Session & Token Options and Validators

Author: mckaragoz

samples/blazor-server/CodeBeam.UltimateAuth.Sample.BlazorServer/Program.cs

@@ -60,7 +60,6 @@
     //o.Session.MaxLifetime = TimeSpan.FromSeconds(32);
     //o.Session.TouchInterval = TimeSpan.FromSeconds(9);
     //o.Session.IdleTimeout = TimeSpan.FromSeconds(15);
-    o.Login.MaxFailedAttempts = 2;
 })
     .AddUltimateAuthUsersInMemory()
     .AddUltimateAuthUsersReference()

src/CodeBeam.UltimateAuth.Core/Abstractions/Issuers/IOpaqueTokenGenerator.cs

@@ -6,5 +6,6 @@
 /// </summary>
 public interface IOpaqueTokenGenerator
 {
-    string Generate(int byteLength = 32);
+    string Generate();
+    string GenerateJwtId();
 }

src/CodeBeam.UltimateAuth.Core/Extensions/ServiceCollectionExtensions.cs

@@ -91,6 +91,7 @@ private static IServiceCollection AddUltimateAuthInternal(this IServiceCollectio
         services.AddSingleton<IValidateOptions<UAuthOptions>, UAuthOptionsValidator>();
         services.AddSingleton<IValidateOptions<UAuthSessionOptions>, UAuthSessionOptionsValidator>();
         services.AddSingleton<IValidateOptions<UAuthTokenOptions>, UAuthTokenOptionsValidator>();
+        services.AddSingleton<IValidateOptions<UAuthLoginOptions>, UAuthLoginOptionsValidator>();
         services.AddSingleton<IValidateOptions<UAuthPkceOptions>, UAuthPkceOptionsValidator>();
         services.AddSingleton<IValidateOptions<UAuthMultiTenantOptions>, UAuthMultiTenantOptionsValidator>();
 
@@ -101,32 +102,6 @@ private static IServiceCollection AddUltimateAuthInternal(this IServiceCollectio
         services.TryAddSingleton<IUAuthProductInfoProvider, UAuthProductInfoProvider>();
         services.TryAddSingleton<SeedRunner>();
 
-        //services.PostConfigure<UAuthOptions>(options =>
-        //{
-        //    var hasRuntimeMarker = services.Any(sd => sd.ServiceType == typeof(IUAuthRuntimeMarker));
-
-        //    if (hasRuntimeMarker && options.AllowDirectCoreConfiguration)
-        //    {
-        //        throw new InvalidOperationException(
-        //            "Direct core configuration is not allowed in server-hosted applications. " +
-        //            "Configure authentication policies via AddUltimateAuthServer instead.");
-        //    }
-        //});
-
-        //services.PostConfigure<UAuthOptions, DirectCoreConfigurationMarker>(
-        //(options, marker) =>
-        //{
-        //    if (!options.AllowDirectCoreConfiguration && marker.IsConfigured)
-        //    {
-        //        throw new InvalidOperationException(
-        //            "Direct core configuration is not allowed. " +
-        //            "Set AllowDirectCoreConfiguration = true only for advanced, non-server scenarios, " +
-        //            "or configure authentication policies via AddUltimateAuthServer.");
-        //    }
-        //});
-
-
-
         return services;
     }
 }

src/CodeBeam.UltimateAuth.Core/Options/UAuthPkceOptions.cs

@@ -21,5 +21,4 @@ public sealed class UAuthPkceOptions
         AuthorizationCodeLifetimeSeconds = AuthorizationCodeLifetimeSeconds,
         MaxVerificationAttempts = MaxVerificationAttempts,
     };
-
 }

src/CodeBeam.UltimateAuth.Core/Options/UAuthSessionOptions.cs

@@ -4,14 +4,13 @@ namespace CodeBeam.UltimateAuth.Core.Options;
 
 // TODO: Add rotate on refresh (especially for Hybrid). Default behavior should be single session in chain for Hybrid, but can be configured.
 // And add RotateAsync method.
+// Implement all options.
 
 /// <summary>
-/// Defines configuration settings that control the lifecycle,
-/// security behavior, and device constraints of UltimateAuth
+/// Defines configuration settings that control the lifecycle, security behavior, and device constraints of UltimateAuth
 /// session management.
 /// 
-/// These values influence how sessions are created, refreshed,
-/// expired, revoked, and grouped into device chains.
+/// These values influence how sessions are created, refreshed, expired, revoked, and grouped into device chains.
 /// </summary>
 public sealed class UAuthSessionOptions
 {
@@ -50,45 +49,78 @@ public sealed class UAuthSessionOptions
     /// <summary>
     /// Maximum number of device session chains a single user may have.
     /// Set to zero to indicate no user-level chain limit.
+    /// 
+    /// NOTE:
+    /// Enforcement is not active in v0.0.1.
+    /// This option is reserved for future security policies.
     /// </summary>
     public int MaxChainsPerUser { get; set; } = 0;
 
     /// <summary>
     /// Maximum number of session rotations within a single chain.
     /// Used for cleanup, replay protection, and analytics.
+    /// 
+    /// NOTE:
+    /// Enforcement is not active in v0.0.1.
+    /// This option is reserved for future security policies.
     /// </summary>
     public int MaxSessionsPerChain { get; set; } = 100;
 
     /// <summary>
     /// Optional limit on the number of session chains allowed per platform
     /// (e.g. "web" = 1, "mobile" = 1).
+    /// 
+    /// NOTE:
+    /// Enforcement is not active in v0.0.1.
+    /// This option is reserved for future security policies.
     /// </summary>
     public Dictionary<string, int>? MaxChainsPerPlatform { get; set; }
 
     /// <summary>
     /// Defines platform categories that map multiple platforms
     /// into a single abstract group (e.g. mobile: [ "ios", "android", "tablet" ]).
+    /// 
+    /// NOTE:
+    /// Enforcement is not active in v0.0.1.
+    /// This option is reserved for future security policies.
     /// </summary>
     public Dictionary<string, string[]>? PlatformCategories { get; set; }
 
     /// <summary>
     /// Limits how many session chains can exist per platform category
     /// (e.g. mobile = 1, desktop = 2).
+    /// 
+    /// NOTE:
+    /// Enforcement is not active in v0.0.1.
+    /// This option is reserved for future security policies.
     /// </summary>
     public Dictionary<string, int>? MaxChainsPerCategory { get; set; }
 
     /// <summary>
     /// Enables binding sessions to the user's IP address.
     /// When enabled, IP mismatches can invalidate a session.
+    /// 
+    /// NOTE:
+    /// Enforcement is not active in v0.0.1.
+    /// This option is reserved for future security policies.
     /// </summary>
     public bool EnableIpBinding { get; set; } = false;
 
     /// <summary>
     /// Enables binding sessions to the user's User-Agent header.
     /// When enabled, UA mismatches can invalidate a session.
+    /// 
+    /// NOTE:
+    /// Enforcement is not active in v0.0.1.
+    /// This option is reserved for future security policies.
     /// </summary>
     public bool EnableUserAgentBinding { get; set; } = false;
 
+    /// <summary>
+    /// NOTE:
+    /// Enforcement is not active in v0.0.1.
+    /// This option is reserved for future security policies.
+    /// </summary>
     public DeviceMismatchBehavior DeviceMismatchBehavior { get; set; } = DeviceMismatchBehavior.Reject;
 
     internal UAuthSessionOptions Clone() => new()

src/CodeBeam.UltimateAuth.Core/Options/UAuthSessionOptionsValidator.cs

@@ -0,0 +1,24 @@
+using Microsoft.Extensions.Options;
+
+namespace CodeBeam.UltimateAuth.Core.Options;
+
+internal sealed class UAuthLoginOptionsValidator : IValidateOptions<UAuthLoginOptions>
+{
+    public ValidateOptionsResult Validate(string? name, UAuthLoginOptions options)
+    {
+        var errors = new List<string>();
+
+        if (options.MaxFailedAttempts < 0)
+            errors.Add("Login.MaxFailedAttempts cannot be negative.");
+
+        if (options.MaxFailedAttempts > 100)
+            errors.Add("Login.MaxFailedAttempts cannot exceed 100. Use 0 to disable lockout.");
+
+        if (options.MaxFailedAttempts > 0 && options.LockoutMinutes <= 0)
+            errors.Add("Login.LockoutMinutes must be greater than zero when lockout is enabled.");
+
+        return errors.Count == 0
+            ? ValidateOptionsResult.Success
+            : ValidateOptionsResult.Fail(errors);
+    }
+}

src/CodeBeam.UltimateAuth.Core/Options/Validators/UAuthLoginOptionsValidator.cs

@@ -0,0 +1,97 @@
+using Microsoft.Extensions.Options;
+
+namespace CodeBeam.UltimateAuth.Core.Options;
+
+internal sealed class UAuthSessionOptionsValidator : IValidateOptions<UAuthSessionOptions>
+{
+    public ValidateOptionsResult Validate(string? name, UAuthSessionOptions options)
+    {
+        var errors = new List<string>();
+
+        if (options.Lifetime <= TimeSpan.Zero)
+            errors.Add("Session.Lifetime must be greater than zero.");
+
+        if (options.MaxLifetime < options.Lifetime)
+            errors.Add("Session.MaxLifetime must be greater than or equal to Session.Lifetime.");
+
+        if (options.IdleTimeout.HasValue && options.IdleTimeout < TimeSpan.Zero)
+            errors.Add("Session.IdleTimeout cannot be negative.");
+
+        if (options.IdleTimeout.HasValue && options.IdleTimeout > TimeSpan.Zero && options.IdleTimeout > options.MaxLifetime)
+        {
+            errors.Add("Session.IdleTimeout cannot exceed Session.MaxLifetime.");
+        }
+
+        //if (options.MaxChainsPerUser <= 0)
+        //    errors.Add("Session.MaxChainsPerUser must be at least 1.");
+
+        //if (options.MaxSessionsPerChain <= 0)
+        //    errors.Add("Session.MaxSessionsPerChain must be at least 1.");
+
+        //if (options.MaxChainsPerPlatform != null)
+        //{
+        //    foreach (var kv in options.MaxChainsPerPlatform)
+        //    {
+        //        if (string.IsNullOrWhiteSpace(kv.Key))
+        //            errors.Add("Session.MaxChainsPerPlatform contains an empty platform key.");
+
+        //        if (kv.Value <= 0)
+        //            errors.Add($"Session.MaxChainsPerPlatform['{kv.Key}'] must be >= 1.");
+        //    }
+        //}
+
+        //if (options.PlatformCategories != null)
+        //{
+        //    foreach (var cat in options.PlatformCategories)
+        //    {
+        //        var categoryName = cat.Key;
+        //        var platforms = cat.Value;
+
+        //        if (string.IsNullOrWhiteSpace(categoryName))
+        //            errors.Add("Session.PlatformCategories contains an empty category name.");
+
+        //        if (platforms == null || platforms.Length == 0)
+        //            errors.Add($"Session.PlatformCategories['{categoryName}'] must contain at least one platform.");
+
+        //        var duplicates = platforms?
+        //            .GroupBy(p => p)
+        //            .Where(g => g.Count() > 1)
+        //            .Select(g => g.Key);
+        //        if (duplicates?.Any() == true)
+        //        {
+        //            errors.Add($"Session.PlatformCategories['{categoryName}'] contains duplicate platforms: {string.Join(", ", duplicates)}");
+        //        }
+        //    }
+        //}
+
+        //if (options.MaxChainsPerCategory != null)
+        //{
+        //    foreach (var kv in options.MaxChainsPerCategory)
+        //    {
+        //        if (string.IsNullOrWhiteSpace(kv.Key))
+        //            errors.Add("Session.MaxChainsPerCategory contains an empty category key.");
+
+        //        if (kv.Value <= 0)
+        //            errors.Add($"Session.MaxChainsPerCategory['{kv.Key}'] must be >= 1.");
+        //    }
+        //}
+
+        //if (options.PlatformCategories != null && options.MaxChainsPerCategory != null)
+        //{
+        //    foreach (var category in options.PlatformCategories.Keys)
+        //    {
+        //        if (!options.MaxChainsPerCategory.ContainsKey(category))
+        //        {
+        //            errors.Add(
+        //                $"Session.MaxChainsPerCategory must define a limit for category '{category}' " +
+        //                "because it exists in Session.PlatformCategories.");
+        //        }
+        //    }
+        //}
+
+        if (errors.Count == 0)
+            return ValidateOptionsResult.Success;
+
+        return ValidateOptionsResult.Fail(errors);
+    }
+}