feat(#478): replace cookie with storage

Author: Zonnex

samples/Standalone.MvcSample/Standalone.MvcSample.csproj

@@ -31,6 +31,6 @@
     </ItemGroup>
 
     <ItemGroup>
-        <PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.22.0" />
+        <PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.23.0" />
     </ItemGroup>
 </Project>

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiApiControllerBase.cs

@@ -8,6 +8,7 @@
 using ActiveLogin.Authentication.BankId.AspNetCore.DataProtection;
 using ActiveLogin.Authentication.BankId.AspNetCore.Helpers;
 using ActiveLogin.Authentication.BankId.AspNetCore.Models;
+using ActiveLogin.Authentication.BankId.Core;
 using ActiveLogin.Authentication.BankId.Core.Flow;
 using ActiveLogin.Authentication.BankId.Core.UserMessage;
 
@@ -25,6 +26,7 @@ public abstract class BankIdUiApiControllerBase : ControllerBase
     protected readonly IBankIdUiOrderRefProtector OrderRefProtector;
     protected readonly IBankIdQrStartStateProtector QrStartStateProtector;
     protected readonly IBankIdUiOptionsProtector UiOptionsProtector;
+    protected readonly IStateStorage _stateStorage;
 
     private readonly IBankIdUserMessage _bankIdUserMessage;
     private readonly IBankIdUserMessageLocalizer _bankIdUserMessageLocalizer;
@@ -38,7 +40,8 @@ protected BankIdUiApiControllerBase(
 
         IBankIdUserMessage bankIdUserMessage,
         IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
-        IBankIdUiResultProtector uiAuthResultProtector
+        IBankIdUiResultProtector uiAuthResultProtector,
+        IStateStorage stateStorage
 
     )
     {
@@ -50,6 +53,7 @@ IBankIdUiResultProtector uiAuthResultProtector
         _bankIdUserMessage = bankIdUserMessage;
         _bankIdUserMessageLocalizer = bankIdUserMessageLocalizer;
         _uiAuthResultProtector = uiAuthResultProtector;
+        _stateStorage = stateStorage;
     }
 
     [ValidateAntiForgeryToken]

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiAuthApiController.cs

@@ -6,7 +6,7 @@
 using ActiveLogin.Authentication.BankId.AspNetCore.Models;
 using ActiveLogin.Authentication.BankId.Core.Flow;
 using ActiveLogin.Authentication.BankId.Core.UserMessage;
-
+using ActiveLogin.Authentication.BankId.Core;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
@@ -26,8 +26,10 @@ public BankIdUiAuthApiController(
         IBankIdUiOptionsProtector uiOptionsProtector,
         IBankIdUserMessage bankIdUserMessage,
         IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
-        IBankIdUiResultProtector uiAuthResultProtector)
-        : base(bankIdFlowService, orderRefProtector, qrStartStateProtector, uiOptionsProtector, bankIdUserMessage, bankIdUserMessageLocalizer, uiAuthResultProtector)
+        IBankIdUiResultProtector uiAuthResultProtector,
+        IStateStorage stateStorage
+        )
+        : base(bankIdFlowService, orderRefProtector, qrStartStateProtector, uiOptionsProtector, bankIdUserMessage, bankIdUserMessageLocalizer, uiAuthResultProtector, stateStorage)
     {
     }
 

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiAuthController.cs

@@ -1,9 +1,13 @@
+using ActiveLogin.Authentication.BankId.AspNetCore.Auth;
 using ActiveLogin.Authentication.BankId.AspNetCore.DataProtection;
+using ActiveLogin.Authentication.BankId.AspNetCore.Models;
 using ActiveLogin.Authentication.BankId.AspNetCore.StateHandling;
+using ActiveLogin.Authentication.BankId.Core;
 using ActiveLogin.Authentication.BankId.Core.UserMessage;
 
 using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Localization;
 
@@ -12,21 +16,15 @@ namespace ActiveLogin.Authentication.BankId.AspNetCore.Areas.ActiveLogin.Control
 [Area(BankIdConstants.Routes.ActiveLoginAreaName)]
 [AllowAnonymous]
 [NonController]
-public class BankIdUiAuthController : BankIdUiControllerBase
+public class BankIdUiAuthController(
+    IAntiforgery antiforgery,
+    IStringLocalizer<ActiveLoginResources> localizer,
+    IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
+    IBankIdUiOptionsProtector uiOptionsProtector,
+    IBankIdInvalidStateHandler bankIdInvalidStateHandler,
+    IStateStorage stateStorage
+) : BankIdUiControllerBase<BankIdUiAuthState>(antiforgery, localizer, bankIdUserMessageLocalizer, uiOptionsProtector, bankIdInvalidStateHandler, stateStorage)
 {
-    public BankIdUiAuthController(
-        IAntiforgery antiforgery,
-        IStringLocalizer<ActiveLoginResources> localizer,
-        IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
-        IBankIdUiOptionsProtector uiOptionsProtector,
-        IBankIdInvalidStateHandler bankIdInvalidStateHandler,
-        IBankIdUiStateProtector bankIdUiStateProtector
-    )
-        : base(antiforgery, localizer, bankIdUserMessageLocalizer, uiOptionsProtector, bankIdInvalidStateHandler, bankIdUiStateProtector)
-    {
-
-    }
-
     [HttpGet]
     [Route($"/[area]/{BankIdConstants.Routes.BankIdPathName}/{BankIdConstants.Routes.BankIdAuthControllerPath}")]
     public Task<ActionResult> Init(string returnUrl, [FromQuery(Name = BankIdConstants.QueryStringParameters.UiOptions)] string protectedUiOptions)

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiControllerBase.cs

@@ -5,6 +5,7 @@
 using ActiveLogin.Authentication.BankId.AspNetCore.Models;
 using ActiveLogin.Authentication.BankId.AspNetCore.Sign;
 using ActiveLogin.Authentication.BankId.AspNetCore.StateHandling;
+using ActiveLogin.Authentication.BankId.Core;
 using ActiveLogin.Authentication.BankId.Core.UserMessage;
 
 using Microsoft.AspNetCore.Antiforgery;
@@ -14,29 +15,42 @@
 namespace ActiveLogin.Authentication.BankId.AspNetCore.Areas.ActiveLogin.Controllers;
 
 [NonController]
-public abstract class BankIdUiControllerBase : Controller
+public abstract class BankIdUiControllerBase<T> : Controller
+    where T : BankIdUiState
 {
     private readonly IAntiforgery _antiforgery;
     private readonly IStringLocalizer<ActiveLoginResources> _localizer;
     private readonly IBankIdUserMessageLocalizer _bankIdUserMessageLocalizer;
     private readonly IBankIdUiOptionsProtector _uiOptionsProtector;
     private readonly IBankIdInvalidStateHandler _bankIdInvalidStateHandler;
-    private readonly IBankIdUiStateProtector _bankIdUiStateProtector;
+    private readonly IStateStorage stateStorage;
 
-    protected BankIdUiControllerBase(
+    public BankIdUiControllerBase(
         IAntiforgery antiforgery,
         IStringLocalizer<ActiveLoginResources> localizer,
         IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
         IBankIdUiOptionsProtector uiOptionsProtector,
         IBankIdInvalidStateHandler bankIdInvalidStateHandler,
-        IBankIdUiStateProtector bankIdUiStateProtector)
+        IStateStorage stateStorage
+)
     {
+        this.stateStorage = stateStorage;
         _antiforgery = antiforgery;
         _localizer = localizer;
         _bankIdUserMessageLocalizer = bankIdUserMessageLocalizer;
         _uiOptionsProtector = uiOptionsProtector;
         _bankIdInvalidStateHandler = bankIdInvalidStateHandler;
-        _bankIdUiStateProtector = bankIdUiStateProtector;
+    }
+
+    protected async Task<T?> GetUIState(BankIdUiOptions uiOptions)
+    {
+        var cookie = HttpContext.Request.Cookies[uiOptions.StateKeyCookieName];
+        if (cookie is null)
+        {
+            return default;
+        }
+        var stateKey = new StateKey(cookie);
+        return await stateStorage.GetAsync<T>(stateKey);
     }
 
     protected async Task<ActionResult> Initialize(string returnUrl, string apiControllerName, string protectedUiOptions, string viewName)
@@ -58,32 +72,40 @@ protected async Task<ActionResult> Initialize(string returnUrl, string apiContro
             return new EmptyResult();
         }
 
-        var antiforgeryTokens = _antiforgery.GetAndStoreTokens(HttpContext);
+        var state = await GetUIState(uiOptions);
 
-        var protectedState = Request.Cookies[uiOptions.StateCookieName];
-        if(protectedState == null)
+        if (state == null)
         {
             var invalidStateContext = new BankIdInvalidStateContext(uiOptions.CancelReturnUrl);
             await _bankIdInvalidStateHandler.HandleAsync(invalidStateContext);
 
             return new EmptyResult();
         }
-        var state = _bankIdUiStateProtector.Unprotect(protectedState);
 
+        var antiforgeryTokens = _antiforgery.GetAndStoreTokens(HttpContext);
         var viewModel = GetUiViewModel(returnUrl, apiControllerName, protectedUiOptions, uiOptions, state, antiforgeryTokens);
 
         return View(viewName, viewModel);
     }
 
     private bool HasStateCookie(BankIdUiOptions uiOptions)
     {
-        if (string.IsNullOrEmpty(uiOptions.StateCookieName)
-            || !HttpContext.Request.Cookies.ContainsKey(uiOptions.StateCookieName))
+        if (string.IsNullOrEmpty(uiOptions.StateKeyCookieName))
+        {
+            return false;
+        }
+
+        if (!HttpContext.Request.Cookies.ContainsKey(uiOptions.StateKeyCookieName))
+        {
+            return false;
+        }
+
+        if (string.IsNullOrEmpty(HttpContext.Request.Cookies[uiOptions.StateKeyCookieName]))
         {
             return false;
         }
 
-        return !string.IsNullOrEmpty(HttpContext.Request.Cookies[uiOptions.StateCookieName]);
+        return true;
     }
 
     private BankIdUiViewModel GetUiViewModel(string returnUrl, string apiControllerName, string protectedUiOptions, BankIdUiOptions unprotectedUiOptions, BankIdUiState uiState, AntiforgeryTokenSet antiforgeryTokens)
@@ -122,7 +144,7 @@ private BankIdUiViewModel GetUiViewModel(string returnUrl, string apiControllerN
         var localizedCancelButtonText = _localizer["Cancel_Button"];
         var localizedQrCodeImageAltText = _localizer["Qr_Code_Image"];
 
-        if(uiState is BankIdUiSignState signState)
+        if (uiState is BankIdUiSignState signState)
         {
             var uiSignData = new BankIdUiSignData
             {

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiSignApiController.cs

@@ -5,6 +5,7 @@
 using ActiveLogin.Authentication.BankId.AspNetCore.Helpers;
 using ActiveLogin.Authentication.BankId.AspNetCore.Models;
 using ActiveLogin.Authentication.BankId.AspNetCore.Sign;
+using ActiveLogin.Authentication.BankId.Core;
 using ActiveLogin.Authentication.BankId.Core.Flow;
 using ActiveLogin.Authentication.BankId.Core.Models;
 using ActiveLogin.Authentication.BankId.Core.UserMessage;
@@ -21,8 +22,6 @@ namespace ActiveLogin.Authentication.BankId.AspNetCore.Areas.ActiveLogin.Control
 [NonController]
 public class BankIdUiSignApiController : BankIdUiApiControllerBase
 {
-    private readonly IBankIdUiStateProtector _bankIdUiStateProtector;
-
     public BankIdUiSignApiController(
         IBankIdFlowService bankIdFlowService,
         IBankIdUiOrderRefProtector orderRefProtector,
@@ -31,10 +30,9 @@ public BankIdUiSignApiController(
         IBankIdUserMessage bankIdUserMessage,
         IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
         IBankIdUiResultProtector uiAuthResultProtector,
-        IBankIdUiStateProtector bankIdUiStateProtector)
-        : base(bankIdFlowService, orderRefProtector, qrStartStateProtector, uiOptionsProtector, bankIdUserMessage, bankIdUserMessageLocalizer, uiAuthResultProtector)
+        IStateStorage stateStorage
+    ) : base(bankIdFlowService, orderRefProtector, qrStartStateProtector, uiOptionsProtector, bankIdUserMessage, bankIdUserMessageLocalizer, uiAuthResultProtector, stateStorage)
     {
-        _bankIdUiStateProtector = bankIdUiStateProtector;
     }
 
     [ValidateAntiForgeryToken]
@@ -46,8 +44,8 @@ public async Task<ActionResult<BankIdUiApiInitializeResponse>> Initialize(BankId
 
         var uiOptions = UiOptionsProtector.Unprotect(request.UiOptions);
 
-        var state = GetStateFromCookie(uiOptions);
-        if(state == null)
+        var state = await GetState(uiOptions);
+        if (state == null)
         {
             throw new InvalidOperationException(BankIdConstants.ErrorMessages.InvalidStateCookie);
         }
@@ -105,14 +103,15 @@ public async Task<ActionResult<BankIdUiApiInitializeResponse>> Initialize(BankId
         }
     }
 
-    private BankIdUiSignState? GetStateFromCookie(BankIdUiOptions uiOptions)
+    private Task<BankIdUiSignState?> GetState(BankIdUiOptions uiOptions)
     {
-        var protectedState = Request.Cookies[uiOptions.StateCookieName];
-        if (protectedState == null)
+        var cookie = Request.Cookies[uiOptions.StateKeyCookieName];
+        if (cookie == null)
         {
-            throw new InvalidOperationException(BankIdConstants.ErrorMessages.InvalidStateCookie);
+            return Task.FromResult<BankIdUiSignState?>(null);
         }
 
-        return _bankIdUiStateProtector.Unprotect(protectedState) as BankIdUiSignState;
+        var stateKey = new StateKey(cookie);
+        return _stateStorage.GetAsync<BankIdUiSignState>(stateKey);
     }
 }

src/ActiveLogin.Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiSignController.cs

@@ -1,9 +1,14 @@
+using ActiveLogin.Authentication.BankId.AspNetCore.Areas.ActiveLogin.Models;
 using ActiveLogin.Authentication.BankId.AspNetCore.DataProtection;
+using ActiveLogin.Authentication.BankId.AspNetCore.Models;
+using ActiveLogin.Authentication.BankId.AspNetCore.Sign;
 using ActiveLogin.Authentication.BankId.AspNetCore.StateHandling;
+using ActiveLogin.Authentication.BankId.Core;
 using ActiveLogin.Authentication.BankId.Core.UserMessage;
 
 using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Localization;
 
@@ -12,19 +17,17 @@ namespace ActiveLogin.Authentication.BankId.AspNetCore.Areas.ActiveLogin.Control
 [Area(BankIdConstants.Routes.ActiveLoginAreaName)]
 [AllowAnonymous]
 [NonController]
-public class BankIdUiSignController : BankIdUiControllerBase
+public class BankIdUiSignController : BankIdUiControllerBase<BankIdUiSignState>
 {
     public BankIdUiSignController(
         IAntiforgery antiforgery,
         IStringLocalizer<ActiveLoginResources> localizer,
         IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
         IBankIdUiOptionsProtector uiOptionsProtector,
         IBankIdInvalidStateHandler bankIdInvalidStateHandler,
-        IBankIdUiStateProtector bankIdUiStateProtector
-    )
-        : base(antiforgery, localizer, bankIdUserMessageLocalizer, uiOptionsProtector, bankIdInvalidStateHandler, bankIdUiStateProtector)
+        IStateStorage stateStorage
+    ) : base(antiforgery, localizer, bankIdUserMessageLocalizer, uiOptionsProtector, bankIdInvalidStateHandler, stateStorage)
     {
-
     }
 
     [HttpGet]

src/ActiveLogin.Authentication.BankId.AspNetCore/Auth/AuthenticationBuilderBankIdExtensions.cs

@@ -1,6 +1,7 @@
 using ActiveLogin.Authentication.BankId.AspNetCore.ApplicationFeatureProviders;
 using ActiveLogin.Authentication.BankId.AspNetCore.ClaimsTransformation;
 using ActiveLogin.Authentication.BankId.AspNetCore.DataProtection;
+using ActiveLogin.Authentication.BankId.AspNetCore.Sign;
 using ActiveLogin.Authentication.BankId.Core;
 using ActiveLogin.Authentication.BankId.Core.Requirements;
 using ActiveLogin.Authentication.BankId.Core.UserData;
@@ -72,7 +73,7 @@ private static void AddBankIdAuthDefaultServices(IBankIdAuthBuilder builder)
 
         BankIdCommonConfiguration.AddDefaultServices(services);
 
-        services.AddTransient<IBankIdUiStateProtector, BankIdUiStateProtector>();
+        services.AddSingleton<IStateStorage, InMemoryStateStorage>();
         services.AddTransient<IBankIdUiResultProtector, BankIdUiResultProtector>();
 
         builder.AddClaimsTransformer<BankIdDefaultClaimsTransformer>();