sec: to establish the ownership of the token for the first one who received it

2024-12-28 08:30:56 +03:00 · 2024-12-28 08:30:56 +03:00 · 6358410f18
commit 6358410f18
parent e79ddf220f
2 changed files with 35 additions and 2 deletions
--- a/Security/Common/Domain/Caching/OAuthUserExtension.cs
+++ b/Security/Common/Domain/Caching/OAuthUserExtension.cs
@ -5,5 +5,8 @@ internal class OAuthUserExtension
    public string? Message { get; set; }
    public bool IsSuccess { get; set; }
    public required OAuthProvider? Provider { get; set; }
    public string? UserAgent { get; set; } = null;
    public string? Ip { get; set; } = null;
    public string? Fingerprint { get; set; } = null;
    public OAuthUser? User { get; set; }
 }
--- a/Security/Services/OAuthService.cs
+++ b/Security/Services/OAuthService.cs
@ -369,8 +369,6 @@ public class OAuthService(ILogger<OAuthService> logger, Dictionary<OAuthProvider
            return (null, "Invalid or expired token.", false, null);
        }
        await cache.RemoveAsync(tokenFailedKey, cancellation);
        const string log = "Cache data retrieved for token: {Token}. Fingerprint: {Fingerprint}.";
        if (result.User != null)
@ -387,6 +385,38 @@ public class OAuthService(ILogger<OAuthService> logger, Dictionary<OAuthProvider
        else
            logger.LogInformation(log, token, requestInfo.Fingerprint);
        if ((!string.IsNullOrEmpty(result.Fingerprint) &&
            result.Fingerprint != requestInfo.Fingerprint) ||
            (!string.IsNullOrEmpty(result.UserAgent) &&
             result.UserAgent != requestInfo.UserAgent &&
            !string.IsNullOrEmpty(result.Ip)) &&
            result.Ip != requestInfo.Ip)
        {
            logger.LogWarning(
                "Potential token compromise detected. " +
                "Token {Token} has been used from different location. " +
                "Fingerprint: {ExpectedFingerprint} -> {ProvidedFingerprint}, " +
                "UserAgent: {ExpectedUserAgent} -> {ProvidedUserAgent}, " +
                "Ip: {ExpectedUserIp} -> {ProvidedIp}",
                token,
                result.Fingerprint,
                requestInfo.Fingerprint,
                result.UserAgent,
                requestInfo.UserAgent,
                result.Ip,
                requestInfo.Ip);
            await cache.RemoveAsync(token, cancellation);
            return (null, "Invalid or expired token.", false, null);
        }
        await cache.RemoveAsync(tokenFailedKey, cancellation);
        result.Ip = requestInfo.Ip;
        result.UserAgent = requestInfo.UserAgent;
        result.Fingerprint = requestInfo.Fingerprint;
        return (result.User, result.Message, result.IsSuccess, result.Provider);
    }
 }