code clean up; update Readme

changhuixu · changhuixu · commit c9dc9c827649 · 2020-07-24T17:01:06.000-05:00
diff --git a/README.md b/README.md
@@ -2,6 +2,12 @@
 
 This repository demos an ASP.NET Core web API application using JWT auth, and an integration testing project for a set of actions including login, logout, refresh token, impersonation, authentication, and authorization.
 
+## Medium Articles
+
+- [Using JWT in ASP.NET Core](https://codeburst.io/using-jwt-in-asp-net-core-148fb72bed03)
+
+  In this article, I will show you how to implement an ASP.NET Core web API application using JWT authentication and authorization.
+
 ## Solution Structure
 
 This repository includes two applications: an Angular SPA in the `angular` folder, and an ASP.NET Core web API app in the `webapi` folder. The SPA makes HTTP requests to the server side (the `webapi` app) using an API BaseURL `https://localhost:5001`. The API BaseURL is set in the `environment.ts` file and the `environment.prod.ts` file, which can be modified based on your situation.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -12,7 +12,7 @@ services:
   api:
     build: ./webapi
     ports:
-      - '5001'
+      - '5001:5001'
     environment:
       - ASPNETCORE_ENVIRONMENT=Development
       - ASPNETCORE_URLS=https://+:5001;http://+:5000
diff --git a/webapi/JwtAuthDemo.IntegrationTests/JwtAuthManagerTests.cs b/webapi/JwtAuthDemo.IntegrationTests/JwtAuthManagerTests.cs
@@ -64,9 +64,37 @@ public void ShouldThrowExceptionWhenRefreshTokenUsingAnExpiredToken()
                 new Claim(ClaimTypes.Name,userName),
                 new Claim(ClaimTypes.Role, UserRoles.Admin)
             };
-            var tokens = jwtAuthManager.GenerateTokens(userName, claims, now.AddMinutes(-jwtTokenConfig.RefreshTokenExpiration - 1));
 
-            var e = Assert.ThrowsException<SecurityTokenException>(() => jwtAuthManager.Refresh(tokens.RefreshToken.TokenString, tokens.AccessToken, now));
+            var jwtAuthResult1 = jwtAuthManager.GenerateTokens(userName, claims, now.AddMinutes(-jwtTokenConfig.AccessTokenExpiration - 1).AddSeconds(1));
+            jwtAuthManager.Refresh(jwtAuthResult1.RefreshToken.TokenString, jwtAuthResult1.AccessToken, now);
+
+            var jwtAuthResult2 = jwtAuthManager.GenerateTokens(userName, claims, now.AddMinutes(-jwtTokenConfig.AccessTokenExpiration - 1));
+            Assert.ThrowsException<SecurityTokenExpiredException>(() => jwtAuthManager.Refresh(jwtAuthResult2.RefreshToken.TokenString, jwtAuthResult2.AccessToken, now));
+        }
+
+        [TestMethod]
+        public void ShouldThrowExceptionWhenRefreshTokenIsForged()
+        {
+            var jwtAuthManager = _serviceProvider.GetRequiredService<IJwtAuthManager>();
+            var jwtTokenConfig = _serviceProvider.GetRequiredService<JwtTokenConfig>();
+            var now = DateTime.Now;
+
+            var claims1 = new[]
+            {
+                new Claim(ClaimTypes.Name,"admin"),
+                new Claim(ClaimTypes.Role, UserRoles.Admin)
+            };
+            var tokens1 = jwtAuthManager.GenerateTokens("admin", claims1, now.AddMinutes(-jwtTokenConfig.AccessTokenExpiration));
+
+            var claims2 = new[]
+            {
+                new Claim(ClaimTypes.Name,"test1"),
+                new Claim(ClaimTypes.Role, UserRoles.Admin)
+            };
+            var tokens2 = jwtAuthManager.GenerateTokens("test1", claims2, now.AddMinutes(-jwtTokenConfig.AccessTokenExpiration));
+
+            // forge a token: try to use the refresh token for "test1", but use the access token for "admin"
+            var e = Assert.ThrowsException<SecurityTokenException>(() => jwtAuthManager.Refresh(tokens2.RefreshToken.TokenString, tokens1.AccessToken, now));
             Assert.AreEqual("Invalid token", e.Message);
         }
     }
diff --git a/webapi/JwtAuthDemo.IntegrationTests/ValuesControllerTests.cs b/webapi/JwtAuthDemo.IntegrationTests/ValuesControllerTests.cs
@@ -12,6 +12,7 @@
 using JwtAuthDemo.Services;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.IdentityModel.Tokens;
 using Microsoft.VisualStudio.TestTools.UnitTesting;
 
 namespace JwtAuthDemo.IntegrationTests
@@ -64,12 +65,10 @@ public async Task ShouldGetAllKeyValuePairsUsingSuccessLogin()
         public async Task ShouldReturn401ForInvalidToken()
         {
             const string invalidTokenString =
-                @"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1lIjoiYWRtaW4iLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL3JvbGUiOiJBZG1pbiIsImV4cCI6MTU5NDg1NzYxNSwiaXNzIjoiaHR0cHM6Ly9teXdlYmFwaS5jb20iLCJhdWQiOiJNeSBXZWJBcGkgVXNlcnMifQ.kjO-4siQxx3JVPVtV_jbmSP5fLp-SIJL92Zq3-weCIg";
+                @"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYW8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL3JvbGUiOiJBZG1pbiIsImV4cCI6MTU5NDg1NzYxNSwiaXNzIjoiaHR0cHM6Ly9teXdlYmFwaS5jb20iLCJhdWQiOiJNeSBXZWJBcGkgVXNlcnMifQ.kjO-4siQxx3JVPVtV_jbmSP5fLp-SIJL92Zq3-weCIg";
 
             var jwtAuthManager = _serviceProvider.GetRequiredService<IJwtAuthManager>();
-            var (principal, jwtSecurityToken) = jwtAuthManager.DecodeJwtToken(invalidTokenString);
-            Assert.AreEqual("admin", principal.Identity.Name);
-            Assert.IsNotNull(jwtSecurityToken);
+            Assert.ThrowsException<SecurityTokenInvalidSignatureException>(() => jwtAuthManager.DecodeJwtToken(invalidTokenString));
 
             _httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(JwtBearerDefaults.AuthenticationScheme, invalidTokenString);
             var response = await _httpClient.GetAsync("api/values");
@@ -90,7 +89,9 @@ public async Task ShouldReturn401ForExpiredToken()
 
             // expired token
             var jwtResult = jwtAuthManager.GenerateTokens(userName, claims, DateTime.Now.AddMinutes(-jwtTokenConfig.AccessTokenExpiration - 1));
-            _httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(JwtBearerDefaults.AuthenticationScheme, jwtResult.AccessToken);
+            var invalidTokenString = jwtResult.AccessToken;
+            Assert.ThrowsException<SecurityTokenExpiredException>(() => jwtAuthManager.DecodeJwtToken(invalidTokenString));
+            _httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(JwtBearerDefaults.AuthenticationScheme, invalidTokenString);
             var response = await _httpClient.GetAsync("api/values");
             Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
 
diff --git a/webapi/JwtAuthDemo/Infrastructure/JwtAuthManager.cs b/webapi/JwtAuthDemo/Infrastructure/JwtAuthManager.cs
@@ -104,6 +104,10 @@ public JwtAuthResult Refresh(string refreshToken, string accessToken, DateTime n
 
         public (ClaimsPrincipal, JwtSecurityToken) DecodeJwtToken(string token)
         {
+            if (string.IsNullOrWhiteSpace(token))
+            {
+                throw new SecurityTokenException("Invalid token");
+            }
             var principal = new JwtSecurityTokenHandler()
                 .ValidateToken(token,
                     new TokenValidationParameters
@@ -113,8 +117,9 @@ public JwtAuthResult Refresh(string refreshToken, string accessToken, DateTime n
                         ValidateIssuerSigningKey = true,
                         IssuerSigningKey = new SymmetricSecurityKey(_secret),
                         ValidAudience = _jwtTokenConfig.Audience,
-                        ValidateAudience = false,
-                        ValidateLifetime = false
+                        ValidateAudience = true,
+                        ValidateLifetime = true,
+                        ClockSkew = TimeSpan.FromMinutes(1)
                     },
                     out var validatedToken);
             return (principal, validatedToken as JwtSecurityToken);
diff --git a/webapi/JwtAuthDemo/Startup.cs b/webapi/JwtAuthDemo/Startup.cs
@@ -44,7 +44,7 @@ public void ConfigureServices(IServiceCollection services)
                     ValidateIssuerSigningKey = true,
                     IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(jwtTokenConfig.Secret)),
                     ValidAudience = jwtTokenConfig.Audience,
-                    ValidateAudience = false,
+                    ValidateAudience = true,
                     ValidateLifetime = true,
                     ClockSkew = TimeSpan.FromMinutes(1)
                 };
@@ -73,10 +73,7 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
                 app.UseDeveloperExceptionPage();
             }
 
-            //if (Environment.GetEnvironmentVariable("DOTNET_RUNNING_IN_CONTAINER") != "true")
-            {
-                app.UseHttpsRedirection();
-            }
+            app.UseHttpsRedirection();
 
             app.UseSwagger();
             app.UseSwaggerUI(c =>
diff --git a/webapi/README.md b/webapi/README.md
@@ -14,5 +14,6 @@ This repository demos an ASP.NET Core web API application using JWT auth, and an
 
    ```Docker
    docker build -t jwtauthdemo_api .
-   docker run --rm -it jwtauthdemo_api
    ```
+
+   recommend to use the `docker-compose.yml` file in the parent directory to launch the app.
