jwt refresh token implemented

Author: ajayvishu

ReactwithDotnetCore/Controllers/LoginController.cs

@@ -7,6 +7,7 @@
 using System.Data;
 using System.IdentityModel.Tokens.Jwt;
 using System.Security.Claims;
+using System.Security.Cryptography;
 using System.Text;
 
 namespace ReactwithDotnetCore.Controllers
@@ -17,14 +18,14 @@ public class LoginController(IConfiguration configuration) : Controller
 
         [AllowAnonymous]
         [HttpPost("userlogin")]
-        public IActionResult UserLogin([FromBody] User login)
+        public async Task<IActionResult> UserLogin([FromBody] User login)
         {
             IActionResult response = Unauthorized();
-            var user = AuthenticateUser(login);
+            var user = await AuthenticateUser(login);
             if (user != null)
             {
-                var tokenString = GenerateJSONWebToken(user);
-                response = Ok(new { message = "success", token = tokenString });
+                var (tokenString, refreshToken) = GenerateTokens(user);
+                response = Ok(new { message = "success", token = tokenString, refreshToken });
             }
             return response;
         }
@@ -56,10 +57,50 @@ public async Task<IActionResult> UserRegister([FromBody] User register)
             }
         }
 
-        private string GenerateJSONWebToken(User userInfo)
+        /// <summary>
+        /*
+         * 
+        The purpose of a refresh token is to provide a way to obtain a new access token without requiring the
+        user to re-enter their credentials.Access tokens have a limited lifespan, and when they expire, the 
+        user would typically need to log in again to get a new access token.
+
+        With a refresh token mechanism, when the access token expires, the client can use the refresh token 
+        to obtain a new access token without requiring the user's credentials. This helps in maintaining a 
+        balance between security and user convenience. The refresh token is a long-lived token that can 
+        be securely stored by the client and used to request new access tokens as needed.
+        *
+        */
+        /// </summary>
+        /// <param name="refreshTokenRequest"></param>
+        /// <returns></returns>
+        [AllowAnonymous]
+        [HttpPost("refreshtoken")]
+        public IActionResult RefreshToken([FromBody] RefreshTokenRequest refreshTokenRequest)
+        {
+            IActionResult response = BadRequest("Invalid token");
+            var principal = GetPrincipalFromExpiredToken(refreshTokenRequest.Token);
+
+            if (principal != null)
+            {
+                var username = principal?.Claims?.FirstOrDefault(c => c.Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier")?.Value;
+                if (username != null)
+                {
+                    var user = GetUserByUsername(username);
+
+                    if (user != null && refreshTokenRequest.RefreshToken == user.RefreshToken)
+                    {
+                        var (tokenString, newRefreshToken) = GenerateTokens(user);
+                        response = Ok(new { token = tokenString, refreshToken = newRefreshToken });
+                    }
+                }
+            }
+
+            return response;
+        }
+
+        private (string tokenString, string refreshToken) GenerateTokens(User userInfo)
         {
-            // Ensure the key has at least 256 bits
-            var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration?["Jwt:Key"]?.PadRight(32)));
+            var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["Jwt:Key"]?.PadRight(32) ?? string.Empty));
             var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);
 
             var claims = new[] {
@@ -75,20 +116,74 @@ private string GenerateJSONWebToken(User userInfo)
                 expires: DateTime.Now.AddMinutes(120),
                 signingCredentials: credentials);
 
-            return new JwtSecurityTokenHandler().WriteToken(token);
+            var refreshToken = GenerateRefreshToken();
+            userInfo.RefreshToken = refreshToken; // Save refresh token to user in your data store
+
+            // Update the refresh token in the database
+            UpdateRefreshTokenInDatabase(userInfo.Username, refreshToken);
+
+            return (new JwtSecurityTokenHandler().WriteToken(token), refreshToken);
         }
 
-        private User AuthenticateUser(User login)
+        private static string GenerateRefreshToken()
+        {
+            // Generate a random refresh token (you may use a more sophisticated method)
+            var randomNumber = new byte[32];
+            using var rng = RandomNumberGenerator.Create();
+            rng.GetBytes(randomNumber);
+            return Convert.ToBase64String(randomNumber);
+        }
+
+        private ClaimsPrincipal GetPrincipalFromExpiredToken(string token)
+        {
+            var tokenValidationParameters = new TokenValidationParameters
+            {
+                ValidateIssuer = true,
+                ValidateAudience = true,
+                ValidateLifetime = false, // This will allow an expired token to be parsed
+                ValidateIssuerSigningKey = true,
+                ValidIssuer = configuration["Jwt:Issuer"],
+                ValidAudience = configuration["Jwt:Audience"],
+                IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["Jwt:Key"] ?? string.Empty))
+            };
+
+            var tokenHandler = new JwtSecurityTokenHandler();
+
+            // The following line will throw an exception if the token is expired
+            var principal = tokenHandler.ValidateToken(token, tokenValidationParameters, out SecurityToken securityToken);
+
+            return principal;
+        }
+
+        private async Task<User> AuthenticateUser(User login)
         {
             using IDbConnection dbConnection = new SqlConnection(_connectionString);
             dbConnection.Open();
 
-            // Example: Authenticate user based on Username and Password
             string query = "SELECT * FROM TBLB_User WITH(NOLOCK) WHERE Username = @Username AND Password = @Password";
-            var users = dbConnection.Query<User>(query, new { login.Username, login.Password });
+            var users = await dbConnection.QueryAsync<User>(query, new { login.Username, login.Password });
+
+            return users.FirstOrDefault() ?? new User();
+        }
+
+        private User GetUserByUsername(string username)
+        {
+            using IDbConnection dbConnection = new SqlConnection(_connectionString);
+            dbConnection.Open();
+
+            string query = "SELECT * FROM TBLB_User WITH(NOLOCK) WHERE Username = @Username";
+            var user = dbConnection.Query<User>(query, new { Username = username }).FirstOrDefault();
+
+            return user ?? new User();
+        }
+
+        private void UpdateRefreshTokenInDatabase(string username, string newRefreshToken)
+        {
+            using IDbConnection dbConnection = new SqlConnection(_connectionString);
+            dbConnection.Open();
 
-            // Assuming there should be only one matching user
-            return users.FirstOrDefault();
+            string updateQuery = "UPDATE TBLB_User SET RefreshToken = @RefreshToken WHERE Username = @Username";
+            dbConnection.Execute(updateQuery, new { RefreshToken = newRefreshToken, Username = username });
         }
     }
 }

ReactwithDotnetCore/Model/User.cs

@@ -6,5 +6,13 @@ public class User
         public string Password { get; set; } = string.Empty;
         public string EmailAddress { get; set; } = string.Empty;
         public DateTime DateOfJoin { get; set; } = DateTime.Now;
+        public string RefreshToken { get; set; } = string.Empty;
     }
+
+    public class RefreshTokenRequest
+    {
+        public string Token { get; set; } = string.Empty;
+        public string RefreshToken { get; set; } = string.Empty;
+    }
+
 }

ReactwithDotnetCore/Program.cs

@@ -4,7 +4,7 @@
 using Microsoft.OpenApi.Models;
 using System.Text;
 
-const string CorsPolicyName = "_myCorsPolicy";
+const string CorsPolicyName = "_APIPolicy";
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -17,11 +17,11 @@
         {
             ValidateIssuer = true,
             ValidateAudience = true,
-            ValidateLifetime = true,
+            ValidateLifetime = false, // This will allow an expired token to be parsed
             ValidateIssuerSigningKey = true,
             ValidIssuer = builder.Configuration["Jwt:Issuer"],
             ValidAudience = builder.Configuration["Jwt:Audience"],
-            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]))
+            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"] ?? string.Empty))
         };
     });
 

ReactwithDotnetCore/ReactwithDotnetCore.csproj

@@ -11,9 +11,9 @@
 
   <ItemGroup>
     <PackageReference Include="Dapper" Version="2.1.28" />
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.1" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.2" />
     <PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.5" />
-    <PackageReference Include="Swashbuckle.AspNetCore" Version="6.4.0" />
+    <PackageReference Include="Swashbuckle.AspNetCore" Version="6.5.0" />
   </ItemGroup>
 
 </Project>