Commit efab11b
feat!: Auth Schemes for all types + breaking interval-only time fields
Two related auth changes for 3.13.0:
1. Auth:Schemes — named additional authentication schemes (Cookies / BearerToken / Jwt)
New Auth:Schemes dict registers fully-fledged ASP.NET Core auth schemes
alongside the main one. Login functions select a scheme by returning the
scheme name in the `scheme` column. Use cases:
- short-lived single-session cookies for sensitive operations
- per-scope JWT signing keys (separate JwtSecret limits leak blast radius)
- multiple bearer-token APIs with different expirations / refresh paths
Schemes inherit any unset field from the root Auth section. Per-type
overrides:
- Cookies: CookieValid, CookieName, CookiePath, CookieDomain,
CookieMultiSessions, CookieHttpOnly
- BearerToken: BearerTokenExpire, BearerTokenRefreshPath
- Jwt: JwtExpire, JwtRefreshExpire, JwtSecret, JwtIssuer, JwtAudience,
JwtClockSkew, JwtRefreshPath, all four JwtValidate* flags
Validation at startup: scheme-name collision with main schemes, unsupported
Type, CookieName uniqueness, refresh-path uniqueness across all schemes,
JwtSecret >=32 chars, invalid interval strings.
JwtLoginHandler refactored from singleton to scheme-keyed dict so the
correct config + generator is resolved by scheme name from the login
function. Per-scheme refresh middlewares are constructed in Program.cs
from Builder.AdditionalBearerTokenConfigs / AdditionalJwtTokenConfigs.
2. BREAKING: legacy integer auth time fields removed
Auth:CookieValidDays, BearerTokenExpireHours, JwtExpireMinutes,
JwtRefreshExpireDays are removed in favor of interval notation
(Auth:CookieValid, BearerTokenExpire, JwtExpire, JwtRefreshExpire).
Fail-fast detection (Builder.DetectLegacyAuthTimeFields): any of the four
removed keys in user config throws at startup with a clear migration
message naming the offending field, replacement field, and example
interval. Silently ignoring would risk a "30-day cookies" intent flipping
to the new field's default of 14 days.
Default appsettings.json ships explicit values
("14 days" / "1 hour" / "60 minutes" / "7 days") rather than null, so
users see exactly what they get.
Tests (1932/1932 pass):
- 7 unit tests for simplified ResolveAuthTimeSpan
- 6 fail-fast tests for the four removed legacy fields
- 19 unit tests covering RegisterAuthSchemes across all three types
- 4 integration tests through the full HTTP login pipeline (cookie main,
cookie additional with session-only, JWT main, JWT additional with
per-scheme secret + 5-minute expire)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>1 parent 105b40b commit efab11b
23 files changed
Lines changed: 1897 additions & 92 deletions
File tree
- NpgsqlRestClient
- NpgsqlRestTests
- AuthTests
- Setup
- changelog
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
266 | 266 | | |
267 | 267 | | |
268 | 268 | | |
269 | | - | |
| 269 | + | |
| 270 | + | |
| 271 | + | |
270 | 272 | | |
271 | 273 | | |
272 | 274 | | |
273 | 275 | | |
274 | | - | |
275 | | - | |
276 | | - | |
| 276 | + | |
| 277 | + | |
| 278 | + | |
| 279 | + | |
| 280 | + | |
| 281 | + | |
| 282 | + | |
| 283 | + | |
277 | 284 | | |
278 | 285 | | |
279 | 286 | | |
280 | | - | |
281 | | - | |
| 287 | + | |
| 288 | + | |
| 289 | + | |
| 290 | + | |
282 | 291 | | |
283 | 292 | | |
284 | 293 | | |
285 | 294 | | |
286 | | - | |
| 295 | + | |
287 | 296 | | |
288 | 297 | | |
289 | 298 | | |
| |||
Large diffs are not rendered by default.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
25 | 25 | | |
26 | 26 | | |
27 | 27 | | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
28 | 39 | | |
29 | 40 | | |
30 | 41 | | |
| |||
169 | 180 | | |
170 | 181 | | |
171 | 182 | | |
172 | | - | |
| 183 | + | |
173 | 184 | | |
174 | 185 | | |
175 | 186 | | |
176 | 187 | | |
177 | 188 | | |
178 | 189 | | |
179 | 190 | | |
180 | | - | |
| 191 | + | |
181 | 192 | | |
182 | 193 | | |
183 | 194 | | |
184 | 195 | | |
185 | 196 | | |
186 | 197 | | |
187 | | - | |
188 | | - | |
| 198 | + | |
| 199 | + | |
189 | 200 | | |
190 | 201 | | |
191 | 202 | | |
192 | 203 | | |
193 | 204 | | |
194 | 205 | | |
| 206 | + | |
| 207 | + | |
| 208 | + | |
| 209 | + | |
| 210 | + | |
| 211 | + | |
| 212 | + | |
| 213 | + | |
| 214 | + | |
| 215 | + | |
| 216 | + | |
| 217 | + | |
| 218 | + | |
| 219 | + | |
| 220 | + | |
| 221 | + | |
| 222 | + | |
| 223 | + | |
| 224 | + | |
| 225 | + | |
| 226 | + | |
| 227 | + | |
| 228 | + | |
| 229 | + | |
| 230 | + | |
| 231 | + | |
| 232 | + | |
| 233 | + | |
195 | 234 | | |
196 | 235 | | |
197 | 236 | | |
| |||
627 | 666 | | |
628 | 667 | | |
629 | 668 | | |
| 669 | + | |
| 670 | + | |
| 671 | + | |
| 672 | + | |
| 673 | + | |
| 674 | + | |
| 675 | + | |
| 676 | + | |
| 677 | + | |
| 678 | + | |
| 679 | + | |
| 680 | + | |
| 681 | + | |
| 682 | + | |
630 | 683 | | |
631 | 684 | | |
632 | 685 | | |
| |||
1240 | 1293 | | |
1241 | 1294 | | |
1242 | 1295 | | |
| 1296 | + | |
1243 | 1297 | | |
1244 | 1298 | | |
1245 | 1299 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
61 | 61 | | |
62 | 62 | | |
63 | 63 | | |
64 | | - | |
| 64 | + | |
65 | 65 | | |
66 | 66 | | |
67 | 67 | | |
68 | 68 | | |
69 | 69 | | |
70 | 70 | | |
71 | 71 | | |
72 | | - | |
| 72 | + | |
73 | 73 | | |
74 | 74 | | |
75 | 75 | | |
76 | 76 | | |
77 | 77 | | |
78 | 78 | | |
79 | | - | |
80 | | - | |
| 79 | + | |
| 80 | + | |
81 | 81 | | |
82 | 82 | | |
83 | 83 | | |
84 | 84 | | |
85 | 85 | | |
86 | 86 | | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
| 97 | + | |
| 98 | + | |
| 99 | + | |
| 100 | + | |
| 101 | + | |
| 102 | + | |
| 103 | + | |
| 104 | + | |
| 105 | + | |
| 106 | + | |
| 107 | + | |
| 108 | + | |
87 | 109 | | |
88 | 110 | | |
89 | 111 | | |
| |||
0 commit comments