amrez-nova-eop-services-api/AMREZ.EOP.Application/UseCases/Authentications/IssueTokenPairUseCase.cs

using System.Data;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using AMREZ.EOP.Abstractions.Applications.Tenancy;
using AMREZ.EOP.Abstractions.Applications.UseCases.Authentications;
using AMREZ.EOP.Abstractions.Infrastructures.Common;
using AMREZ.EOP.Abstractions.Infrastructures.Repositories;
using AMREZ.EOP.Abstractions.Security;
using AMREZ.EOP.Contracts.DTOs.Authentications.IssueTokenPair;
using AMREZ.EOP.Domain.Entities.Authentications;
using Microsoft.AspNetCore.Http;

namespace AMREZ.EOP.Application.UseCases.Authentications;

public sealed class IssueTokenPairUseCase : IIssueTokenPairUseCase
{
    private readonly IUserRepository _users;
    private readonly IJwtFactory _jwt;
    private readonly IHttpContextAccessor _http;

    private const int RefreshDays = 14;

    public IssueTokenPairUseCase(
        IUserRepository users,
        IJwtFactory jwt,
        IHttpContextAccessor http)
    {
        _users = users;
        _jwt = jwt;
        _http = http;
    }

    public async Task<IssueTokenPairResponse> ExecuteAsync(IssueTokenPairRequest request,
        CancellationToken ct = default)
    {
        var http = _http.HttpContext ?? throw new InvalidOperationException("No HttpContext");

        var tenantId = request.TenantId;

        // ---- สร้าง/บันทึก refresh session ----
        var refreshRaw = Convert.ToBase64String(RandomNumberGenerator.GetBytes(64));
        var refreshHash = Sha256(refreshRaw);
        var now = DateTimeOffset.UtcNow;

        var session = await _users.CreateSessionAsync(new UserSession
        {
            Id = Guid.NewGuid(),
            TenantId = tenantId,
            UserId = request.UserId,
            RefreshTokenHash = refreshHash,
            IssuedAt = now,
            ExpiresAt = now.AddDays(RefreshDays),
            DeviceId = http.Request.Headers["X-Device-Id"].FirstOrDefault(),
            UserAgent = http.Request.Headers["User-Agent"].FirstOrDefault(),
            IpAddress = http.Connection.RemoteIpAddress?.ToString()
        }, ct);

        var tv = await _users.GetTenantTokenVersionAsync(tenantId, ct);
        var sstamp = await _users.GetUserSecurityStampAsync(request.UserId, ct) ?? string.Empty;

        // ---- เตรียม claims พื้นฐาน ----
        var claims = new List<Claim>
        {
            new("sub", request.UserId.ToString()),
            new("email", request.Email),
            new("tenant", request.Tenant), // tenantKey ที่ FE ใช้
            new("tenant_id", tenantId.ToString()),
            new("sid", session.Id.ToString()),
            new("jti", Guid.NewGuid().ToString("N")),
            new("tv", tv),
            new("sstamp", sstamp),
            new("iat", now.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64)
        };

        string[] roles = request.Roles ?? Array.Empty<string>();
        if (roles.Length == 0)
        {
            roles = await _users.GetRoleCodesByUserIdAsync(request.UserId, tenantId, ct);
        }

        foreach (var r in roles.Where(s => !string.IsNullOrWhiteSpace(s)).Distinct(StringComparer.OrdinalIgnoreCase))
        {
            claims.Add(new Claim("role", r));
            claims.Add(new Claim(ClaimTypes.Role, r));
        }

        var (access, accessExp) = _jwt.CreateAccessToken(claims);

        return new IssueTokenPairResponse
        {
            AccessToken = access,
            AccessExpiresAt = accessExp,
            RefreshToken = refreshRaw,
            RefreshExpiresAt = session.ExpiresAt
        };
    }

    private static string Sha256(string raw)
    {
        var bytes = SHA256.HashData(Encoding.UTF8.GetBytes(raw));
        return Convert.ToHexString(bytes);
    }
}