administrator/pas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Implement OAuth2 authentication with Microsoft, Google, and PocketId

Browse Source 
- Added JWT configuration to appsettings.json for secure token handling.
- Updated config.json to include OAuth provider details for Microsoft, Google, and PocketId.
- Added Microsoft icon SVG for UI representation.
- Refactored app.config.ts to use a custom AuthInterceptor for managing access tokens.
- Enhanced auth route guard to handle asynchronous authentication checks.
- Created new auth models for structured request and response handling.
- Developed a callback component to manage user login states and transitions.
- Updated side-login component to support multiple OAuth providers with loading states.
- Implemented authentication service methods for handling OAuth login flows and token management.
- Added error handling and user feedback for authentication processes.
This commit is contained in:
Marek Lesko
2025-11-07 19:23:21 +00:00
parent c14f62849f
commit f34d523413
23 changed files with 2090 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
Api/Api.csproj
View File

@@ -22,6 +22,9 @@
<PackageReference Include="Microsoft.Identity.Web.DownstreamApi" Version="3.10.0" />
<PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.22.1" />
<PackageReference Include="Swashbuckle.AspNetCore" Version="9.0.3" />
<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.12.1" />
<PackageReference Include="Microsoft.AspNetCore.Authentication.Google" Version="8.0.18" />
<PackageReference Include="Microsoft.AspNetCore.Authentication.MicrosoftAccount" Version="8.0.18" />
</ItemGroup>
</Project>

273
Api/Controllers/AuthController.cs Normal file
View File

@@ -0,0 +1,273 @@
using Api.Models;
using Api.Models.DTOs;
using Api.Services;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
namespace Api.Controllers
{
[ApiController]
[Route("api/[controller]")]
public class AuthController : ControllerBase
{
private readonly AppDbContext _context;
private readonly IOAuthValidationService _oauthValidationService;
private readonly IJwtService _jwtService;
private readonly ILogger<AuthController> _logger;
public AuthController(
AppDbContext context,
IOAuthValidationService oauthValidationService,
IJwtService jwtService,
ILogger<AuthController> logger)
{
_context = context;
_oauthValidationService = oauthValidationService;
_jwtService = jwtService;
_logger = logger;
}
/// <summary>
/// Authenticates a user with an OAuth ID token and returns a custom access token
/// </summary>
/// <param name="request">Authentication request containing ID token and provider</param>
/// <returns>Custom access token and user information</returns>
[HttpPost("authenticate")]
public async Task<ActionResult<AuthenticateResponse>> AuthenticateAsync([FromBody] AuthenticateRequest request)
{
if (!ModelState.IsValid)
{
return BadRequest(ModelState);
}
try
{
// Validate the ID token with the specified provider
var (isValid, principal, errorMessage) = await _oauthValidationService
.ValidateIdTokenAsync(request.IdToken, request.Provider);
if (!isValid || principal == null)
{
_logger.LogWarning("Invalid ID token for provider {Provider}: {Error}", request.Provider, errorMessage);
return BadRequest(new { error = "invalid_token", message = errorMessage ?? "Invalid ID token" });
}
// Extract user information from the validated token
var userInfo = request.Provider.ToLowerInvariant() == "microsoft"
? await _oauthValidationService.ExtractUserInfoAsync(principal, request.Provider, request.IdToken, request.AccessToken)
: _oauthValidationService.ExtractUserInfo(principal, request.Provider);
if (string.IsNullOrEmpty(userInfo.Email))
{
_logger.LogWarning("No email found in {Provider} token", request.Provider);
return BadRequest(new { error = "invalid_token", message = "Email claim is required" });
}
// Parse the provider enum
if (!Enum.TryParse<OAuthProvider>(request.Provider, true, out var providerEnum))
{
return BadRequest(new { error = "invalid_provider", message = $"Unsupported provider: {request.Provider}" });
}
// Find or create user
var (user, isNewUser) = await FindOrCreateUserAsync(userInfo, providerEnum);
// Update last login time
user.LastLoginAt = DateTime.UtcNow;
// Update or create OAuth provider record
await UpdateUserOAuthProviderAsync(user, userInfo, providerEnum);
await _context.SaveChangesAsync();
// Generate custom access token
var accessToken = _jwtService.GenerateToken(user);
var expiresAt = _jwtService.GetTokenExpiration(accessToken);
// Prepare response
var userProfile = new UserProfile
{
Id = user.Id,
Email = user.Email,
FirstName = user.FirstName,
LastName = user.LastName,
ProfilePictureUrl = user.ProfilePictureUrl,
CreatedAt = user.CreatedAt,
LastLoginAt = user.LastLoginAt,
Providers = user.OAuthProviders.Select(p => p.Provider.ToString()).ToList()
};
var response = new AuthenticateResponse
{
AccessToken = accessToken,
ExpiresAt = expiresAt,
User = userProfile,
IsNewUser = isNewUser
};
_logger.LogInformation("User {Email} authenticated successfully with {Provider} (New: {IsNew})",
user.Email, request.Provider, isNewUser);
return Ok(response);
}
catch (Exception ex)
{
_logger.LogError(ex, "Authentication failed for provider {Provider}", request.Provider);
return StatusCode(500, new { error = "internal_error", message = "Authentication failed" });
}
}
/// <summary>
/// Gets the current user's profile information
/// </summary>
/// <returns>User profile information</returns>
[HttpGet("me")]
[Authorize]
public async Task<ActionResult<UserProfile>> GetCurrentUserAsync()
{
try
{
var userIdClaim = User.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier);
if (userIdClaim == null || !int.TryParse(userIdClaim.Value, out var userId))
{
return Unauthorized(new { error = "invalid_token", message = "User ID not found in token" });
}
var user = await _context.Users
.Include(u => u.OAuthProviders)
.FirstOrDefaultAsync(u => u.Id == userId && u.IsActive);
if (user == null)
{
return NotFound(new { error = "user_not_found", message = "User not found or inactive" });
}
var userProfile = new UserProfile
{
Id = user.Id,
Email = user.Email,
FirstName = user.FirstName,
LastName = user.LastName,
ProfilePictureUrl = user.ProfilePictureUrl,
CreatedAt = user.CreatedAt,
LastLoginAt = user.LastLoginAt,
Providers = user.OAuthProviders.Select(p => p.Provider.ToString()).ToList()
};
return Ok(userProfile);
}
catch (Exception ex)
{
_logger.LogError(ex, "Error retrieving current user profile");
return StatusCode(500, new { error = "internal_error", message = "Failed to retrieve user profile" });
}
}
/// <summary>
/// Revokes the current access token (logout)
/// </summary>
/// <returns>Success message</returns>
[HttpPost("logout")]
[Authorize]
public IActionResult Logout()
{
// In a real application, you might want to maintain a blacklist of revoked tokens
// For now, we'll just return success as JWT tokens are stateless
_logger.LogInformation("User logged out");
return Ok(new { message = "Logged out successfully" });
}
private async Task<(User User, bool IsNewUser)> FindOrCreateUserAsync(
(string Email, string? FirstName, string? LastName, string? ProfilePictureUrl, string ProviderId) userInfo,
OAuthProvider provider)
{
var existingUser = await _context.Users
.Include(u => u.OAuthProviders)
.FirstOrDefaultAsync(u => u.Email == userInfo.Email && u.IsActive);
if (existingUser != null)
{
// Update user information if it has changed
var hasChanges = false;
if (!string.IsNullOrEmpty(userInfo.FirstName) && existingUser.FirstName != userInfo.FirstName)
{
existingUser.FirstName = userInfo.FirstName;
hasChanges = true;
}
if (!string.IsNullOrEmpty(userInfo.LastName) && existingUser.LastName != userInfo.LastName)
{
existingUser.LastName = userInfo.LastName;
hasChanges = true;
}
if (!string.IsNullOrEmpty(userInfo.ProfilePictureUrl) && existingUser.ProfilePictureUrl != userInfo.ProfilePictureUrl)
{
existingUser.ProfilePictureUrl = userInfo.ProfilePictureUrl;
hasChanges = true;
}
if (hasChanges)
{
_logger.LogInformation("Updated user information for {Email}", userInfo.Email);
}
return (existingUser, false);
}
// Create new user
var newUser = new User
{
Email = userInfo.Email,
FirstName = userInfo.FirstName,
LastName = userInfo.LastName,
ProfilePictureUrl = userInfo.ProfilePictureUrl,
CreatedAt = DateTime.UtcNow,
IsActive = true
};
_context.Users.Add(newUser);
_logger.LogInformation("Created new user for {Email}", userInfo.Email);
return (newUser, true);
}
private async Task UpdateUserOAuthProviderAsync(
User user,
(string Email, string? FirstName, string? LastName, string? ProfilePictureUrl, string ProviderId) userInfo,
OAuthProvider provider)
{
var existingProvider = user.OAuthProviders
.FirstOrDefault(p => p.Provider == provider);
if (existingProvider != null)
{
// Update existing provider record
existingProvider.ProviderEmail = userInfo.Email;
existingProvider.ProviderName = $"{userInfo.FirstName} {userInfo.LastName}".Trim();
existingProvider.LastUsedAt = DateTime.UtcNow;
}
else
{
// Create new provider record
var newProvider = new UserOAuthProvider
{
UserId = user.Id,
Provider = provider,
ProviderId = userInfo.ProviderId,
ProviderEmail = userInfo.Email,
ProviderName = $"{userInfo.FirstName} {userInfo.LastName}".Trim(),
CreatedAt = DateTime.UtcNow,
LastUsedAt = DateTime.UtcNow
};
user.OAuthProviders.Add(newProvider);
_logger.LogInformation("Added {Provider} OAuth provider for user {Email}", provider, user.Email);
}
await Task.CompletedTask; // Make the method actually async
}
}
}

189
Api/Migrations/20251107172421_AddUserAuthentication.Designer.cs generated Normal file
View File

@@ -0,0 +1,189 @@
// <auto-generated />
using System;
using Api.Models;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Infrastructure;
using Microsoft.EntityFrameworkCore.Metadata;
using Microsoft.EntityFrameworkCore.Migrations;
using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
#nullable disable
namespace Api.Migrations
{
[DbContext(typeof(AppDbContext))]
[Migration("20251107172421_AddUserAuthentication")]
partial class AddUserAuthentication
{
/// <inheritdoc />
protected override void BuildTargetModel(ModelBuilder modelBuilder)
{
#pragma warning disable 612, 618
modelBuilder
.HasAnnotation("ProductVersion", "8.0.18")
.HasAnnotation("Relational:MaxIdentifierLength", 128);
SqlServerModelBuilderExtensions.UseIdentityColumns(modelBuilder);
modelBuilder.Entity("Api.Models.Product", b =>
{
b.Property<int>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("int");
SqlServerPropertyBuilderExtensions.UseIdentityColumn(b.Property<int>("Id"));
b.Property<string>("Name")
.HasColumnType("nvarchar(max)");
b.Property<decimal>("Price")
.HasColumnType("decimal(18,2)");
b.HasKey("Id");
b.ToTable("Products");
b.HasData(
new
{
Id = 1,
Name = "Sample Product",
Price = 9.99m
});
});
modelBuilder.Entity("Api.Models.User", b =>
{
b.Property<int>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("int");
SqlServerPropertyBuilderExtensions.UseIdentityColumn(b.Property<int>("Id"));
b.Property<DateTime>("CreatedAt")
.HasColumnType("datetime2");
b.Property<string>("Email")
.IsRequired()
.HasMaxLength(255)
.HasColumnType("nvarchar(255)");
b.Property<string>("FirstName")
.HasMaxLength(255)
.HasColumnType("nvarchar(255)");
b.Property<bool>("IsActive")
.HasColumnType("bit");
b.Property<DateTime?>("LastLoginAt")
.HasColumnType("datetime2");
b.Property<string>("LastName")
.HasMaxLength(255)
.HasColumnType("nvarchar(255)");
b.Property<string>("ProfilePictureUrl")
.HasMaxLength(500)
.HasColumnType("nvarchar(500)");
b.HasKey("Id");
b.HasIndex("Email")
.IsUnique();
b.ToTable("Users");
});
modelBuilder.Entity("Api.Models.UserOAuthProvider", b =>
{
b.Property<int>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("int");
SqlServerPropertyBuilderExtensions.UseIdentityColumn(b.Property<int>("Id"));
b.Property<DateTime>("CreatedAt")
.HasColumnType("datetime2");
b.Property<DateTime?>("LastUsedAt")
.HasColumnType("datetime2");
b.Property<int>("Provider")
.HasColumnType("int");
b.Property<string>("ProviderEmail")
.HasMaxLength(255)
.HasColumnType("nvarchar(255)");
b.Property<string>("ProviderId")
.IsRequired()
.HasMaxLength(255)
.HasColumnType("nvarchar(255)");
b.Property<string>("ProviderName")
.HasMaxLength(255)
.HasColumnType("nvarchar(255)");
b.Property<int>("UserId")
.HasColumnType("int");
b.HasKey("Id");
b.HasIndex("UserId");
b.HasIndex("Provider", "ProviderId")
.IsUnique();
b.ToTable("UserOAuthProviders");
});
modelBuilder.Entity("WebMessage", b =>
{
b.Property<int>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("int");
SqlServerPropertyBuilderExtensions.UseIdentityColumn(b.Property<int>("Id"));
b.Property<string>("Email")
.HasColumnType("nvarchar(max)");
b.Property<string>("Message")
.HasColumnType("nvarchar(max)");
b.Property<string>("Name")
.HasColumnType("nvarchar(max)");
b.Property<string>("Phone")
.HasColumnType("nvarchar(max)");
b.Property<string>("Subject")
.HasColumnType("nvarchar(max)");
b.Property<string>("Surname")
.HasColumnType("nvarchar(max)");
b.HasKey("Id");
b.ToTable("WebMessages");
});
modelBuilder.Entity("Api.Models.UserOAuthProvider", b =>
{
b.HasOne("Api.Models.User", "User")
.WithMany("OAuthProviders")
.HasForeignKey("UserId")
.OnDelete(DeleteBehavior.Cascade)
.IsRequired();
b.Navigation("User");
});
modelBuilder.Entity("Api.Models.User", b =>
{
b.Navigation("OAuthProviders");
});
#pragma warning restore 612, 618
}
}
}

86
Api/Migrations/20251107172421_AddUserAuthentication.cs Normal file
View File

@@ -0,0 +1,86 @@
using System;
using Microsoft.EntityFrameworkCore.Migrations;
#nullable disable
namespace Api.Migrations
{
/// <inheritdoc />
public partial class AddUserAuthentication : Migration
{
/// <inheritdoc />
protected override void Up(MigrationBuilder migrationBuilder)
{
migrationBuilder.CreateTable(
name: "Users",
columns: table => new
{
Id = table.Column<int>(type: "int", nullable: false)
.Annotation("SqlServer:Identity", "1, 1"),
Email = table.Column<string>(type: "nvarchar(255)", maxLength: 255, nullable: false),
FirstName = table.Column<string>(type: "nvarchar(255)", maxLength: 255, nullable: true),
LastName = table.Column<string>(type: "nvarchar(255)", maxLength: 255, nullable: true),
ProfilePictureUrl = table.Column<string>(type: "nvarchar(500)", maxLength: 500, nullable: true),
CreatedAt = table.Column<DateTime>(type: "datetime2", nullable: false),
LastLoginAt = table.Column<DateTime>(type: "datetime2", nullable: true),
IsActive = table.Column<bool>(type: "bit", nullable: false)
},
constraints: table =>
{
table.PrimaryKey("PK_Users", x => x.Id);
});
migrationBuilder.CreateTable(
name: "UserOAuthProviders",
columns: table => new
{
Id = table.Column<int>(type: "int", nullable: false)
.Annotation("SqlServer:Identity", "1, 1"),
UserId = table.Column<int>(type: "int", nullable: false),
Provider = table.Column<int>(type: "int", nullable: false),
ProviderId = table.Column<string>(type: "nvarchar(255)", maxLength: 255, nullable: false),
ProviderEmail = table.Column<string>(type: "nvarchar(255)", maxLength: 255, nullable: true),
ProviderName = table.Column<string>(type: "nvarchar(255)", maxLength: 255, nullable: true),
CreatedAt = table.Column<DateTime>(type: "datetime2", nullable: false),
LastUsedAt = table.Column<DateTime>(type: "datetime2", nullable: true)
},
constraints: table =>
{
table.PrimaryKey("PK_UserOAuthProviders", x => x.Id);
table.ForeignKey(
name: "FK_UserOAuthProviders_Users_UserId",
column: x => x.UserId,
principalTable: "Users",
principalColumn: "Id",
onDelete: ReferentialAction.Cascade);
});
migrationBuilder.CreateIndex(
name: "IX_UserOAuthProviders_Provider_ProviderId",
table: "UserOAuthProviders",
columns: new[] { "Provider", "ProviderId" },
unique: true);
migrationBuilder.CreateIndex(
name: "IX_UserOAuthProviders_UserId",
table: "UserOAuthProviders",
column: "UserId");
migrationBuilder.CreateIndex(
name: "IX_Users_Email",
table: "Users",
column: "Email",
unique: true);
}
/// <inheritdoc />
protected override void Down(MigrationBuilder migrationBuilder)
{
migrationBuilder.DropTable(
name: "UserOAuthProviders");
migrationBuilder.DropTable(
name: "Users");
}
}
}

102
Api/Migrations/AppDbContextModelSnapshot.cs
View File

@@ -1,4 +1,5 @@
// <auto-generated />
using System;
using Api.Models;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Infrastructure;
@@ -48,6 +49,91 @@ namespace Api.Migrations
});
});
modelBuilder.Entity("Api.Models.User", b =>
{
b.Property<int>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("int");
SqlServerPropertyBuilderExtensions.UseIdentityColumn(b.Property<int>("Id"));
b.Property<DateTime>("CreatedAt")
.HasColumnType("datetime2");
b.Property<string>("Email")
.IsRequired()
.HasMaxLength(255)
.HasColumnType("nvarchar(255)");
b.Property<string>("FirstName")
.HasMaxLength(255)
.HasColumnType("nvarchar(255)");
b.Property<bool>("IsActive")
.HasColumnType("bit");
b.Property<DateTime?>("LastLoginAt")
.HasColumnType("datetime2");
b.Property<string>("LastName")
.HasMaxLength(255)
.HasColumnType("nvarchar(255)");
b.Property<string>("ProfilePictureUrl")
.HasMaxLength(500)
.HasColumnType("nvarchar(500)");
b.HasKey("Id");
b.HasIndex("Email")
.IsUnique();
b.ToTable("Users");
});
modelBuilder.Entity("Api.Models.UserOAuthProvider", b =>
{
b.Property<int>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("int");
SqlServerPropertyBuilderExtensions.UseIdentityColumn(b.Property<int>("Id"));
b.Property<DateTime>("CreatedAt")
.HasColumnType("datetime2");
b.Property<DateTime?>("LastUsedAt")
.HasColumnType("datetime2");
b.Property<int>("Provider")
.HasColumnType("int");
b.Property<string>("ProviderEmail")
.HasMaxLength(255)
.HasColumnType("nvarchar(255)");
b.Property<string>("ProviderId")
.IsRequired()
.HasMaxLength(255)
.HasColumnType("nvarchar(255)");
b.Property<string>("ProviderName")
.HasMaxLength(255)
.HasColumnType("nvarchar(255)");
b.Property<int>("UserId")
.HasColumnType("int");
b.HasKey("Id");
b.HasIndex("UserId");
b.HasIndex("Provider", "ProviderId")
.IsUnique();
b.ToTable("UserOAuthProviders");
});
modelBuilder.Entity("WebMessage", b =>
{
b.Property<int>("Id")
@@ -78,6 +164,22 @@ namespace Api.Migrations
b.ToTable("WebMessages");
});
modelBuilder.Entity("Api.Models.UserOAuthProvider", b =>
{
b.HasOne("Api.Models.User", "User")
.WithMany("OAuthProviders")
.HasForeignKey("UserId")
.OnDelete(DeleteBehavior.Cascade)
.IsRequired();
b.Navigation("User");
});
modelBuilder.Entity("Api.Models.User", b =>
{
b.Navigation("OAuthProviders");
});
#pragma warning restore 612, 618
}
}

30
Api/Models/AppDbContext.cs
View File

@@ -14,12 +14,40 @@ namespace Api.Models
{
public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
public DbSet<Product> Products { get; set; }
public DbSet<WebMessage> WebMessages { get; set; }
public DbSet<User> Users { get; set; }
public DbSet<UserOAuthProvider> UserOAuthProviders { get; set; }
protected override void OnModelCreating(ModelBuilder modelBuilder)
{
base.OnModelCreating(modelBuilder);
// Configure User entity
modelBuilder.Entity<User>(entity =>
{
entity.HasKey(e => e.Id);
entity.HasIndex(e => e.Email).IsUnique();
entity.Property(e => e.Email).IsRequired().HasMaxLength(255);
entity.Property(e => e.FirstName).HasMaxLength(255);
entity.Property(e => e.LastName).HasMaxLength(255);
entity.Property(e => e.ProfilePictureUrl).HasMaxLength(500);
});
// Configure UserOAuthProvider entity
modelBuilder.Entity<UserOAuthProvider>(entity =>
{
entity.HasKey(e => e.Id);
entity.HasIndex(e => new { e.Provider, e.ProviderId }).IsUnique();
entity.Property(e => e.ProviderId).IsRequired().HasMaxLength(255);
entity.Property(e => e.ProviderEmail).HasMaxLength(255);
entity.Property(e => e.ProviderName).HasMaxLength(255);
entity.HasOne(e => e.User)
.WithMany(u => u.OAuthProviders)
.HasForeignKey(e => e.UserId)
.OnDelete(DeleteBehavior.Cascade);
});
// Seed data
modelBuilder.Entity<Product>().HasData(
new Product { Id = 1, Name = "Sample Product", Price = 9.99M }

59
Api/Models/DTOs/AuthenticationDtos.cs Normal file
View File

@@ -0,0 +1,59 @@
using System.ComponentModel.DataAnnotations;
namespace Api.Models.DTOs
{
public class AuthenticateRequest
{
[Required]
public string IdToken { get; set; } = string.Empty;
[Required]
public string Provider { get; set; } = string.Empty; // "Microsoft", "Google", "PocketId"
/// <summary>
/// Optional access token for API calls (e.g., Microsoft Graph)
/// </summary>
public string? AccessToken { get; set; }
}
public class AuthenticateResponse
{
public string AccessToken { get; set; } = string.Empty;
public DateTime ExpiresAt { get; set; }
public UserProfile User { get; set; } = null!;
public bool IsNewUser { get; set; }
}
public class UserProfile
{
public int Id { get; set; }
public string Email { get; set; } = string.Empty;
public string? FirstName { get; set; }
public string? LastName { get; set; }
public string? ProfilePictureUrl { get; set; }
public DateTime CreatedAt { get; set; }
public DateTime? LastLoginAt { get; set; }
public List<string> Providers { get; set; } = new List<string>();
}
public class JwtSettings
{
public string SecretKey { get; set; } = string.Empty;
public string Issuer { get; set; } = string.Empty;
public string Audience { get; set; } = string.Empty;
public int ExpirationMinutes { get; set; } = 60;
}
public class OAuthProviderSettings
{
public Dictionary<string, ProviderConfig> Providers { get; set; } = new Dictionary<string, ProviderConfig>();
}
public class ProviderConfig
{
public string Authority { get; set; } = string.Empty;
public string ClientId { get; set; } = string.Empty;
public string? ClientSecret { get; set; }
public List<string> ValidAudiences { get; set; } = new List<string>();
}
}

72
Api/Models/User.cs Normal file
View File

@@ -0,0 +1,72 @@
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;
namespace Api.Models
{
public class User
{
[Key]
public int Id { get; set; }
[Required]
[StringLength(255)]
public string Email { get; set; } = string.Empty;
[StringLength(255)]
public string? FirstName { get; set; }
[StringLength(255)]
public string? LastName { get; set; }
[StringLength(500)]
public string? ProfilePictureUrl { get; set; }
[Required]
public DateTime CreatedAt { get; set; } = DateTime.UtcNow;
public DateTime? LastLoginAt { get; set; }
public bool IsActive { get; set; } = true;
// Navigation property for OAuth providers
public virtual ICollection<UserOAuthProvider> OAuthProviders { get; set; } = new List<UserOAuthProvider>();
}
public class UserOAuthProvider
{
[Key]
public int Id { get; set; }
[Required]
public int UserId { get; set; }
[Required]
public OAuthProvider Provider { get; set; }
[Required]
[StringLength(255)]
public string ProviderId { get; set; } = string.Empty;
[StringLength(255)]
public string? ProviderEmail { get; set; }
[StringLength(255)]
public string? ProviderName { get; set; }
public DateTime CreatedAt { get; set; } = DateTime.UtcNow;
public DateTime? LastUsedAt { get; set; }
// Navigation property
[ForeignKey("UserId")]
public virtual User User { get; set; } = null!;
}
public enum OAuthProvider
{
Microsoft = 1,
Google = 2,
PocketId = 3
// Add more providers as needed
}
}

85
Api/Program.cs
View File

@@ -3,6 +3,9 @@ using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Abstractions;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;
using Microsoft.IdentityModel.Tokens;
using System.Text;
using Api.Services;
namespace Api
{
@@ -17,6 +20,15 @@ namespace Api
var builder = WebApplication.CreateBuilder(args);
// Add services to the container.
// Configure JWT authentication for custom tokens
var jwtSettings = builder.Configuration.GetSection("Jwt");
var secretKey = jwtSettings["SecretKey"];
if (string.IsNullOrEmpty(secretKey))
{
throw new InvalidOperationException("JWT SecretKey must be configured");
}
builder.Services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
@@ -24,14 +36,46 @@ namespace Api
})
.AddJwtBearer(options =>
{
options.Authority = builder.Configuration["Authentication:PocketId:Authority"];
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
options.TokenValidationParameters = new TokenValidationParameters
{
ValidAudiences = builder.Configuration["Authentication:PocketId:ClientId"]?.Split(';').Select(i => i.Trim()).ToArray(),
ValidIssuers = builder.Configuration["Authentication:PocketId:Authority"]?.Split(';').Select(i => i.Trim()).ToArray()
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secretKey)),
ValidateIssuer = true,
ValidIssuer = jwtSettings["Issuer"],
ValidateAudience = true,
ValidAudience = jwtSettings["Audience"],
ValidateLifetime = true,
ClockSkew = TimeSpan.FromMinutes(5)
};
options.Events = new JwtBearerEvents
{
OnAuthenticationFailed = context =>
{
var logger = context.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>()
.CreateLogger("JwtAuthentication");
logger.LogWarning("JWT authentication failed: {Exception}", context.Exception.Message);
return Task.CompletedTask;
},
OnTokenValidated = context =>
{
var logger = context.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>()
.CreateLogger("JwtAuthentication");
var userId = context.Principal?.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier)?.Value;
logger.LogInformation("JWT token validated for user {UserId}", userId);
return Task.CompletedTask;
}
};
});
// Add authorization
builder.Services.AddAuthorization();
// Register custom services
builder.Services.AddHttpClient<IOAuthValidationService, OAuthValidationService>();
builder.Services.AddScoped<IJwtService, JwtService>();
builder.Services.AddScoped<IOAuthValidationService, OAuthValidationService>();
builder.Services.AddCors(options =>
{
options.AddPolicy("Default", policy =>
@@ -43,27 +87,52 @@ namespace Api
policy
.WithOrigins(allowedHostsConfiguration ?? new[] { "*" })
.AllowAnyHeader()
.AllowAnyMethod();
.AllowAnyMethod()
.AllowCredentials(); // Allow credentials for JWT tokens
});
});
builder.Services.AddControllers();
// Add DbContext with SQL Server
// Allow connection string to be set via environment variable (e.g., in Docker)
builder.Services.AddDbContext<AppDbContext>(options =>
options.UseSqlServer(builder.Configuration.GetConnectionString("DefaultConnection")));
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
builder.Services.AddSwaggerGen(options =>
{
options.AddSecurityDefinition("Bearer", new Microsoft.OpenApi.Models.OpenApiSecurityScheme
{
Name = "Authorization",
Type = Microsoft.OpenApi.Models.SecuritySchemeType.Http,
Scheme = "Bearer",
BearerFormat = "JWT",
In = Microsoft.OpenApi.Models.ParameterLocation.Header,
Description = "JWT Authorization header using the Bearer scheme."
});
options.AddSecurityRequirement(new Microsoft.OpenApi.Models.OpenApiSecurityRequirement
{
{
new Microsoft.OpenApi.Models.OpenApiSecurityScheme
{
Reference = new Microsoft.OpenApi.Models.OpenApiReference
{
Type = Microsoft.OpenApi.Models.ReferenceType.SecurityScheme,
Id = "Bearer"
}
},
Array.Empty<string>()
}
});
});
var app = builder.Build();
app.UseSwagger();
app.UseSwaggerUI();
if (!app.Environment.IsDevelopment())
{
app.UseHttpsRedirection();

139
Api/Services/JwtService.cs Normal file
View File

@@ -0,0 +1,139 @@
using Api.Models;
using Api.Models.DTOs;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
namespace Api.Services
{
public interface IJwtService
{
string GenerateToken(User user);
ClaimsPrincipal? ValidateToken(string token);
DateTime GetTokenExpiration(string token);
}
public class JwtService : IJwtService
{
private readonly JwtSettings _jwtSettings;
private readonly ILogger<JwtService> _logger;
private readonly SymmetricSecurityKey _key;
public JwtService(IConfiguration configuration, ILogger<JwtService> logger)
{
_jwtSettings = configuration.GetSection("Jwt").Get<JwtSettings>()
?? throw new InvalidOperationException("JWT settings not configured");
_logger = logger;
_key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_jwtSettings.SecretKey));
}
public string GenerateToken(User user)
{
try
{
var tokenHandler = new JwtSecurityTokenHandler();
var credentials = new SigningCredentials(_key, SecurityAlgorithms.HmacSha256);
var claims = new List<Claim>
{
new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
new Claim(ClaimTypes.Email, user.Email),
new Claim("jti", Guid.NewGuid().ToString()),
new Claim("iat", DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64)
};
// Add optional claims if available
if (!string.IsNullOrEmpty(user.FirstName))
{
claims.Add(new Claim(ClaimTypes.GivenName, user.FirstName));
}
if (!string.IsNullOrEmpty(user.LastName))
{
claims.Add(new Claim(ClaimTypes.Surname, user.LastName));
}
// Add provider information
var providers = user.OAuthProviders.Select(p => p.Provider.ToString()).ToList();
if (providers.Any())
{
claims.Add(new Claim("providers", string.Join(",", providers)));
}
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(claims),
Expires = DateTime.UtcNow.AddMinutes(_jwtSettings.ExpirationMinutes),
SigningCredentials = credentials,
Issuer = _jwtSettings.Issuer,
Audience = _jwtSettings.Audience
};
var token = tokenHandler.CreateToken(tokenDescriptor);
return tokenHandler.WriteToken(token);
}
catch (Exception ex)
{
_logger.LogError(ex, "Error generating JWT token for user {UserId}", user.Id);
throw new InvalidOperationException("Failed to generate access token", ex);
}
}
public ClaimsPrincipal? ValidateToken(string token)
{
try
{
var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = _key,
ValidateIssuer = true,
ValidIssuer = _jwtSettings.Issuer,
ValidateAudience = true,
ValidAudience = _jwtSettings.Audience,
ValidateLifetime = true,
ClockSkew = TimeSpan.FromMinutes(5) // Allow 5 minutes clock skew
};
var principal = tokenHandler.ValidateToken(token, validationParameters, out var validatedToken);
// Ensure the token is a JWT token with the correct algorithm
if (validatedToken is not JwtSecurityToken jwtToken ||
!jwtToken.Header.Alg.Equals(SecurityAlgorithms.HmacSha256, StringComparison.InvariantCultureIgnoreCase))
{
return null;
}
return principal;
}
catch (SecurityTokenException ex)
{
_logger.LogWarning(ex, "Invalid token validation attempt");
return null;
}
catch (Exception ex)
{
_logger.LogError(ex, "Error validating JWT token");
return null;
}
}
public DateTime GetTokenExpiration(string token)
{
try
{
var tokenHandler = new JwtSecurityTokenHandler();
var jsonToken = tokenHandler.ReadJwtToken(token);
return jsonToken.ValidTo;
}
catch (Exception ex)
{
_logger.LogError(ex, "Error reading token expiration");
throw new InvalidOperationException("Invalid token format", ex);
}
}
}
}

507
Api/Services/OAuthValidationService.cs Normal file
View File

@@ -0,0 +1,507 @@
using Api.Models;
using Api.Models.DTOs;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text.Json;
namespace Api.Services
{
public interface IOAuthValidationService
{
Task<(bool IsValid, ClaimsPrincipal? Principal, string? ErrorMessage)> ValidateIdTokenAsync(string idToken, string provider);
(string Email, string? FirstName, string? LastName, string? ProfilePictureUrl, string ProviderId) ExtractUserInfo(ClaimsPrincipal principal, string provider);
Task<(string Email, string? FirstName, string? LastName, string? ProfilePictureUrl, string ProviderId)> ExtractUserInfoAsync(ClaimsPrincipal principal, string provider, string? idToken = null, string? accessToken = null);
}
public class OAuthValidationService : IOAuthValidationService
{
private readonly OAuthProviderSettings _providerSettings;
private readonly ILogger<OAuthValidationService> _logger;
private readonly HttpClient _httpClient;
private readonly JwtSecurityTokenHandler _tokenHandler;
public OAuthValidationService(
IConfiguration configuration,
ILogger<OAuthValidationService> logger,
HttpClient httpClient)
{
_providerSettings = configuration.GetSection("OAuth").Get<OAuthProviderSettings>()
?? throw new InvalidOperationException("OAuth provider settings not configured");
_logger = logger;
_httpClient = httpClient;
_tokenHandler = new JwtSecurityTokenHandler();
}
public async Task<(bool IsValid, ClaimsPrincipal? Principal, string? ErrorMessage)> ValidateIdTokenAsync(string idToken, string provider)
{
try
{
if (!_providerSettings.Providers.TryGetValue(provider.ToLowerInvariant(), out var config))
{
return (false, null, $"Unsupported OAuth provider: {provider}");
}
return provider.ToLowerInvariant() switch
{
"microsoft" => await ValidateMicrosoftTokenAsync(idToken, config),
"google" => await ValidateGoogleTokenAsync(idToken, config),
"pocketid" => await ValidatePocketIdTokenAsync(idToken, config),
_ => (false, null, $"Provider {provider} validation not implemented")
};
}
catch (Exception ex)
{
_logger.LogError(ex, "Error validating {Provider} ID token", provider);
return (false, null, "Token validation failed due to internal error");
}
}
private async Task<(bool IsValid, ClaimsPrincipal? Principal, string? ErrorMessage)> ValidateMicrosoftTokenAsync(string idToken, ProviderConfig config)
{
try
{
// For Microsoft, we need to validate against their OIDC discovery document
var discoveryUrl = $"{config.Authority}/.well-known/openid-configuration";
var discovery = await GetDiscoveryDocumentAsync(discoveryUrl);
if (discovery == null)
{
return (false, null, "Failed to retrieve Microsoft discovery document");
}
var validationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKeys = await GetSigningKeysAsync(discovery.JwksUri),
ValidateIssuer = true,
ValidIssuer = discovery.Issuer,
ValidateAudience = true,
ValidAudiences = config.ValidAudiences,
ValidateLifetime = true,
ClockSkew = TimeSpan.FromMinutes(5)
};
var principal = _tokenHandler.ValidateToken(idToken, validationParameters, out var validatedToken);
return (true, principal, null);
}
catch (SecurityTokenException ex)
{
_logger.LogWarning(ex, "Microsoft token validation failed");
return (false, null, "Invalid Microsoft ID token");
}
}
private async Task<(bool IsValid, ClaimsPrincipal? Principal, string? ErrorMessage)> ValidateGoogleTokenAsync(string idToken, ProviderConfig config)
{
try
{
// For Google, use their discovery document
var discoveryUrl = "https://accounts.google.com/.well-known/openid-configuration";
var discovery = await GetDiscoveryDocumentAsync(discoveryUrl);
if (discovery == null)
{
return (false, null, "Failed to retrieve Google discovery document");
}
var validationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKeys = await GetSigningKeysAsync(discovery.JwksUri),
ValidateIssuer = true,
ValidIssuers = new[] { "https://accounts.google.com", "accounts.google.com" },
ValidateAudience = true,
ValidAudiences = config.ValidAudiences,
ValidateLifetime = true,
ClockSkew = TimeSpan.FromMinutes(5)
};
var principal = _tokenHandler.ValidateToken(idToken, validationParameters, out var validatedToken);
return (true, principal, null);
}
catch (SecurityTokenException ex)
{
_logger.LogWarning(ex, "Google token validation failed");
return (false, null, "Invalid Google ID token");
}
}
private async Task<(bool IsValid, ClaimsPrincipal? Principal, string? ErrorMessage)> ValidatePocketIdTokenAsync(string idToken, ProviderConfig config)
{
try
{
var discoveryUrl = $"{config.Authority}/.well-known/openid-configuration";
var discovery = await GetDiscoveryDocumentAsync(discoveryUrl);
if (discovery == null)
{
return (false, null, "Failed to retrieve PocketId discovery document");
}
var validationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKeys = await GetSigningKeysAsync(discovery.JwksUri),
ValidateIssuer = true,
ValidIssuer = discovery.Issuer,
ValidateAudience = true,
ValidAudiences = config.ValidAudiences,
ValidateLifetime = true,
ClockSkew = TimeSpan.FromMinutes(5)
};
var principal = _tokenHandler.ValidateToken(idToken, validationParameters, out var validatedToken);
return (true, principal, null);
}
catch (SecurityTokenException ex)
{
_logger.LogWarning(ex, "PocketId token validation failed");
return (false, null, "Invalid PocketId token");
}
}
private async Task<DiscoveryDocument?> GetDiscoveryDocumentAsync(string discoveryUrl)
{
try
{
var response = await _httpClient.GetStringAsync(discoveryUrl);
return JsonSerializer.Deserialize<DiscoveryDocument>(response, new JsonSerializerOptions
{
PropertyNamingPolicy = JsonNamingPolicy.SnakeCaseLower
});
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to retrieve discovery document from {DiscoveryUrl}", discoveryUrl);
return null;
}
}
private async Task<IEnumerable<SecurityKey>> GetSigningKeysAsync(string jwksUri)
{
try
{
var response = await _httpClient.GetStringAsync(jwksUri);
var jwks = new JsonWebKeySet(response);
return jwks.Keys;
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to retrieve signing keys from {JwksUri}", jwksUri);
return Enumerable.Empty<SecurityKey>();
}
}
public (string Email, string? FirstName, string? LastName, string? ProfilePictureUrl, string ProviderId) ExtractUserInfo(ClaimsPrincipal principal, string provider)
{
return provider.ToLowerInvariant() switch
{
"microsoft" => ExtractMicrosoftUserInfo(principal),
"google" => ExtractGoogleUserInfo(principal),
"pocketid" => ExtractPocketIdUserInfo(principal),
_ => throw new ArgumentException($"Unsupported provider: {provider}")
};
}
public async Task<(string Email, string? FirstName, string? LastName, string? ProfilePictureUrl, string ProviderId)> ExtractUserInfoAsync(ClaimsPrincipal principal, string provider, string? idToken = null, string? accessToken = null)
{
return provider.ToLowerInvariant() switch
{
"microsoft" => await ExtractMicrosoftUserInfoAsync(principal, idToken, accessToken),
"google" => ExtractGoogleUserInfo(principal),
"pocketid" => ExtractPocketIdUserInfo(principal),
_ => throw new ArgumentException($"Unsupported provider: {provider}")
};
}
private async Task<(string Email, string? FirstName, string? LastName, string? ProfilePictureUrl, string ProviderId)> ExtractMicrosoftUserInfoAsync(ClaimsPrincipal principal, string? idToken = null, string? accessToken = null)
{
var email = principal.FindFirst("email")?.Value ?? principal.FindFirst(ClaimTypes.Email)?.Value ?? "";
var firstName = principal.FindFirst("given_name")?.Value ?? principal.FindFirst(ClaimTypes.GivenName)?.Value;
var lastName = principal.FindFirst("family_name")?.Value ?? principal.FindFirst(ClaimTypes.Surname)?.Value;
var providerId = principal.FindFirst("sub")?.Value ?? principal.FindFirst("oid")?.Value ?? "";
var profilePicture = principal.FindFirst("picture")?.Value;
// Log available claims for debugging
_logger.LogInformation("Microsoft token claims: {Claims}",
string.Join(", ", principal.Claims.Select(c => $"{c.Type}={c.Value}")));
// Try to get additional info from Microsoft Graph using access token
if ((string.IsNullOrEmpty(firstName) || string.IsNullOrEmpty(lastName) || string.IsNullOrEmpty(profilePicture)))
{
string? tokenToUse = null;
// Prefer access token over ID token for Microsoft Graph API calls
if (!string.IsNullOrEmpty(accessToken))
{
tokenToUse = accessToken;
_logger.LogInformation("Using access token for Microsoft Graph API calls");
}
else if (!string.IsNullOrEmpty(idToken))
{
tokenToUse = idToken;
_logger.LogWarning("Using ID token for Microsoft Graph API calls (access token preferred)");
}
if (!string.IsNullOrEmpty(tokenToUse))
{
try
{
var graphProfile = await GetMicrosoftGraphProfileAsync(tokenToUse);
if (graphProfile != null)
{
firstName ??= graphProfile.GivenName;
lastName ??= graphProfile.Surname;
email = string.IsNullOrEmpty(email) ? (graphProfile.Mail ?? graphProfile.UserPrincipalName ?? email) : email;
// Try to get profile picture
if (string.IsNullOrEmpty(profilePicture))
{
profilePicture = await GetMicrosoftGraphProfilePictureUrlAsync(tokenToUse);
}
}
}
catch (Exception ex)
{
_logger.LogWarning(ex, "Failed to get additional user info from Microsoft Graph using {TokenType}",
!string.IsNullOrEmpty(accessToken) ? "access token" : "ID token");
}
}
}
// If we still don't have name information from the token, try to extract from other claims
if (string.IsNullOrEmpty(firstName) && string.IsNullOrEmpty(lastName))
{
// Try the 'name' claim first
var name = principal.FindFirst("name")?.Value ?? principal.FindFirst(ClaimTypes.Name)?.Value;
if (!string.IsNullOrEmpty(name))
{
var nameParts = name.Split(' ', StringSplitOptions.RemoveEmptyEntries);
if (nameParts.Length >= 2)
{
firstName = nameParts[0];
lastName = string.Join(" ", nameParts.Skip(1));
}
else if (nameParts.Length == 1)
{
firstName = nameParts[0];
}
}
else if (!string.IsNullOrEmpty(email))
{
// Extract name from email as fallback
var emailName = email.Split('@')[0];
var emailParts = emailName.Split('.', StringSplitOptions.RemoveEmptyEntries);
if (emailParts.Length >= 2)
{
firstName = FormatNameFromEmail(emailParts[0]);
lastName = FormatNameFromEmail(emailParts[1]);
}
else if (emailParts.Length == 1)
{
firstName = FormatNameFromEmail(emailName);
}
}
}
return (email, firstName, lastName, profilePicture, providerId);
}
private async Task<MicrosoftGraphProfile?> GetMicrosoftGraphProfileAsync(string token)
{
try
{
// Try using the token as Authorization Bearer
using var request = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/me");
request.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", token);
var response = await _httpClient.SendAsync(request);
if (!response.IsSuccessStatusCode)
{
_logger.LogWarning("Microsoft Graph API call failed with status {StatusCode}: {ReasonPhrase}",
response.StatusCode, response.ReasonPhrase);
return null;
}
var responseContent = await response.Content.ReadAsStringAsync();
var profile = JsonSerializer.Deserialize<MicrosoftGraphProfile>(responseContent, new JsonSerializerOptions
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
});
_logger.LogInformation("Successfully retrieved Microsoft Graph profile: {DisplayName}", profile?.DisplayName);
return profile;
}
catch (Exception ex)
{
_logger.LogWarning(ex, "Failed to get Microsoft Graph profile");
return null;
}
}
private async Task<string?> GetMicrosoftGraphProfilePictureUrlAsync(string token)
{
try
{
// Try to get the photo directly - 404 is normal if user has no photo
using var photoRequest = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/me/photo/$value");
photoRequest.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", token);
var photoResponse = await _httpClient.SendAsync(photoRequest);
if (photoResponse.StatusCode == System.Net.HttpStatusCode.NotFound)
{
_logger.LogDebug("User has no profile picture in Microsoft Graph (404 - normal behavior)");
return null;
}
if (!photoResponse.IsSuccessStatusCode)
{
_logger.LogDebug("Microsoft Graph photo API call failed with status {StatusCode}: {ReasonPhrase}",
photoResponse.StatusCode, photoResponse.ReasonPhrase);
return null;
}
// Get the photo bytes and convert to base64 data URL
var photoBytes = await photoResponse.Content.ReadAsByteArrayAsync();
// Check if we got valid image data
if (photoBytes == null || photoBytes.Length == 0)
{
_logger.LogDebug("Microsoft Graph returned empty photo data");
return null;
}
var contentType = photoResponse.Content.Headers.ContentType?.MediaType ?? "image/jpeg";
var base64Photo = Convert.ToBase64String(photoBytes);
var dataUrl = $"data:{contentType};base64,{base64Photo}";
_logger.LogInformation("Successfully retrieved Microsoft Graph profile picture as base64 data URL ({Size} bytes, type: {ContentType})",
photoBytes.Length, contentType);
return dataUrl;
}
catch (HttpRequestException ex) when (ex.Message.Contains("404"))
{
_logger.LogDebug("User has no profile picture in Microsoft Graph (404)");
return null;
}
catch (Exception ex)
{
_logger.LogDebug(ex, "Failed to get Microsoft Graph profile picture");
return null;
}
}
private (string Email, string? FirstName, string? LastName, string? ProfilePictureUrl, string ProviderId) ExtractMicrosoftUserInfo(ClaimsPrincipal principal)
{
var email = principal.FindFirst("email")?.Value ?? principal.FindFirst(ClaimTypes.Email)?.Value ?? "";
var firstName = principal.FindFirst("given_name")?.Value ?? principal.FindFirst(ClaimTypes.GivenName)?.Value;
var lastName = principal.FindFirst("family_name")?.Value ?? principal.FindFirst(ClaimTypes.Surname)?.Value;
var providerId = principal.FindFirst("sub")?.Value ?? principal.FindFirst("oid")?.Value ?? "";
var profilePicture = principal.FindFirst("picture")?.Value;
// Log available claims for debugging
_logger.LogInformation("Microsoft token claims: {Claims}",
string.Join(", ", principal.Claims.Select(c => $"{c.Type}={c.Value}")));
// If we don't have name information from the token, try to extract from other claims
if (string.IsNullOrEmpty(firstName) && string.IsNullOrEmpty(lastName))
{
// Try the 'name' claim first
var name = principal.FindFirst("name")?.Value ?? principal.FindFirst(ClaimTypes.Name)?.Value;
if (!string.IsNullOrEmpty(name))
{
var nameParts = name.Split(' ', StringSplitOptions.RemoveEmptyEntries);
if (nameParts.Length >= 2)
{
firstName = nameParts[0];
lastName = string.Join(" ", nameParts.Skip(1));
}
else if (nameParts.Length == 1)
{
firstName = nameParts[0];
}
}
else if (!string.IsNullOrEmpty(email))
{
// Extract name from email as fallback
var emailName = email.Split('@')[0];
var emailParts = emailName.Split('.', StringSplitOptions.RemoveEmptyEntries);
if (emailParts.Length >= 2)
{
firstName = FormatNameFromEmail(emailParts[0]);
lastName = FormatNameFromEmail(emailParts[1]);
}
else if (emailParts.Length == 1)
{
firstName = FormatNameFromEmail(emailName);
}
}
}
return (email, firstName, lastName, profilePicture, providerId);
}
private static string FormatNameFromEmail(string emailPart)
{
if (string.IsNullOrEmpty(emailPart)) return emailPart;
// Remove numbers and special characters, capitalize first letter
var cleaned = new string(emailPart.Where(c => char.IsLetter(c)).ToArray());
if (string.IsNullOrEmpty(cleaned)) return emailPart;
return char.ToUpper(cleaned[0]) + cleaned[1..].ToLower();
}
private (string Email, string? FirstName, string? LastName, string? ProfilePictureUrl, string ProviderId) ExtractGoogleUserInfo(ClaimsPrincipal principal)
{
var email = principal.FindFirst("email")?.Value ?? principal.FindFirst(ClaimTypes.Email)?.Value ?? "";
var firstName = principal.FindFirst("given_name")?.Value ?? principal.FindFirst(ClaimTypes.GivenName)?.Value;
var lastName = principal.FindFirst("family_name")?.Value ?? principal.FindFirst(ClaimTypes.Surname)?.Value;
var providerId = principal.FindFirst("sub")?.Value ?? "";
var profilePicture = principal.FindFirst("picture")?.Value;
return (email, firstName, lastName, profilePicture, providerId);
}
private (string Email, string? FirstName, string? LastName, string? ProfilePictureUrl, string ProviderId) ExtractPocketIdUserInfo(ClaimsPrincipal principal)
{
var email = principal.FindFirst("email")?.Value ?? principal.FindFirst(ClaimTypes.Email)?.Value ?? "";
var firstName = principal.FindFirst("given_name")?.Value ?? principal.FindFirst(ClaimTypes.GivenName)?.Value;
var lastName = principal.FindFirst("family_name")?.Value ?? principal.FindFirst(ClaimTypes.Surname)?.Value;
var providerId = principal.FindFirst("sub")?.Value ?? "";
var profilePicture = principal.FindFirst("picture")?.Value;
return (email, firstName, lastName, profilePicture, providerId);
}
}
public class DiscoveryDocument
{
public string Issuer { get; set; } = string.Empty;
public string JwksUri { get; set; } = string.Empty;
public string AuthorizationEndpoint { get; set; } = string.Empty;
public string TokenEndpoint { get; set; } = string.Empty;
public string UserinfoEndpoint { get; set; } = string.Empty;
}
public class MicrosoftGraphProfile
{
public string? GivenName { get; set; }
public string? Surname { get; set; }
public string? DisplayName { get; set; }
public string? Mail { get; set; }
public string? UserPrincipalName { get; set; }
public string? Id { get; set; }
public string? JobTitle { get; set; }
public string? MobilePhone { get; set; }
public string? OfficeLocation { get; set; }
public string? PreferredLanguage { get; set; }
// Note: Microsoft Graph doesn't provide direct profile picture URLs in the /me endpoint
// Profile pictures must be retrieved separately via /me/photo/$value
}
}

26
Api/appsettings.json
View File

@@ -1,4 +1,29 @@
{
"Jwt": {
"SecretKey": "your-very-secure-secret-key-that-should-be-at-least-32-characters-long",
"Issuer": "https://api.yourapp.com",
"Audience": "https://yourapp.com",
"ExpirationMinutes": 60
},
"OAuth": {
"Providers": {
"microsoft": {
"Authority": "https://login.microsoftonline.com/4a0d328f-1f94-4920-b67e-4275737d02a5/v2.0",
"ClientId": "eb03f08b-280a-46c7-9700-b012caa46000",
"ValidAudiences": ["eb03f08b-280a-46c7-9700-b012caa46000"]
},
"google": {
"Authority": "https://accounts.google.com",
"ClientId": "1000025801082-09ikmt61a9c9vbdjhpdab9b0ui3vdnij.apps.googleusercontent.com",
"ValidAudiences": ["1000025801082-09ikmt61a9c9vbdjhpdab9b0ui3vdnij.apps.googleusercontent.com"]
},
"pocketid": {
"Authority": "https://identity.lesko.me",
"ClientId": "21131567-fea1-42a2-8907-21abd874eff8",
"ValidAudiences": ["21131567-fea1-42a2-8907-21abd874eff8"]
}
}
},
"Authentication": {
"PocketId": {
"Authority": "https://identity.lesko.me",
@@ -16,5 +41,4 @@
},
"AllowedHosts": "localhost",
"CorsOrigins": "https://localhost:5001,http://localhost:4200,http://localhost:5000"
}