Finalize Server Project's Layers

Author: mckaragoz

src/CodeBeam.UltimateAuth.Core/Abstractions/Infrastructure/IRefreshTokenResolver.cs

@@ -0,0 +1,10 @@
+using CodeBeam.UltimateAuth.Core.Contracts;
+
+namespace CodeBeam.UltimateAuth.Core.Abstractions
+{
+    public interface IRefreshTokenResolver<TUserId>
+    {
+        Task<ResolvedRefreshSession<TUserId>?> ResolveAsync(string? tenantId, string refreshToken, DateTimeOffset now, CancellationToken ct = default);
+    }
+
+}

src/CodeBeam.UltimateAuth.Core/Abstractions/Stores/ITokenStore.cs

@@ -1,4 +1,5 @@
-using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Core.Contracts;
+using CodeBeam.UltimateAuth.Core.Domain;
 
 namespace CodeBeam.UltimateAuth.Core.Abstractions
 {
@@ -22,11 +23,11 @@ Task StoreRefreshTokenAsync(
         /// Validates a provided refresh token against the stored hash.
         /// Returns true if valid and not expired or revoked.
         /// </summary>
-        Task<bool> ValidateRefreshTokenAsync(
+        Task<RefreshTokenValidationResult<TUserId>> ValidateRefreshTokenAsync(
             string? tenantId,
-            TUserId userId,
-            AuthSessionId sessionId,
-            string providedRefreshToken);
+            string providedRefreshToken,
+            DateTimeOffset now);
+
 
         /// <summary>
         /// Revokes the refresh token associated with the specified session.

src/CodeBeam.UltimateAuth.Core/Abstractions/Stores/ITokenStoreFactory.cs

@@ -0,0 +1,7 @@
+namespace CodeBeam.UltimateAuth.Core.Abstractions
+{
+    public interface ITokenStoreFactory
+    {
+        ITokenStoreKernel Create(string? tenantId);
+    }
+}

src/CodeBeam.UltimateAuth.Core/Abstractions/Stores/ITokenStoreKernel.cs

@@ -0,0 +1,47 @@
+using CodeBeam.UltimateAuth.Core.Domain;
+
+namespace CodeBeam.UltimateAuth.Core.Abstractions
+{
+    /// <summary>
+    /// Low-level persistence abstraction for token-related data.
+    /// Handles refresh tokens and optional access token identifiers (jti).
+    /// </summary>
+    public interface ITokenStoreKernel
+    {
+        Task SaveRefreshTokenAsync(
+            string? tenantId,
+            StoredRefreshToken token);
+
+        Task<StoredRefreshToken?> GetRefreshTokenAsync(
+            string? tenantId,
+            string tokenHash);
+
+        Task RevokeRefreshTokenAsync(
+            string? tenantId,
+            string tokenHash,
+            DateTimeOffset at);
+
+        Task RevokeAllRefreshTokensAsync(
+            string? tenantId,
+            string? userId,
+            DateTimeOffset at);
+
+        Task DeleteExpiredRefreshTokensAsync(
+            string? tenantId,
+            DateTimeOffset now);
+
+        Task StoreTokenIdAsync(
+            string? tenantId,
+            string jti,
+            DateTimeOffset expiresAt);
+
+        Task<bool> IsTokenIdRevokedAsync(
+            string? tenantId,
+            string jti);
+
+        Task RevokeTokenIdAsync(
+            string? tenantId,
+            string jti,
+            DateTimeOffset at);
+    }
+}

src/CodeBeam.UltimateAuth.Core/Contracts/Session/ResolvedRefreshSession.cs

@@ -0,0 +1,38 @@
+using CodeBeam.UltimateAuth.Core.Domain;
+
+namespace CodeBeam.UltimateAuth.Core.Contracts
+{
+    public sealed record ResolvedRefreshSession<TUserId>
+    {
+        public bool IsValid { get; init; }
+        public bool IsReuseDetected { get; init; }
+
+        public ISession<TUserId>? Session { get; init; }
+        public ISessionChain<TUserId>? Chain { get; init; }
+
+        private ResolvedRefreshSession() { }
+
+        public static ResolvedRefreshSession<TUserId> Invalid()
+            => new()
+            {
+                IsValid = false
+            };
+
+        public static ResolvedRefreshSession<TUserId> Reused()
+            => new()
+            {
+                IsValid = false,
+                IsReuseDetected = true
+            };
+
+        public static ResolvedRefreshSession<TUserId> Valid(
+            ISession<TUserId> session,
+            ISessionChain<TUserId> chain)
+            => new()
+            {
+                IsValid = true,
+                Session = session,
+                Chain = chain
+            };
+    }
+}

src/CodeBeam.UltimateAuth.Core/Contracts/Session/SessionRefreshResult.cs

@@ -1,10 +1,21 @@
-using CodeBeam.UltimateAuth.Core.Contracts;
-
-namespace CodeBeam.UltimateAuth.Core.Contracts
+namespace CodeBeam.UltimateAuth.Core.Contracts
 {
     public sealed record SessionRefreshResult
     {
         public AccessToken AccessToken { get; init; } = default!;
         public RefreshToken? RefreshToken { get; init; }
+
+        public bool IsValid => AccessToken is not null;
+
+        private SessionRefreshResult() { }
+
+        public static SessionRefreshResult Success(AccessToken accessToken, RefreshToken? refreshToken)
+            => new()
+            {
+                AccessToken = accessToken,
+                RefreshToken = refreshToken
+            };
+
+        public static SessionRefreshResult Invalid() => new();
     }
 }

src/CodeBeam.UltimateAuth.Core/Contracts/Token/RefreshTokenFailureReason.cs

@@ -0,0 +1,10 @@
+namespace CodeBeam.UltimateAuth.Core.Contracts
+{
+    public enum RefreshTokenFailureReason
+    {
+        Invalid,
+        Expired,
+        Revoked,
+        Reused
+    }
+}

src/CodeBeam.UltimateAuth.Core/Contracts/Token/RefreshTokenValidationResult.cs

@@ -0,0 +1,31 @@
+using CodeBeam.UltimateAuth.Core.Domain;
+
+namespace CodeBeam.UltimateAuth.Core.Contracts
+{
+    public sealed record RefreshTokenValidationResult<TUserId>
+    {
+        public bool IsValid { get; init; }
+
+        public TUserId? UserId { get; init; }
+
+        public AuthSessionId? SessionId { get; init; }
+
+        private RefreshTokenValidationResult() { }
+
+        public static RefreshTokenValidationResult<TUserId> Invalid()
+            => new()
+            {
+                IsValid = false
+            };
+
+        public static RefreshTokenValidationResult<TUserId> Valid(
+            TUserId userId,
+            AuthSessionId sessionId)
+            => new()
+            {
+                IsValid = true,
+                UserId = userId,
+                SessionId = sessionId
+            };
+    }
+}

src/CodeBeam.UltimateAuth.Core/Domain/Token/StoredRefreshToken.cs

@@ -0,0 +1,19 @@
+namespace CodeBeam.UltimateAuth.Core.Domain
+{
+    /// <summary>
+    /// Represents a persisted refresh token bound to a session.
+    /// Stored as a hashed value for security reasons.
+    /// </summary>
+    public sealed record StoredRefreshToken
+    {
+        public string TokenHash { get; init; } = default!;
+
+        public AuthSessionId SessionId { get; init; } = default!;
+
+        public DateTimeOffset ExpiresAt { get; init; }
+
+        public DateTimeOffset? RevokedAt { get; init; }
+
+        public bool IsRevoked => RevokedAt.HasValue;
+    }
+}

src/CodeBeam.UltimateAuth.Core/Infrastructure/UAuthRefreshTokenResolver.cs

@@ -0,0 +1,83 @@
+using CodeBeam.UltimateAuth.Core.Abstractions;
+using CodeBeam.UltimateAuth.Core.Contracts;
+
+namespace CodeBeam.UltimateAuth.Core.Infrastructure
+{
+    internal sealed class StoreRefreshTokenResolver<TUserId>
+        : IRefreshTokenResolver<TUserId>
+    {
+        private readonly ISessionStoreFactory _sessionStoreFactory;
+        private readonly ITokenStoreFactory _tokenStoreFactory;
+        private readonly ITokenHasher _hasher;
+
+        public StoreRefreshTokenResolver(
+            ISessionStoreFactory sessionStoreFactory,
+            ITokenStoreFactory tokenStoreFactory,
+            ITokenHasher hasher)
+        {
+            _sessionStoreFactory = sessionStoreFactory;
+            _tokenStoreFactory = tokenStoreFactory;
+            _hasher = hasher;
+        }
+
+        public async Task<ResolvedRefreshSession<TUserId>?> ResolveAsync(
+            string? tenantId,
+            string refreshToken,
+            DateTimeOffset now,
+            CancellationToken ct = default)
+        {
+            var tokenHash = _hasher.Hash(refreshToken);
+
+            var tokenStore = _tokenStoreFactory.Create(tenantId);
+            var sessionStore = _sessionStoreFactory.Create<TUserId>(tenantId);
+
+            var stored = await tokenStore.GetRefreshTokenAsync(
+                tenantId,
+                tokenHash);
+
+            if (stored is null)
+                return null;
+
+            if (stored.IsRevoked)
+            {
+                return ResolvedRefreshSession<TUserId>.Reused();
+            }
+
+            if (stored.ExpiresAt <= now)
+            {
+                await tokenStore.RevokeRefreshTokenAsync(
+                    tenantId,
+                    tokenHash,
+                    now);
+
+                return ResolvedRefreshSession<TUserId>.Invalid();
+            }
+
+            var session = await sessionStore.GetSessionAsync(
+                tenantId,
+                stored.SessionId);
+
+            if (session is null)
+                return null;
+
+            if (session.IsRevoked || session.ExpiresAt <= now)
+                return null;
+
+            var chain = await sessionStore.GetChainAsync(
+                tenantId,
+                session.ChainId);
+
+            if (chain is null || chain.IsRevoked)
+                return null;
+
+            await tokenStore.RevokeRefreshTokenAsync(
+                tenantId,
+                tokenHash,
+                now);
+
+            return ResolvedRefreshSession<TUserId>.Valid(
+                session,
+                chain);
+        }
+    }
+}