feat: Logout functionality (#14)

* feat: Fix hash validation

* fix: Adjust k6 scenario with correct user creds

* feat: Logout endpoint

Author: Expeth

src/UserAPI.Application/Common/Abstraction/Repository/ISessionsRepository.cs

@@ -5,6 +5,7 @@ namespace UserAPI.Application.Common.Abstraction.Repository
 {
     public interface ISessionsRepository
     {
+        Task<bool> SetEndedAsync(string id);
         Task<SessionEntity> GetAsync(string id);
         Task CreateAsync(SessionEntity entity);
     }

src/UserAPI.Application/Handler/Query/LogoutUser.cs

@@ -0,0 +1,111 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using FluentValidation;
+using MediatR;
+using UserAPI.Application.Common.Model.Result;
+using UserAPI.Domain.ValueObject;
+using OneOf;
+using Serilog;
+using UserAPI.Application.Common.Abstraction.Repository;
+using UserAPI.Application.Common.Extension;
+using UserAPI.Application.Common.Model.Constant;
+using UserAPI.Application.Handler.Command;
+
+namespace UserAPI.Application.Handler.Query
+{
+    public static class LogoutUser
+    {
+        public sealed class Request : IRequest<OneOf<Response, ValidationFail, InternalError>>
+        {
+            public JwtClaims JwtClaims { get; }
+
+            public Request(JwtClaims jwtClaims)
+            {
+                JwtClaims = jwtClaims;
+            }
+        }
+
+        public sealed class Response
+        {
+            public Response()
+            {
+            }
+        }
+        
+        public sealed class RequestValidator : AbstractValidator<Request>
+        {
+            public RequestValidator()
+            {
+                RuleFor(i => i.JwtClaims.UserId)
+                    .NotNull()
+                    .NotEmpty();
+
+                RuleFor(i => i.JwtClaims.IssuedAt)
+                    .NotNull()
+                    .Must(i => i.IsPassed())
+                    .WithMessage(ErrorMessage.InvalidJWT);
+                
+                RuleFor(i => i.JwtClaims.ExpiresAt)
+                    .NotNull()
+                    .Must(i => !i.IsPassed())
+                    .WithMessage(ErrorMessage.InvalidJWT);
+            }
+        }
+        
+        public sealed class Handler : IRequestHandler<Request,
+            OneOf<Response, ValidationFail, InternalError>>
+        {
+            private static readonly ILogger Logger = Log.ForContext(typeof(LogoutUser));
+            
+            private readonly IValidator<Request> _requestValidator;
+            private readonly ISessionsRepository _sessionsRepository;
+
+            public Handler(ISessionsRepository sessionsRepository,
+                IValidator<Request> requestValidator)
+            {
+                _sessionsRepository = sessionsRepository;
+                _requestValidator = requestValidator;
+            }
+
+            public async Task<OneOf<Response, ValidationFail, InternalError>> Handle(Request request, 
+                CancellationToken cancellationToken)
+            {
+                try
+                {
+                    var requestValidationResult = await _requestValidator.ValidateAsync(request, cancellationToken);
+                    if (!requestValidationResult.IsValid)
+                        return ValidationFail.FromValidationResult(requestValidationResult);
+
+                    var session = await _sessionsRepository.GetAsync(request.JwtClaims.SessionId);
+                    if (session == null || session.UserId != request.JwtClaims.UserId)
+                    {
+                        return ValidationFail.FromMessage(ErrorMessage.InvalidSession);
+                    }
+
+                    if (session.EndTime.HasValue && session.EndTime.Value.IsPassed())
+                    {
+                        return ValidationFail.FromMessage(ErrorMessage.InvalidSession);
+                    }
+
+                    var isUpdated = await _sessionsRepository.SetEndedAsync(session.Id);
+
+                    if (!isUpdated)
+                    {
+                        Logger.Error("Session wasn't able to update for userId: {userId}, sessionId: {sessionId}",
+                            request.JwtClaims.UserId, request.JwtClaims.SessionId);
+                        return InternalError.Default;
+                    }
+
+                    return new Response();
+                }
+                catch (Exception e)
+                {
+                    Logger.Error(e, "Exception during logout for userId: {userId}, sessionId: {sessionId}",
+                        request.JwtClaims.UserId, request.JwtClaims.SessionId);
+                    return InternalError.Default;
+                }
+            }
+        }
+    }
+}

src/UserAPI.Application/UserAPI.Application.csproj

@@ -15,8 +15,4 @@
       <PackageReference Include="Serilog" Version="2.10.0" />
     </ItemGroup>
 
-    <ItemGroup>
-      <Folder Include="Handler\Query" />
-    </ItemGroup>
-
 </Project>

src/UserAPI.Host/Controllers/UsersController.cs

@@ -1,9 +1,9 @@
-using System.Linq;
-using System.Threading.Tasks;
+using System.Threading.Tasks;
 using MediatR;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using UserAPI.Application.Handler.Command;
+using UserAPI.Application.Handler.Query;
 using UserAPI.Contracts.Request;
 using UserAPI.Contracts.Response;
 using UserAPI.Host.Extensions;
@@ -53,5 +53,15 @@ public async Task<IActionResult> RefreshToken([FromBody] RefreshJwtRequest reque
             return domainResponse.Match(response =>
                     Ok(new RefreshJwtResponse(response.Jwt, response.RefreshToken)), BadRequest, InternalError);
         }
+
+        [Authorize]
+        [HttpPost("logout")]
+        public async Task<IActionResult> Logout()
+        {
+            var domainRequest = new LogoutUser.Request(HttpContext.User.Claims.ToClaimsObject());
+
+            var domainResponse = await _mediator.Send(domainRequest);
+            return domainResponse.Match(Ok, BadRequest, InternalError);
+        }
     }
 }

src/UserAPI.Infrastructure/Repository/SessionRepository.cs

@@ -1,3 +1,4 @@
+using System;
 using System.Threading.Tasks;
 using MongoDB.Driver;
 using UserAPI.Application.Common.Abstraction.Repository;
@@ -14,6 +15,19 @@ public SessionRepository(IMongoDatabase database)
             _database = database;
         }
 
+        public async Task<bool> SetEndedAsync(string id)
+        {
+            var collection = _database.GetCollection<SessionEntity>("sessions");
+            var filterBuilder = Builders<SessionEntity>.Filter;
+            var filter = filterBuilder.Eq(i => i.Id, id);
+
+            var updateBuilder = Builders<SessionEntity>.Update;
+            var update = updateBuilder.Set(i => i.EndTime, DateTime.UtcNow);
+
+            var result = await collection.UpdateOneAsync(filter, update);
+            return result.IsAcknowledged;
+        }
+
         public async Task<SessionEntity> GetAsync(string id)
         {
             var collection = _database.GetCollection<SessionEntity>("sessions");

src/UserAPI.Infrastructure/Service/Pbkdf2PasswordService.cs

@@ -29,7 +29,7 @@ public PasswordHash GenerateHash(string password, string salt = null)
         public bool ValidateHash(string hash, string password, string salt)
         {
             var pwdHash = GenerateHash(password, salt);
-            return string.Equals(pwdHash.Hash, hash, StringComparison.OrdinalIgnoreCase);
+            return string.Equals(pwdHash.Hash, hash);
         }
 
         private byte[] GenerateSalt()

tests/UserAPI.E2E/Scenario/Base/Scenario.cs

@@ -41,6 +41,16 @@ public Scenario()
             };
         }
 
+        protected Task<(HttpStatusCode code, string strResponse)> SendAsJson(string path, string jwt = null)
+        {
+            if (!string.IsNullOrEmpty(jwt))
+            {
+                return SendAsJsonInternal(path, string.Empty, AuthorizedHttpClient(jwt));
+            }
+            
+            return SendAsJsonInternal(path, string.Empty, HttpClient);
+        }
+        
         protected Task<(HttpStatusCode code, string strResponse, TResponse response)> SendAsJson<TRequest,
             TResponse>(string path, TRequest request, string jwt = null)
         {

tests/UserAPI.E2E/Scenario/LogoutScenario.cs

@@ -0,0 +1,61 @@
+using System.Net;
+using System.Threading.Tasks;
+using NUnit.Framework;
+using UserAPI.Contracts.Request;
+using UserAPI.Contracts.Response;
+using UserAPI.Host.IntegrationTests.Common.Builder;
+
+namespace UserAPI.Host.IntegrationTests.Scenario
+{
+    public class LogoutScenario : Base.Scenario
+    {
+        [Test]
+        public async Task Should_SuccessfullyLogoutUser_When_NotExpiredJwtWithSessionPassed()
+        {
+            var authenticationRequest = new AuthenticationRequestBuilder()
+                .WithLogin(Config.TestData.ValidUser.Username)
+                .WithPassword(Config.TestData.ValidUser.Password)
+                .Build();
+
+            var authResponse =
+                await SendAsJson<AuthenticateUserRequest, AuthenticateUserResponse>("users/authenticate",
+                    authenticationRequest);
+
+            var logoutResponse = await SendAsJson("users/logout", authResponse.response.Jwt);
+            
+            Assert.AreEqual(HttpStatusCode.OK, logoutResponse.code);
+        }
+        
+        [Test]
+        public async Task Should_FailLogoutUser_When_ExpiredJwtPassed()
+        {
+            var expiredJwt = Config.TestData.ValidUser.ExpiredJwt;
+            
+            var logoutResponse = await SendAsJson("users/logout", expiredJwt);
+            
+            Assert.AreEqual(HttpStatusCode.BadRequest, logoutResponse.code);
+            Assert.IsTrue(logoutResponse.strResponse.Contains("Invalid JWT"));
+        }
+        
+        [Test]
+        public async Task Should_FailLogoutUser_When_EndedSessionInJwtPassed()
+        {
+            var authenticationRequest = new AuthenticationRequestBuilder()
+                .WithLogin(Config.TestData.ValidUser.Username)
+                .WithPassword(Config.TestData.ValidUser.Password)
+                .Build();
+
+            var authResponse =
+                await SendAsJson<AuthenticateUserRequest, AuthenticateUserResponse>("users/authenticate",
+                    authenticationRequest);
+
+            // Send first logout request to end the session
+            await SendAsJson("users/logout", authResponse.response.Jwt);
+            
+            var logoutResponse = await SendAsJson("users/logout", authResponse.response.Jwt);
+            
+            Assert.AreEqual(HttpStatusCode.BadRequest, logoutResponse.code);
+            Assert.IsTrue(logoutResponse.strResponse.Contains("Invalid session"));
+        }
+    }
+}

tests/k6/authenticate-load.js

@@ -3,16 +3,16 @@ import { check, sleep } from 'k6';
 
 export const options = {
   stages: [
-    { duration: '10s', target: 20 },
-    { duration: '5m', target: 20 },
+    { duration: '10s', target: 10 },
+    { duration: '5m', target: 10 },
     { duration: '10s', target: 0 },
   ],
 };
 
 export default function () {
     const payload = JSON.stringify({
-        login: 'kovetskiy',
-        password: '1234567',
+        login: 'testuser1',
+        password: '123456aF1!',
     });
 
     const params = {
@@ -22,6 +22,6 @@ export default function () {
       };
 
 
-  const res = http.post('http://127.0.0.1:5000/users/authenticate', payload, params);
+  const res = http.post('http://127.0.0.1:50000/users/authenticate', payload, params);
   check(res, { 'status was 200': (r) => r.status == 200 });
 }