Add DeviceDetectionService

Author: VahidN

.github/workflows/build.yml

@@ -12,6 +12,6 @@ jobs:
     - name: Setup .NET Core
       uses: actions/setup-dotnet@v1
       with:
-        dotnet-version: 7.0.200
+        dotnet-version: 7.0.202
     - name: Build ASPNETCore2JwtAuthentication
       run: dotnet build ./src/ASPNETCore2JwtAuthentication.WebApp/ASPNETCore2JwtAuthentication.WebApp.csproj --configuration Release

Directory.Packages.props

@@ -27,5 +27,6 @@
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="7.0.3" />
     <PackageVersion Include="Swashbuckle.AspNetCore" Version="6.5.0" />
     <PackageVersion Include="Microsoft.Web.LibraryManager.Build" Version="2.1.175" />
+    <PackageVersion Include="UAParser" Version="3.1.47" />
   </ItemGroup>
 </Project>

global.json

@@ -1,5 +1,5 @@
 {
   "sdk": {
-    "version": "7.0.200"
+    "version": "7.0.202"
   }
 }

src/ASPNETCore2JwtAuthentication.IoCConfig/ConfigureServicesExtensions.cs

@@ -152,6 +152,7 @@ public static void AddCustomDbContext(this IServiceCollection services, IConfigu
     public static void AddCustomServices(this IServiceCollection services)
     {
         services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
+        services.AddScoped<IDeviceDetectionService, DeviceDetectionService>();
         services.AddScoped<IAntiForgeryCookieService, AntiForgeryCookieService>();
         services.AddScoped<IUnitOfWork, ApplicationDbContext>();
         services.AddScoped<IUsersService, UsersService>();

src/ASPNETCore2JwtAuthentication.Services/ASPNETCore2JwtAuthentication.Services.csproj

@@ -12,5 +12,6 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.EntityFrameworkCore" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
+    <PackageReference Include="UAParser" />
   </ItemGroup>
 </Project>

src/ASPNETCore2JwtAuthentication.Services/DeviceDetectionService.cs

@@ -0,0 +1,76 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Net.Http.Headers;
+using UAParser;
+
+namespace ASPNETCore2JwtAuthentication.Services;
+
+/// <summary>
+///     To invalidate an old user's token from a new device
+/// </summary>
+public class DeviceDetectionService : IDeviceDetectionService
+{
+    private readonly IHttpContextAccessor _httpContextAccessor;
+    private readonly ISecurityService _securityService;
+
+    public DeviceDetectionService(ISecurityService securityService, IHttpContextAccessor httpContextAccessor)
+    {
+        _securityService = securityService ?? throw new ArgumentNullException(nameof(securityService));
+        _httpContextAccessor = httpContextAccessor ?? throw new ArgumentNullException(nameof(httpContextAccessor));
+    }
+
+    public string GetCurrentRequestDeviceDetails() => GetDeviceDetails(_httpContextAccessor.HttpContext);
+
+    public string GetDeviceDetails(HttpContext context)
+    {
+        var ua = GetUserAgent(context);
+        if (ua is null)
+        {
+            return "unknown";
+        }
+
+        var client = Parser.GetDefault().Parse(ua);
+        var deviceInfo = client.Device.Family;
+        var browserInfo = $"{client.UA.Family}, {client.UA.Major}.{client.UA.Minor}";
+        var osInfo = $"{client.OS.Family}, {client.OS.Major}.{client.OS.Minor}";
+        //TODO: Add the user's IP address here, if it's a banking system.
+        return $"{deviceInfo}, {browserInfo}, {osInfo}";
+    }
+
+    public string GetDeviceDetailsHash(HttpContext context) =>
+        _securityService.GetSha256Hash(GetDeviceDetails(context));
+
+    public string GetCurrentRequestDeviceDetailsHash() => GetDeviceDetailsHash(_httpContextAccessor.HttpContext);
+
+    public string GetCurrentUserTokenDeviceDetailsHash() =>
+        GetUserTokenDeviceDetailsHash(_httpContextAccessor.HttpContext?.User.Identity as ClaimsIdentity);
+
+    public string GetUserTokenDeviceDetailsHash(ClaimsIdentity claimsIdentity)
+    {
+        if (claimsIdentity?.Claims == null || !claimsIdentity.Claims.Any())
+        {
+            return null;
+        }
+
+        return claimsIdentity.FindFirst(ClaimTypes.System)?.Value;
+    }
+
+    public bool HasCurrentUserTokenValidDeviceDetails() =>
+        HasUserTokenValidDeviceDetails(_httpContextAccessor.HttpContext?.User.Identity as ClaimsIdentity);
+
+    public bool HasUserTokenValidDeviceDetails(ClaimsIdentity claimsIdentity) =>
+        string.Equals(GetCurrentRequestDeviceDetailsHash(), GetUserTokenDeviceDetailsHash(claimsIdentity),
+                      StringComparison.Ordinal);
+
+    private static string GetUserAgent(HttpContext context)
+    {
+        if (context is null)
+        {
+            return null;
+        }
+
+        return context.Request.Headers.TryGetValue(HeaderNames.UserAgent, out var userAgent)
+                   ? userAgent.ToString()
+                   : null;
+    }
+}

src/ASPNETCore2JwtAuthentication.Services/IDeviceDetectionService.cs

@@ -0,0 +1,19 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Http;
+
+namespace ASPNETCore2JwtAuthentication.Services;
+
+public interface IDeviceDetectionService
+{
+    string GetDeviceDetails(HttpContext context);
+    string GetCurrentRequestDeviceDetails();
+
+    string GetDeviceDetailsHash(HttpContext context);
+    string GetCurrentRequestDeviceDetailsHash();
+
+    string GetUserTokenDeviceDetailsHash(ClaimsIdentity claimsIdentity);
+    string GetCurrentUserTokenDeviceDetailsHash();
+
+    bool HasUserTokenValidDeviceDetails(ClaimsIdentity claimsIdentity);
+    bool HasCurrentUserTokenValidDeviceDetails();
+}

src/ASPNETCore2JwtAuthentication.Services/TokenFactoryService.cs

@@ -12,6 +12,7 @@ namespace ASPNETCore2JwtAuthentication.Services;
 public class TokenFactoryService : ITokenFactoryService
 {
     private readonly IOptionsSnapshot<BearerTokensOptions> _configuration;
+    private readonly IDeviceDetectionService _deviceDetectionService;
     private readonly ILogger<TokenFactoryService> _logger;
     private readonly IRolesService _rolesService;
     private readonly ISecurityService _securityService;
@@ -20,12 +21,15 @@ public TokenFactoryService(
         ISecurityService securityService,
         IRolesService rolesService,
         IOptionsSnapshot<BearerTokensOptions> configuration,
-        ILogger<TokenFactoryService> logger)
+        ILogger<TokenFactoryService> logger,
+        IDeviceDetectionService deviceDetectionService)
     {
         _securityService = securityService ?? throw new ArgumentNullException(nameof(securityService));
         _rolesService = rolesService ?? throw new ArgumentNullException(nameof(rolesService));
         _configuration = configuration ?? throw new ArgumentNullException(nameof(configuration));
         _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _deviceDetectionService =
+            deviceDetectionService ?? throw new ArgumentNullException(nameof(deviceDetectionService));
     }
 
     public async Task<JwtTokensData> CreateJwtTokensAsync(User user)
@@ -104,6 +108,8 @@ out _
                          // for invalidation
                          new(ClaimTypes.SerialNumber, refreshTokenSerial, ClaimValueTypes.String,
                              _configuration.Value.Issuer),
+                         new(ClaimTypes.System, _deviceDetectionService.GetCurrentRequestDeviceDetailsHash(),
+                             ClaimValueTypes.String, _configuration.Value.Issuer),
                      };
         var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration.Value.Key));
         var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
@@ -140,17 +146,17 @@ out _
                              DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture),
                              ClaimValueTypes.Integer64, _configuration.Value.Issuer),
                          new(ClaimTypes.NameIdentifier, user.Id.ToString(CultureInfo.InvariantCulture),
-                             ClaimValueTypes.String,
-                             _configuration.Value.Issuer),
+                             ClaimValueTypes.String, _configuration.Value.Issuer),
                          new(ClaimTypes.Name, user.Username, ClaimValueTypes.String, _configuration.Value.Issuer),
                          new("DisplayName", user.DisplayName, ClaimValueTypes.String, _configuration.Value.Issuer),
                          // to invalidate the cookie
                          new(ClaimTypes.SerialNumber, user.SerialNumber, ClaimValueTypes.String,
                              _configuration.Value.Issuer),
                          // custom data
                          new(ClaimTypes.UserData, user.Id.ToString(CultureInfo.InvariantCulture),
-                             ClaimValueTypes.String,
-                             _configuration.Value.Issuer),
+                             ClaimValueTypes.String, _configuration.Value.Issuer),
+                         new(ClaimTypes.System, _deviceDetectionService.GetCurrentRequestDeviceDetailsHash(),
+                             ClaimValueTypes.String, _configuration.Value.Issuer),
                      };
 
         // add roles

src/ASPNETCore2JwtAuthentication.Services/TokenValidatorService.cs

@@ -6,13 +6,18 @@ namespace ASPNETCore2JwtAuthentication.Services;
 
 public class TokenValidatorService : ITokenValidatorService
 {
+    private readonly IDeviceDetectionService _deviceDetectionService;
     private readonly ITokenStoreService _tokenStoreService;
     private readonly IUsersService _usersService;
 
-    public TokenValidatorService(IUsersService usersService, ITokenStoreService tokenStoreService)
+    public TokenValidatorService(IUsersService usersService,
+                                 ITokenStoreService tokenStoreService,
+                                 IDeviceDetectionService deviceDetectionService)
     {
         _usersService = usersService ?? throw new ArgumentNullException(nameof(usersService));
         _tokenStoreService = tokenStoreService ?? throw new ArgumentNullException(nameof(tokenStoreService));
+        _deviceDetectionService =
+            deviceDetectionService ?? throw new ArgumentNullException(nameof(deviceDetectionService));
     }
 
     public async Task ValidateAsync(TokenValidatedContext context)
@@ -29,6 +34,12 @@ public async Task ValidateAsync(TokenValidatedContext context)
             return;
         }
 
+        if (!_deviceDetectionService.HasUserTokenValidDeviceDetails(claimsIdentity))
+        {
+            context.Fail("Detected usage of an old token from a new device! Please login again!");
+            return;
+        }
+
         var serialNumberClaim = claimsIdentity.FindFirst(ClaimTypes.SerialNumber);
         if (serialNumberClaim == null)
         {