Completed EFCore Credential Store

Author: mckaragoz

src/CodeBeam.UltimateAuth.Server/Flows/Login/LoginOrchestrator.cs

@@ -21,8 +21,7 @@ namespace CodeBeam.UltimateAuth.Server.Flows;
 internal sealed class LoginOrchestrator : ILoginOrchestrator
 {
     private readonly ILoginIdentifierResolver _identifierResolver;
-    private readonly ICredentialStore _credentialStore; // authentication
-    private readonly ICredentialValidator _credentialValidator;
+    private readonly IEnumerable<ICredentialProvider> _credentialProviders; // authentication
     private readonly IUserRuntimeStateProvider _users; // eligible
     private readonly ILoginAuthority _authority;
     private readonly ISessionOrchestrator _sessionOrchestrator;
@@ -35,8 +34,7 @@ internal sealed class LoginOrchestrator : ILoginOrchestrator
 
     public LoginOrchestrator(
         ILoginIdentifierResolver identifierResolver,
-        ICredentialStore credentialStore,
-        ICredentialValidator credentialValidator,
+        IEnumerable<ICredentialProvider> credentialProviders,
         IUserRuntimeStateProvider users,
         ILoginAuthority authority,
         ISessionOrchestrator sessionOrchestrator,
@@ -48,8 +46,7 @@ public LoginOrchestrator(
         IOptions<UAuthServerOptions> options)
     {
         _identifierResolver = identifierResolver;
-        _credentialStore = credentialStore;
-        _credentialValidator = credentialValidator;
+        _credentialProviders = credentialProviders;
         _users = users;
         _authority = authority;
         _sessionOrchestrator = sessionOrchestrator;
@@ -99,21 +96,24 @@ public async Task<LoginResult> LoginAsync(AuthFlowContext flow, LoginRequest req
                     return LoginResult.Failed(AuthFailureReason.LockedOut, factorState.LockedUntil, 0);
                 }
 
-                var credentials = await _credentialStore.GetByUserAsync(request.Tenant, userKey.Value, ct);
-
-                // TODO: Add .Where(c => c.Type == request.Factor) when we support multiple factors per user
-                foreach (var credential in credentials.OfType<ICredentialDescriptor>())
+                foreach (var provider in _credentialProviders)
                 {
-                    if (!credential.Security.IsUsable(now))
-                        continue;
-
-                    var result = await _credentialValidator.ValidateAsync((ICredential)credential, request.Secret, ct);
+                    var credentials = await provider.GetByUserAsync(request.Tenant, userKey.Value, ct);
 
-                    if (result.IsValid)
+                    foreach (var credential in credentials)
                     {
-                        credentialsValid = true;
-                        break;
+                        if (credential.IsDeleted || !credential.Security.IsUsable(now))
+                            continue;
+
+                        if (await provider.ValidateAsync(credential, request.Secret, ct))
+                        {
+                            credentialsValid = true;
+                            break;
+                        }
                     }
+
+                    if (credentialsValid)
+                        break;
                 }
             }
         }

src/credentials/CodeBeam.UltimateAuth.Credentials.Contracts/Dtos/CredentialSecurityState.cs

@@ -9,7 +9,7 @@ public sealed class CredentialSecurityState
     public Guid SecurityStamp { get; }
 
     public bool IsRevoked => RevokedAt != null;
-    public bool IsExpired => ExpiresAt != null;
+    public bool IsExpired(DateTimeOffset now) => ExpiresAt != null && ExpiresAt <= now;
 
     public CredentialSecurityState(
         DateTimeOffset? revokedAt = null,
@@ -26,7 +26,7 @@ public CredentialSecurityStatus Status(DateTimeOffset now)
         if (RevokedAt is not null)
             return CredentialSecurityStatus.Revoked;
 
-        if (ExpiresAt is not null && ExpiresAt <= now)
+        if (IsExpired(now))
             return CredentialSecurityStatus.Expired;
 
         return CredentialSecurityStatus.Active;

src/credentials/CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore/Abstractions/CredentialUserMapping.cs

@@ -25,6 +25,7 @@
 
 	<ItemGroup>
 		<ProjectReference Include="..\..\CodeBeam.UltimateAuth.Core\CodeBeam.UltimateAuth.Core.csproj" />
+		<ProjectReference Include="..\..\persistence\CodeBeam.UltimateAuth.EntityFrameworkCore.Abstractions\CodeBeam.UltimateAuth.EntityFrameworkCore.Abstractions.csproj" />
 		<ProjectReference Include="..\CodeBeam.UltimateAuth.Credentials.Contracts\CodeBeam.UltimateAuth.Credentials.Contracts.csproj" />
 		<ProjectReference Include="..\CodeBeam.UltimateAuth.Credentials.Reference\CodeBeam.UltimateAuth.Credentials.Reference.csproj" />
 		<ProjectReference Include="..\CodeBeam.UltimateAuth.Credentials\CodeBeam.UltimateAuth.Credentials.csproj" />

src/credentials/CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore/CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore.csproj

@@ -0,0 +1,70 @@
+using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Core.MultiTenancy;
+using CodeBeam.UltimateAuth.Credentials.Contracts;
+using CodeBeam.UltimateAuth.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore;
+
+namespace CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore;
+
+internal sealed class UAuthCredentialDbContext : DbContext
+{
+    public DbSet<PasswordCredentialProjection> PasswordCredentials => Set<PasswordCredentialProjection>();
+
+    private readonly TenantContext _tenant;
+
+    public UAuthCredentialDbContext(DbContextOptions<UAuthCredentialDbContext> options, TenantContext tenant)
+        : base(options)
+    {
+        _tenant = tenant;
+    }
+
+    protected override void OnModelCreating(ModelBuilder b)
+    {
+        ConfigurePasswordCredential(b);
+    }
+
+    private void ConfigurePasswordCredential(ModelBuilder b)
+    {
+        b.Entity<PasswordCredentialProjection>(e =>
+        {
+            e.HasKey(x => x.Id);
+
+            e.Property(x => x.Version).IsConcurrencyToken();
+
+            e.Property(x => x.Tenant)
+                .HasConversion(
+                    v => v.Value,
+                    v => TenantKey.FromInternal(v))
+                .HasMaxLength(128)
+                .IsRequired();
+
+            e.Property(x => x.UserKey)
+                .HasConversion(
+                    v => v.Value,
+                    v => UserKey.FromString(v))
+                .HasMaxLength(128)
+                .IsRequired();
+
+            e.Property(x => x.SecretHash)
+                .HasMaxLength(512)
+                .IsRequired();
+
+            e.Property(x => x.SecurityStamp).IsRequired();
+            e.Property(x => x.RevokedAt);
+            e.Property(x => x.ExpiresAt);
+            e.Property(x => x.LastUsedAt);
+            e.Property(x => x.Source).HasMaxLength(128);
+            e.Property(x => x.CreatedAt).IsRequired();
+            e.Property(x => x.UpdatedAt);
+            e.Property(x => x.DeletedAt);
+
+            e.HasIndex(x => new { x.Tenant, x.Id }).IsUnique();
+            e.HasIndex(x => new { x.Tenant, x.UserKey });
+            e.HasIndex(x => new { x.Tenant, x.UserKey, x.DeletedAt });
+            e.HasIndex(x => new { x.Tenant, x.RevokedAt });
+            e.HasIndex(x => new { x.Tenant, x.ExpiresAt });
+
+            e.HasQueryFilter(x => _tenant.IsGlobal || x.Tenant == _tenant.Tenant);
+        });
+    }
+}

src/credentials/CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore/Configuration/ConventionResolver.cs

@@ -0,0 +1,15 @@
+using CodeBeam.UltimateAuth.Credentials.Reference;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace CodeBeam.UltimateAuth.Credentials.EntityFrameworkCore;
+
+public static class ServiceCollectionExtensions
+{
+    public static IServiceCollection AddUltimateAuthEntityFrameworkCoreCredentials(this IServiceCollection services, Action<DbContextOptionsBuilder> configureDb)
+    {
+        services.AddDbContextPool<UAuthCredentialDbContext>(configureDb);
+        services.AddScoped<IPasswordCredentialStore, EfCorePasswordCredentialStore>();
+        return services;
+    }
+}