Merge pull request 'Refactored CheckSameSite' (#127) from dataprotection into master

Reviewed-on: #127

LiteCharms.Features/Extensions/Api.cs

@@ -2,6 +2,7 @@
 using LiteCharms.Features.Api;
 using LiteCharms.Features.Api.Configuration;
 using LiteCharms.Features.Api.Sdk;
+using LiteCharms.Features.Postgres;
 
 namespace LiteCharms.Features.Extensions;
 
@@ -53,11 +54,13 @@ public static class Api
 
     public static IServiceCollection AddLiteCharmsWebSecurity(this IServiceCollection services, IConfiguration configuration)
     {
-        var keysFolder = Path.Combine("/app/shared-keys");
+        var certificate = X509CertificateLoader.LoadPkcs12(Convert.FromBase64String(configuration["DataProtection:Certificate"]!), configuration["DataProtection:Password"]);
 
-        services.AddDataProtection()
+        services.AddDataProtection().PersistKeysToDbContext<DataProtectionDbContext>()
-            .PersistKeysToFileSystem(new DirectoryInfo(keysFolder))
+            .ProtectKeysWithCertificate(certificate)
-            .SetApplicationName("MidrandBooks");
+            .SetApplicationName("LiteCharmsApp");
+
+        services.ConfigureCookieOidcSameSiteSupport();
 
         var configSection = configuration.GetSection(nameof(LiteCharmsSettings));
 
@@ -71,17 +74,26 @@ public static class Api
             options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
             options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
         })
-        .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
+        .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
+        {
+            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+            options.Cookie.SameSite = SameSiteMode.Lax;
+            options.Cookie.Name = "LiteCharmsApp.Session";
+        })
         .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
         {
             options.Authority = authOptions.Authority;
-
             options.ClientId = authOptions.ClientId;
             options.ClientSecret = authOptions.ClientSecret;
             options.ResponseType = "code";
         
             options.SaveTokens = true;
             options.GetClaimsFromUserInfoEndpoint = true;        
+            options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
+            options.CorrelationCookie.SameSite = SameSiteMode.None;
+        
+            options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
+            options.NonceCookie.SameSite = SameSiteMode.None;
         
             options.ForwardSignOut = CookieAuthenticationDefaults.AuthenticationScheme;
         
@@ -114,6 +126,30 @@ public static class Api
         return services;
     }
 
+    private static void ConfigureCookieOidcSameSiteSupport(this IServiceCollection services) =>
+        services.Configure<CookiePolicyOptions>(options =>
+        {
+            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
+            options.OnAppendCookie = cookieContext => CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
+            options.OnDeleteCookie = cookieContext => CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
+        });
+
+    private static void CheckSameSite(HttpContext httpContext, CookieOptions options)
+    {
+        if (options.SameSite == SameSiteMode.None)
+        {
+            bool isSecure = httpContext.Request.IsHttps;
+
+            if (!isSecure && httpContext.Request.Headers.TryGetValue("X-Forwarded-Proto", out var proto))
+                isSecure = string.Equals(proto, "https", StringComparison.OrdinalIgnoreCase);
+
+            if (!isSecure && httpContext.Request.Headers.TryGetValue("Forwarded", out var forwarded))
+                isSecure = forwarded.ToString().Contains("proto=https", StringComparison.OrdinalIgnoreCase);
+                        
+            if (!isSecure) options.SameSite = SameSiteMode.Unspecified;
+        }
+    }
+
     public static IServiceCollection AddLiteCharmsApiSecurity(this IServiceCollection services, IConfiguration configuration)
     {
         var configSection = configuration.GetSection(nameof(LiteCharmsSettings));

LiteCharms.Features/Extensions/Postgres.cs

@@ -1,6 +1,19 @@
-namespace LiteCharms.Features.Extensions;
+using LiteCharms.Features.Postgres;
+
+namespace LiteCharms.Features.Extensions;
 
 public static class Postgres
 {
     public const string SchedulerDbConfigName = "PostgresScheduler";
+    public const string DataProtectionDbConfigName = "PostgresDataProtection";
+
+    public static IServiceCollection AddDataProtectionDatabase(this IServiceCollection services, IConfiguration configuration)
+    {
+        var connectionString = configuration.GetConnectionString(DataProtectionDbConfigName);        
+
+        services.AddPooledDbContextFactory<DataProtectionDbContext>(options =>
+            options.UseNpgsql(connectionString));
+
+        return services;
+    }
 }

LiteCharms.Features/LiteCharms.Features.csproj

@@ -153,9 +153,11 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
     <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.2" />
+    <PackageReference Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="10.0.9" />
 
     <!-- Global Usings -->
     <Using Include="Npgsql" />
+    <Using Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" />
     <Using Include="Microsoft.EntityFrameworkCore" />
     <Using Include="Microsoft.EntityFrameworkCore.Design" />
     <Using Include="Microsoft.EntityFrameworkCore.Metadata.Builders" />
@@ -195,6 +197,7 @@
   <!-- Shared Usings -->
   <ItemGroup>
     <Using Include="Microsoft.AspNetCore.DataProtection" />
+    <Using Include="System.Security.Cryptography.X509Certificates" />
     <Using Include="Microsoft.AspNetCore.Components.Server.ProtectedBrowserStorage" />
     <Using Include="System.Text.Json.Serialization" />
     <Using Include="System.Reflection" />

LiteCharms.Features/Postgres/DataProtectionDbContext.cs

@@ -0,0 +1,13 @@
+namespace LiteCharms.Features.Postgres;
+
+public class DataProtectionDbContext(DbContextOptions<DataProtectionDbContext> options) : DbContext(options), IDataProtectionKeyContext
+{
+    public DbSet<DataProtectionKey> DataProtectionKeys { get; set; }
+
+    protected override void OnModelCreating(ModelBuilder modelBuilder)
+    {
+        base.OnModelCreating(modelBuilder);
+
+        modelBuilder.Entity<DataProtectionKey>(entity => entity.ToTable(nameof(DataProtectionKeys), schema: "security"));
+    }
+}

LiteCharms.Features/Postgres/DataProtectionDbContextFactory.cs

@@ -0,0 +1,20 @@
+using static LiteCharms.Features.Extensions.Postgres;
+
+namespace LiteCharms.Features.Postgres;
+
+public class DataProtectionDbContextFactory : IDesignTimeDbContextFactory<DataProtectionDbContext>
+{
+    public DataProtectionDbContext CreateDbContext(string[] args)
+    {
+        var configuration = new ConfigurationBuilder()
+            .SetBasePath(Directory.GetCurrentDirectory())
+            .AddUserSecrets(typeof(DataProtectionDbContext).Assembly)
+            .AddEnvironmentVariables()
+            .Build();
+
+        var optionsBuilder = new DbContextOptionsBuilder<DataProtectionDbContext>();
+        optionsBuilder.UseNpgsql(configuration.GetConnectionString(DataProtectionDbConfigName));
+
+        return new DataProtectionDbContext(optionsBuilder.Options);
+    }
+}

LiteCharms.Features/Postgres/Migrations/20260614075149_Init.Designer.cs

@@ -0,0 +1,48 @@
+// <auto-generated />
+using LiteCharms.Features.Postgres;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace LiteCharms.Features.Postgres.Migrations
+{
+    [DbContext(typeof(DataProtectionDbContext))]
+    [Migration("20260614075149_Init")]
+    partial class Init
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "10.0.9")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.DataProtectionKey", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("FriendlyName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Xml")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("DataProtectionKeys", "security");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}

LiteCharms.Features/Postgres/Migrations/20260614075149_Init.cs

@@ -0,0 +1,41 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace LiteCharms.Features.Postgres.Migrations
+{
+    /// <inheritdoc />
+    public partial class Init : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.EnsureSchema(
+                name: "security");
+
+            migrationBuilder.CreateTable(
+                name: "DataProtectionKeys",
+                schema: "security",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    FriendlyName = table.Column<string>(type: "text", nullable: true),
+                    Xml = table.Column<string>(type: "text", nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_DataProtectionKeys", x => x.Id);
+                });
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropTable(
+                name: "DataProtectionKeys",
+                schema: "security");
+        }
+    }
+}

LiteCharms.Features/Postgres/Migrations/DataProtectionDbContextModelSnapshot.cs

@@ -0,0 +1,45 @@
+// <auto-generated />
+using LiteCharms.Features.Postgres;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace LiteCharms.Features.Postgres.Migrations
+{
+    [DbContext(typeof(DataProtectionDbContext))]
+    partial class DataProtectionDbContextModelSnapshot : ModelSnapshot
+    {
+        protected override void BuildModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "10.0.9")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.DataProtectionKey", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("FriendlyName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Xml")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("DataProtectionKeys", "security");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}