♻️ Refactored auth service for better security

DysonNetwork.Pass/Auth/OpenId/ConnectionController.cs

@@ -342,13 +342,19 @@ public class ConnectionController(
                 callbackData.State.Split('|').FirstOrDefault() :
                 string.Empty;
 
-            var challenge = await oidcService.CreateChallengeForUserAsync(
+            if (HttpContext.Items["CurrentSession"] is not SnAuthSession parentSession) parentSession = null;
+            
+            var session = await oidcService.CreateSessionForUserAsync(
                 userInfo,
                 connection.Account,
                 HttpContext,
-                deviceId ?? string.Empty);
+                deviceId ?? string.Empty,
+                null,
+                ClientPlatform.Web,
+                parentSession);
             
-            var redirectUrl = QueryHelpers.AddQueryString(redirectBaseUrl, "challenge", challenge.Id.ToString());
+            var token = auth.CreateToken(session);
+            var redirectUrl = QueryHelpers.AddQueryString(redirectBaseUrl, "token", token);
             logger.LogInformation("OIDC login successful for user {UserId}. Redirecting to {RedirectUrl}", connection.AccountId, redirectUrl);
             return Redirect(redirectUrl);
         }

DysonNetwork.Pass/Auth/OpenId/OidcController.cs

@@ -14,6 +14,7 @@ public class OidcController(
     IServiceProvider serviceProvider,
     AppDatabase db,
     AccountService accounts,
+    AuthService auth,
     ICacheService cache,
     ILogger<OidcController> logger
 )
@@ -22,6 +23,11 @@ public class OidcController(
     private const string StateCachePrefix = "oidc-state:";
     private static readonly TimeSpan StateExpiration = TimeSpan.FromMinutes(15);
 
+    public class TokenExchangeResponse
+    {
+        public string Token { get; set; } = string.Empty;
+    }
+    
     [HttpGet("{provider}")]
     public async Task<ActionResult> OidcLogin(
         [FromRoute] string provider,
@@ -75,7 +81,7 @@ public class OidcController(
     /// Handles Apple authentication directly from mobile apps
     /// </summary>
     [HttpPost("apple/mobile")]
-    public async Task<ActionResult<SnAuthChallenge>> AppleMobileLogin(
+    public async Task<ActionResult<TokenExchangeResponse>> AppleMobileLogin(
         [FromBody] AppleMobileSignInRequest request
     )
     {
@@ -98,16 +104,21 @@ public class OidcController(
             // Find or create user account using existing logic
             var account = await FindOrCreateAccount(userInfo, "apple");
 
+            if (HttpContext.Items["CurrentSession"] is not SnAuthSession parentSession) parentSession = null;
+            
             // Create session using the OIDC service
-            var challenge = await appleService.CreateChallengeForUserAsync(
+            var session = await appleService.CreateSessionForUserAsync(
                 userInfo,
                 account,
                 HttpContext,
                 request.DeviceId,
-                request.DeviceName
+                request.DeviceName,
+                ClientPlatform.Ios,
+                parentSession
             );
-
-            return Ok(challenge);
+            
+            var token = auth.CreateToken(session);
+            return Ok(new TokenExchangeResponse { Token = token });
         }
         catch (SecurityTokenValidationException ex)
         {

DysonNetwork.Pass/Auth/OpenId/OidcService.cs

@@ -1,4 +1,3 @@
-using System;
 using System.IdentityModel.Tokens.Jwt;
 using System.Security.Cryptography;
 using System.Text;
@@ -250,15 +249,17 @@ public abstract class OidcService(
     }
 
     /// <summary>
-    /// Creates a challenge and session for an authenticated user
+    /// Creates a session for an authenticated user
     /// Also creates or updates the account connection
     /// </summary>
-    public async Task<SnAuthChallenge> CreateChallengeForUserAsync(
+    public async Task<SnAuthSession> CreateSessionForUserAsync(
         OidcUserInfo userInfo,
         SnAccount account,
         HttpContext request,
         string deviceId,
-        string? deviceName = null
+        string? deviceName = null,
+        ClientPlatform platform = ClientPlatform.Web,
+        SnAuthSession? parentSession = null
     )
     {
         // Create or update the account connection
@@ -282,28 +283,24 @@ public abstract class OidcService(
             await Db.AccountConnections.AddAsync(connection);
         }
 
-        // Create a challenge that's already completed
+        // Create a session directly
         var now = SystemClock.Instance.GetCurrentInstant();
-        var device = await auth.GetOrCreateDeviceAsync(account.Id, deviceId, deviceName, ClientPlatform.Ios);
-        var challenge = new SnAuthChallenge
-        {
-            ExpiredAt = now.Plus(Duration.FromHours(1)),
-            StepTotal = await auth.DetectChallengeRisk(request.Request, account),
-            Type = ChallengeType.Oidc,
-            Audiences = [ProviderName],
-            Scopes = ["*"],
-            AccountId = account.Id,
-            ClientId = device.Id,
-            IpAddress = request.Connection.RemoteIpAddress?.ToString() ?? null,
-            UserAgent = request.Request.Headers.UserAgent,
-        };
-        challenge.StepRemain--;
-        if (challenge.StepRemain < 0) challenge.StepRemain = 0;
+        var device = await auth.GetOrCreateDeviceAsync(account.Id, deviceId, deviceName, platform);
 
-        await Db.AuthChallenges.AddAsync(challenge);
+        var session = new SnAuthSession
+        {
+            AccountId = account.Id,
+            CreatedAt = now,
+            LastGrantedAt = now,
+            ParentSessionId = parentSession?.Id,
+            ClientId = device.Id,
+            ExpiredAt = now.Plus(Duration.FromDays(30))
+        };
+
+        await Db.AuthSessions.AddAsync(session);
         await Db.SaveChangesAsync();
 
-        return challenge;
+        return session;
     }
 }