Merge pull request #17 from Shuttle/session-token-claim

Session token claim

Author: eben-roux

Shuttle.Access.Application/.package/package.nuspec

@@ -1,30 +1,32 @@
 <?xml version="1.0"?>
 
 <package>
-	<metadata>
-		<id>Shuttle.Access.Application</id>
-		<version>6.0.0</version>
-		<authors>Eben Roux</authors>
-		<owners>Eben Roux</owners>
-		<license type="expression">BSD-3-Clause</license>
-		<requireLicenseAcceptance>false</requireLicenseAcceptance>
-		<icon>images\logo.png</icon>
-		<repository type="git" url="https://github.com/Shuttle/Shuttle.Access.git" />
-		<projectUrl>https://github.com/shuttle/Shuttle.Access</projectUrl>
-		<description>A client component that calls the Shuttle.Access.WebApi to interact with the Shuttle.Access Identity and Access Management domain.</description>
-		<copyright>Copyright (c) 2025, Eben Roux</copyright>
-		<tags>iam identity authorization authentication security permissions</tags>
-		<dependencies>
-      <dependency id="Microsoft.CSharp" version="4.7.0" />
+  <metadata>
+    <id>Shuttle.Access.Application</id>
+    <version>6.0.2</version>
+    <authors>Eben Roux</authors>
+    <owners>Eben Roux</owners>
+    <license type="expression">BSD-3-Clause</license>
+    <requireLicenseAcceptance>false</requireLicenseAcceptance>
+    <icon>images\logo.png</icon>
+    <readme>docs\README.md</readme>
+    <repository type="git" url="https://github.com/Shuttle/Shuttle.Access.git" />
+    <projectUrl>https://github.com/shuttle/Shuttle.Access</projectUrl>
+    <description>Application concern implementations such as Shuttle.Core.Mediator participants.</description>
+    <copyright>Copyright (c) 2025, Eben Roux</copyright>
+    <tags>iam identity authorization authentication security permissions</tags>
+    <dependencies>
+            <dependency id="Microsoft.CSharp" version="4.7.0" />
       <dependency id="Shuttle.Core.Contract" version="20.0.0" />
       <dependency id="Shuttle.Core.Mediator" version="20.0.0" />
       <dependency id="Shuttle.Esb" version="20.0.0" />
       <dependency id="Shuttle.Recall" version="20.0.0" />
       <dependency id="Shuttle.Recall.Sql.Storage" version="20.0.0" />
-		</dependencies>
-	</metadata>
-	<files>
-		<file src="..\..\..\.media\logo.png" target="images" />
-		<file src="lib\**\*.*" target="lib" />
-	</files>
+    </dependencies>
+  </metadata>
+  <files>
+    <file src="..\..\..\.media\logo.png" target="images" />
+    <file src="..\..\..\README.md" target="docs\" />
+    <file src="lib\**\*.*" target="lib" />
+  </files>
 </package>

Shuttle.Access.Application/.package/package.nuspec.template

@@ -1,25 +1,27 @@
 <?xml version="1.0"?>
 
 <package>
-	<metadata>
-		<id>Shuttle.Access.Application</id>
-		<version>#{SemanticVersion}#</version>
-		<authors>Eben Roux</authors>
-		<owners>Eben Roux</owners>
-		<license type="expression">BSD-3-Clause</license>
-		<requireLicenseAcceptance>false</requireLicenseAcceptance>
-		<icon>images\logo.png</icon>
-		<repository type="git" url="https://github.com/Shuttle/Shuttle.Access.git" />
-		<projectUrl>https://github.com/shuttle/Shuttle.Access</projectUrl>
-		<description>A client component that calls the Shuttle.Access.WebApi to interact with the Shuttle.Access Identity and Access Management domain.</description>
-		<copyright>Copyright (c) #{Year}#, Eben Roux</copyright>
-		<tags>iam identity authorization authentication security permissions</tags>
-		<dependencies>
-#{Dependencies}#
-		</dependencies>
-	</metadata>
-	<files>
-		<file src="..\..\..\.media\logo.png" target="images" />
-		<file src="lib\**\*.*" target="lib" />
-	</files>
+  <metadata>
+    <id>Shuttle.Access.Application</id>
+    <version>#{SemanticVersion}#</version>
+    <authors>Eben Roux</authors>
+    <owners>Eben Roux</owners>
+    <license type="expression">BSD-3-Clause</license>
+    <requireLicenseAcceptance>false</requireLicenseAcceptance>
+    <icon>images\logo.png</icon>
+    <readme>docs\README.md</readme>
+    <repository type="git" url="https://github.com/Shuttle/Shuttle.Access.git" />
+    <projectUrl>https://github.com/shuttle/Shuttle.Access</projectUrl>
+    <description>Application concern implementations such as Shuttle.Core.Mediator participants.</description>
+    <copyright>Copyright (c) #{Year}#, Eben Roux</copyright>
+    <tags>iam identity authorization authentication security permissions</tags>
+    <dependencies>
+      #{Dependencies}#
+    </dependencies>
+  </metadata>
+  <files>
+    <file src="..\..\..\.media\logo.png" target="images" />
+    <file src="..\..\..\README.md" target="docs\" />
+    <file src="lib\**\*.*" target="lib" />
+  </files>
 </package>

Shuttle.Access.Application/ActivateIdentityParticipant.cs

@@ -25,7 +25,7 @@ public async Task ProcessMessageAsync(IParticipantContext<RequestResponseMessage
         Guard.AgainstNull(context);
 
         var message = context.Message.Request;
-        var now = DateTime.UtcNow;
+        var now = DateTimeOffset.UtcNow;
 
         var specification = new DataAccess.Identity.Specification();
 

Shuttle.Access.Application/ConfigureApplicationParticipant.cs

@@ -1,7 +1,6 @@
 using System;
 using System.Collections.Generic;
 using System.Threading.Tasks;
-using Castle.Core.Logging;
 using Microsoft.Extensions.Logging;
 using Shuttle.Access.DataAccess;
 using Shuttle.Access.Messages.v1;
@@ -66,9 +65,9 @@ public async Task ProcessMessageAsync(IParticipantContext<ConfigureApplication>
 
             await _mediator.SendAsync(registerRoleMessage);
 
-            var timeout = DateTime.Now.AddSeconds(15);
+            var timeout = DateTimeOffset.Now.AddSeconds(15);
 
-            while (await _roleQuery.CountAsync(roleSpecification) == 0 && DateTime.Now < timeout)
+            while (await _roleQuery.CountAsync(roleSpecification) == 0 && DateTimeOffset.Now < timeout)
             {
                 Task.Delay(TimeSpan.FromMilliseconds(500), context.CancellationToken).Wait();
             }

Shuttle.Access.Application/Properties/AssemblyInfo.cs

@@ -9,10 +9,10 @@
 [assembly: AssemblyTitle(".NET Unified Platform")]
 #endif
 
-[assembly: AssemblyVersion("6.0.0.0")]
+[assembly: AssemblyVersion("6.0.2.0")]
 [assembly: AssemblyCopyright("Copyright (c) 2025, Eben Roux")]
 [assembly: AssemblyProduct("Shuttle.Access.Application")]
 [assembly: AssemblyCompany("Eben Roux")]
 [assembly: AssemblyConfiguration("Release")]
-[assembly: AssemblyInformationalVersion("6.0.0")]
+[assembly: AssemblyInformationalVersion("6.0.2")]
 [assembly: ComVisible(false)]

Shuttle.Access.Application/RefreshSessionParticipant.cs

@@ -63,7 +63,7 @@ public async Task ProcessMessageAsync(IParticipantContext<RefreshSession> contex
 
         await _sessionRepository.SaveAsync(session);
 
-        _accessService.Flush(session.Token);
+        await _accessService.RemoveAsync(session.Token);
 
         await _serviceBus.PublishAsync(new SessionRefreshed
         {

Shuttle.Access.Application/RegisterSessionParticipant.cs

@@ -106,9 +106,9 @@ public async Task ProcessMessageAsync(IParticipantContext<RegisterSession> conte
                 return;
             }
 
-            if (session.ExpiryDate.Add(_accessOptions.SessionRenewalTolerance) > DateTime.UtcNow)
+            if (session.ExpiryDate.Add(_accessOptions.SessionRenewalTolerance) > DateTimeOffset.UtcNow)
             {
-                session.Renew(DateTime.UtcNow.Add(_accessOptions.SessionDuration));
+                session.Renew(DateTimeOffset.UtcNow.Add(_accessOptions.SessionDuration));
 
                 await SaveAsync();
 
@@ -120,7 +120,7 @@ public async Task ProcessMessageAsync(IParticipantContext<RegisterSession> conte
 
         if (message.RegistrationType != SessionRegistrationType.Token)
         {
-            var now = DateTime.UtcNow;
+            var now = DateTimeOffset.UtcNow;
 
             session = new(Guid.NewGuid(), await _identityQuery.IdAsync(message.IdentityName, context.CancellationToken), message.IdentityName, now, now.Add(_accessOptions.SessionDuration));
 
@@ -142,7 +142,7 @@ async Task SaveAsync()
 
             if (message.HasKnownApplicationOptions)
             {
-                var sessionTokenExchange = new SessionTokenExchange(Guid.NewGuid(), session.Token, DateTime.UtcNow.Add(_accessOptions.SessionTokenExchangeValidityTimeSpan));
+                var sessionTokenExchange = new SessionTokenExchange(Guid.NewGuid(), session.Token, DateTimeOffset.UtcNow.Add(_accessOptions.SessionTokenExchangeValidityTimeSpan));
 
                 await _sessionTokenExchangeRepository.SaveAsync(sessionTokenExchange, context.CancellationToken);
 

Shuttle.Access.AspNetCore/.package/package.nuspec

@@ -1,28 +1,28 @@
 <?xml version="1.0"?>
 
 <package>
-	<metadata>
-		<id>Shuttle.Access.AspNetCore</id>
-		<version>6.0.0</version>
-		<authors>Eben Roux</authors>
-		<owners>Eben Roux</owners>
-		<license type="expression">BSD-3-Clause</license>
-		<requireLicenseAcceptance>false</requireLicenseAcceptance>
-		<icon>images\logo.png</icon>
-		<readme>docs\README.md</readme>
-		<repository type="git" url="https://github.com/Shuttle/Shuttle.Access.git" />
-		<projectUrl>https://github.com/Shuttle/Shuttle.Access</projectUrl>
-		<description>Authorization middleware for web API endpoints using Shuttle.Access.</description>
-		<copyright>Copyright (c) 2025, Eben Roux</copyright>
-		<tags>iam middleware authorization permissions</tags>
-		<dependencies>
-      <dependency id="Shuttle.Access" version="6.0.0" />
+  <metadata>
+    <id>Shuttle.Access.AspNetCore</id>
+    <version>6.0.2</version>
+    <authors>Eben Roux</authors>
+    <owners>Eben Roux</owners>
+    <license type="expression">BSD-3-Clause</license>
+    <requireLicenseAcceptance>false</requireLicenseAcceptance>
+    <icon>images\logo.png</icon>
+    <readme>docs\README.md</readme>
+    <repository type="git" url="https://github.com/Shuttle/Shuttle.Access.git" />
+    <projectUrl>https://github.com/Shuttle/Shuttle.Access</projectUrl>
+    <description>Authorization middleware for web API endpoints using Shuttle.Access.</description>
+    <copyright>Copyright (c) 2025, Eben Roux</copyright>
+    <tags>iam middleware authorization permissions</tags>
+    <dependencies>
+            <dependency id="Shuttle.Access" version="6.0.2" />
       <dependency id="Shuttle.Core.Contract" version="20.0.0" />
-		</dependencies>
-	</metadata>
-	<files>
-		<file src="..\..\..\.media\logo.png" target="images" />
-		<file src="..\..\..\README.md" target="docs" />
-		<file src="lib\**\*.*" target="lib" />
-	</files>
+    </dependencies>
+  </metadata>
+  <files>
+    <file src="..\..\..\.media\logo.png" target="images" />
+    <file src="..\..\..\README.md" target="docs" />
+    <file src="lib\**\*.*" target="lib" />
+  </files>
 </package>

Shuttle.Access.AspNetCore/.package/package.nuspec.template

@@ -1,27 +1,27 @@
 <?xml version="1.0"?>
 
 <package>
-	<metadata>
-		<id>Shuttle.Access.AspNetCore</id>
-		<version>#{SemanticVersion}#</version>
-		<authors>Eben Roux</authors>
-		<owners>Eben Roux</owners>
-		<license type="expression">BSD-3-Clause</license>
-		<requireLicenseAcceptance>false</requireLicenseAcceptance>
-		<icon>images\logo.png</icon>
-		<readme>docs\README.md</readme>
-		<repository type="git" url="https://github.com/Shuttle/Shuttle.Access.git" />
-		<projectUrl>https://github.com/Shuttle/Shuttle.Access</projectUrl>
-		<description>Authorization middleware for web API endpoints using Shuttle.Access.</description>
-		<copyright>Copyright (c) #{Year}#, Eben Roux</copyright>
-		<tags>iam middleware authorization permissions</tags>
-		<dependencies>
-#{Dependencies}#
-		</dependencies>
-	</metadata>
-	<files>
-		<file src="..\..\..\.media\logo.png" target="images" />
-		<file src="..\..\..\README.md" target="docs" />
-		<file src="lib\**\*.*" target="lib" />
-	</files>
+  <metadata>
+    <id>Shuttle.Access.AspNetCore</id>
+    <version>#{SemanticVersion}#</version>
+    <authors>Eben Roux</authors>
+    <owners>Eben Roux</owners>
+    <license type="expression">BSD-3-Clause</license>
+    <requireLicenseAcceptance>false</requireLicenseAcceptance>
+    <icon>images\logo.png</icon>
+    <readme>docs\README.md</readme>
+    <repository type="git" url="https://github.com/Shuttle/Shuttle.Access.git" />
+    <projectUrl>https://github.com/Shuttle/Shuttle.Access</projectUrl>
+    <description>Authorization middleware for web API endpoints using Shuttle.Access.</description>
+    <copyright>Copyright (c) #{Year}#, Eben Roux</copyright>
+    <tags>iam middleware authorization permissions</tags>
+    <dependencies>
+      #{Dependencies}#
+    </dependencies>
+  </metadata>
+  <files>
+    <file src="..\..\..\.media\logo.png" target="images" />
+    <file src="..\..\..\README.md" target="docs" />
+    <file src="lib\**\*.*" target="lib" />
+  </files>
 </package>

Shuttle.Access.AspNetCore/AccessAuthenticationHandler.cs

@@ -0,0 +1,94 @@
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+using System.Text.Json;
+using System.Text.RegularExpressions;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.WebUtilities;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Shuttle.Core.Contract;
+
+namespace Shuttle.Access.AspNetCore;
+
+public class AccessAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
+{
+    private readonly IAccessService _accessService;
+    public static readonly string AuthenticationScheme = "Shuttle.Access";
+    public const string SessionTokenClaimType = "http://shuttle.org/claims/session/token";
+    public static readonly Regex TokenExpression = new(@"token\s*=\s*(?<token>[0-9a-fA-F-]{36})", RegexOptions.IgnoreCase);
+    private const string Type = "https://tools.ietf.org/html/rfc9110#section-15.5.2";
+
+    public AccessAuthenticationHandler(IOptionsMonitor<AuthenticationSchemeOptions> options, ILoggerFactory logger, UrlEncoder encoder, IAccessService accessService) : base(options, logger, encoder)
+    {
+        _accessService = Guard.AgainstNull(accessService);
+    }
+
+    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
+    {
+        await Task.CompletedTask;
+
+        var header = Request.Headers["Authorization"].FirstOrDefault();
+
+        if (header == null)
+        {
+            return AuthenticateResult.NoResult();
+        }
+
+        if (!header.StartsWith("Shuttle.Access ", StringComparison.OrdinalIgnoreCase))
+        {
+            return AuthenticateResult.NoResult();
+        }
+
+        var match = TokenExpression.Match(header["Shuttle.Access ".Length..].Trim());
+
+        if (!match.Success ||
+            !Guid.TryParse(match.Groups["token"].Value, out var sessionToken))
+        {
+            return AuthenticateResult.Fail(Resources.InvalidAuthenticationHeader);
+        }
+
+        var session = await _accessService.FindSessionAsync(sessionToken);
+
+        if (session == null)
+        {
+            return AuthenticateResult.Fail(Resources.InvalidAuthenticationHeader);
+        }
+
+        Context.SetPrincipalAccessSessionToken(sessionToken);
+
+        List<Claim> claims =
+        [
+            new(ClaimTypes.NameIdentifier, session.IdentityName),
+            new(ClaimTypes.Name, session.IdentityName),
+            new(nameof(session.IdentityName), session.IdentityName),
+            new(SessionTokenClaimType, $"{session.Token:D}")
+        ];
+
+        return AuthenticateResult.Success(new(new(new ClaimsIdentity(claims, Scheme.Name)), Scheme.Name));
+    }
+
+    protected override async Task HandleChallengeAsync(AuthenticationProperties properties)
+    {
+        var authenticateResult = await HandleAuthenticateOnceAsync();
+
+        if (authenticateResult.Succeeded)
+        {
+            return;
+        }
+        
+        Response.StatusCode = StatusCodes.Status401Unauthorized;
+        Response.Headers.WWWAuthenticate = "Shuttle.Access";
+
+        var problemDetails = new ProblemDetails
+        {
+            Type = Type,
+            Title = ReasonPhrases.GetReasonPhrase(StatusCodes.Status401Unauthorized),
+            Status = StatusCodes.Status401Unauthorized,
+            Detail = authenticateResult.Failure?.Message
+        };
+
+        await Response.WriteAsJsonAsync(problemDetails, (JsonSerializerOptions?)null, "application/problem+json");
+    }
+}

Shuttle.Access.AspNetCore/AccessAuthorizationMiddleware.cs

@@ -1,5 +1,4 @@
 using System.Security.Claims;
-using System.Text.RegularExpressions;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Options;
 using Microsoft.Extensions.Primitives;