From 8445757f34882a0d457b71624a23c213bd837f24 Mon Sep 17 00:00:00 2001
From: TekH
Date: Thu, 20 Nov 2025 10:32:32 +0100
Subject: [PATCH] feat: replace default cookie events with custom EnvelopeCookieManager and introduce custom auth cookie name (env_auth)
---
 EnvelopeGenerator.Web/Program.cs | 40 +++++++++----------------------
 1 file changed, 11 insertions(+), 29 deletions(-)
diff --git a/EnvelopeGenerator.Web/Program.cs b/EnvelopeGenerator.Web/Program.cs
index 51b71527..abb2bb5a 100644
--- a/EnvelopeGenerator.Web/Program.cs
+++ b/EnvelopeGenerator.Web/Program.cs
@@ -17,6 +17,7 @@ using EnvelopeGenerator.Web.Models.Annotation;
 using DigitalData.UserManager.DependencyInjection;
 using EnvelopeGenerator.Web.Middleware;
 using EnvelopeGenerator.Application.Common.Interfaces.Services;
+using EnvelopeGenerator.Web;
 var logger = LogManager.Setup().LoadConfigurationFromAppSettings().GetCurrentClassLogger();
 logger.Info("Logging initialized!");
@@ -134,41 +135,22 @@ try
 options.ConsentCookie.Name = "cookie-consent-settings";
 });
+ var authCookieName = "env_auth";
 builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
 .AddCookie(options =>
 {
- options.Cookie.HttpOnly = true; // Makes the cookie inaccessible to client-side scripts for security
- options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest; // Ensures cookies are sent over HTTPS only
- options.Cookie.SameSite = SameSiteMode.Strict; // Protects against CSRF attacks by restricting how cookies are sent with requests from external sites
+ options.Cookie.Name = authCookieName;
+ options.CookieManager = new EnvelopeCookieManager(authCookieName);
+ options.Cookie.HttpOnly = true;
+ options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
+ options.Cookie.SameSite = SameSiteMode.Strict;
 options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
-
- options.Events = new CookieAuthenticationEvents
- {
- OnRedirectToLogin = context =>
- {
- // Dynamically calculate the redirection path, for example:
- var envelopeReceiverId = context.HttpContext.Request.RouteValues["envelopeReceiverId"];
- context.RedirectUri = $"/EnvelopeKey/{envelopeReceiverId}";
-
- context.Response.Redirect(context.RedirectUri);
- return Task.CompletedTask;
- },
- OnRedirectToLogout = context =>
- {
- // Apply a similar redirection logic for logout
- var envelopeReceiverId = context.HttpContext.Request.RouteValues["envelopeReceiverId"];
- context.RedirectUri = $"/EnvelopeKey/{envelopeReceiverId}";
-
- context.Response.Redirect(context.RedirectUri);
- return Task.CompletedTask;
- }
- };
 });
 builder.Services.AddSingleton(config.GetSection("ContactLink").Get() ?? new());
 builder.Services.AddCookieBasedLocalizer();
-
+
 builder.Services.AddSingleton(HtmlEncoder.Default);
 builder.Services.AddSingleton(UrlEncoder.Default);
 builder.Services.AddSanitizer();
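Review bot: `CookieSecurePolicy.SameAsRequest` on the re-added SecurePolicy line only sets the Secure flag when the request itself arrived over HTTPS, so the new `env_auth` session cookie is issued without it on any plain-HTTP request (and, if a TLS-terminating proxy sits in front and forwarded headers are not applied, on every request — this hunk does not show the proxy setup); for an authentication cookie the safer setting is `options.Cookie.SecurePolicy = CookieSecurePolicy.Always;`. `EnvelopeCookieManager` is not part of this diff, and as the `ICookieManager` it is the component that actually emits the Set-Cookie header, so the HttpOnly/SecurePolicy/SameSite settings on the following lines only take effect if it passes the `CookieOptions` it is handed through unchanged — worth confirming, and a comment such as `// EnvelopeCookieManager must forward the CookieOptions built from options.Cookie; the flags above are applied there` would record that contract next to the assignment. Dropping the `OnRedirectToLogin`/`OnRedirectToLogout` handlers also means an unauthenticated challenge now falls back to the default `LoginPath` (`/Account/Login`) unless it is configured elsewhere, which a cookie manager does not replace; confirm that route exists or set `options.LoginPath` explicitly in this `AddCookie` block. The `AddCookie` configuration is complete within the hunk, but the enclosing `try` block begins before it.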
@@ -249,7 +231,7 @@ try
 app.UseAuthorization();
 var cultures = app.Services.GetRequiredService();
- if(!cultures.Any())
+ if (!cultures.Any())
 throw new InvalidOperationException(@"Languages section is missing in the appsettings. Please configure like following. Language is both a name of the culture and the name of the resx file such as Resource.de-DE.resx FIClass is the css class (in wwwroot/lib/flag-icons-main) for the flag of country.
@@ -264,7 +246,7 @@ try
 } ]");
- if(!config.GetValue("DisableMultiLanguage"))
+ if (!config.GetValue("DisableMultiLanguage"))
 app.UseCookieBasedLocalizer(cultures.Languages.ToArray());
 app.UseCors("SameOriginPolicy");
@@ -273,7 +255,7 @@ try
 app.MapFallbackToController("Error404", "Home");
 app.Run();
 }
-catch(Exception ex)
+catch (Exception ex)
 {
 logger.Error(ex, "Stopped program because of exception");
 throw;