oliverbooth.dev/OliverBooth/Services/UserService.cs

using System.Collections.Concurrent;
using System.Diagnostics.CodeAnalysis;
using System.Security.Cryptography;
using Microsoft.EntityFrameworkCore;
using OliverBooth.Data.Web;
using BC = BCrypt.Net.BCrypt;
using Timer = System.Timers.Timer;

namespace OliverBooth.Services;

/// <summary>
///     Represents an implementation of <see cref="IUserService" />.
/// </summary>
internal sealed class UserService : BackgroundService, IUserService
{
    private static readonly RandomNumberGenerator RandomNumberGenerator = RandomNumberGenerator.Create();
    private readonly IDbContextFactory<WebContext> _dbContextFactory;
    private readonly ConcurrentDictionary<Guid, IUser> _userCache = new();
    private readonly ConcurrentDictionary<string, MfaToken> _tokenCache = new();
    private readonly Timer _tokenClearTimer = new();

    /// <summary>
    ///     Initializes a new instance of the <see cref="UserService" /> class.
    /// </summary>
    /// <param name="dbContextFactory">
    ///     The <see cref="IDbContextFactory{TContext}" /> used to create a <see cref="WebContext" />.
    /// </param>
    public UserService(IDbContextFactory<WebContext> dbContextFactory)
    {
        _dbContextFactory = dbContextFactory;

        _tokenClearTimer.Interval = TimeSpan.FromMinutes(5).TotalMilliseconds;
        _tokenClearTimer.Elapsed += (_, _) => ClearExpiredTokens();
    }

    /// <inheritdoc />
    public void ClearExpiredTokens()
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;
        var keysToRemove = new string[_tokenCache.Count];
        var insertionIndex = 0;

        foreach (var (key, token) in _tokenCache)
        {
            if (token.Expires <= now)
            {
                keysToRemove[insertionIndex++] = key;
            }
        }

        for (var index = 0; index < insertionIndex; index++)
        {
            _tokenCache.TryRemove(keysToRemove[index], out _);
        }
    }

    /// <inheritdoc />
    public void ClearTokens()
    {
        _tokenCache.Clear();
    }

    /// <inheritdoc />
    public IMfaToken CreateMfaToken(IUser user)
    {
        if (user is null)
        {
            throw new ArgumentNullException(nameof(user));
        }


        DateTimeOffset now = DateTimeOffset.UtcNow;
        var token = new MfaToken
        {
            Token = CreateToken(),
            User = user,
            Attempts = 0,
            Created = now,
            Expires = now + TimeSpan.FromMinutes(5)
        };

        _tokenCache[token.Token] = token;
        return token;

        // while we do want a string, BitConvert.ToString requires a heap byte array
        // which is just very not pog. so this method behaves the same but uses a Span<byte>
        // while still returning a string necessary for the IMfaToken model
        static string CreateToken()
        {
            ReadOnlySpan<char> hexChars = "0123456789ABCDEF";
            Span<char> chars = stackalloc char[128];
            Span<byte> buffer = stackalloc byte[64];
            RandomNumberGenerator.GetBytes(buffer);

            for (var index = 0; index < buffer.Length; index++)
            {
                int byteValue = buffer[index];
                chars[index * 2] = hexChars[byteValue >> 4];
                chars[index * 2 + 1] = hexChars[byteValue & 0xF];
            }

            return chars.ToString();
        }
    }

    /// <inheritdoc />
    public void DeleteToken(string token)
    {
        if (token is null)
        {
            throw new ArgumentNullException(nameof(token));
        }

        _tokenCache.TryRemove(token, out _);
    }

    /// <inheritdoc />
    public bool TryGetUser(Guid id, [NotNullWhen(true)] out IUser? user)
    {
        if (_userCache.TryGetValue(id, out user))
        {
            return true;
        }

        using WebContext context = _dbContextFactory.CreateDbContext();
        user = context.Users.Find(id);

        if (user is not null)
        {
            _userCache.TryAdd(id, user);
        }

        return user is not null;
    }

    /// <inheritdoc />
    public bool VerifyLogin(string email, string password, [NotNullWhen(true)] out IUser? user)
    {
        using WebContext context = _dbContextFactory.CreateDbContext();
        user = context.Users.FirstOrDefault(u => u.EmailAddress == email);
        return user is not null && BC.Verify(password, ((User)user).Password);
    }

    /// <inheritdoc />
    public MfaRequestResult VerifyMfaRequest(string token, string totp, out IUser? user)
    {
        if (token is null)
        {
            throw new ArgumentNullException(nameof(token));
        }

        if (totp is null)
        {
            throw new ArgumentNullException(nameof(totp));
        }

        user = null;

        if (!_tokenCache.TryGetValue(token, out MfaToken? mfaToken))
        {
            return MfaRequestResult.TokenExpired;
        }

        if (!mfaToken.User.TestTotp(totp))
        {
            mfaToken.Attempts++;
            if (mfaToken.Attempts == 4)
            {
                return MfaRequestResult.TooManyAttempts;
            }

            return MfaRequestResult.InvalidTotp;
        }

        user = mfaToken.User;
        return MfaRequestResult.Success;
    }

    /// <inheritdoc />
    public override Task StopAsync(CancellationToken cancellationToken)
    {
        _tokenClearTimer.Stop();
        return base.StopAsync(cancellationToken);
    }

    /// <inheritdoc />
    protected override Task ExecuteAsync(CancellationToken stoppingToken)
    {
        ClearTokens();
        _tokenClearTimer.Start();
        return Task.CompletedTask;
    }
}
perf(blog): cache users 2023-08-13 17:03:08 +00:00			`using System.Collections.Concurrent;`
refactor: move blog to separate app I'd ideally like to keep the blog. subdomain the same, and while there are a few ways to achieve this it is much simpler to just dedicate a separate application for the subdomain. This change also adjusts the webhost builder extensions to default to ports 443/80, and each app now explicitly sets the port it needs. 2023-08-12 19:13:47 +00:00			`using System.Diagnostics.CodeAnalysis;`
feat: implement MFA for admin login 2024-02-25 17:21:29 +00:00			`using System.Security.Cryptography;`
refactor: move blog to separate app I'd ideally like to keep the blog. subdomain the same, and while there are a few ways to achieve this it is much simpler to just dedicate a separate application for the subdomain. This change also adjusts the webhost builder extensions to default to ports 443/80, and each app now explicitly sets the port it needs. 2023-08-12 19:13:47 +00:00			`using Microsoft.EntityFrameworkCore;`
refactor: rename BlogUserService to UserService 2024-02-24 14:52:43 +00:00			`using OliverBooth.Data.Web;`
feat: add blog admin page and simple login 2024-02-20 20:39:52 +00:00			`using BC = BCrypt.Net.BCrypt;`
feat: implement MFA for admin login 2024-02-25 17:21:29 +00:00			`using Timer = System.Timers.Timer;`
refactor: move blog to separate app I'd ideally like to keep the blog. subdomain the same, and while there are a few ways to achieve this it is much simpler to just dedicate a separate application for the subdomain. This change also adjusts the webhost builder extensions to default to ports 443/80, and each app now explicitly sets the port it needs. 2023-08-12 19:13:47 +00:00
refactor: combine sites into one CORS was "cors"ing some issues (heh). But also it is easier to maintain this way. Development was made much more difficult when I separated it. Combining it all also improves SEO 2023-08-13 16:33:54 +00:00			`namespace OliverBooth.Services;`
refactor: move blog to separate app I'd ideally like to keep the blog. subdomain the same, and while there are a few ways to achieve this it is much simpler to just dedicate a separate application for the subdomain. This change also adjusts the webhost builder extensions to default to ports 443/80, and each app now explicitly sets the port it needs. 2023-08-12 19:13:47 +00:00
			`/// <summary>`
refactor: rename BlogUserService to UserService 2024-02-24 14:52:43 +00:00			`/// Represents an implementation of <see cref="IUserService" />.`
refactor: move blog to separate app I'd ideally like to keep the blog. subdomain the same, and while there are a few ways to achieve this it is much simpler to just dedicate a separate application for the subdomain. This change also adjusts the webhost builder extensions to default to ports 443/80, and each app now explicitly sets the port it needs. 2023-08-12 19:13:47 +00:00			`/// </summary>`
feat: implement MFA for admin login 2024-02-25 17:21:29 +00:00			`internal sealed class UserService : BackgroundService, IUserService`
refactor: move blog to separate app I'd ideally like to keep the blog. subdomain the same, and while there are a few ways to achieve this it is much simpler to just dedicate a separate application for the subdomain. This change also adjusts the webhost builder extensions to default to ports 443/80, and each app now explicitly sets the port it needs. 2023-08-12 19:13:47 +00:00			`{`
feat: implement MFA for admin login 2024-02-25 17:21:29 +00:00			`private static readonly RandomNumberGenerator RandomNumberGenerator = RandomNumberGenerator.Create();`
refactor: rename BlogUserService to UserService 2024-02-24 14:52:43 +00:00			`private readonly IDbContextFactory<WebContext> _dbContextFactory;`
perf(blog): cache users 2023-08-13 17:03:08 +00:00			`private readonly ConcurrentDictionary<Guid, IUser> _userCache = new();`
feat: implement MFA for admin login 2024-02-25 17:21:29 +00:00			`private readonly ConcurrentDictionary<string, MfaToken> _tokenCache = new();`
			`private readonly Timer _tokenClearTimer = new();`
refactor: move blog to separate app I'd ideally like to keep the blog. subdomain the same, and while there are a few ways to achieve this it is much simpler to just dedicate a separate application for the subdomain. This change also adjusts the webhost builder extensions to default to ports 443/80, and each app now explicitly sets the port it needs. 2023-08-12 19:13:47 +00:00
			`/// <summary>`
refactor: rename BlogUserService to UserService 2024-02-24 14:52:43 +00:00			`/// Initializes a new instance of the <see cref="UserService" /> class.`
refactor: move blog to separate app I'd ideally like to keep the blog. subdomain the same, and while there are a few ways to achieve this it is much simpler to just dedicate a separate application for the subdomain. This change also adjusts the webhost builder extensions to default to ports 443/80, and each app now explicitly sets the port it needs. 2023-08-12 19:13:47 +00:00			`/// </summary>`
			`/// <param name="dbContextFactory">`
refactor: rename BlogUserService to UserService 2024-02-24 14:52:43 +00:00			`/// The <see cref="IDbContextFactory{TContext}" /> used to create a <see cref="WebContext" />.`
refactor: move blog to separate app I'd ideally like to keep the blog. subdomain the same, and while there are a few ways to achieve this it is much simpler to just dedicate a separate application for the subdomain. This change also adjusts the webhost builder extensions to default to ports 443/80, and each app now explicitly sets the port it needs. 2023-08-12 19:13:47 +00:00			`/// </param>`
refactor: rename BlogUserService to UserService 2024-02-24 14:52:43 +00:00			`public UserService(IDbContextFactory<WebContext> dbContextFactory)`
refactor: move blog to separate app I'd ideally like to keep the blog. subdomain the same, and while there are a few ways to achieve this it is much simpler to just dedicate a separate application for the subdomain. This change also adjusts the webhost builder extensions to default to ports 443/80, and each app now explicitly sets the port it needs. 2023-08-12 19:13:47 +00:00			`{`
			`_dbContextFactory = dbContextFactory;`
feat: implement MFA for admin login 2024-02-25 17:21:29 +00:00
			`_tokenClearTimer.Interval = TimeSpan.FromMinutes(5).TotalMilliseconds;`
			`_tokenClearTimer.Elapsed += (_, _) => ClearExpiredTokens();`
			`}`

			`/// <inheritdoc />`
			`public void ClearExpiredTokens()`
			`{`
			`DateTimeOffset now = DateTimeOffset.UtcNow;`
			`var keysToRemove = new string[_tokenCache.Count];`
			`var insertionIndex = 0;`

			`foreach (var (key, token) in _tokenCache)`
			`{`
			`if (token.Expires <= now)`
			`{`
			`keysToRemove[insertionIndex++] = key;`
			`}`
			`}`

			`for (var index = 0; index < insertionIndex; index++)`
			`{`
			`_tokenCache.TryRemove(keysToRemove[index], out _);`
			`}`
			`}`

			`/// <inheritdoc />`
			`public void ClearTokens()`
			`{`
			`_tokenCache.Clear();`
			`}`

			`/// <inheritdoc />`
			`public IMfaToken CreateMfaToken(IUser user)`
			`{`
			`if (user is null)`
			`{`
			`throw new ArgumentNullException(nameof(user));`
			`}`


			`DateTimeOffset now = DateTimeOffset.UtcNow;`
			`var token = new MfaToken`
			`{`
			`Token = CreateToken(),`
			`User = user,`
			`Attempts = 0,`
			`Created = now,`
			`Expires = now + TimeSpan.FromMinutes(5)`
			`};`

			`_tokenCache[token.Token] = token;`
			`return token;`

			`// while we do want a string, BitConvert.ToString requires a heap byte array`
			`// which is just very not pog. so this method behaves the same but uses a Span<byte>`
			`// while still returning a string necessary for the IMfaToken model`
			`static string CreateToken()`
			`{`
			`ReadOnlySpan<char> hexChars = "0123456789ABCDEF";`
			`Span<char> chars = stackalloc char[128];`
			`Span<byte> buffer = stackalloc byte[64];`
			`RandomNumberGenerator.GetBytes(buffer);`

			`for (var index = 0; index < buffer.Length; index++)`
			`{`
			`int byteValue = buffer[index];`
			`chars[index * 2] = hexChars[byteValue >> 4];`
			`chars[index * 2 + 1] = hexChars[byteValue & 0xF];`
			`}`

			`return chars.ToString();`
			`}`
			`}`

			`/// <inheritdoc />`
			`public void DeleteToken(string token)`
			`{`
			`if (token is null)`
			`{`
			`throw new ArgumentNullException(nameof(token));`
			`}`

			`_tokenCache.TryRemove(token, out _);`
refactor: move blog to separate app I'd ideally like to keep the blog. subdomain the same, and while there are a few ways to achieve this it is much simpler to just dedicate a separate application for the subdomain. This change also adjusts the webhost builder extensions to default to ports 443/80, and each app now explicitly sets the port it needs. 2023-08-12 19:13:47 +00:00			`}`

			`/// <inheritdoc />`
			`public bool TryGetUser(Guid id, [NotNullWhen(true)] out IUser? user)`
			`{`
style: apply braces style to project 2024-02-25 14:11:33 +00:00			`if (_userCache.TryGetValue(id, out user))`
			`{`
			`return true;`
			`}`
perf(blog): cache users 2023-08-13 17:03:08 +00:00
refactor: rename BlogUserService to UserService 2024-02-24 14:52:43 +00:00			`using WebContext context = _dbContextFactory.CreateDbContext();`
refactor: move blog to separate app I'd ideally like to keep the blog. subdomain the same, and while there are a few ways to achieve this it is much simpler to just dedicate a separate application for the subdomain. This change also adjusts the webhost builder extensions to default to ports 443/80, and each app now explicitly sets the port it needs. 2023-08-12 19:13:47 +00:00			`user = context.Users.Find(id);`
perf(blog): cache users 2023-08-13 17:03:08 +00:00
style: apply braces style to project 2024-02-25 14:11:33 +00:00			`if (user is not null)`
			`{`
			`_userCache.TryAdd(id, user);`
			`}`

refactor: move blog to separate app I'd ideally like to keep the blog. subdomain the same, and while there are a few ways to achieve this it is much simpler to just dedicate a separate application for the subdomain. This change also adjusts the webhost builder extensions to default to ports 443/80, and each app now explicitly sets the port it needs. 2023-08-12 19:13:47 +00:00			`return user is not null;`
			`}`
feat: add blog admin page and simple login 2024-02-20 20:39:52 +00:00
			`/// <inheritdoc />`
			`public bool VerifyLogin(string email, string password, [NotNullWhen(true)] out IUser? user)`
			`{`
refactor: rename BlogUserService to UserService 2024-02-24 14:52:43 +00:00			`using WebContext context = _dbContextFactory.CreateDbContext();`
feat: add blog admin page and simple login 2024-02-20 20:39:52 +00:00			`user = context.Users.FirstOrDefault(u => u.EmailAddress == email);`
			`return user is not null && BC.Verify(password, ((User)user).Password);`
			`}`
feat: implement MFA for admin login 2024-02-25 17:21:29 +00:00
			`/// <inheritdoc />`
			`public MfaRequestResult VerifyMfaRequest(string token, string totp, out IUser? user)`
			`{`
			`if (token is null)`
			`{`
			`throw new ArgumentNullException(nameof(token));`
			`}`

			`if (totp is null)`
			`{`
			`throw new ArgumentNullException(nameof(totp));`
			`}`

			`user = null;`

			`if (!_tokenCache.TryGetValue(token, out MfaToken? mfaToken))`
			`{`
			`return MfaRequestResult.TokenExpired;`
			`}`

			`if (!mfaToken.User.TestTotp(totp))`
			`{`
			`mfaToken.Attempts++;`
			`if (mfaToken.Attempts == 4)`
			`{`
			`return MfaRequestResult.TooManyAttempts;`
			`}`

			`return MfaRequestResult.InvalidTotp;`
			`}`

			`user = mfaToken.User;`
			`return MfaRequestResult.Success;`
			`}`

			`/// <inheritdoc />`
			`public override Task StopAsync(CancellationToken cancellationToken)`
			`{`
			`_tokenClearTimer.Stop();`
			`return base.StopAsync(cancellationToken);`
			`}`

			`/// <inheritdoc />`
			`protected override Task ExecuteAsync(CancellationToken stoppingToken)`
			`{`
			`ClearTokens();`
			`_tokenClearTimer.Start();`
			`return Task.CompletedTask;`
			`}`
refactor: move blog to separate app I'd ideally like to keep the blog. subdomain the same, and while there are a few ways to achieve this it is much simpler to just dedicate a separate application for the subdomain. This change also adjusts the webhost builder extensions to default to ports 443/80, and each app now explicitly sets the port it needs. 2023-08-12 19:13:47 +00:00			`}`