Response.Cookies.Append(CookieRefreshTokenName, refreshToken, new()
+            {
+                Secure = true,
+                HttpOnly = true,
+                SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict,
+                Expires = DateTimeOffset.UtcNow.Add(GetCookieExpirationTime()),
+            });
+            return Ok(new TokenPairResponseDto
             {
                 AccessToken = accessToken,
                 RefreshToken = refreshToken
@@ -148,7 +180,7 @@ public async Task<IActionResult> Login([FromBody] LoginRequestDto request)
         /// The method issues new tokens and revokes any previous refresh tokens for the user.</remarks>
         /// <param name="token">The Google OAuth access token to use for retrieving user information. Must be a valid token issued by
         /// Google.</param>
-        /// <returns>An <see cref="IActionResult"/> containing a <see cref="TokenPairDto"/> with access and refresh tokens if
+        /// <returns>An <see cref="IActionResult"/> containing a <see cref="TokenPairResponseDto"/> with access and refresh tokens if
         /// authentication is successful; otherwise, an unauthorized response if authentication fails or the user's
         /// email is not verified.</returns>
         /// <exception cref="InvalidOperationException">Thrown if user information cannot be retrieved from Google using the provided token.</exception>
@@ -181,7 +213,14 @@ public async Task<IActionResult> LoginWithGoogle([FromQuery] string token)
             string refreshToken = StringHelpers.CreateRandomString(64);
             await SaveAndRevokeRefreshTokenAsync(userId.Value, string.Empty, refreshToken, AuthType.Google);
             await OnUserLoggingInAsync(userId.Value, AuthType.Google, AuthRejectionType.None);
-            return Ok(new TokenPairDto
+            Response.Cookies.Append(CookieRefreshTokenName, refreshToken, new()
+            {
+                Secure = true,
+                HttpOnly = true,
+                SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict,
+                Expires = DateTimeOffset.UtcNow.Add(GetCookieExpirationTime()),
+            });
+            return Ok(new TokenPairResponseDto
             {
                 AccessToken = accessToken,
                 RefreshToken = refreshToken
@@ -294,6 +333,15 @@ public virtual bool IsEmailVerificationRequired()
             return Task.FromResult<Guid?>(null);
         }
 
+        /// <summary>
+        /// Returns the default expiration time span for cookies issued by the application.
+        /// </summary>
+        /// <returns>A <see cref="TimeSpan"/> representing the duration after which a cookie expires. The default is 30 days.</returns>
+        public virtual TimeSpan GetCookieExpirationTime()
+        {
+            return TimeSpan.FromDays(30);
+        }
+
         private string CreateAccessToken(Guid userId, IEnumerable<string> roles)
         {
             return _tokenProvider.CreateToken(cb =>

Sources/EasyExtensions.AspNetCore.Authorization/Models/Dto/RefreshTokenRequestDto.cs

@@ -1,6 +1,4 @@
-using System.ComponentModel.DataAnnotations;
-
-namespace EasyExtensions.AspNetCore.Authorization.Models.Dto
+namespace EasyExtensions.AspNetCore.Authorization.Models.Dto
 {
     /// <summary>
     /// Represents a request to refresh an authentication token using the current password.
@@ -10,7 +8,6 @@ public record RefreshTokenRequestDto
         /// <summary>
         /// Gets or sets the refresh token used to obtain a new access token when the current one expires.
         /// </summary>
-        [Required(AllowEmptyStrings = false)]
-        public string RefreshToken { get; set; } = null!;
+        public string? RefreshToken { get; set; }
     }
 }

…Authorization/Models/Dto/TokenPairDto.cs …ation/Models/Dto/TokenPairResponseDto.csSources/EasyExtensions.AspNetCore.Authorization/Models/Dto/TokenPairDto.cs renamed to Sources/EasyExtensions.AspNetCore.Authorization/Models/Dto/TokenPairResponseDto.cs Sources/EasyExtensions.AspNetCore.Authorization/Models/Dto/TokenPairDto.cs renamed to Sources/EasyExtensions.AspNetCore.Authorization/Models/Dto/TokenPairResponseDto.cs

@@ -6,7 +6,7 @@
     /// <remarks>A token pair typically consists of an access token, which is used to authorize API requests,
     /// and a refresh token, which can be used to obtain a new access token when the current one expires. This class is
     /// commonly used in authentication flows that require token management.</remarks>
-    public class TokenPairDto
+    public class TokenPairResponseDto
     {
         /// <summary>
         /// Gets or sets the OAuth 2.0 access token used for authenticating API requests.
@@ -16,6 +16,6 @@ public class TokenPairDto
         /// <summary>
         /// Gets or sets the refresh token used to obtain a new access token when the current one expires.
         /// </summary>
-        public string RefreshToken { get; set; } = null!;
+        public string? RefreshToken { get; set; } = null!;
     }
 }

Sources/EasyExtensions.AspNetCore.Stack/EasyExtensions.AspNetCore.Stack.csproj

@@ -34,7 +34,7 @@
 		<ProjectReference Include="..\EasyExtensions.EntityFrameworkCore.Npgsql\EasyExtensions.EntityFrameworkCore.Npgsql.csproj" />
 		<ProjectReference Include="..\EasyExtensions.EntityFrameworkCore\EasyExtensions.EntityFrameworkCore.csproj" />
 		<ProjectReference Include="..\EasyExtensions.Quartz\EasyExtensions.Quartz.csproj" />
-		<PackageReference Include="EasyVault" Version="1.0.9" />
+		<PackageReference Include="EasyVault" Version="1.0.10" />
 		<PackageReference Include="Microsoft.SourceLink.GitHub" Version="8.0.0" PrivateAssets="All" />
 	</ItemGroup>
 

Sources/EasyExtensions.AspNetCore.Stack/GlobalSuppressions.cs

@@ -0,0 +1,8 @@
+// This file is used by Code Analysis to maintain SuppressMessage
+// attributes that are applied to this project.
+// Project-level suppressions either have no target or are given
+// a specific target and scoped to a namespace, type, member, etc.
+
+using System.Diagnostics.CodeAnalysis;
+
+[assembly: SuppressMessage("Performance", "CA1873:Avoid potentially expensive logging", Justification = "<Pending>", Scope = "member", Target = "~M:EasyExtensions.AspNetCore.Stack.Extensions.HostApplicationBuilderExtensions.AddEasyStack(Microsoft.Extensions.Hosting.IHostApplicationBuilder,System.Action{EasyExtensions.AspNetCore.Stack.Builders.EasyStackOptions})~Microsoft.Extensions.Hosting.IHostApplicationBuilder")]

Sources/EasyExtensions.EntityFrameworkCore/Database/RefreshToken.cs

@@ -0,0 +1,35 @@
+using Microsoft.EntityFrameworkCore;
+using System.ComponentModel.DataAnnotations.Schema;
+using EasyExtensions.EntityFrameworkCore.Abstractions;
+
+namespace EasyExtensions.EntityFrameworkCore.Database
+{
+    /// <summary>
+    /// Represents a refresh token used to obtain new access tokens for a user in authentication workflows.
+    /// </summary>
+    /// <remarks>A refresh token is typically issued alongside an access token and allows clients to request
+    /// new access tokens without requiring the user to re-authenticate. Each refresh token is associated with a
+    /// specific user and can be revoked to prevent further use.</remarks>
+    [Table("refresh_tokens")]
+    [Index(nameof(Token), IsUnique = true)]
+    public class RefreshToken : BaseEntity<Guid>
+    {
+        /// <summary>
+        /// Gets or sets the unique identifier for the user.
+        /// </summary>
+        [Column("user_id")]
+        public Guid UserId { get; set; }
+
+        /// <summary>
+        /// Gets or sets the authentication token associated with the entity.
+        /// </summary>
+        [Column("token")]
+        public string Token { get; set; } = null!;
+
+        /// <summary>
+        /// Gets or sets the date and time when the entity was revoked. Stored in UTC.
+        /// </summary>
+        [Column("revoked_at")]
+        public DateTime? RevokedAt { get; set; }
+    }
+}

Sources/EasyExtensions/Streams/ChunkedStream.cs

@@ -16,7 +16,7 @@ public class ChunkedStream : IDisposable
     {
         private readonly Stream _baseStream;
         private readonly int _chunkSize;
-        private readonly bool _disposed;
+        private bool _disposed;
 
         /// <summary>
         /// Initializes a new instance of the ChunkedStream class that reads from or writes to the specified base stream
@@ -101,6 +101,7 @@ public void Dispose()
             if (!_disposed)
             {
                 _baseStream.Dispose();
+                _disposed = true;
             }
         }
     }