Feature: Add token validation, basic confirmation workflow (#164)

src/Core/Service/Service.Auth/ConfirmationService.cs

@@ -0,0 +1,34 @@
+
+using Domain.Exceptions;
+using Infrastructure.Repository.Auth;
+
+namespace Service.Auth;
+
+public class ConfirmationService(
+    IAuthRepository authRepository,
+    ITokenService tokenService
+) : IConfirmationService
+{
+   public async Task<ConfirmationServiceReturn> ConfirmUserAsync(
+       string confirmationToken
+   )
+   {
+      var validatedToken = await tokenService.ValidateConfirmationTokenAsync(
+          confirmationToken
+      );
+
+      var user = await authRepository.ConfirmUserAccountAsync(
+          validatedToken.UserId
+      );
+
+      if (user == null)
+      {
+         throw new UnauthorizedException("User account not found");
+      }
+
+      return new ConfirmationServiceReturn(
+          DateTime.UtcNow,
+          user.UserAccountId
+      );
+   }
+}

src/Core/Service/Service.Auth/IConfirmationService.cs

@@ -0,0 +1,11 @@
+using Domain.Exceptions;
+using Infrastructure.Repository.Auth;
+
+namespace Service.Auth;
+
+public record ConfirmationServiceReturn(DateTime ConfirmedAt, Guid UserId);
+
+public interface IConfirmationService
+{
+    Task<ConfirmationServiceReturn> ConfirmUserAsync(string confirmationToken);
+}

src/Core/Service/Service.Auth/ILoginService.cs

@@ -2,6 +2,11 @@ using Domain.Entities;
 
 namespace Service.Auth;
 
+public record LoginServiceReturn(
+    UserAccount UserAccount,
+    string RefreshToken,
+    string AccessToken
+);
 public interface ILoginService
 {
     Task<LoginServiceReturn> LoginAsync(string username, string password);

src/Core/Service/Service.Auth/IRegisterService.cs

@@ -36,4 +36,4 @@ public interface IRegisterService
         UserAccount userAccount,
         string password
     );
-}
+}

src/Core/Service/Service.Auth/ITokenService.cs

@@ -1,34 +1,156 @@
+using System.Security.Claims;
+using System.IdentityModel.Tokens.Jwt;
 using Domain.Entities;
+using Domain.Exceptions;
 using Infrastructure.Jwt;
+using Infrastructure.Repository.Auth;
 
 namespace Service.Auth;
 
+public enum TokenType
+{
+    AccessToken,
+    RefreshToken,
+    ConfirmationToken,
+}
+
+public record ValidatedToken(Guid UserId, string Username, ClaimsPrincipal Principal);
+
+public record RefreshTokenResult(
+    UserAccount UserAccount,
+    string RefreshToken,
+    string AccessToken
+);
+
+public static class TokenServiceExpirationHours
+{
+    public const double AccessTokenHours = 1;
+    public const double RefreshTokenHours = 504; // 21 days
+    public const double ConfirmationTokenHours = 0.5; // 30 minutes
+}
+
 public interface ITokenService
 {
-    public string GenerateAccessToken(UserAccount user);
-    public string GenerateRefreshToken(UserAccount user);
+    string GenerateAccessToken(UserAccount user);
+    string GenerateRefreshToken(UserAccount user);
+    string GenerateConfirmationToken(UserAccount user);
+    string GenerateToken<T>(UserAccount user) where T : struct, Enum;
+    Task<ValidatedToken> ValidateAccessTokenAsync(string token);
+    Task<ValidatedToken> ValidateRefreshTokenAsync(string token);
+    Task<ValidatedToken> ValidateConfirmationTokenAsync(string token);
+    Task<RefreshTokenResult> RefreshTokenAsync(string refreshTokenString);
 }
 
-public class TokenService(ITokenInfrastructure tokenInfrastructure)
-    : ITokenService
+public class TokenService : ITokenService
 {
-    public string GenerateAccessToken(UserAccount userAccount)
+    private readonly ITokenInfrastructure _tokenInfrastructure;
+    private readonly IAuthRepository _authRepository;
+
+    private readonly string _accessTokenSecret;
+    private readonly string _refreshTokenSecret;
+    private readonly string _confirmationTokenSecret;
+
+    public TokenService(
+        ITokenInfrastructure tokenInfrastructure,
+        IAuthRepository authRepository
+    )
     {
-        var jwtExpiresAt = DateTime.UtcNow.AddHours(1);
-        return tokenInfrastructure.GenerateJwt(
-            userAccount.UserAccountId,
-            userAccount.Username,
-            jwtExpiresAt
-        );
+        _tokenInfrastructure = tokenInfrastructure;
+        _authRepository = authRepository;
+
+        _accessTokenSecret = Environment.GetEnvironmentVariable("ACCESS_TOKEN_SECRET")
+            ?? throw new InvalidOperationException("ACCESS_TOKEN_SECRET environment variable is not set");
+
+        _refreshTokenSecret = Environment.GetEnvironmentVariable("REFRESH_TOKEN_SECRET")
+            ?? throw new InvalidOperationException("REFRESH_TOKEN_SECRET environment variable is not set");
+
+        _confirmationTokenSecret = Environment.GetEnvironmentVariable("CONFIRMATION_TOKEN_SECRET")
+            ?? throw new InvalidOperationException("CONFIRMATION_TOKEN_SECRET environment variable is not set");
     }
 
-    public string GenerateRefreshToken(UserAccount userAccount)
+    public string GenerateAccessToken(UserAccount user)
     {
-        var jwtExpiresAt = DateTime.UtcNow.AddDays(21);
-        return tokenInfrastructure.GenerateJwt(
-            userAccount.UserAccountId,
-            userAccount.Username,
-            jwtExpiresAt
-        );
+        var expiresAt = DateTime.UtcNow.AddHours(TokenServiceExpirationHours.AccessTokenHours);
+        return _tokenInfrastructure.GenerateJwt(user.UserAccountId, user.Username, expiresAt, _accessTokenSecret);
+    }
+
+    public string GenerateRefreshToken(UserAccount user)
+    {
+        var expiresAt = DateTime.UtcNow.AddHours(TokenServiceExpirationHours.RefreshTokenHours);
+        return _tokenInfrastructure.GenerateJwt(user.UserAccountId, user.Username, expiresAt, _refreshTokenSecret);
+    }
+
+    public string GenerateConfirmationToken(UserAccount user)
+    {
+        var expiresAt = DateTime.UtcNow.AddHours(TokenServiceExpirationHours.ConfirmationTokenHours);
+        return _tokenInfrastructure.GenerateJwt(user.UserAccountId, user.Username, expiresAt, _confirmationTokenSecret);
+    }
+
+    public string GenerateToken<T>(UserAccount user) where T : struct, Enum
+    {
+        if (typeof(T) != typeof(TokenType))
+            throw new InvalidOperationException("Invalid token type");
+
+        var tokenTypeName = typeof(T).Name;
+        if (!Enum.TryParse(typeof(TokenType), tokenTypeName, out var parsed))
+            throw new InvalidOperationException("Invalid token type");
+
+        var tokenType = (TokenType)parsed;
+        return tokenType switch
+        {
+            TokenType.AccessToken => GenerateAccessToken(user),
+            TokenType.RefreshToken => GenerateRefreshToken(user),
+            TokenType.ConfirmationToken => GenerateConfirmationToken(user),
+            _ => throw new InvalidOperationException("Invalid token type"),
+        };
+    }
+
+    public async Task<ValidatedToken> ValidateAccessTokenAsync(string token)
+        => await ValidateTokenInternalAsync(token, _accessTokenSecret, "access");
+
+    public async Task<ValidatedToken> ValidateRefreshTokenAsync(string token)
+        => await ValidateTokenInternalAsync(token, _refreshTokenSecret, "refresh");
+
+    public async Task<ValidatedToken> ValidateConfirmationTokenAsync(string token)
+        => await ValidateTokenInternalAsync(token, _confirmationTokenSecret, "confirmation");
+
+    private async Task<ValidatedToken> ValidateTokenInternalAsync(string token, string secret, string tokenType)
+    {
+        try
+        {
+            var principal = await _tokenInfrastructure.ValidateJwtAsync(token, secret);
+
+            var userIdClaim = principal.FindFirst(JwtRegisteredClaimNames.Sub)?.Value;
+            var usernameClaim = principal.FindFirst(JwtRegisteredClaimNames.UniqueName)?.Value;
+
+            if (string.IsNullOrEmpty(userIdClaim) || string.IsNullOrEmpty(usernameClaim))
+                throw new UnauthorizedException($"Invalid {tokenType} token: missing required claims");
+
+            if (!Guid.TryParse(userIdClaim, out var userId))
+                throw new UnauthorizedException($"Invalid {tokenType} token: malformed user ID");
+
+            return new ValidatedToken(userId, usernameClaim, principal);
+        }
+        catch (UnauthorizedException)
+        {
+            throw;
+        }
+        catch (Exception e)
+        {
+            throw new UnauthorizedException($"Failed to validate {tokenType} token: {e.Message}");
+        }
+    }
+
+    public async Task<RefreshTokenResult> RefreshTokenAsync(string refreshTokenString)
+    {
+        var validated = await ValidateRefreshTokenAsync(refreshTokenString);
+        var user = await _authRepository.GetUserByIdAsync(validated.UserId);
+        if (user == null)
+            throw new UnauthorizedException("User account not found");
+
+        var newAccess = GenerateAccessToken(user);
+        var newRefresh = GenerateRefreshToken(user);
+
+        return new RefreshTokenResult(user, newRefresh, newAccess);
     }
 }

src/Core/Service/Service.Auth/LoginService.cs

@@ -5,11 +5,6 @@ using Infrastructure.Repository.Auth;
 
 namespace Service.Auth;
 
-public record LoginServiceReturn(
-    UserAccount UserAccount,
-    string RefreshToken,
-    string AccessToken
-);
 
 public class LoginService(
     IAuthRepository authRepo,

src/Core/Service/Service.Auth/RegisterService.cs

@@ -53,6 +53,7 @@ public class RegisterService(
 
         var accessToken = tokenService.GenerateAccessToken(createdUser);
         var refreshToken = tokenService.GenerateRefreshToken(createdUser);
+        var confirmationToken = tokenService.GenerateConfirmationToken(createdUser);
 
         if (
             string.IsNullOrEmpty(accessToken)
@@ -67,14 +68,15 @@ public class RegisterService(
         {
             // send confirmation email
             await emailService.SendRegistrationEmailAsync(
-                createdUser,
-                "some-confirmation-token"
+                createdUser, confirmationToken
             );
 
             emailSent = true;
         }
-        catch
+        catch (Exception ex)
         {
+            await Console.Error.WriteLineAsync(ex.Message);
+            Console.WriteLine("Could not send email.");
             // ignored
         }
 
@@ -85,4 +87,4 @@ public class RegisterService(
             emailSent
         );
     }
-}
+}

src/Core/Service/Service.Auth/Service.Auth.csproj

@@ -6,13 +6,17 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <ProjectReference Include="..\..\Domain.Entities\Domain.Entities.csproj" />
-    <ProjectReference Include="..\..\Domain.Exceptions\Domain.Exceptions.csproj" />
-    <ProjectReference Include="..\..\Infrastructure\Infrastructure.Email\Infrastructure.Email.csproj" />
-    <ProjectReference Include="..\..\Infrastructure\Infrastructure.Email.Templates\Infrastructure.Email.Templates.csproj" />
+    <ProjectReference Include="..\..\Domain\Domain.Entities\Domain.Entities.csproj" />
+    <ProjectReference Include="..\..\Domain\Domain.Exceptions\Domain.Exceptions.csproj" />
+    <ProjectReference
+      Include="..\..\Infrastructure\Infrastructure.Email\Infrastructure.Email.csproj" />
+    <ProjectReference
+      Include="..\..\Infrastructure\Infrastructure.Email.Templates\Infrastructure.Email.Templates.csproj" />
     <ProjectReference Include="..\..\Infrastructure\Infrastructure.Jwt\Infrastructure.Jwt.csproj" />
-    <ProjectReference Include="..\..\Infrastructure\Infrastructure.Repository\Infrastructure.Repository.csproj" />
-    <ProjectReference Include="..\..\Infrastructure\Infrastructure.PasswordHashing\Infrastructure.PasswordHashing.csproj" />
+    <ProjectReference
+      Include="..\..\Infrastructure\Infrastructure.Repository\Infrastructure.Repository.csproj" />
+    <ProjectReference
+      Include="..\..\Infrastructure\Infrastructure.PasswordHashing\Infrastructure.PasswordHashing.csproj" />
     <ProjectReference Include="..\Service.Emails\Service.Emails.csproj" />
   </ItemGroup>
 </Project>