changed login flow to support 2 phase program selection login.

2026-05-20 12:17:35 +00:00 · 2026-02-21 15:40:04 -08:00
parent d90eefacdd
commit 043ff337c1
14 changed files with 280 additions and 44 deletions
@@ -10,15 +10,42 @@ public class TokenService
 {
    private readonly IConfiguration _config;
    private readonly int _tokenExpiryInSeconds = 60 * 15; // 15 minutes
+    private readonly int _sessionTokenExpiryInSeconds = 60 * 5; // 5 minutes

    public TokenService(IConfiguration config)
    {
        _config = config;
    }

-    public string GenerateToken(Guid userId, string email, string role)
+    // Phase 1: short-lived token with no program/role scope, only valid for SelectProgram
+    public string GenerateSessionToken(Guid userId, string email)
    {
+        var claims = new List<Claim>
+        {
+            new Claim(JwtRegisteredClaimNames.Sub, userId.ToString()),
+            new Claim(JwtRegisteredClaimNames.Email, email),
+            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
+            new Claim("user_id", userId.ToString()),
+            new Claim("auth_stage", "selecting_program")
+        };

+        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Jwt:Key"]!));
+        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
+
+        var token = new JwtSecurityToken(
+            issuer: _config["Jwt:Issuer"],
+            audience: null,
+            claims: claims,
+            expires: DateTime.UtcNow.AddSeconds(_sessionTokenExpiryInSeconds),
+            signingCredentials: creds
+        );
+
+        return new JwtSecurityTokenHandler().WriteToken(token);
+    }
+
+    // Phase 2: full program-scoped token
+    public string GenerateToken(Guid userId, string email, string role, Guid programId)
+    {
        if (UserRoles.TryParse(role) is null)
        {
            throw new ArgumentException("Invalid role name");
@@ -29,14 +56,11 @@ public class TokenService
            new Claim(JwtRegisteredClaimNames.Sub, userId.ToString()),
            new Claim(JwtRegisteredClaimNames.Email, email),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
-            new Claim("user_id", userId.ToString())
+            new Claim("user_id", userId.ToString()),
+            new Claim("program_id", programId.ToString()),
+            new Claim(ClaimTypes.Role, role)
        };

-        if (role is not null)
-        {
-            claims.Add(new Claim(ClaimTypes.Role, role));
-        }
-
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Jwt:Key"]!));
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);