Initial commit: scadaproj umbrella — sister-project index, auth component normalization (design + GAPS), and the built ZB.MOM.WW.Auth shared library (0.1.0, flattened in).
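--- /dev/null
+++ b/UNKNOWN_PATH/ZbCookieDefaults.cs
@@ -0,0 +1,54 @@
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Http;
+
+namespace ZB.MOM.WW.Auth.AspNetCore;
+
+/// <summary>
+/// Applies the hardened cookie-authentication defaults shared by ZB.MOM.WW apps:
+/// HTTP-only, <see cref="SameSiteMode.Strict"/>, sliding expiration, a caller-supplied idle
+/// timeout, and a configurable HTTPS requirement.
+/// </summary>
+/// <remarks>
+/// The cookie <em>name</em> is intentionally left untouched: each app owns its own cookie name
+/// (so two apps on the same host do not clobber each other's session), and the caller sets it
+/// when configuring the cookie scheme.
+/// </remarks>
+public static class ZbCookieDefaults
+{
+/// <summary>
+/// Default idle timeout used when a caller does not supply one. After this much inactivity
+/// the (sliding) session cookie expires and the principal must re-authenticate.
+/// </summary>
+public static readonly TimeSpan DefaultIdleTimeout = TimeSpan.FromMinutes(30);
+
+/// <summary>
+/// Applies the hardened defaults to <paramref name="options"/>.
+/// </summary>
+/// <param name="options">The cookie-authentication options to mutate.</param>
+/// <param name="requireHttps">
+/// When <see langword="true"/> (the default), the cookie is only ever sent over HTTPS
+/// (<see cref="CookieSecurePolicy.Always"/>). Set to <see langword="false"/> only for local
+/// development over plain HTTP (<see cref="CookieSecurePolicy.SameAsRequest"/>: Secure is
+/// still set when the current request is HTTPS, which is safer than <c>None</c>).
+/// </param>
+/// <param name="idleTimeout">
+/// The sliding idle timeout. Defaults to <see cref="DefaultIdleTimeout"/> when not specified.
+/// </param>
+/// <exception cref="ArgumentNullException"><paramref name="options"/> is <see langword="null"/>.</exception>
+public static void Apply(
+CookieAuthenticationOptions options,
+bool requireHttps = true,
+TimeSpan? idleTimeout = null)
+{
+ArgumentNullException.ThrowIfNull(options);
+
+options.Cookie.HttpOnly = true;
+options.Cookie.SameSite = SameSiteMode.Strict;
+options.Cookie.SecurePolicy = requireHttps
+? CookieSecurePolicy.Always
+: CookieSecurePolicy.SameAsRequest;
+
+options.SlidingExpiration = true;
+options.ExpireTimeSpan = idleTimeout ?? DefaultIdleTimeout;
+}
+}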
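Review bot: `Apply` writes `idleTimeout` straight into `ExpireTimeSpan` without checking its sign, so a zero or negative value produces tickets that are already expired and every request falls back to re-authentication; add a guard after the null check, `if (idleTimeout is { } t && t <= TimeSpan.Zero) throw new ArgumentOutOfRangeException(nameof(idleTimeout), t, "Idle timeout must be positive.");` and document it with `/// <exception cref="ArgumentOutOfRangeException"><paramref name="idleTimeout"/> is zero or negative.</exception>`. Separately, sliding expiration with no absolute lifetime means a session that keeps being used is renewed indefinitely, so the `<remarks>` should state that an absolute cap (for example in `OnValidatePrincipal`) is the caller's responsibility when policy requires one. The `<summary>` could also mention that `SameSiteMode.Strict` withholds the cookie on top-level cross-site navigations, so a user arriving from an external link lands unauthenticated on that first request.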