feat: harden auth ops and deployment baseline
This commit is contained in:
@@ -1,5 +1,6 @@
|
||||
namespace TaxBaik.Web.Services;
|
||||
|
||||
using Microsoft.AspNetCore.Components;
|
||||
using System.Text.Json;
|
||||
|
||||
public interface IApiClient
|
||||
@@ -14,11 +15,13 @@ public interface IApiClient
|
||||
public class ApiClient : IApiClient
|
||||
{
|
||||
private readonly HttpClient _httpClient;
|
||||
private readonly NavigationManager _navigationManager;
|
||||
private string? _authToken;
|
||||
|
||||
public ApiClient(HttpClient httpClient)
|
||||
public ApiClient(HttpClient httpClient, NavigationManager navigationManager)
|
||||
{
|
||||
_httpClient = httpClient;
|
||||
_navigationManager = navigationManager;
|
||||
}
|
||||
|
||||
public async Task SetAuthToken(string? token)
|
||||
@@ -34,7 +37,7 @@ public class ApiClient : IApiClient
|
||||
{
|
||||
try
|
||||
{
|
||||
var response = await _httpClient.GetAsync($"/taxbaik/api/{endpoint}");
|
||||
var response = await _httpClient.GetAsync(BuildApiUri(endpoint));
|
||||
if (!response.IsSuccessStatusCode)
|
||||
return default;
|
||||
|
||||
@@ -53,7 +56,7 @@ public class ApiClient : IApiClient
|
||||
{
|
||||
var json = JsonSerializer.Serialize(data);
|
||||
var content = new StringContent(json, System.Text.Encoding.UTF8, "application/json");
|
||||
var response = await _httpClient.PostAsync($"/taxbaik/api/{endpoint}", content);
|
||||
var response = await _httpClient.PostAsync(BuildApiUri(endpoint), content);
|
||||
|
||||
if (!response.IsSuccessStatusCode)
|
||||
return default;
|
||||
@@ -73,7 +76,7 @@ public class ApiClient : IApiClient
|
||||
{
|
||||
var json = JsonSerializer.Serialize(data);
|
||||
var content = new StringContent(json, System.Text.Encoding.UTF8, "application/json");
|
||||
var response = await _httpClient.PutAsync($"/taxbaik/api/{endpoint}", content);
|
||||
var response = await _httpClient.PutAsync(BuildApiUri(endpoint), content);
|
||||
|
||||
if (!response.IsSuccessStatusCode)
|
||||
return default;
|
||||
@@ -91,11 +94,17 @@ public class ApiClient : IApiClient
|
||||
{
|
||||
try
|
||||
{
|
||||
await _httpClient.DeleteAsync($"/taxbaik/api/{endpoint}");
|
||||
await _httpClient.DeleteAsync(BuildApiUri(endpoint));
|
||||
}
|
||||
catch
|
||||
{
|
||||
// Ignore
|
||||
}
|
||||
}
|
||||
|
||||
private Uri BuildApiUri(string endpoint)
|
||||
{
|
||||
var relative = $"api/{endpoint.TrimStart('/')}";
|
||||
return new Uri(new Uri(_navigationManager.BaseUri), relative);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -13,6 +13,7 @@ public class AuthService
|
||||
private readonly IAdminUserRepository _adminUserRepository;
|
||||
private readonly ILogger<AuthService> _logger;
|
||||
private readonly string _jwtSecretKey;
|
||||
private readonly string? _passwordResetToken;
|
||||
private readonly int _tokenExpirationMinutes = 480; // 8시간
|
||||
|
||||
public AuthService(IAdminUserRepository adminUserRepository, ILogger<AuthService> logger, IConfiguration configuration)
|
||||
@@ -20,6 +21,7 @@ public class AuthService
|
||||
_adminUserRepository = adminUserRepository;
|
||||
_logger = logger;
|
||||
_jwtSecretKey = configuration["Jwt:SecretKey"] ?? throw new InvalidOperationException("Missing 'Jwt:SecretKey' configuration.");
|
||||
_passwordResetToken = configuration["Admin:PasswordResetToken"];
|
||||
}
|
||||
|
||||
public async Task<string?> AuthenticateAndGenerateTokenAsync(string username, string password)
|
||||
@@ -49,9 +51,47 @@ public class AuthService
|
||||
}
|
||||
|
||||
_logger.LogInformation("로그인 성공: {Username}", username);
|
||||
await _adminUserRepository.UpdateLastLoginAtAsync(user.Id);
|
||||
return GenerateJwtToken(user);
|
||||
}
|
||||
|
||||
public async Task<bool> ChangePasswordAsync(string username, string currentPassword, string newPassword)
|
||||
{
|
||||
if (!IsValidPassword(newPassword))
|
||||
throw new ArgumentException("새 비밀번호는 12자 이상이어야 합니다.", nameof(newPassword));
|
||||
|
||||
var user = await _adminUserRepository.GetByUsernameAsync(username);
|
||||
if (user == null || string.IsNullOrWhiteSpace(user.PasswordHash))
|
||||
return false;
|
||||
|
||||
if (!BCrypt.Net.BCrypt.Verify(currentPassword, user.PasswordHash))
|
||||
return false;
|
||||
|
||||
await _adminUserRepository.UpdatePasswordHashAsync(user.Id, BCrypt.Net.BCrypt.HashPassword(newPassword));
|
||||
_logger.LogInformation("관리자 비밀번호 변경: {Username}", username);
|
||||
return true;
|
||||
}
|
||||
|
||||
public async Task<bool> ResetPasswordAsync(string username, string newPassword, string resetToken)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(_passwordResetToken))
|
||||
throw new InvalidOperationException("Admin:PasswordResetToken is not configured.");
|
||||
|
||||
if (!TimeConstantEquals(resetToken, _passwordResetToken))
|
||||
return false;
|
||||
|
||||
if (!IsValidPassword(newPassword))
|
||||
throw new ArgumentException("새 비밀번호는 12자 이상이어야 합니다.", nameof(newPassword));
|
||||
|
||||
var user = await _adminUserRepository.GetByUsernameAsync(username);
|
||||
if (user == null)
|
||||
return false;
|
||||
|
||||
await _adminUserRepository.UpdatePasswordHashAsync(user.Id, BCrypt.Net.BCrypt.HashPassword(newPassword));
|
||||
_logger.LogWarning("관리자 비밀번호 재설정 API 사용: {Username}", username);
|
||||
return true;
|
||||
}
|
||||
|
||||
private string GenerateJwtToken(AdminUser user)
|
||||
{
|
||||
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_jwtSecretKey));
|
||||
@@ -99,4 +139,14 @@ public class AuthService
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
private static bool IsValidPassword(string password) => !string.IsNullOrWhiteSpace(password) && password.Length >= 12;
|
||||
|
||||
private static bool TimeConstantEquals(string value, string expected)
|
||||
{
|
||||
var valueBytes = Encoding.UTF8.GetBytes(value);
|
||||
var expectedBytes = Encoding.UTF8.GetBytes(expected);
|
||||
return valueBytes.Length == expectedBytes.Length
|
||||
&& System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(valueBytes, expectedBytes);
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user