  • Language: C#
  • License: MIT License


Repository Details

A simple jwt library for Asp.Net 6 that provides a set of minimal api endpoints to handle authentication actions

AuthEndpoints


A simple JWT authentication library for ASP.NET 6. AuthEndpoints provides a set of minimal API endpoints for basic web and JWT authentication actions such as registration, email verification, password reset and JWT creation. It works with a custom identity user model.


Supported endpoints

  • Users API:
    • sign-up
    • email verification
    • user profile (retrieving)
    • reset password
    • change password
    • enable 2fa
    • login 2fa
  • TokenAuth:
    • Create (login)
    • Destroy (logout)
  • Simple JWT:
    • Create (login)
    • Refresh
    • Verify

Current limitations

  • Only works with IdentityUser & EfCore
  • 2fa via email

Installing via NuGet

The easiest way to install AuthEndpoints is via NuGet.

Install the library with the following .NET CLI command:

dotnet add package AuthEndpoints

or in Visual Studio's Package Manager Console, enter the following command:

Install-Package AuthEndpoints

Quick start

// MyDbContext.cs

using AuthEndpoints.SimpleJwt.Core.Models;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

public class MyDbContext : IdentityDbContext
{
  // Table that stores the refresh tokens issued by the simple JWT endpoints
  public DbSet<RefreshToken>? RefreshTokens { get; set; } // <--
  public MyDbContext(DbContextOptions<MyDbContext> options) : base(options) { }
}

Add a migration and apply it:

// using dotnet cli
$ dotnet ef migrations add CreateRefreshToken
$ dotnet ef database update

// or using package manager console in visual studio
PM> Add-Migration CreateRefreshToken
PM> Update-Database

Register the endpoints and call app.MapEndpoints() before app.Run():

// Program.cs

using Microsoft.AspNetCore.Identity;

var builder = WebApplication.CreateBuilder(args);

// Required services
builder.Services.AddIdentityCore<IdentityUser>(); // <--

// Add core services & users api
builder.Services.AddAuthEndpointsCore<IdentityUser, MyDbContext>() // <--
                .AddUsersApiEndpoints()
                .Add2FAEndpoints();

// Add jwt endpoints
// When no options are provided, AuthEndpoints creates a secret key and uses
// a single symmetric security key for each of the access JWT and the refresh JWT.
// Secrets are created under the `keys/` directory.
builder.Services.AddSimpleJwtEndpoints<IdentityUser, MyDbContext>(); // <--

var app = builder.Build();

...

app.UseAuthentication(); // <--
app.UseAuthorization(); // <--

...

app.MapEndpoints(); // <--

app.Run();

The JWT endpoints (registered by AddSimpleJwtEndpoints<,>()) return the access and refresh tokens to the client. During the authentication flow the client saves both tokens in client-side storage, for instance web storage (localStorage / sessionStorage), and attaches the access token to every request against the API. This approach requires no backend for SPA hosting, so the SPA can be standalone, and there is no SameSite requirement. Another advantage is that the browser never sends the tokens automatically, so the approach is immune to cross-site request forgery (CSRF) attacks. Token storage and handling are done entirely on the client side.

On the downside, this default approach adds complexity and potential security concerns. Say we store the tokens in web storage: any JavaScript running on our site has access to web storage, so the tokens can easily be stolen through a cross-site scripting (XSS) attack.

To avoid this issue, you can store the JWTs in an HttpOnly cookie instead of web storage. This adds a layer of protection: the HttpOnly flag on the cookie prevents client-side script from reading it. With this approach, token storage and handling are done entirely on the backend.

To use this approach, enable the UseCookie option:

builder.Services.AddSimpleJwtEndpoints<IdentityUser, MyDbContext>(options => 
{
  options.UseCookie = true;
});

When UseCookie = true, the JWTs are stored in an HttpOnly cookie with the SameSite attribute set to Lax by default. All JWT endpoints then return 204 No Content instead of returning the access and refresh tokens in the response body (tokens are no longer handled on the client side).

Keep in mind that storing JWTs in an HttpOnly cookie does not prevent XSS attacks. If the site is vulnerable to XSS, an attacker cannot read the tokens from the cookie, but injected script can still make requests on behalf of the user and the browser will attach the cookie. Make sure to follow best practices against XSS, including escaping (output-encoding) all untrusted content.

The cookie approach is considered more secure, but because the browser sends the cookie automatically it can be vulnerable to CSRF attacks. Antiforgery is not handled by default, so you may need some custom code to flow a CSRF token between the server and your client application.

Most of the time you will want to store JWTs in an HttpOnly cookie. It makes development easier and is considered more secure because the tokens are no longer handled on the client side.
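The antiforgery wiring the previous paragraphs leave to you, as an added example (not part of the AuthEndpoints project): cookie mode is enabled exactly as above, and ASP.NET Core's built-in antiforgery service is used to flow a CSRF token between server and SPA. The `/antiforgery/token` route and the `X-CSRF-TOKEN` header name are choices made for this example; the `using` directives for the AuthEndpoints extension methods are assumed to be those of your project.

```csharp
// Program.cs: AuthEndpoints cookie mode plus antiforgery (added example, not project code)
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Identity;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddIdentityCore<IdentityUser>();
builder.Services.AddAuthEndpointsCore<IdentityUser, MyDbContext>().AddUsersApiEndpoints();

// Cookie mode: JWTs live in an HttpOnly, SameSite=Lax cookie that the browser sends
// automatically, so state-changing requests now need CSRF protection.
builder.Services.AddSimpleJwtEndpoints<IdentityUser, MyDbContext>(options =>
{
    options.UseCookie = true;
});

// Double-submit pattern: an antiforgery cookie plus a header the SPA must echo back.
builder.Services.AddAntiforgery(options =>
{
    options.HeaderName = "X-CSRF-TOKEN";                // header name chosen for this example
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical route: the SPA calls it once with GET (no token needed), keeps the
// returned value, and sends it in X-CSRF-TOKEN on every POST/PUT/PATCH/DELETE.
app.MapGet("/antiforgery/token", (IAntiforgery antiforgery, HttpContext ctx) =>
{
    var tokens = antiforgery.GetAndStoreTokens(ctx);     // also sets the antiforgery cookie
    return Results.Ok(new { token = tokens.RequestToken });
});

// Validate the cookie/header pair on every unsafe request before it can reach the
// AuthEndpoints handlers (login, refresh, change password, ...).
app.Use(async (ctx, next) =>
{
    var m = ctx.Request.Method;
    if (HttpMethods.IsPost(m) || HttpMethods.IsPut(m) || HttpMethods.IsPatch(m) || HttpMethods.IsDelete(m))
    {
        var antiforgery = ctx.RequestServices.GetRequiredService<IAntiforgery>();
        try { await antiforgery.ValidateRequestAsync(ctx); }
        catch (AntiforgeryValidationException)
        {
            ctx.Response.StatusCode = StatusCodes.Status400BadRequest;
            return;                                      // rejected; the endpoint never runs
        }
    }
    await next(ctx);
});

app.MapEndpoints();
app.Run();
```

Because the middleware runs for the login POST as well, the SPA must fetch the token before its first login request; a missing or mismatched token yields 400 without touching Identity.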

Documentations

Documentation is available at https://madeyoga.github.io/AuthEndpoints/ and in docs directory.

Contributing

Your contributions are always welcome! Simply send a pull request. The up-for-grabs label is a great place to start. If you find a flaw, please open an issue or a PR and let's sort things out.

The project is far from perfect so every bit of help is more than welcome.
