Added ISessionValidator

Author: mckaragoz

src/CodeBeam.UltimateAuth.Server/Abstractions/IHttpSessionIssuer.cs

@@ -22,7 +22,7 @@ internal sealed class DefaultAuthFlowContextFactory : IAuthFlowContextFactory
         private readonly IAuthResponseResolver _authResponseResolver;
         private readonly IDeviceResolver _deviceResolver;
         private readonly IDeviceContextFactory _deviceContextFactory;
-        private readonly ISessionQueryService _sessionQueryService;
+        private readonly ISessionValidator _sessionValidator;
 
         public DefaultAuthFlowContextFactory(
             IClientProfileReader clientProfileReader,
@@ -31,15 +31,15 @@ public DefaultAuthFlowContextFactory(
             IAuthResponseResolver authResponseResolver,
             IDeviceResolver deviceResolver,
             IDeviceContextFactory deviceContextFactory,
-            ISessionQueryService sessionQueryService)
+            ISessionValidator sessionValidator)
         {
             _clientProfileReader = clientProfileReader;
             _primaryTokenResolver = primaryTokenResolver;
             _serverOptionsProvider = serverOptionsProvider;
             _authResponseResolver = authResponseResolver;
             _deviceResolver = deviceResolver;
             _deviceContextFactory = deviceContextFactory;
-            _sessionQueryService = sessionQueryService;
+            _sessionValidator = sessionValidator;
         }
 
         public async ValueTask<AuthFlowContext> CreateAsync(HttpContext ctx, AuthFlowType flowType, CancellationToken ct = default)
@@ -64,7 +64,7 @@ public async ValueTask<AuthFlowContext> CreateAsync(HttpContext ctx, AuthFlowTyp
 
             if (!sessionCtx.IsAnonymous)
             {
-                var validation = await _sessionQueryService.ValidateSessionAsync(
+                var validation = await _sessionValidator.ValidateSessionAsync(
                     new SessionValidationContext
                     {
                         TenantId = sessionCtx.TenantId,

src/CodeBeam.UltimateAuth.Server/Auth/Context/AuthFlowContextFactory.cs

@@ -4,18 +4,16 @@
 using CodeBeam.UltimateAuth.Core.Extensions;
 using CodeBeam.UltimateAuth.Server.Defaults;
 using CodeBeam.UltimateAuth.Server.Infrastructure;
-using CodeBeam.UltimateAuth.Server.Services;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
-using System.Security.Claims;
 
 namespace CodeBeam.UltimateAuth.Server.Authentication;
 
 internal sealed class UAuthAuthenticationHandler : AuthenticationHandler<UAuthAuthenticationCookieOptions>
 {
     private readonly ITransportCredentialResolver _transportCredentialResolver;
-    private readonly ISessionQueryService _sessionQuery;
+    private readonly ISessionValidator _sessionValidator;
     private readonly IDeviceContextFactory _deviceContextFactory;
     private readonly IClock _clock;
 
@@ -25,13 +23,13 @@ public UAuthAuthenticationHandler(
         ILoggerFactory logger,
         System.Text.Encodings.Web.UrlEncoder encoder,
         ISystemClock clock,
-        ISessionQueryService sessionQuery,
+        ISessionValidator sessionValidator,
         IDeviceContextFactory deviceContextFactory,
         IClock uauthClock)
         : base(options, logger, encoder, clock)
     {
         _transportCredentialResolver = transportCredentialResolver;
-        _sessionQuery = sessionQuery;
+        _sessionValidator = sessionValidator;
         _deviceContextFactory = deviceContextFactory;
         _clock = uauthClock;
     }
@@ -45,7 +43,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
         if (!AuthSessionId.TryCreate(credential.Value, out var sessionId))
             return AuthenticateResult.Fail("Invalid credential");
 
-        var result = await _sessionQuery.ValidateSessionAsync(
+        var result = await _sessionValidator.ValidateSessionAsync(
             new SessionValidationContext
             {
                 TenantId = credential.TenantId,
@@ -59,46 +57,5 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
 
         var principal = result.Claims.ToClaimsPrincipal(UAuthCookieDefaults.AuthenticationScheme);
         return AuthenticateResult.Success(new AuthenticationTicket(principal, UAuthCookieDefaults.AuthenticationScheme));
-
-
-        //var principal = CreatePrincipal(result);
-        //var ticket = new AuthenticationTicket(principal,UAuthCookieDefaults.AuthenticationScheme);
-
-        //return AuthenticateResult.Success(ticket);
     }
-
-    private static ClaimsPrincipal CreatePrincipal(SessionValidationResult result)
-    {
-        //var claims = new List<Claim>
-        //{
-        //    new Claim(ClaimTypes.NameIdentifier, result.UserKey.Value),
-        //    new Claim("uauth:session_id", result.SessionId.ToString())
-        //};
-
-        //if (!string.IsNullOrEmpty(result.TenantId))
-        //{
-        //    claims.Add(new Claim("uauth:tenant", result.TenantId));
-        //}
-
-        //// Session claims (snapshot)
-        //foreach (var (key, value) in result.Claims.AsDictionary())
-        //{
-        //    if (key == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role")
-        //    {
-        //        foreach (var role in value.Split(','))
-        //            claims.Add(new Claim(ClaimTypes.Role, role));
-        //    }
-        //    else
-        //    {
-        //        claims.Add(new Claim(key, value));
-        //    }
-        //}
-
-        //var identity = new ClaimsIdentity(claims, UAuthCookieDefaults.AuthenticationScheme);
-        //return new ClaimsPrincipal(identity);
-
-        var identity = new ClaimsIdentity(result.Claims.ToClaims(), UAuthCookieDefaults.AuthenticationScheme);
-        return new ClaimsPrincipal(identity);
-    }
-
 }

src/CodeBeam.UltimateAuth.Server/Authentication/UAuthAuthenticationHandler.cs

@@ -1,97 +1,94 @@
 using CodeBeam.UltimateAuth.Core.Abstractions;
 using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Core.Domain;
-using CodeBeam.UltimateAuth.Core.Extensions;
 using CodeBeam.UltimateAuth.Server.Auth;
 using CodeBeam.UltimateAuth.Server.Infrastructure;
-using CodeBeam.UltimateAuth.Server.Services;
 using Microsoft.AspNetCore.Http;
 
-namespace CodeBeam.UltimateAuth.Server.Endpoints
+namespace CodeBeam.UltimateAuth.Server.Endpoints;
+
+internal sealed class DefaultValidateEndpointHandler : IValidateEndpointHandler
 {
-    internal sealed class DefaultValidateEndpointHandler : IValidateEndpointHandler
+    private readonly IAuthFlowContextAccessor _authContext;
+    private readonly IFlowCredentialResolver _credentialResolver;
+    private readonly ISessionValidator _sessionValidator;
+    private readonly IClock _clock;
+
+    public DefaultValidateEndpointHandler(
+        IAuthFlowContextAccessor authContext,
+        IFlowCredentialResolver credentialResolver,
+        ISessionValidator sessionValidator,
+        IClock clock)
+    {
+        _authContext = authContext;
+        _credentialResolver = credentialResolver;
+        _sessionValidator = sessionValidator;
+        _clock = clock;
+    }
+
+    public async Task<IResult> ValidateAsync(HttpContext context, CancellationToken ct = default)
     {
-        private readonly IAuthFlowContextAccessor _authContext;
-        private readonly IFlowCredentialResolver _credentialResolver;
-        private readonly ISessionQueryService _sessionValidator;
-        private readonly IClock _clock;
+        var auth = _authContext.Current;
+        var credential = _credentialResolver.Resolve(context, auth.Response);
 
-        public DefaultValidateEndpointHandler(
-            IAuthFlowContextAccessor authContext,
-            IFlowCredentialResolver credentialResolver,
-            ISessionQueryService sessionValidator,
-            IClock clock)
+        if (credential is null)
         {
-            _authContext = authContext;
-            _credentialResolver = credentialResolver;
-            _sessionValidator = sessionValidator;
-            _clock = clock;
+            return Results.Json(
+                new AuthValidationResult
+                {
+                    IsValid = false,
+                    State = "missing"
+                },
+                statusCode: StatusCodes.Status401Unauthorized
+            );
         }
 
-        public async Task<IResult> ValidateAsync(HttpContext context, CancellationToken ct = default)
+        if (credential.Kind == PrimaryCredentialKind.Stateful)
         {
-            var auth = _authContext.Current;
-            var credential = _credentialResolver.Resolve(context, auth.Response);
-
-            if (credential is null)
+            if (!AuthSessionId.TryCreate(credential.Value, out var sessionId))
             {
                 return Results.Json(
                     new AuthValidationResult
                     {
                         IsValid = false,
-                        State = "missing"
+                        State = "invalid"
                     },
                     statusCode: StatusCodes.Status401Unauthorized
                 );
             }
 
-            if (credential.Kind == PrimaryCredentialKind.Stateful)
-            {
-                if (!AuthSessionId.TryCreate(credential.Value, out var sessionId))
+            var result = await _sessionValidator.ValidateSessionAsync(
+                new SessionValidationContext
                 {
-                    return Results.Json(
-                        new AuthValidationResult
-                        {
-                            IsValid = false,
-                            State = "invalid"
-                        },
-                        statusCode: StatusCodes.Status401Unauthorized
-                    );
-                }
-
-                var result = await _sessionValidator.ValidateSessionAsync(
-                    new SessionValidationContext
-                    {
-                        TenantId = credential.TenantId,
-                        SessionId = sessionId,
-                        Now = _clock.UtcNow,
-                        Device = auth.Device
-                    },
-                    ct);
-
-                return Results.Ok(new AuthValidationResult
-                {
-                    IsValid = result.IsValid,
-                    State = result.IsValid ? "active" : result.State.ToString().ToLowerInvariant(),
-                    Snapshot = new AuthStateSnapshot
-                    {
-                        UserId = result.UserKey,
-                        TenantId = result.TenantId,
-                        Claims = result.Claims,
-                        AuthenticatedAt = _clock.UtcNow,
-                    }
-                });
-            }
+                    TenantId = credential.TenantId,
+                    SessionId = sessionId,
+                    Now = _clock.UtcNow,
+                    Device = auth.Device
+                },
+                ct);
 
-            // Stateless (JWT / Opaque) – 0.0.1 no support yet
-            return Results.Json(
-                new AuthValidationResult
+            return Results.Ok(new AuthValidationResult
+            {
+                IsValid = result.IsValid,
+                State = result.IsValid ? "active" : result.State.ToString().ToLowerInvariant(),
+                Snapshot = new AuthStateSnapshot
                 {
-                    IsValid = false,
-                    State = "unsupported"
-                },
-                statusCode: StatusCodes.Status401Unauthorized
-            );
+                    UserId = result.UserKey,
+                    TenantId = result.TenantId,
+                    Claims = result.Claims,
+                    AuthenticatedAt = _clock.UtcNow,
+                }
+            });
         }
+
+        // Stateless (JWT / Opaque) – 0.0.1 no support yet
+        return Results.Json(
+            new AuthValidationResult
+            {
+                IsValid = false,
+                State = "unsupported"
+            },
+            statusCode: StatusCodes.Status401Unauthorized
+        );
     }
 }

src/CodeBeam.UltimateAuth.Server/Endpoints/DefaultValidateEndpointHandler.cs

@@ -179,6 +179,7 @@ private static IServiceCollection AddUltimateAuthServerInternal(this IServiceCol
             services.TryAddScoped(typeof(ISessionQueryService), typeof(UAuthSessionQueryService));
             services.TryAddScoped(typeof(IRefreshTokenResolver), typeof(DefaultRefreshTokenResolver));
             services.TryAddScoped(typeof(ISessionTouchService), typeof(DefaultSessionTouchService));
+            services.TryAddScoped<ISessionValidator, UAuthSessionValidator>();
             services.TryAddScoped<IDeviceResolver, DefaultDeviceResolver>();
             services.TryAddScoped<ICredentialResponseWriter, DefaultCredentialResponseWriter>();
             services.TryAddScoped<IFlowCredentialResolver, DefaultFlowCredentialResolver>();
@@ -229,7 +230,6 @@ private static IServiceCollection AddUltimateAuthServerInternal(this IServiceCol
 
             services.TryAddScoped<AuthFlowEndpointFilter>();
 
-
             services.TryAddSingleton<IAuthEndpointRegistrar, UAuthEndpointRegistrar>();
 
             // Endpoint handlers
@@ -247,43 +247,10 @@ private static IServiceCollection AddUltimateAuthServerInternal(this IServiceCol
 
             services.TryAddScoped<DefaultPkceEndpointHandler<UserKey>>();
             services.TryAddScoped<IPkceEndpointHandler, PkceEndpointHandlerBridge>();
-            //services.TryAddScoped<IReauthEndpointHandler, ReauthEndpointHandler>();
-            //services.TryAddScoped<ITokenEndpointHandler, TokenEndpointHandler>();
-            //services.TryAddScoped<IUserInfoEndpointHandler, UserInfoEndpointHandler>();
 
             return services;
         }
 
-        //internal static IServiceCollection AddUltimateAuthPolicies(this IServiceCollection services, Action<AccessPolicyRegistry>? configure = null)
-        //{
-        //    if (services.Any(d => d.ServiceType == typeof(AccessPolicyRegistry)))
-        //        throw new InvalidOperationException("UltimateAuth policies already registered.");
-
-        //    var registry = new AccessPolicyRegistry();
-
-        //    DefaultPolicySet.Register(registry);
-        //    configure?.Invoke(registry);
-        //    services.AddSingleton(registry);
-        //    services.AddSingleton<IAccessPolicyProvider>(sp =>
-        //    {
-        //        var compiled = registry.Build();
-        //        return new DefaultAccessPolicyProvider(compiled, sp);
-        //    });
-
-        //    services.TryAddScoped<IAccessAuthority>(sp =>
-        //    {
-        //        var invariants = sp.GetServices<IAccessInvariant>();
-        //        var globalPolicies = sp.GetServices<IAccessPolicy>();
-
-        //        return new DefaultAccessAuthority(invariants, globalPolicies);
-        //    });
-
-        //    services.TryAddScoped<IAccessOrchestrator, UAuthAccessOrchestrator>();
-
-
-        //    return services;
-        //}
-
         internal static IServiceCollection AddUltimateAuthPolicies(this IServiceCollection services, Action<AccessPolicyRegistry>? configure = null)
         {
             if (services.Any(d => d.ServiceType == typeof(AccessPolicyRegistry)))