From 65ad9e6da005dca2c726b440590c25a4afdb3b36 Mon Sep 17 00:00:00 2001 From: Developer 02 Date: Fri, 25 Oct 2024 01:45:17 +0200 Subject: [PATCH] =?UTF-8?q?feat:=20Cookie-basierte=20Authentifizierung=20z?= =?UTF-8?q?ur=20Anwendung=20hinzuf=C3=BCgen?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - `CookieAuthenticationDefaults.AuthenticationScheme` zur Benutzerauthentifizierung integriert. - Cookie-Einstellungen konfiguriert, um die Sicherheit zu erhöhen: - `HttpOnly`-Flag gesetzt, um den Zugriff von clientseitigen Skripten zu verhindern. - `SecurePolicy` so eingestellt, dass Cookies nur über HTTPS-Anfragen gesendet werden. - `SameSite` auf `Strict` gesetzt, um CSRF-Angriffe zu mindern. - Benutzerdefinierte Anmelde-(`/api/auth/login`) und Abmeldepfade (`/api/auth/logout`) definiert. --- WorkFlow.API/Program.cs | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/WorkFlow.API/Program.cs b/WorkFlow.API/Program.cs index 06e70e8..49a1e42 100644 --- a/WorkFlow.API/Program.cs +++ b/WorkFlow.API/Program.cs @@ -2,6 +2,7 @@ using WorkFlow.Application; using DigitalData.UserManager.Application; using Microsoft.EntityFrameworkCore; using WorkFlow.Infrastructure; +using Microsoft.AspNetCore.Authentication.Cookies; var builder = WebApplication.CreateBuilder(args); var config = builder.Configuration; 
@@ -12,7 +13,17 @@ builder.Services.AddDbContext(options => options.UseSqlServer(cnn_s builder.Services.AddWorkFlow().AddUserManager(); builder.Services.AddControllers(); -// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle + +builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme) + .AddCookie(options => + { + options.Cookie.HttpOnly = true; // Makes the cookie inaccessible to client-side scripts for security + options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest; // Ensures cookies are sent over HTTPS only + options.Cookie.SameSite = SameSiteMode.Strict; // Protects against CSRF attacks by restricting how cookies are sent with requests from external sites + options.LoginPath = "/api/auth/login"; + options.LogoutPath = "/api/auth/logout"; + }); + builder.Services.AddEndpointsApiExplorer(); builder.Services.AddSwaggerGen(); @@ -27,6 +38,8 @@ if (app.Environment.IsDevelopment()) app.UseHttpsRedirection(); +app.UseAuthentication(); + app.UseAuthorization(); app.MapControllers();
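Review bot: The comment on `options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest; // Ensures cookies are sent over HTTPS only` does not match the value it annotates: SameAsRequest sets the Secure flag only when the request that issued the cookie itself arrived over HTTPS, so a login handled over plain HTTP (for example behind a TLS-terminating proxy whose forwarded headers are not processed) yields a session cookie the browser will later send in the clear. The commit message also describes the intent as HTTPS-only, so the line should read `options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // Secure flag is always set; the cookie is never sent over plain HTTP`. Separately, with `options.LoginPath = "/api/auth/login"` the cookie handler typically answers an unauthenticated non-AJAX request with a 302 redirect to that path rather than a 401, which API clients generally do not want; if this is a pure API, consider overriding `options.Events.OnRedirectToLogin` (and `OnRedirectToAccessDenied`) to set the response status code to 401/403 and complete without redirecting. The `SameSite = Strict` choice also means a browser front end served from a different site will not get the cookie on cross-site requests, which is fine if the UI is same-site but worth confirming against the actual deployment.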