58edbd9c8f
TaxBaik CI/CD / build-and-deploy (push) Successful in 48s
**Implementation:**
- AuthService: Split token generation
* AccessToken: 15 minutes
* RefreshToken: 7 days (10080 minutes)
* New: GenerateTokenPair() method
* New: RefreshAccessTokenAsync() method
- AuthTokenPair: New record (accessToken, refreshToken, expiresIn)
- AuthController: New /api/auth/refresh endpoint
* POST /api/auth/refresh?refreshToken=...
* Response: { accessToken, refreshToken, expiresIn }
* RefreshTokenRequest DTO
- TokenRefreshHandler: New DelegatingHandler
* Automatic Bearer token injection
* 401 response handling
* Auto-refresh with retry
* localStorage sync (accessToken, refreshToken, tokenExpiry)
- CustomAuthenticationStateProvider: Token storage split
* Before: auth_token (single)
* After: accessToken, refreshToken, tokenExpiry
* LoginAsync signature updated
- Login.razor: Handle token pair
* LoginResponse: { accessToken, refreshToken, expiresIn }
* Call new LoginAsync(accessToken, refreshToken, expiresIn)
- Program.cs: TokenRefreshHandler registration
* AddScoped<TokenRefreshHandler>()
* AdminDashboardClient pipeline: .AddHttpMessageHandler<TokenRefreshHandler>()
**SOLID Principles:**
✓ S (Single Responsibility): TokenRefreshHandler handles only token refresh
✓ D (Dependency Inversion): DelegatingHandler abstracts HTTP concerns
✓ O (Open/Closed): Token lifetime extension without code changes
**Security Pattern:**
- Short-lived access tokens (15min) reduce theft window
- Refresh tokens (7d) enable persistence without storing secrets
- Automatic refresh is transparent to components
**Flow:**
Blazor → AdminDashboardClient → TokenRefreshHandler (auto-add Bearer)
→ 401 → RefreshTokenAsync() → POST /api/auth/refresh
→ Store new pair → Retry original request
Status: Token lifecycle complete, ready for SignalR integration (Phase 6)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
224 lines
8.2 KiB
C#
224 lines
8.2 KiB
C#
using System.IdentityModel.Tokens.Jwt;
|
|
using System.Security.Claims;
|
|
using System.Text;
|
|
using BCrypt.Net;
|
|
using Microsoft.IdentityModel.Tokens;
|
|
using TaxBaik.Domain.Entities;
|
|
using TaxBaik.Domain.Interfaces;
|
|
|
|
namespace TaxBaik.Web.Services;
|
|
|
|
public class AuthService
|
|
{
|
|
private readonly IAdminUserRepository _adminUserRepository;
|
|
private readonly ILogger<AuthService> _logger;
|
|
private readonly string _jwtSecretKey;
|
|
private readonly string? _passwordResetToken;
|
|
private readonly int _accessTokenExpirationMinutes = 15; // Access Token: 15분
|
|
private readonly int _refreshTokenExpirationMinutes = 10080; // Refresh Token: 7일
|
|
|
|
public AuthService(IAdminUserRepository adminUserRepository, ILogger<AuthService> logger, IConfiguration configuration)
|
|
{
|
|
_adminUserRepository = adminUserRepository;
|
|
_logger = logger;
|
|
_jwtSecretKey = configuration["Jwt:SecretKey"] ?? throw new InvalidOperationException("Missing 'Jwt:SecretKey' configuration.");
|
|
_passwordResetToken = configuration["Admin:PasswordResetToken"];
|
|
}
|
|
|
|
public async Task<AuthTokenPair?> AuthenticateAndGenerateTokenPairAsync(string username, string password)
|
|
{
|
|
if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(password))
|
|
return null;
|
|
|
|
var user = await _adminUserRepository.GetByUsernameAsync(username);
|
|
if (user == null)
|
|
{
|
|
_logger.LogWarning("로그인 시도: 존재하지 않는 사용자 '{Username}'", username);
|
|
return null;
|
|
}
|
|
|
|
if (string.IsNullOrWhiteSpace(user.PasswordHash))
|
|
{
|
|
_logger.LogError("로그인 실패: 사용자 '{Username}'의 PasswordHash가 비어 있습니다.", username);
|
|
return null;
|
|
}
|
|
|
|
if (!BCrypt.Net.BCrypt.Verify(password, user.PasswordHash))
|
|
{
|
|
_logger.LogWarning("로그인 시도: 잘못된 비밀번호 '{Username}'", username);
|
|
return null;
|
|
}
|
|
|
|
_logger.LogInformation("로그인 성공: {Username}", username);
|
|
await _adminUserRepository.UpdateLastLoginAtAsync(user.Id);
|
|
return GenerateTokenPair(user);
|
|
}
|
|
|
|
public async Task<AuthTokenPair?> RefreshAccessTokenAsync(string refreshToken)
|
|
{
|
|
try
|
|
{
|
|
var principal = ValidateRefreshToken(refreshToken);
|
|
if (principal == null)
|
|
{
|
|
_logger.LogWarning("Refresh token 검증 실패");
|
|
return null;
|
|
}
|
|
|
|
var username = principal.FindFirstValue(ClaimTypes.Name);
|
|
if (string.IsNullOrWhiteSpace(username))
|
|
return null;
|
|
|
|
var user = await _adminUserRepository.GetByUsernameAsync(username);
|
|
if (user == null)
|
|
return null;
|
|
|
|
return GenerateTokenPair(user);
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
_logger.LogError(ex, "Refresh token 처리 중 오류");
|
|
return null;
|
|
}
|
|
}
|
|
|
|
public async Task<bool> ChangePasswordAsync(string username, string currentPassword, string newPassword)
|
|
{
|
|
if (!IsValidPassword(newPassword))
|
|
throw new ArgumentException("새 비밀번호는 12자 이상이어야 합니다.", nameof(newPassword));
|
|
|
|
var user = await _adminUserRepository.GetByUsernameAsync(username);
|
|
if (user == null || string.IsNullOrWhiteSpace(user.PasswordHash))
|
|
return false;
|
|
|
|
if (!BCrypt.Net.BCrypt.Verify(currentPassword, user.PasswordHash))
|
|
return false;
|
|
|
|
await _adminUserRepository.UpdatePasswordHashAsync(user.Id, BCrypt.Net.BCrypt.HashPassword(newPassword));
|
|
_logger.LogInformation("관리자 비밀번호 변경: {Username}", username);
|
|
return true;
|
|
}
|
|
|
|
public async Task<bool> ResetPasswordAsync(string username, string newPassword, string resetToken)
|
|
{
|
|
if (string.IsNullOrWhiteSpace(_passwordResetToken))
|
|
throw new InvalidOperationException("Admin:PasswordResetToken is not configured.");
|
|
|
|
if (!TimeConstantEquals(resetToken, _passwordResetToken))
|
|
return false;
|
|
|
|
if (!IsValidPassword(newPassword))
|
|
throw new ArgumentException("새 비밀번호는 12자 이상이어야 합니다.", nameof(newPassword));
|
|
|
|
var user = await _adminUserRepository.GetByUsernameAsync(username);
|
|
if (user == null)
|
|
return false;
|
|
|
|
await _adminUserRepository.UpdatePasswordHashAsync(user.Id, BCrypt.Net.BCrypt.HashPassword(newPassword));
|
|
_logger.LogWarning("관리자 비밀번호 재설정 API 사용: {Username}", username);
|
|
return true;
|
|
}
|
|
|
|
private AuthTokenPair GenerateTokenPair(AdminUser user)
|
|
{
|
|
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_jwtSecretKey));
|
|
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
|
|
|
|
var claims = new[]
|
|
{
|
|
new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
|
|
new Claim(ClaimTypes.Name, user.Username),
|
|
new Claim("username", user.Username)
|
|
};
|
|
|
|
var accessToken = new JwtSecurityToken(
|
|
issuer: "taxbaik-admin",
|
|
audience: "taxbaik-admin-client",
|
|
claims: claims,
|
|
expires: DateTime.UtcNow.AddMinutes(_accessTokenExpirationMinutes),
|
|
signingCredentials: creds);
|
|
|
|
var refreshToken = new JwtSecurityToken(
|
|
issuer: "taxbaik-admin",
|
|
audience: "taxbaik-admin-client",
|
|
claims: claims,
|
|
expires: DateTime.UtcNow.AddMinutes(_refreshTokenExpirationMinutes),
|
|
signingCredentials: creds);
|
|
|
|
return new AuthTokenPair(
|
|
new JwtSecurityTokenHandler().WriteToken(accessToken),
|
|
new JwtSecurityTokenHandler().WriteToken(refreshToken),
|
|
_accessTokenExpirationMinutes * 60
|
|
);
|
|
}
|
|
|
|
public ClaimsPrincipal? ValidateRefreshToken(string token)
|
|
{
|
|
try
|
|
{
|
|
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_jwtSecretKey));
|
|
var handler = new JwtSecurityTokenHandler();
|
|
var principal = handler.ValidateToken(token, new TokenValidationParameters
|
|
{
|
|
ValidateIssuerSigningKey = true,
|
|
IssuerSigningKey = key,
|
|
ValidateIssuer = true,
|
|
ValidIssuer = "taxbaik-admin",
|
|
ValidateAudience = true,
|
|
ValidAudience = "taxbaik-admin-client",
|
|
ValidateLifetime = true,
|
|
ClockSkew = TimeSpan.Zero
|
|
}, out SecurityToken validatedToken);
|
|
|
|
return principal;
|
|
}
|
|
catch
|
|
{
|
|
return null;
|
|
}
|
|
}
|
|
|
|
public ClaimsPrincipal? ValidateToken(string token)
|
|
{
|
|
try
|
|
{
|
|
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_jwtSecretKey));
|
|
var handler = new JwtSecurityTokenHandler();
|
|
var principal = handler.ValidateToken(token, new TokenValidationParameters
|
|
{
|
|
ValidateIssuerSigningKey = true,
|
|
IssuerSigningKey = key,
|
|
ValidateIssuer = true,
|
|
ValidIssuer = "taxbaik-admin",
|
|
ValidateAudience = true,
|
|
ValidAudience = "taxbaik-admin-client",
|
|
ValidateLifetime = true,
|
|
ClockSkew = TimeSpan.Zero
|
|
}, out SecurityToken validatedToken);
|
|
|
|
return principal;
|
|
}
|
|
catch
|
|
{
|
|
return null;
|
|
}
|
|
}
|
|
|
|
private static bool IsValidPassword(string password) => !string.IsNullOrWhiteSpace(password) && password.Length >= 12;
|
|
|
|
private static bool TimeConstantEquals(string value, string expected)
|
|
{
|
|
var valueBytes = Encoding.UTF8.GetBytes(value);
|
|
var expectedBytes = Encoding.UTF8.GetBytes(expected);
|
|
return valueBytes.Length == expectedBytes.Length
|
|
&& System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(valueBytes, expectedBytes);
|
|
}
|
|
}
|
|
|
|
public class AuthTokenPair(string accessToken, string refreshToken, int expiresIn)
|
|
{
|
|
public string AccessToken { get; } = accessToken;
|
|
public string RefreshToken { get; } = refreshToken;
|
|
public int ExpiresIn { get; } = expiresIn;
|
|
}
|