startup improvements

ita-social-projects · Dec 11, 2024 · e277816 · e277816
1 parent 1dbf64d
commit e277816
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 27 deletions.
diff --git a/OutOfSchool/OutOfSchool.AuthCommon/AuthServerConstants.cs b/OutOfSchool/OutOfSchool.AuthCommon/AuthServerConstants.cs
@@ -2,6 +2,9 @@ namespace OutOfSchool.AuthCommon;
 
 public static class AuthServerConstants
 {
+    public const string LoginPath = "login";
+    public const string LogoutPath = "logout";
+    public const string AllowedUserNameCharacters = "абвгдеєжзиіклмнопрстуфхцчшщюяАБВГДЕЄЖЗИІКЛМНОПРСТУФХЦЧШЩЮЯabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._@+";
     public const string ExternalAuthSelectedRoleKey = "external_selected_role";
     public const string ExternalAuthUserIdKey = "external_user_id";
 

diff --git a/OutOfSchool/OutOfSchool.AuthCommon/Controllers/AccountController.cs b/OutOfSchool/OutOfSchool.AuthCommon/Controllers/AccountController.cs
@@ -12,7 +12,6 @@ namespace OutOfSchool.AuthCommon.Controllers;
 
 public class AccountController : Controller
 {
-    private const string ReturnUrl = "Login";
     private readonly SignInManager<User> signInManager;
     private readonly UserManager<User> userManager;
     private readonly IEmailSenderService emailSender;
@@ -46,7 +45,7 @@ public AccountController(
     [Authorize]
     [FeatureGate(AuthServerConstants.FeatureManagement.EmailManagement)]
     [Obsolete("Change email API is no longer supported. Exists only for testing purposes.")]
-    public IActionResult ChangeEmail(string returnUrl = "Login")
+    public IActionResult ChangeEmail(string returnUrl = AuthServerConstants.LoginPath)
     {
         return View("Email/ChangeEmail", new ChangeEmailViewModel() { ReturnUrl = returnUrl });
     }
@@ -194,7 +193,7 @@ public async Task<IActionResult> ReSendEmailConfirmation()
         var user = await userManager.FindByEmailAsync(User.Identity.Name);
         var token = await userManager.GenerateEmailConfirmationTokenAsync(user);
         var email = user.Email;
-        var passedData = new { token, email, ReturnUrl };
+        var passedData = new { token, email, AuthServerConstants.LoginPath };
 
         await SendConfirmEmailProcess(nameof(EmailConfirmation), user, RazorTemplates.ConfirmEmail, passedData);
 
@@ -257,7 +256,7 @@ public async Task<IActionResult> EmailConfirmation(string email, string token)
     [HttpGet]
     [FeatureGate(AuthServerConstants.FeatureManagement.PasswordManagement)]
     [Obsolete("Forgot password API is no longer supported. Exists only for testing purposes.")]
-    public IActionResult ForgotPassword(string returnUrl = "Login")
+    public IActionResult ForgotPassword(string returnUrl = AuthServerConstants.LoginPath)
     {
         return View("Password/ForgotPassword", new ForgotPasswordViewModel() { ReturnUrl = returnUrl });
     }
@@ -410,7 +409,7 @@ public async Task<IActionResult> ResetPassword(ResetPasswordViewModel model)
     [Authorize]
     [FeatureGate(AuthServerConstants.FeatureManagement.PasswordManagement)]
     [Obsolete("Change password API is no longer supported. Exists only for testing purposes.")]
-    public IActionResult ChangePassword(string returnUrl = "Login")
+    public IActionResult ChangePassword(string returnUrl = AuthServerConstants.LoginPath)
     {
         return View("Password/ChangePassword", new ChangePasswordViewModel() { ReturnUrl = returnUrl });
     }

diff --git a/OutOfSchool/OutOfSchool.AuthCommon/Controllers/AuthController.cs b/OutOfSchool/OutOfSchool.AuthCommon/Controllers/AuthController.cs
@@ -114,7 +114,7 @@ public async Task<IActionResult> Logout(string logoutId)
     /// <returns>A <see cref="Task{TResult}"/> representing the result of the asynchronous operation.</returns>
     [Route("~/login")]
     [HttpGet]
-    public async Task<IActionResult> Login(string returnUrl = "login", bool? providerRegistration = null)
+    public async Task<IActionResult> Login(string returnUrl = AuthServerConstants.LoginPath, bool? providerRegistration = null)
     {
         if (providerRegistration ?? GetProviderRegistrationFromUri(returnUrl))
         {
@@ -244,7 +244,7 @@ public async Task<IActionResult> Login(LoginViewModel model)
     [HttpGet]
     [Obsolete("Change password API is no longer supported. Exists only for testing purposes.")]
     [FeatureGate(AuthServerConstants.FeatureManagement.PasswordLogin)]
-    public IActionResult ChangePasswordLogin(string email, string returnUrl = "Login")
+    public IActionResult ChangePasswordLogin(string email, string returnUrl = AuthServerConstants.LoginPath)
     {
         return View(new ChangePasswordLoginViewModel { Email = email, ReturnUrl = returnUrl });
     }
@@ -325,7 +325,7 @@ await userManagerAdditionalService.ChangePasswordWithRequiredMustChangePasswordA
     [HttpGet]
     [FeatureGate(AuthServerConstants.FeatureManagement.PasswordRegistration)]
     [Obsolete("Registration API is no longer supported. Exists only for testing purposes.")]
-    public IActionResult Register(string returnUrl = "login", bool? providerRegistration = null)
+    public IActionResult Register(string returnUrl = AuthServerConstants.LoginPath, bool? providerRegistration = null)
     {
         return View(new RegisterViewModel
         {

diff --git a/OutOfSchool/OutOfSchool.AuthCommon/Controllers/ExternalAuthController.cs b/OutOfSchool/OutOfSchool.AuthCommon/Controllers/ExternalAuthController.cs
@@ -92,7 +92,7 @@ public async Task<IActionResult> ExternalLoginCallback()
             return this.View("~/Views/Auth/Login.cshtml", new LoginViewModel
             {
                 ExternalProviders = await signInManager.GetExternalAuthenticationSchemesAsync(),
-                ReturnUrl = result.Properties?.RedirectUri ?? "/login",
+                ReturnUrl = result.Properties?.RedirectUri ?? $"/{AuthServerConstants.LoginPath}",
             });
         }
 
@@ -137,7 +137,7 @@ public async Task<IActionResult> ExternalLoginCallback()
                 return View("~/Views/Auth/Login.cshtml", new LoginViewModel
                 {
                     ExternalProviders = await signInManager.GetExternalAuthenticationSchemesAsync(),
-                    ReturnUrl = result.Properties?.RedirectUri ?? "/login",
+                    ReturnUrl = result.Properties?.RedirectUri ?? $"/{AuthServerConstants.LoginPath}",
                 }) as IActionResult;
             },
             Task.FromResult);
@@ -195,7 +195,7 @@ private async Task<Either<IErrorResponse, IActionResult>> SignInUserAsync(
                     return this.View("~/Views/Auth/Login.cshtml", new LoginViewModel
                     {
                         ExternalProviders = await signInManager.GetExternalAuthenticationSchemesAsync(),
-                        ReturnUrl = result.Properties?.RedirectUri ?? "/login",
+                        ReturnUrl = result.Properties?.RedirectUri ?? $"/{AuthServerConstants.LoginPath}",
                     }) as ActionResult;
                 },
                 async properties =>
@@ -360,7 +360,7 @@ private async Task<Either<IErrorResponse, AuthenticationProperties>> SignInWithC
     {
         var properties = new AuthenticationProperties
         {
-            RedirectUri = result.Properties?.RedirectUri ?? "/login",
+            RedirectUri = result.Properties?.RedirectUri ?? $"/{AuthServerConstants.LoginPath}",
             IsPersistent = false,
         };
 

diff --git a/OutOfSchool/OutOfSchool.AuthorizationServer/Startup.cs b/OutOfSchool/OutOfSchool.AuthorizationServer/Startup.cs
@@ -87,7 +87,7 @@ await services.AddDefaultQuartz(
         services.AddIdentity<User, IdentityRole>(options =>
             {
                 options.User.RequireUniqueEmail = false;
-                options.User.AllowedUserNameCharacters = "абвгдеєжзиіклмнопрстуфхцчшщюяАБВГДЕЄЖЗИІКЛМНОПРСТУФХЦЧШЩЮЯabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._@+";
+                options.User.AllowedUserNameCharacters = AuthServerConstants.AllowedUserNameCharacters;
                 options.SignIn.RequireConfirmedAccount = false;
                 options.SignIn.RequireConfirmedEmail = false;
                 options.SignIn.RequireConfirmedPhoneNumber = false;
@@ -99,8 +99,8 @@ await services.AddDefaultQuartz(
         services.ConfigureApplicationCookie(c =>
         {
             c.Cookie.Name = "OpenIdDict.Cookie";
-            c.LoginPath = "/login";
-            c.LogoutPath = "/logout";
+            c.LoginPath = $"/{AuthServerConstants.LoginPath}";
+            c.LogoutPath = $"/{AuthServerConstants.LogoutPath}";
             c.ExpireTimeSpan = TimeSpan.FromDays(Convert.ToInt32(expireDaysStr));
         });
 
@@ -169,6 +169,7 @@ await services.AddDefaultQuartz(
                     options.AddEphemeralEncryptionKey()
                         .AddEphemeralSigningKey();
                     aspNetCoreBuilder.DisableTransportSecurityRequirement();
+                    options.DisableAccessTokenEncryption();
                 }
                 else
                 {
@@ -177,8 +178,6 @@ await services.AddDefaultQuartz(
                     options.AddSigningCertificate(certificate)
                         .AddEncryptionCertificate(certificate);
                 }
-
-                options.DisableAccessTokenEncryption(); //TODO: Maybe do encrypt? :)
             })
             .AddClient(options =>
             {
@@ -190,7 +189,7 @@ await services.AddDefaultQuartz(
                     RedirectUri = new Uri($"{config["Identity:Authority"]}/callback/idgovua"),
                     ProviderName = "IdGovUa",
                     ProviderDisplayName = "id.gov.ua",
-                    Scopes = { "profile" },
+                    Scopes = { OpenIddictConstants.Scopes.Profile },
 
                     // Token validation is not supported by id.gov.ua.
                     TokenValidationParameters =
@@ -212,19 +211,30 @@ await services.AddDefaultQuartz(
                     },
                 });
                 options.UseSystemNetHttp();
-                options.UseAspNetCore()
-                    .EnableRedirectionEndpointPassthrough()
-                    .EnablePostLogoutRedirectionEndpointPassthrough()
-                    //TODO: make development only
-                    .DisableTransportSecurityRequirement();
+
                 options
                     .AllowClientCredentialsFlow()
                     .AllowAuthorizationCodeFlow()
                     .AllowRefreshTokenFlow()
-                    .AddEventHandler(ExtractUserIdFromTokenResponseHandler.Descriptor)
-                    //TODO: make development only
-                    .AddDevelopmentSigningCertificate()
-                    .AddEphemeralEncryptionKey();
+                    .AddEventHandler(ExtractUserIdFromTokenResponseHandler.Descriptor);
+
+                var aspNetCoreBuilder = options.UseAspNetCore()
+                    .EnableRedirectionEndpointPassthrough()
+                    .EnablePostLogoutRedirectionEndpointPassthrough();
+
+                if (builder.Environment.IsDevelopment())
+                {
+                    options.AddDevelopmentSigningCertificate()
+                        .AddEphemeralEncryptionKey();
+                    aspNetCoreBuilder.DisableTransportSecurityRequirement();
+                }
+                else
+                {
+                    var certificate = ExternalCertificate.LoadCertificates(authorizationConfig.Certificate);
+                    // TODO: create two different certificates after testing this
+                    options.AddSigningCertificate(certificate)
+                        .AddEncryptionCertificate(certificate);
+                }
             })
             .AddValidation(options =>
             {