adds OAuth support

Author: jakeoverall

CodeWorks.Auth.csproj

@@ -6,7 +6,7 @@
     <Nullable>enable</Nullable>
 
     <PackageId>CodeWorks.Auth</PackageId>
-    <Version>0.0.2</Version>
+    <Version>0.0.3</Version>
     <Authors>CodeWorks</Authors>
     <Company>CodeWorks</Company>
     <Description>Flexible, pluggable authentication module for .NET APIs with JWT, email login, and MFA support.</Description>

Interfaces/IAccountIdentity.cs

@@ -1,3 +1,6 @@
+using CodeWorks.Auth.Models;
+using Microsoft.AspNetCore.Identity;
+
 namespace CodeWorks.Auth.Interfaces;
 
 public interface IAccountIdentity
@@ -13,3 +16,20 @@ public interface IAccountIdentity
   List<string> Roles { get; set; }
   List<string> Permissions { get; set; }
 }
+
+public interface IOAuthUser : IAccountIdentity
+{
+  string? Provider { get; set; }  // "google", "facebook", "local"
+  string? ProviderId { get; set; } // User ID from OAuth provider
+  string? ProfilePictureUrl { get; set; }
+}
+
+public interface IOAuthService<TUser> where TUser : IOAuthUser
+{
+  Task<AuthResult<TUser>> HandleOAuthCallbackAsync(
+      ExternalLoginInfo loginInfo);
+
+  Task<string> GenerateOAuthStateAsync(string provider);
+
+  Task<bool> ValidateOAuthStateAsync(string state);
+}

Interfaces/IAccountIdentityStore.cs

@@ -7,6 +7,10 @@ public interface IAccountIdentityStore<TIdentity> where TIdentity : IAccountIden
   Task SaveAsync(TIdentity user);
   Task<TIdentity> FindByIdAsync(string id);
 
+  Task<TIdentity> FindByProviderAsync(string provider, string providerId);
+
+  
+
   async public Task<TIdentity> MarkEmailVerifiedAsync(TIdentity user)
   {
     if (user == null) throw new ArgumentNullException(nameof(user));

Models/AuthResult.cs

@@ -1,12 +1,14 @@
 using CodeWorks.Auth.Interfaces;
 
-public class AuthResult
+namespace CodeWorks.Auth.Models;
+
+public class AuthResult<UserT>
 {
   public bool IsSuccessful { get; init; }
-  public IAccountIdentity? User { get; init; }
+  public UserT? User { get; init; }
   public string? Token { get; init; }
   public string? Error { get; init; }
 
-  public static AuthResult Success(IAccountIdentity user, string token) => new() { IsSuccessful = true, Token = token, User = user };
-  public static AuthResult Failure(string message) => new() { IsSuccessful = false, Error = message };
+  public static AuthResult<UserT> Success(UserT user, string token) => new() { IsSuccessful = true, Token = token, User = user };
+  public static AuthResult<UserT> Failure(string message) => new() { IsSuccessful = false, Error = message };
 }

Services/AuthService.cs

@@ -1,17 +1,18 @@
 using CodeWorks.Auth.Extensions;
 using CodeWorks.Auth.Interfaces;
+using CodeWorks.Auth.Models;
 using CodeWorks.Auth.Security;
 using Microsoft.AspNetCore.Identity;
 
 namespace CodeWorks.Auth.Services;
 
 public interface IAuthService<TIdentity> where TIdentity : IAccountIdentity
 {
-  Task<AuthResult> LoginAsync(string email, string password);
-  Task<AuthResult> RegisterAsync(TIdentity user, string password);
-  Task<AuthResult> ResetPasswordAsync(string email, string newPassword);
-  Task<AuthResult> RefreshAuthToken(string token, int refreshExtensionInHours = 1);
-  AuthResult GenerateAuthToken(IAccountIdentity user);
+  Task<AuthResult<TIdentity>> LoginAsync(string email, string password);
+  Task<AuthResult<TIdentity>> RegisterAsync(TIdentity user, string password);
+  Task<AuthResult<TIdentity>> ResetPasswordAsync(string email, string newPassword);
+  Task<AuthResult<TIdentity>> RefreshAuthToken(string token, int refreshExtensionInHours = 1);
+  AuthResult<TIdentity> GenerateAuthToken(TIdentity user);
 
 }
 
@@ -20,59 +21,59 @@ public class AuthService<TIdentity>(IAccountIdentityStore<TIdentity> store, IJwt
   private readonly IAccountIdentityStore<TIdentity> _store = store;
   private readonly IJwtService _jwt = jwt;
 
-  public async Task<AuthResult> RegisterAsync(TIdentity user, string password)
+  public async Task<AuthResult<TIdentity>> RegisterAsync(TIdentity user, string password)
   {
     if (await _store.EmailExistsAsync(user.Email))
-      return AuthResult.Failure("Email already registered.");
+      return AuthResult<TIdentity>.Failure("Email already registered.");
 
-    user.PasswordHash = PasswordHelper<IAccountIdentity>.HashPassword(user, password);
+    user.PasswordHash = PasswordHelper<TIdentity>.HashPassword(user, password);
     await _store.SaveAsync(user);
-    return AuthResult.Success(user, _jwt.GenerateToken(user));
+    return AuthResult<TIdentity>.Success(user, _jwt.GenerateToken(user));
   }
 
-  public async Task<AuthResult> LoginAsync(string email, string password)
+  public async Task<AuthResult<TIdentity>> LoginAsync(string email, string password)
   {
     var user = await _store.FindByEmailAsync(email);
     if (user == null)
-      return AuthResult.Failure("Invalid credentials.");
+      return AuthResult<TIdentity>.Failure("Invalid credentials.");
 
-    var result = PasswordHelper<IAccountIdentity>.VerifyPassword(user, user.PasswordHash, password);
+    var result = PasswordHelper<TIdentity>.VerifyPassword(user, user.PasswordHash, password);
     if (result == PasswordVerificationResult.Failed)
-      return AuthResult.Failure("Invalid credentials.");
+      return AuthResult<TIdentity>.Failure("Invalid credentials.");
 
-    return AuthResult.Success(user, _jwt.GenerateToken(user));
+    return AuthResult<TIdentity>.Success(user, _jwt.GenerateToken(user));
   }
 
-  public async Task<AuthResult> ResetPasswordAsync(string email, string newPassword)
+  public async Task<AuthResult<TIdentity>> ResetPasswordAsync(string email, string newPassword)
   {
     var user = await _store.FindByEmailAsync(email);
     if (user == null)
-      return AuthResult.Failure("User not found.");
+      return AuthResult<TIdentity>.Failure("User not found.");
 
-    user.PasswordHash = PasswordHelper<IAccountIdentity>.HashPassword(user, newPassword);
+    user.PasswordHash = PasswordHelper<TIdentity>.HashPassword(user, newPassword);
     await _store.SaveAsync(user);
-    return AuthResult.Success(user, _jwt.GenerateToken(user));
+    return AuthResult<TIdentity>.Success(user, _jwt.GenerateToken(user));
   }
 
-  public AuthResult GenerateAuthToken(IAccountIdentity user)
+  public AuthResult<TIdentity> GenerateAuthToken(TIdentity user)
   {
     if (user == null)
-      return AuthResult.Failure("Invalid credentials.");
-    return AuthResult.Success(user, _jwt.GenerateToken(user));
+      return AuthResult<TIdentity>.Failure("Invalid credentials.");
+    return AuthResult<TIdentity>.Success(user, _jwt.GenerateToken(user));
   }
 
 
-  public async Task<AuthResult> RefreshAuthToken(string token, int refreshExtensionInHours = 1)
+  public async Task<AuthResult<TIdentity>> RefreshAuthToken(string token, int refreshExtensionInHours = 1)
   {
     var email = _jwt.GetEmailFromToken(token);
     var user = await _store.FindByEmailAsync(email);
     if (user == null)
-      return AuthResult.Failure("Invalid credentials.");
+      return AuthResult<TIdentity>.Failure("Invalid credentials.");
 
     var result = _jwt.RefreshToken(token, user, refreshExtensionInHours);
     if (result == null)
-      return AuthResult.Failure("Invalid token.");
-    return AuthResult.Success(user, result);
+      return AuthResult<TIdentity>.Failure("Invalid token.");
+    return AuthResult<TIdentity>.Success(user, result);
   }
 
 }

Services/OAuthService.cs

@@ -0,0 +1,134 @@
+using System.Security.Claims;
+using System.Security.Cryptography;
+using CodeWorks.Auth.Interfaces;
+using CodeWorks.Auth.Models;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Logging;
+
+namespace CodeWorks.Auth.Services;
+
+public class OAuthService<TUser> : IOAuthService<TUser>
+    where TUser : class, IOAuthUser, new()
+{
+    private readonly IAccountIdentityStore<TUser> _userStore;
+    private readonly IAuthService<TUser> _authService;
+    private readonly ILogger<OAuthService<TUser>> _logger;
+
+    public OAuthService(
+        IAccountIdentityStore<TUser> userStore,
+        IAuthService<TUser> authService,
+        ILogger<OAuthService<TUser>> logger)
+    {
+        _userStore = userStore;
+        _authService = authService;
+        _logger = logger;
+    }
+
+    public async Task<AuthResult<TUser>> HandleOAuthCallbackAsync(
+        ExternalLoginInfo loginInfo)
+    {
+        try
+        {
+            var email = loginInfo.Principal.FindFirstValue(ClaimTypes.Email);
+            var providerId = loginInfo.ProviderKey;
+            var provider = loginInfo.LoginProvider.ToLower();
+
+            if (string.IsNullOrEmpty(email))
+            {
+                return AuthResult<TUser>.Failure("Email not provided by OAuth provider");
+            }
+
+            // Check if user exists by provider ID
+            var existingUser = await _userStore.FindByProviderAsync(provider, providerId);
+
+            if (existingUser != null)
+            {
+                return GenerateUserToken(existingUser);
+            }
+
+            // Check if user exists by email
+            existingUser = await _userStore.FindByEmailAsync(email);
+
+            if (existingUser != null)
+            {
+                // Link OAuth account to existing user
+                existingUser.Provider = provider;
+                existingUser.ProviderId = providerId;
+                existingUser.IsEmailVerified = true; // OAuth providers verify emails
+
+                if (loginInfo.Principal.HasClaim(c => c.Type == "picture"))
+                {
+                    existingUser.ProfilePictureUrl =
+                        loginInfo.Principal.FindFirstValue("picture");
+                }
+
+                await _userStore.SaveAsync(existingUser);
+
+                return GenerateUserToken(existingUser);
+            }
+
+            // Create new user
+            var newUser = new TUser
+            {
+                Id = Guid.NewGuid().ToString(),
+                Email = email,
+                Provider = provider,
+                ProviderId = providerId,
+                IsEmailVerified = true,
+                Name = loginInfo.Principal.FindFirstValue(ClaimTypes.Name) ?? email.Substring(0, email.IndexOf('@')),
+                Picture = loginInfo.Principal.FindFirstValue("picture") ?? string.Empty,
+                ProfilePictureUrl = loginInfo.Principal.FindFirstValue("picture") ?? string.Empty,
+                Roles = ["user"],
+                Permissions = ["read"]
+            };
+
+            if (loginInfo.Principal.HasClaim(c => c.Type == "picture"))
+            {
+                newUser.ProfilePictureUrl =
+                    loginInfo.Principal.FindFirstValue("picture");
+            }
+
+            await _userStore.SaveAsync(newUser);
+
+            return GenerateUserToken(newUser);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Error handling OAuth callback");
+            return AuthResult<TUser>.Failure("OAuth authentication failed");
+        }
+    }
+
+
+    private AuthResult<TUser> GenerateUserToken(TUser existingUser)
+    {
+        var user = _authService.GenerateAuthToken(existingUser) ?? throw new Exception("Failed to generate auth token");
+        if (!user.IsSuccessful)
+        {
+            return AuthResult<TUser>.Failure("Failed to generate auth token");
+        }
+
+        if (user.User == null)
+        {
+            return AuthResult<TUser>.Failure("User not found after token generation");
+        }
+        return AuthResult<TUser>.Success(user.User, user.Token!);
+    }
+
+
+
+    public async Task<string> GenerateOAuthStateAsync(string provider)
+    {
+        // Generate secure state token to prevent CSRF
+        var state = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
+        // Store state with expiration (implement in token store)
+        return state;
+    }
+
+    public async Task<bool> ValidateOAuthStateAsync(string state)
+    {
+        // Validate and consume state token
+        // Implement in token store
+        return true;
+    }
+}