Login Flow & Code Improvements

Author: mckaragoz

src/CodeBeam.UltimateAuth.Core/Abstractions/IClock.cs

@@ -0,0 +1,11 @@
+namespace CodeBeam.UltimateAuth.Core.Abstractions
+{
+    /// <summary>
+    /// Provides an abstracted time source for the system.
+    /// Used to improve testability and ensure consistent time handling.
+    /// </summary>
+    public interface IClock
+    {
+        DateTime UtcNow { get; }
+    }
+}

src/CodeBeam.UltimateAuth.Core/Abstractions/IUserAuthenticator.cs

@@ -0,0 +1,13 @@
+using CodeBeam.UltimateAuth.Core.Domain;
+
+namespace CodeBeam.UltimateAuth.Core.Abstractions
+{
+    public interface IUserAuthenticator<TUserId>
+    {
+        Task<UserAuthenticationResult<TUserId>> AuthenticateAsync(
+            string? tenantId,
+            string identifier,
+            string secret,
+            CancellationToken cancellationToken = default);
+    }
+}

src/CodeBeam.UltimateAuth.Core/Abstractions/Issuers/ISessionIssuer.cs

@@ -8,6 +8,6 @@ namespace CodeBeam.UltimateAuth.Core.Abstractions
     /// </summary>
     public interface ISessionIssuer<TUserId>
     {
-        Task<IssuedSession<TUserId>> IssueAsync(SessionIssueContext<TUserId> context, UAuthSessionChain<TUserId> chain, CancellationToken cancellationToken = default);
+        Task<IssuedSession<TUserId>> IssueAsync(AuthenticatedSessionContext<TUserId> context, ISessionChain<TUserId> chain, CancellationToken cancellationToken = default);
     }
 }

src/CodeBeam.UltimateAuth.Core/Abstractions/Issuers/ITokenIssuer.cs

@@ -1,4 +1,5 @@
 using CodeBeam.UltimateAuth.Core.Contexts;
+using CodeBeam.UltimateAuth.Core.Models;
 
 namespace CodeBeam.UltimateAuth.Core.Abstractions
 {
@@ -8,7 +9,7 @@ namespace CodeBeam.UltimateAuth.Core.Abstractions
     /// </summary>
     public interface ITokenIssuer
     {
-        Task<IssuedAccessToken> IssueAccessTokenAsync(TokenIssueContext context, CancellationToken cancellationToken = default);
-        Task<IssuedRefreshToken?> IssueRefreshTokenAsync(TokenIssueContext context, CancellationToken cancellationToken = default);
+        Task<AccessToken> IssueAccessTokenAsync(TokenIssuerContext context, CancellationToken cancellationToken = default);
+        Task<RefreshToken?> IssueRefreshTokenAsync(TokenIssuerContext context, CancellationToken cancellationToken = default);
     }
 }

src/CodeBeam.UltimateAuth.Core/Abstractions/Services/IUAuthSessionService.cs

@@ -1,4 +1,5 @@
-using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Core.Contexts;
+using CodeBeam.UltimateAuth.Core.Domain;
 using CodeBeam.UltimateAuth.Core.Models;
 
 namespace CodeBeam.UltimateAuth.Core.Abstractions
@@ -38,9 +39,25 @@ Task RevokeChainAsync(
             ChainId chainId,
             DateTime at);
 
+        Task<ChainId?> ResolveChainIdAsync(
+            string? tenantId,
+            AuthSessionId sessionId);
+
+        Task RevokeAllChainsAsync(
+            string? tenantId,
+            TUserId userId,
+            ChainId? exceptChainId,
+            DateTime at);
+        
+        // Hard revoke - admin
         Task RevokeRootAsync(
             string? tenantId,
             TUserId userId,
             DateTime at);
+
+        Task<IssuedSession<TUserId>> IssueSessionAfterAuthenticationAsync(
+            string? tenantId,
+            AuthenticatedSessionContext<TUserId> context,
+            CancellationToken cancellationToken = default);
     }
 }

src/CodeBeam.UltimateAuth.Core/Abstractions/Services/IUAuthTokenService.cs

@@ -12,14 +12,14 @@ public interface IUAuthTokenService<TUserId>
         /// Issues access (and optionally refresh) tokens
         /// for a validated session.
         /// </summary>
-        Task<TokenIssueResult> IssueAsync(
+        Task<AuthTokens> CreateTokensAsync(
             TokenIssueContext<TUserId> context,
             CancellationToken cancellationToken = default);
 
         /// <summary>
         /// Refreshes tokens using a refresh token.
         /// </summary>
-        Task<TokenIssueResult> RefreshAsync(
+        Task<AuthTokens> RefreshAsync(
             TokenRefreshContext context,
             CancellationToken cancellationToken = default);
 

src/CodeBeam.UltimateAuth.Core/Abstractions/Stores/ISessionStoreKernel.cs

@@ -56,13 +56,6 @@ public interface ISessionStoreKernel<TUserId>
         /// <param name="chain">The chain to save.</param>
         Task SaveChainAsync(string? tenantId, ISessionChain<TUserId> chain);
 
-        /// <summary>
-        /// Updates an existing session chain, typically after session rotation or revocation. Implementations must preserve atomicity.
-        /// </summary>
-        /// <param name="tenantId">The tenant identifier, or <c>null</c>.</param>
-        /// <param name="chain">The updated session chain.</param>
-        Task UpdateChainAsync(string? tenantId, ISessionChain<TUserId> chain);
-
         /// <summary>
         /// Marks the entire session chain as revoked, invalidating all associated sessions for the device or app family.
         /// </summary>
@@ -135,6 +128,11 @@ public interface ISessionStoreKernel<TUserId>
         /// <param name="sessionId">The session identifier.</param>
         /// <returns>The chain identifier or <c>null</c>.</returns>
         Task<ChainId?> GetChainIdBySessionAsync(string? tenantId, AuthSessionId sessionId);
-    }
 
+        /// <summary>
+        /// Executes multiple store operations as a single atomic unit.
+        /// Implementations must ensure transactional consistency where supported.
+        /// </summary>
+        Task ExecuteAsync(Func<Task> action);
+    }
 }

src/CodeBeam.UltimateAuth.Core/Abstractions/Stores/IUAuthUserStore.cs

@@ -9,14 +9,9 @@ namespace CodeBeam.UltimateAuth.Core.Abstractions
     /// </summary>
     public interface IUAuthUserStore<TUserId>
     {
-        /// <summary>
-        /// Retrieves a user by identifier. Returns <c>null</c> if no such user exists.
-        /// </summary>
-        /// <param name="userId">The identifier of the user.</param>
-        /// <returns>The user instance or <c>null</c> if not found.</returns>
-        Task<IUser<TUserId>?> FindByIdAsync(TUserId userId);
+        Task<IUser<TUserId>?> FindByIdAsync(string? tenantId, TUserId userId, CancellationToken token = default);
 
-        Task<UserRecord<TUserId>?> FindByUsernameAsync(
+        Task<UserRecord<TUserId>?> FindByUsernameAsync(string? tenantId,
             string username,
             CancellationToken ct = default);
 

src/CodeBeam.UltimateAuth.Core/Contexts/AuthenticatedSessionContext.cs

@@ -0,0 +1,31 @@
+using CodeBeam.UltimateAuth.Core.Domain;
+
+namespace CodeBeam.UltimateAuth.Core.Contexts
+{
+    /// <summary>
+    /// Represents the context in which a session is issued
+    /// (login, refresh, reauthentication).
+    /// </summary>
+    public sealed class AuthenticatedSessionContext<TUserId>
+    {
+        public string? TenantId { get; init; }
+        public required TUserId UserId { get; init; }
+        public DeviceInfo DeviceInfo { get; init; }
+        public DateTime Now { get; init; }
+        public ClaimsSnapshot? Claims { get; init; }
+        public SessionMetadata Metadata { get; init; }
+
+        /// <summary>
+        /// Optional chain identifier.
+        /// If null, a new chain will be created.
+        /// If provided, session will be issued under the existing chain.
+        /// </summary>
+        public ChainId? ChainId { get; init; }
+
+        /// <summary>
+        /// Indicates that authentication has already been completed.
+        /// This context MUST NOT be constructed from raw credentials.
+        /// </summary>
+        public bool IsAuthenticated { get; init; } = true;
+    }
+}

…ore/Contexts/Issued/IssuedAccessToken.cs …Auth.Core/Contexts/Issued/AccessToken.cssrc/CodeBeam.UltimateAuth.Core/Contexts/Issued/IssuedAccessToken.cs renamed to src/CodeBeam.UltimateAuth.Core/Contexts/Issued/AccessToken.cs src/CodeBeam.UltimateAuth.Core/Contexts/Issued/IssuedAccessToken.cs renamed to src/CodeBeam.UltimateAuth.Core/Contexts/Issued/AccessToken.cs

@@ -3,7 +3,7 @@
     /// <summary>
     /// Represents an issued access token (JWT or opaque).
     /// </summary>
-    public sealed class IssuedAccessToken
+    public sealed class AccessToken
     {
         /// <summary>
         /// The actual token value sent to the client.
@@ -26,5 +26,7 @@ public sealed class IssuedAccessToken
         /// Optional session id this token is bound to (Hybrid / SemiHybrid).
         /// </summary>
         public string? SessionId { get; init; }
+
+        public string? Scope { get; init; }
     }
 }