JwtAuthProvider and killing the token

jezzsantos · January 12, 2017, 1:51am

We are using the JwtAuthProvider in a combo with a custom CredentialsAuthProvider.

The idea is that we (the API) gets the username+password from the user (in a special API) and then calls Authenticate on the CredentialsAuthProvider. The CredentialsAuthProvider does the actual credential validation and populates the Session.

Since we are also using the JwtAuthProvider, that guy auto-magically creates a ss-tok token cookie and we relay that to our client. As long as the token cookie is present the user is signed in.

On every request to the API we want check that the user’s session is still valid (special criteria external to the SS AuthFeature).
We need to verify these conditions every API call, and then either: expire the ss-tok, or logout, or otherwise get rid of the users sessions somehow - not sure which is the right action at this point.

I was hoping we could handle a PreAuthenticate type of event or some such thing on the JwtAuthProvider, and then run our code to figure out if the user’s session should still be valid, and if not invalidate it.
But don’t see how to do that anywhere.

Where is the best place to do that kind of thing? and what should be done in that context?

How would I also make sure that the ss-tok was deleted from the client?

jezzsantos · January 12, 2017, 8:38pm

As an idea, would it be valid to create a custom IAuthWithRequest provider that handles the PreAuthenticate(IRequest req, IResponse res), and does the necessary checks there?

If our checks pass, it does nothing.
If our checks fail, then call Logout() like this:

        public void PreAuthenticate(IRequest req, IResponse res)
        {
            var session = req.GetSession();

            if (session != null
                && session.FromToken
                && session.IsAuthenticated)
            {
                var username = session.UserName;
                if (!IsAccessIsValid(username))
                {
                    var authSvc = req.TryResolve<AuthenticateService>();
                    authSvc.Request = req;
                    Logout(authSvc, null);

                    throw new UnauthorizedAccessException();
                }
            }
        }

Seems to do most of the right things, but wanted to know if this is the right way to delete the session, and if that should work in that context? or if there is a better way?

mythz · January 13, 2017, 5:12pm

Note: the recommended way to resolve a Service is with:

using (var service = HostContext.ResolveService<AuthenticateService>(req))
{
   //..
}

But for if you just want to clear the Users Session you only need to call:

req.RemoveSession();

Which will remove it from the cache. If you also want to remove the existing Session Id Cookies you can call:

req.Response.DeleteSessionCookies();

jezzsantos · January 13, 2017, 7:40pm

OK, cool thanks. Good to know.

We are using IRequest.TryResolve<T> because it is more unit testable/mockable, than using the HostContext.ResolveService.

About the other hints: as I understand it, AuthProvider.Logout pretty much does the things you are recommending, as well as doing a req.Response.DeleteJwtCookie() which is also important to our scenario.

Is there any reason why I wouldn’t call AuthProvider.Logout() rather than roll my own code as you suggest?

jezzsantos · January 13, 2017, 8:07pm

@mythz is throwing the UnauthorizeAccessException still necessary to force a 401 in response to the API call?

mythz · January 14, 2017, 2:09pm

Throwing Exceptions should only be done in Services, in Filters you should write directly to the HTTP Response, e.g:

res.StatusCode = (int)HttpStatusCode.Unauthorized;
res.StatusDescription = "Unauthorized";
res.EndRequest();