Why: provide service-side canonical login/refresh orchestration for session-based web auth. What: add session contracts, refresh token codec with provider-agnostic secret boundary, grpc session methods, DI wiring, tests, and docs. Rule: preserve thalos identity ownership and keep transport adapters at service edge.
using BuildingBlock.Identity.Contracts.Conventions;
|
|
using Thalos.Service.Application.Secrets;
|
|
using Thalos.Service.Application.Sessions;
|
|
|
|
namespace Thalos.Service.Application.UnitTests;
|
|
|
|
public class HmacIdentitySessionTokenCodecTests
|
|
{
|
|
[Fact]
|
|
public void EncodeAndTryDecode_WhenTokenValid_RoundTripsDescriptor()
|
|
{
|
|
var codec = new HmacIdentitySessionTokenCodec(new FakeSecretMaterialProvider());
|
|
var descriptor = new IdentitySessionDescriptor(
|
|
"user-9",
|
|
"tenant-9",
|
|
IdentityAuthProvider.AzureAd,
|
|
DateTimeOffset.UtcNow.AddMinutes(5));
|
|
|
|
var token = codec.Encode(descriptor);
|
|
var ok = codec.TryDecode(token, out var decoded);
|
|
|
|
Assert.True(ok);
|
|
Assert.Equal("user-9", decoded.SubjectId);
|
|
Assert.Equal("tenant-9", decoded.TenantId);
|
|
Assert.Equal(IdentityAuthProvider.AzureAd, decoded.Provider);
|
|
}
|
|
|
|
[Fact]
|
|
public void TryDecode_WhenTokenTampered_ReturnsFalse()
|
|
{
|
|
var codec = new HmacIdentitySessionTokenCodec(new FakeSecretMaterialProvider());
|
|
var descriptor = new IdentitySessionDescriptor(
|
|
"user-9",
|
|
"tenant-9",
|
|
IdentityAuthProvider.InternalJwt,
|
|
DateTimeOffset.UtcNow.AddMinutes(5));
|
|
|
|
var token = codec.Encode(descriptor) + "tamper";
|
|
|
|
var ok = codec.TryDecode(token, out _);
|
|
|
|
Assert.False(ok);
|
|
}
|
|
|
|
private sealed class FakeSecretMaterialProvider : IIdentitySecretMaterialProvider
|
|
{
|
|
public string GetSecret(string secretKey) => "unit-test-secret";
|
|
}
|
|
}
|
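Review bot: The tamper test at `codec.Encode(descriptor) + "tamper"` only shows that a structurally broken token is rejected; nothing exercises the property that makes an HMAC codec a security boundary, namely that a token issued under one secret fails verification under another and, if the codec checks the expiry carried in the descriptor, that a token whose expiry is already before `DateTimeOffset.UtcNow` is refused. `FakeSecretMaterialProvider` returns the same constant regardless of `secretKey`, so a second secret cannot currently be supplied; giving the fake a constructor parameter (default kept at `"unit-test-secret"`) allows a mismatched-secret test without touching the existing cases. An expiry case could reuse the same shape with `DateTimeOffset.UtcNow.AddMinutes(-5)`, assuming the codec enforces expiry, which is not visible in this file. Whether the fake should also assert the `secretKey` the codec asks for depends on the codec's contract, also outside this file.
```csharp
[Fact]
public void TryDecode_WhenSignedWithDifferentSecret_ReturnsFalse()
{
    var issuer = new HmacIdentitySessionTokenCodec(new FakeSecretMaterialProvider("issuer-secret"));
    var verifier = new HmacIdentitySessionTokenCodec(new FakeSecretMaterialProvider("other-secret"));
    var descriptor = new IdentitySessionDescriptor(
        "user-9",
        "tenant-9",
        IdentityAuthProvider.InternalJwt,
        DateTimeOffset.UtcNow.AddMinutes(5));

    var ok = verifier.TryDecode(issuer.Encode(descriptor), out _);

    Assert.False(ok);
}

// … unchanged: existing round-trip and tamper tests …

private sealed class FakeSecretMaterialProvider : IIdentitySecretMaterialProvider
{
    private readonly string _secret;

    public FakeSecretMaterialProvider(string secret = "unit-test-secret") => _secret = secret;

    public string GetSecret(string secretKey) => _secret;
}
```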