feat(#478): replace cookie with storage

Author: Zonnex

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiAuthController.cs

@@ -1,9 +1,13 @@
+using ActiveLogin.Authentication.BankId.AspNetCore.Auth;
 using ActiveLogin.Authentication.BankId.AspNetCore.DataProtection;
+using ActiveLogin.Authentication.BankId.AspNetCore.Models;
 using ActiveLogin.Authentication.BankId.AspNetCore.StateHandling;
+using ActiveLogin.Authentication.BankId.Core;
 using ActiveLogin.Authentication.BankId.Core.UserMessage;
 
 using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Localization;
 
@@ -12,25 +16,30 @@ namespace ActiveLogin.Authentication.BankId.AspNetCore.Areas.ActiveLogin.Control
 [Area(BankIdConstants.Routes.ActiveLoginAreaName)]
 [AllowAnonymous]
 [NonController]
-public class BankIdUiAuthController : BankIdUiControllerBase
+public class BankIdUiAuthController(
+    IAntiforgery antiforgery,
+    IStringLocalizer<ActiveLoginResources> localizer,
+    IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
+    IBankIdUiOptionsProtector uiOptionsProtector,
+    IBankIdInvalidStateHandler bankIdInvalidStateHandler,
+    IStateStorage<BankIdUiAuthState> stateStorage
+) : BankIdUiControllerBase<BankIdUiAuthState>(antiforgery, localizer, bankIdUserMessageLocalizer, uiOptionsProtector, bankIdInvalidStateHandler)
 {
-    public BankIdUiAuthController(
-        IAntiforgery antiforgery,
-        IStringLocalizer<ActiveLoginResources> localizer,
-        IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
-        IBankIdUiOptionsProtector uiOptionsProtector,
-        IBankIdInvalidStateHandler bankIdInvalidStateHandler,
-        IBankIdUiStateProtector bankIdUiStateProtector
-    )
-        : base(antiforgery, localizer, bankIdUserMessageLocalizer, uiOptionsProtector, bankIdInvalidStateHandler, bankIdUiStateProtector)
-    {
-
-    }
-
     [HttpGet]
     [Route($"/[area]/{BankIdConstants.Routes.BankIdPathName}/{BankIdConstants.Routes.BankIdAuthControllerPath}")]
     public Task<ActionResult> Init(string returnUrl, [FromQuery(Name = BankIdConstants.QueryStringParameters.UiOptions)] string protectedUiOptions)
     {
         return Initialize(returnUrl, BankIdConstants.Routes.BankIdAuthApiControllerName, protectedUiOptions, "Init");
     }
+
+    protected override Task<BankIdUiAuthState?> GetUIState(BankIdUiOptions uiOptions)
+    {
+        var cookie = HttpContext.Request.Cookies[uiOptions.StateKeyCookieName];
+        if (cookie is null)
+        {
+            return Task.FromResult<BankIdUiAuthState?>(null);
+        }
+        var stateKey = new StateKey(cookie);
+        return stateStorage.RemoveAsync(stateKey);
+    }
 }

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiControllerBase.cs

@@ -5,6 +5,7 @@
 using ActiveLogin.Authentication.BankId.AspNetCore.Models;
 using ActiveLogin.Authentication.BankId.AspNetCore.Sign;
 using ActiveLogin.Authentication.BankId.AspNetCore.StateHandling;
+using ActiveLogin.Authentication.BankId.Core;
 using ActiveLogin.Authentication.BankId.Core.UserMessage;
 
 using Microsoft.AspNetCore.Antiforgery;
@@ -14,30 +15,22 @@
 namespace ActiveLogin.Authentication.BankId.AspNetCore.Areas.ActiveLogin.Controllers;
 
 [NonController]
-public abstract class BankIdUiControllerBase : Controller
+public abstract class BankIdUiControllerBase<T>(
+    IAntiforgery antiforgery,
+    IStringLocalizer<ActiveLoginResources> localizer,
+    IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
+    IBankIdUiOptionsProtector uiOptionsProtector,
+    IBankIdInvalidStateHandler bankIdInvalidStateHandler
+) : Controller
+    where T : BankIdUiState
 {
-    private readonly IAntiforgery _antiforgery;
-    private readonly IStringLocalizer<ActiveLoginResources> _localizer;
-    private readonly IBankIdUserMessageLocalizer _bankIdUserMessageLocalizer;
-    private readonly IBankIdUiOptionsProtector _uiOptionsProtector;
-    private readonly IBankIdInvalidStateHandler _bankIdInvalidStateHandler;
-    private readonly IBankIdUiStateProtector _bankIdUiStateProtector;
-
-    protected BankIdUiControllerBase(
-        IAntiforgery antiforgery,
-        IStringLocalizer<ActiveLoginResources> localizer,
-        IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
-        IBankIdUiOptionsProtector uiOptionsProtector,
-        IBankIdInvalidStateHandler bankIdInvalidStateHandler,
-        IBankIdUiStateProtector bankIdUiStateProtector)
-    {
-        _antiforgery = antiforgery;
-        _localizer = localizer;
-        _bankIdUserMessageLocalizer = bankIdUserMessageLocalizer;
-        _uiOptionsProtector = uiOptionsProtector;
-        _bankIdInvalidStateHandler = bankIdInvalidStateHandler;
-        _bankIdUiStateProtector = bankIdUiStateProtector;
-    }
+    private readonly IAntiforgery _antiforgery = antiforgery;
+    private readonly IStringLocalizer<ActiveLoginResources> _localizer = localizer;
+    private readonly IBankIdUserMessageLocalizer _bankIdUserMessageLocalizer = bankIdUserMessageLocalizer;
+    private readonly IBankIdUiOptionsProtector _uiOptionsProtector = uiOptionsProtector;
+    private readonly IBankIdInvalidStateHandler _bankIdInvalidStateHandler = bankIdInvalidStateHandler;
+
+    protected abstract Task<T?> GetUIState(BankIdUiOptions uiOptions);
 
     protected async Task<ActionResult> Initialize(string returnUrl, string apiControllerName, string protectedUiOptions, string viewName)
     {
@@ -58,32 +51,40 @@ protected async Task<ActionResult> Initialize(string returnUrl, string apiContro
             return new EmptyResult();
         }
 
-        var antiforgeryTokens = _antiforgery.GetAndStoreTokens(HttpContext);
+        var state = await GetUIState(uiOptions);
 
-        var protectedState = Request.Cookies[uiOptions.StateCookieName];
-        if(protectedState == null)
+        if (state == null)
         {
             var invalidStateContext = new BankIdInvalidStateContext(uiOptions.CancelReturnUrl);
             await _bankIdInvalidStateHandler.HandleAsync(invalidStateContext);
 
             return new EmptyResult();
         }
-        var state = _bankIdUiStateProtector.Unprotect(protectedState);
 
+        var antiforgeryTokens = _antiforgery.GetAndStoreTokens(HttpContext);
         var viewModel = GetUiViewModel(returnUrl, apiControllerName, protectedUiOptions, uiOptions, state, antiforgeryTokens);
 
         return View(viewName, viewModel);
     }
 
     private bool HasStateCookie(BankIdUiOptions uiOptions)
     {
-        if (string.IsNullOrEmpty(uiOptions.StateCookieName)
-            || !HttpContext.Request.Cookies.ContainsKey(uiOptions.StateCookieName))
+        if (string.IsNullOrEmpty(uiOptions.StateKeyCookieName))
+        {
+            return false;
+        }
+
+        if (!HttpContext.Request.Cookies.ContainsKey(uiOptions.StateKeyCookieName))
+        {
+            return false;
+        }
+
+        if (string.IsNullOrEmpty(HttpContext.Request.Cookies[uiOptions.StateKeyCookieName]))
         {
             return false;
         }
 
-        return !string.IsNullOrEmpty(HttpContext.Request.Cookies[uiOptions.StateCookieName]);
+        return true;
     }
 
     private BankIdUiViewModel GetUiViewModel(string returnUrl, string apiControllerName, string protectedUiOptions, BankIdUiOptions unprotectedUiOptions, BankIdUiState uiState, AntiforgeryTokenSet antiforgeryTokens)
@@ -122,7 +123,7 @@ private BankIdUiViewModel GetUiViewModel(string returnUrl, string apiControllerN
         var localizedCancelButtonText = _localizer["Cancel_Button"];
         var localizedQrCodeImageAltText = _localizer["Qr_Code_Image"];
 
-        if(uiState is BankIdUiSignState signState)
+        if (uiState is BankIdUiSignState signState)
         {
             var uiSignData = new BankIdUiSignData
             {

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiSignApiController.cs

@@ -5,6 +5,7 @@
 using ActiveLogin.Authentication.BankId.AspNetCore.Helpers;
 using ActiveLogin.Authentication.BankId.AspNetCore.Models;
 using ActiveLogin.Authentication.BankId.AspNetCore.Sign;
+using ActiveLogin.Authentication.BankId.Core;
 using ActiveLogin.Authentication.BankId.Core.Flow;
 using ActiveLogin.Authentication.BankId.Core.Models;
 using ActiveLogin.Authentication.BankId.Core.UserMessage;
@@ -19,24 +20,17 @@ namespace ActiveLogin.Authentication.BankId.AspNetCore.Areas.ActiveLogin.Control
 [ApiController]
 [AllowAnonymous]
 [NonController]
-public class BankIdUiSignApiController : BankIdUiApiControllerBase
+public class BankIdUiSignApiController(
+    IBankIdFlowService bankIdFlowService,
+    IBankIdUiOrderRefProtector orderRefProtector,
+    IBankIdQrStartStateProtector qrStartStateProtector,
+    IBankIdUiOptionsProtector uiOptionsProtector,
+    IBankIdUserMessage bankIdUserMessage,
+    IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
+    IBankIdUiResultProtector uiAuthResultProtector,
+    IStateStorage<BankIdUiSignState> stateStorage
+) : BankIdUiApiControllerBase(bankIdFlowService, orderRefProtector, qrStartStateProtector, uiOptionsProtector, bankIdUserMessage, bankIdUserMessageLocalizer, uiAuthResultProtector)
 {
-    private readonly IBankIdUiStateProtector _bankIdUiStateProtector;
-
-    public BankIdUiSignApiController(
-        IBankIdFlowService bankIdFlowService,
-        IBankIdUiOrderRefProtector orderRefProtector,
-        IBankIdQrStartStateProtector qrStartStateProtector,
-        IBankIdUiOptionsProtector uiOptionsProtector,
-        IBankIdUserMessage bankIdUserMessage,
-        IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
-        IBankIdUiResultProtector uiAuthResultProtector,
-        IBankIdUiStateProtector bankIdUiStateProtector)
-        : base(bankIdFlowService, orderRefProtector, qrStartStateProtector, uiOptionsProtector, bankIdUserMessage, bankIdUserMessageLocalizer, uiAuthResultProtector)
-    {
-        _bankIdUiStateProtector = bankIdUiStateProtector;
-    }
-
     [ValidateAntiForgeryToken]
     [HttpPost(BankIdConstants.Routes.BankIdApiInitializeActionName)]
     public async Task<ActionResult<BankIdUiApiInitializeResponse>> Initialize(BankIdUiApiInitializeRequest request)
@@ -46,8 +40,8 @@ public async Task<ActionResult<BankIdUiApiInitializeResponse>> Initialize(BankId
 
         var uiOptions = UiOptionsProtector.Unprotect(request.UiOptions);
 
-        var state = GetStateFromCookie(uiOptions);
-        if(state == null)
+        var state = await GetState(uiOptions);
+        if (state == null)
         {
             throw new InvalidOperationException(BankIdConstants.ErrorMessages.InvalidStateCookie);
         }
@@ -103,14 +97,15 @@ public async Task<ActionResult<BankIdUiApiInitializeResponse>> Initialize(BankId
         }
     }
 
-    private BankIdUiSignState? GetStateFromCookie(BankIdUiOptions uiOptions)
+    private Task<BankIdUiSignState?> GetState(BankIdUiOptions uiOptions)
     {
-        var protectedState = Request.Cookies[uiOptions.StateCookieName];
-        if (protectedState == null)
+        var cookie = Request.Cookies[uiOptions.StateKeyCookieName];
+        if (cookie == null)
         {
-            throw new InvalidOperationException(BankIdConstants.ErrorMessages.InvalidStateCookie);
+            return Task.FromResult<BankIdUiSignState?>(null);
         }
 
-        return _bankIdUiStateProtector.Unprotect(protectedState) as BankIdUiSignState;
+        var stateKey = new StateKey(cookie);
+        return stateStorage.ReadAsync(stateKey);
     }
 }

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiSignController.cs

@@ -1,9 +1,14 @@
+using ActiveLogin.Authentication.BankId.AspNetCore.Areas.ActiveLogin.Models;
 using ActiveLogin.Authentication.BankId.AspNetCore.DataProtection;
+using ActiveLogin.Authentication.BankId.AspNetCore.Models;
+using ActiveLogin.Authentication.BankId.AspNetCore.Sign;
 using ActiveLogin.Authentication.BankId.AspNetCore.StateHandling;
+using ActiveLogin.Authentication.BankId.Core;
 using ActiveLogin.Authentication.BankId.Core.UserMessage;
 
 using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Localization;
 
@@ -12,26 +17,31 @@ namespace ActiveLogin.Authentication.BankId.AspNetCore.Areas.ActiveLogin.Control
 [Area(BankIdConstants.Routes.ActiveLoginAreaName)]
 [AllowAnonymous]
 [NonController]
-public class BankIdUiSignController : BankIdUiControllerBase
+public class BankIdUiSignController(
+    IAntiforgery antiforgery,
+    IStringLocalizer<ActiveLoginResources> localizer,
+    IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
+    IBankIdUiOptionsProtector uiOptionsProtector,
+    IBankIdInvalidStateHandler bankIdInvalidStateHandler,
+    IStateStorage<BankIdUiSignState> stateStorage
+) : BankIdUiControllerBase<BankIdUiSignState>(antiforgery, localizer, bankIdUserMessageLocalizer, uiOptionsProtector, bankIdInvalidStateHandler)
 {
-    public BankIdUiSignController(
-        IAntiforgery antiforgery,
-        IStringLocalizer<ActiveLoginResources> localizer,
-        IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
-        IBankIdUiOptionsProtector uiOptionsProtector,
-        IBankIdInvalidStateHandler bankIdInvalidStateHandler,
-        IBankIdUiStateProtector bankIdUiStateProtector
-    )
-        : base(antiforgery, localizer, bankIdUserMessageLocalizer, uiOptionsProtector, bankIdInvalidStateHandler, bankIdUiStateProtector)
-    {
-
-    }
-
     [HttpGet]
     [AllowAnonymous]
     [Route($"/[area]/{BankIdConstants.Routes.BankIdPathName}/{BankIdConstants.Routes.BankIdSignControllerPath}")]
     public Task<ActionResult> Init(string returnUrl, [FromQuery(Name = BankIdConstants.QueryStringParameters.UiOptions)] string protectedUiOptions)
     {
         return Initialize(returnUrl, BankIdConstants.Routes.BankIdSignApiControllerName, protectedUiOptions, "Init");
     }
+
+    protected override Task<BankIdUiSignState?> GetUIState(BankIdUiOptions uiOptions)
+    {
+        var cookie = HttpContext.Request.Cookies[uiOptions.StateKeyCookieName];
+        if (cookie is null)
+        {
+            return Task.FromResult<BankIdUiSignState?>(null);
+        }
+        var stateKey = new StateKey(cookie);
+        return stateStorage.RemoveAsync(stateKey);
+    }
 }

src/ActiveLogin.Authentication.BankId.AspNetCore/Auth/AuthenticationBuilderBankIdExtensions.cs

@@ -1,6 +1,7 @@
 using ActiveLogin.Authentication.BankId.AspNetCore.ApplicationFeatureProviders;
 using ActiveLogin.Authentication.BankId.AspNetCore.ClaimsTransformation;
 using ActiveLogin.Authentication.BankId.AspNetCore.DataProtection;
+using ActiveLogin.Authentication.BankId.AspNetCore.Sign;
 using ActiveLogin.Authentication.BankId.Core;
 using ActiveLogin.Authentication.BankId.Core.Requirements;
 using ActiveLogin.Authentication.BankId.Core.UserData;
@@ -72,7 +73,8 @@ private static void AddBankIdAuthDefaultServices(IBankIdAuthBuilder builder)
 
         BankIdCommonConfiguration.AddDefaultServices(services);
 
-        services.AddTransient<IBankIdUiStateProtector, BankIdUiStateProtector>();
+        // services.AddTransient<IBankIdUiStateProtector, BankIdUiStateProtector>();
+        services.AddSingleton<IStateStorage<BankIdUiAuthState>, InMemoryStateStorage<BankIdUiAuthState>>();
         services.AddTransient<IBankIdUiResultProtector, BankIdUiResultProtector>();
 
         builder.AddClaimsTransformer<BankIdDefaultClaimsTransformer>();