tgstation-server/_token_factory_8cs_source.html

using System;

using System.Collections.Generic;

using System.Diagnostics.CodeAnalysis;

using System.Globalization;

using System.IdentityModel.Tokens.Jwt;

using System.Linq;

using System.Security.Claims;


using Microsoft.Extensions.Options;

using Microsoft.IdentityModel.Tokens;


using Tgstation.Server.Api.Models.Response;

using Tgstation.Server.Host.Configuration;

using Tgstation.Server.Host.Models;

using Tgstation.Server.Host.System;


namespace Tgstation.Server.Host.Security

{


    sealed class TokenFactory : ITokenFactory

    {

        public TokenValidationParameters ValidationParameters { get; }


        public ReadOnlySpan<byte> SigningKeyBytes

        {

            get => signingKey.Key;

            [MemberNotNull(nameof(signingKey))]

            [MemberNotNull(nameof(tokenHeader))]

            set

            {

                signingKey = new SymmetricSecurityKey(value.ToArray());

                tokenHeader = new JwtHeader(

                new SigningCredentials(

                    signingKey,

                    SecurityAlgorithms.HmacSha256));

            }

        }


        readonly SecurityConfiguration securityConfiguration;


        readonly JwtSecurityTokenHandler tokenHandler;


        SymmetricSecurityKey signingKey;


        JwtHeader tokenHeader;


        public TokenFactory(

            ICryptographySuite cryptographySuite,

            IAssemblyInformationProvider assemblyInformationProvider,

            IOptions<SecurityConfiguration> securityConfigurationOptions)

        {

            ArgumentNullException.ThrowIfNull(cryptographySuite);

            ArgumentNullException.ThrowIfNull(assemblyInformationProvider);


            securityConfiguration = securityConfigurationOptions?.Value ?? throw new ArgumentNullException(nameof(securityConfigurationOptions));


            SigningKeyBytes = String.IsNullOrWhiteSpace(securityConfiguration.CustomTokenSigningKeyBase64)

                ? cryptographySuite.GetSecureBytes(securityConfiguration.TokenSigningKeyByteCount)

                : Convert.FromBase64String(securityConfiguration.CustomTokenSigningKeyBase64);


            ValidationParameters = new TokenValidationParameters

            {

                ValidateIssuerSigningKey = true,

                IssuerSigningKeyResolver = (_, _, _, _) => Enumerable.Repeat(signingKey, 1),


                ValidateIssuer = true,

                ValidIssuer = assemblyInformationProvider.AssemblyName.Name,


                ValidateLifetime = true,

                ValidateAudience = true,

                ValidAudience = typeof(TokenResponse).Assembly.GetName().Name,


                ClockSkew = TimeSpan.FromMinutes(securityConfiguration.TokenClockSkewMinutes),


                RequireSignedTokens = true,


                RequireExpirationTime = true,

            };


            tokenHandler = new JwtSecurityTokenHandler();

        }


        public string CreateToken(User user, bool oAuth)

        {

            ArgumentNullException.ThrowIfNull(user);


            var uid = user.Require(x => x.Id);

            var now = DateTimeOffset.UtcNow;

            var nowUnix = now.ToUnixTimeSeconds();


            // this prevents validation conflicts down the line

            // tldr we can (theoretically) receive a token the same second after we generate it

            // since unix time rounds down, it looks like it came from before the user changed their password

            // this happens occasionally in unit tests

            // just delay a second so we can force a round up

            var userLastPassworUpdateUnix = user.LastPasswordUpdate?.ToUnixTimeSeconds();

            DateTimeOffset notBefore;

            if (nowUnix == userLastPassworUpdateUnix)

                notBefore = now.AddSeconds(1);

            else

                notBefore = now;


            var expiry = now.AddMinutes(oAuth

                ? securityConfiguration.OAuthTokenExpiryMinutes

                : securityConfiguration.TokenExpiryMinutes);


            var securityToken = new JwtSecurityToken(

                tokenHeader,

                new JwtPayload(

                    ValidationParameters.ValidIssuer,

                    ValidationParameters.ValidAudience,

                    Enumerable.Empty<Claim>(),

                    new Dictionary<string, object>

                    {

                        { JwtRegisteredClaimNames.Sub, uid.ToString(CultureInfo.InvariantCulture) },

                    },

                    notBefore.UtcDateTime,

                    expiry.UtcDateTime,

                    now.UtcDateTime));


            var tokenResponse = tokenHandler.WriteToken(securityToken);


            return tokenResponse;

        }


    }


}

Tgstation.Server.Api.Models.Response.TokenResponse
Represents a JWT returned by the API.
Definition TokenResponse.cs:9

Tgstation.Server.Host.Configuration.SecurityConfiguration
Configuration options pertaining to user security.
Definition SecurityConfiguration.cs:14

Tgstation.Server.Host.Configuration.SecurityConfiguration.TokenSigningKeyByteCount
uint TokenSigningKeyByteCount
Amount of bytes to use in the Microsoft.IdentityModel.Tokens.TokenValidationParameters....
Definition SecurityConfiguration.cs:53

Tgstation.Server.Host.Configuration.SecurityConfiguration.CustomTokenSigningKeyBase64
string? CustomTokenSigningKeyBase64
A custom token signing key. Overrides TokenSigningKeyByteCount.
Definition SecurityConfiguration.cs:63

Tgstation.Server.Host.Configuration.SecurityConfiguration.TokenClockSkewMinutes
uint TokenClockSkewMinutes
Amount of minutes to skew the clock for Api.Models.Response.TokenResponse validation.
Definition SecurityConfiguration.cs:48

Tgstation.Server.Host.Configuration.SecurityConfiguration.OAuthTokenExpiryMinutes
uint OAuthTokenExpiryMinutes
Amount of minutes until Api.Models.Response.TokenResponses generated from OAuth logins expire.
Definition SecurityConfiguration.cs:58

Tgstation.Server.Host.Configuration.SecurityConfiguration.TokenExpiryMinutes
uint TokenExpiryMinutes
Amount of minutes until Api.Models.Response.TokenResponses generated from passwords expire.
Definition SecurityConfiguration.cs:43

Tgstation.Server.Host.Models.User
Definition User.cs:17

Tgstation.Server.Host.Models.User.LastPasswordUpdate
DateTimeOffset? LastPasswordUpdate
When PasswordHash was last changed.
Definition User.cs:63

Tgstation.Server.Host.Security.TokenFactory
Definition TokenFactory.cs:21

Tgstation.Server.Host.Security.TokenFactory.signingKey
SymmetricSecurityKey signingKey
Backing field for SigningKeyBytes.
Definition TokenFactory.cs:54

Tgstation.Server.Host.Security.TokenFactory.ValidationParameters
TokenValidationParameters ValidationParameters
The TokenValidationParameters for the ITokenFactory.
Definition TokenFactory.cs:23

Tgstation.Server.Host.Security.TokenFactory.SigningKeyBytes
ReadOnlySpan< byte > SigningKeyBytes
Gets or sets the ITokenFactory's signing key bytes.
Definition TokenFactory.cs:27

Tgstation.Server.Host.Security.TokenFactory.CreateToken
string CreateToken(User user, bool oAuth)
Create a TokenResponse for a given user .A new token string.
Definition TokenFactory.cs:104

Tgstation.Server.Host.Security.TokenFactory.tokenHandler
readonly JwtSecurityTokenHandler tokenHandler
The JwtSecurityTokenHandler used to generate TokenResponse.Bearer strings.
Definition TokenFactory.cs:49

Tgstation.Server.Host.Security.TokenFactory.securityConfiguration
readonly SecurityConfiguration securityConfiguration
The SecurityConfiguration for the TokenFactory.
Definition TokenFactory.cs:44

Tgstation.Server.Host.Security.TokenFactory.TokenFactory
TokenFactory(ICryptographySuite cryptographySuite, IAssemblyInformationProvider assemblyInformationProvider, IOptions< SecurityConfiguration > securityConfigurationOptions)
Initializes a new instance of the TokenFactory class.
Definition TokenFactory.cs:67

Tgstation.Server.Host.Security.TokenFactory.tokenHeader
JwtHeader tokenHeader
The JwtHeader for generating tokens.
Definition TokenFactory.cs:59

Tgstation.Server.Host.Security.ICryptographySuite
Contains various cryptographic functions.
Definition ICryptographySuite.cs:9

Tgstation.Server.Host.Security.ICryptographySuite.GetSecureBytes
byte[] GetSecureBytes(uint amount)
Generates a secure set of bytes.

Tgstation.Server.Host.Security.ITokenFactory
For creating TokenResponses.
Definition ITokenFactory.cs:13

Tgstation.Server.Host.System.IAssemblyInformationProvider
For retrieving the Assembly's location.
Definition IAssemblyInformationProvider.cs:11

Tgstation.Server.Host.System.IAssemblyInformationProvider.AssemblyName
AssemblyName AssemblyName
Gets the global::System.Reflection.AssemblyName.
Definition IAssemblyInformationProvider.cs:20

Tgstation.Server.Api.Models.Response
Definition AdministrationResponse.cs:6

Tgstation.Server.Host.Configuration
Definition ControlPanelConfiguration.cs:4

Tgstation.Server.Host.Models
Definition ChatBot.cs:9

Tgstation.Server.Host.Security
Definition AuthenticationContext.cs:8

Tgstation.Server.Host.System
Definition AssemblyInformationProvider.cs:9