UDT-002: Logout + Refresh Token con rotación y chain revocation #3
@@ -1,7 +1,11 @@
|
||||
using System.IdentityModel.Tokens.Jwt;
|
||||
using FluentValidation;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
using SIGCM2.Application.Abstractions;
|
||||
using SIGCM2.Application.Auth.Login;
|
||||
using SIGCM2.Application.Auth.Logout;
|
||||
using SIGCM2.Application.Auth.Refresh;
|
||||
|
||||
namespace SIGCM2.Api.Controllers;
|
||||
|
||||
@@ -10,19 +14,22 @@ namespace SIGCM2.Api.Controllers;
|
||||
public sealed class AuthController : ControllerBase
|
||||
{
|
||||
private readonly IDispatcher _dispatcher;
|
||||
private readonly IValidator<LoginCommand> _validator;
|
||||
private readonly IValidator<LoginCommand> _loginValidator;
|
||||
private readonly IValidator<RefreshCommand> _refreshValidator;
|
||||
|
||||
public AuthController(IDispatcher dispatcher, IValidator<LoginCommand> validator)
|
||||
public AuthController(
|
||||
IDispatcher dispatcher,
|
||||
IValidator<LoginCommand> loginValidator,
|
||||
IValidator<RefreshCommand> refreshValidator)
|
||||
{
|
||||
_dispatcher = dispatcher;
|
||||
_validator = validator;
|
||||
_loginValidator = loginValidator;
|
||||
_refreshValidator = refreshValidator;
|
||||
}
|
||||
|
||||
/// <summary>Authenticates a user and returns a JWT access token.</summary>
|
||||
/// <response code="200">Returns access token and refresh token.</response>
|
||||
/// <response code="400">Validation error — missing or empty fields.</response>
|
||||
/// <response code="401">Invalid credentials.</response>
|
||||
/// <summary>Authenticates a user and returns a JWT access token + refresh token.</summary>
|
||||
[HttpPost("login")]
|
||||
[AllowAnonymous]
|
||||
[ProducesResponseType(typeof(LoginResponseDto), StatusCodes.Status200OK)]
|
||||
[ProducesResponseType(StatusCodes.Status400BadRequest)]
|
||||
[ProducesResponseType(StatusCodes.Status401Unauthorized)]
|
||||
@@ -30,7 +37,7 @@ public sealed class AuthController : ControllerBase
|
||||
{
|
||||
var command = new LoginCommand(request.Username ?? string.Empty, request.Password ?? string.Empty);
|
||||
|
||||
var validation = await _validator.ValidateAsync(command);
|
||||
var validation = await _loginValidator.ValidateAsync(command);
|
||||
if (!validation.IsValid)
|
||||
{
|
||||
var errors = validation.Errors
|
||||
@@ -42,7 +49,56 @@ public sealed class AuthController : ControllerBase
|
||||
var result = await _dispatcher.Send<LoginCommand, LoginResponseDto>(command);
|
||||
return Ok(result);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Rotates a refresh token pair. Accepts an expired access token to extract the user identity.
|
||||
/// Returns a new access + refresh token pair. Does NOT require Authorization header.
|
||||
/// </summary>
|
||||
[HttpPost("refresh")]
|
||||
[AllowAnonymous]
|
||||
[ProducesResponseType(typeof(RefreshResponseDto), StatusCodes.Status200OK)]
|
||||
[ProducesResponseType(StatusCodes.Status400BadRequest)]
|
||||
[ProducesResponseType(StatusCodes.Status401Unauthorized)]
|
||||
public async Task<IActionResult> Refresh([FromBody] RefreshRequest request)
|
||||
{
|
||||
var command = new RefreshCommand(
|
||||
request.AccessToken ?? string.Empty,
|
||||
request.RefreshToken ?? string.Empty);
|
||||
|
||||
var validation = await _refreshValidator.ValidateAsync(command);
|
||||
if (!validation.IsValid)
|
||||
{
|
||||
var errors = validation.Errors
|
||||
.GroupBy(e => e.PropertyName)
|
||||
.ToDictionary(g => g.Key, g => g.Select(e => e.ErrorMessage).ToArray());
|
||||
return BadRequest(new { errors });
|
||||
}
|
||||
|
||||
var result = await _dispatcher.Send<RefreshCommand, RefreshResponseDto>(command);
|
||||
return Ok(result);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Revokes all active refresh tokens for the authenticated user.
|
||||
/// Requires a valid Bearer access token. Client must discard local tokens after this call.
|
||||
/// </summary>
|
||||
[HttpPost("logout")]
|
||||
[Authorize]
|
||||
[ProducesResponseType(typeof(LogoutResponseDto), StatusCodes.Status200OK)]
|
||||
[ProducesResponseType(StatusCodes.Status401Unauthorized)]
|
||||
public async Task<IActionResult> Logout()
|
||||
{
|
||||
var sub = User.FindFirst(JwtRegisteredClaimNames.Sub)?.Value;
|
||||
if (!int.TryParse(sub, out var userId))
|
||||
return Unauthorized();
|
||||
|
||||
var result = await _dispatcher.Send<LogoutCommand, LogoutResponseDto>(new LogoutCommand(userId));
|
||||
return Ok(result);
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>Login request body — nullable to catch missing field scenarios.</summary>
|
||||
public sealed record LoginRequest(string? Username, string? Password);
|
||||
|
||||
/// <summary>Refresh request body.</summary>
|
||||
public sealed record RefreshRequest(string? AccessToken, string? RefreshToken);
|
||||
|
||||
Reference in New Issue
Block a user