services/identity/FlatRender.IdentitySvc/Application/Services/TokenService.cs

using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using FlatRender.IdentitySvc.Application.Services.Interfaces;
using FlatRender.IdentitySvc.Domain.Entities;
using Microsoft.IdentityModel.Tokens;

namespace FlatRender.IdentitySvc.Application.Services;

public class TokenService(IConfiguration config) : ITokenService
{
    private readonly string _secret = config["Jwt:Secret"]
        ?? throw new InvalidOperationException("Jwt:Secret not configured");
    private readonly string _issuer = config["Jwt:Issuer"] ?? "flatrender-identity";
    private readonly string _audience = config["Jwt:Audience"] ?? "flatrender";
    private readonly int _accessTokenMinutes = int.Parse(config["Jwt:AccessTokenMinutes"] ?? "15");

    public string GenerateAccessToken(User user, Tenant tenant)
    {
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_secret));
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

        // Role claim drives [Authorize(Roles = "...")] in the other services.
        var role = user.IsAdmin ? "Admin" : user.IsTenantAdmin ? "TenantAdmin" : "User";

        var claims = new List<Claim>
        {
            new(JwtRegisteredClaimNames.Sub, user.Id.ToString()),
            new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
            new("tenant_id", tenant.Id.ToString()),
            new("tenant_slug", tenant.Slug),
            new("is_admin", user.IsAdmin.ToString().ToLower()),
            new("is_tenant_admin", user.IsTenantAdmin.ToString().ToLower()),
            new("role", role),
            // Concurrent-render ceiling — render-svc enforces "active renders < max_renders".
            // Admin grants or gamification raise ParallelRenderingCeiling; default is 1.
            new("max_renders", Math.Max(1, user.ParallelRenderingCeiling).ToString()),
        };

        if (!string.IsNullOrEmpty(user.Email))
            claims.Add(new(JwtRegisteredClaimNames.Email, user.Email));

        var token = new JwtSecurityToken(
            issuer: _issuer,
            audience: _audience,
            claims: claims,
            expires: DateTime.UtcNow.AddMinutes(_accessTokenMinutes),
            signingCredentials: creds
        );

        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    public string GenerateRefreshToken()
        => Convert.ToBase64String(RandomNumberGenerator.GetBytes(64));

    public string HashToken(string token)
    {
        var bytes = SHA256.HashData(Encoding.UTF8.GetBytes(token));
        return Convert.ToHexString(bytes).ToLower();
    }

    public (Guid userId, Guid tenantId, bool isAdmin) ValidateAccessToken(string token)
    {
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_secret));
        var handler = new JwtSecurityTokenHandler();
        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = key,
            ValidateIssuer = true,
            ValidIssuer = _issuer,
            ValidateAudience = true,
            ValidAudience = _audience,
            ValidateLifetime = true,
        };

        var principal = handler.ValidateToken(token, parameters, out _);
        var userId = Guid.Parse(principal.FindFirstValue(JwtRegisteredClaimNames.Sub)!);
        var tenantId = Guid.Parse(principal.FindFirstValue("tenant_id")!);
        var isAdmin = bool.Parse(principal.FindFirstValue("is_admin") ?? "false");

        return (userId, tenantId, isAdmin);
    }

    public string GenerateServiceToken()
    {
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_secret));
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

        var token = new JwtSecurityToken(
            issuer: _issuer,
            audience: _audience,
            claims: [new("type", "service"), new("service", "identity")],
            expires: DateTime.UtcNow.AddHours(24),
            signingCredentials: creds
        );

        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}
feat: V2 microservices stack — backend services, gateway, JWT auth 2026-05-29 23:29:31 +03:30			`using System.IdentityModel.Tokens.Jwt;`
			`using System.Security.Claims;`
			`using System.Security.Cryptography;`
			`using System.Text;`
			`using FlatRender.IdentitySvc.Application.Services.Interfaces;`
			`using FlatRender.IdentitySvc.Domain.Entities;`
			`using Microsoft.IdentityModel.Tokens;`

			`namespace FlatRender.IdentitySvc.Application.Services;`

			`public class TokenService(IConfiguration config) : ITokenService`
			`{`
			`private readonly string _secret = config["Jwt:Secret"]`
			`?? throw new InvalidOperationException("Jwt:Secret not configured");`
			`private readonly string _issuer = config["Jwt:Issuer"] ?? "flatrender-identity";`
			`private readonly string _audience = config["Jwt:Audience"] ?? "flatrender";`
			`private readonly int _accessTokenMinutes = int.Parse(config["Jwt:AccessTokenMinutes"] ?? "15");`

			`public string GenerateAccessToken(User user, Tenant tenant)`
			`{`
			`var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_secret));`
			`var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);`

feat: AI SEO generator, full admin panel, i18n sweep, new logo + auth/RTL fixes 2026-06-02 09:35:14 +03:30			`// Role claim drives [Authorize(Roles = "...")] in the other services.`
			`var role = user.IsAdmin ? "Admin" : user.IsTenantAdmin ? "TenantAdmin" : "User";`

feat: V2 microservices stack — backend services, gateway, JWT auth 2026-05-29 23:29:31 +03:30			`var claims = new List<Claim>`
			`{`
			`new(JwtRegisteredClaimNames.Sub, user.Id.ToString()),`
			`new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),`
			`new("tenant_id", tenant.Id.ToString()),`
			`new("tenant_slug", tenant.Slug),`
			`new("is_admin", user.IsAdmin.ToString().ToLower()),`
			`new("is_tenant_admin", user.IsTenantAdmin.ToString().ToLower()),`
feat: AI SEO generator, full admin panel, i18n sweep, new logo + auth/RTL fixes 2026-06-02 09:35:14 +03:30			`new("role", role),`
feat(render): full-screen render page, one-active-render limit, app-wide progress 2026-06-05 16:48:05 +03:30			`// Concurrent-render ceiling — render-svc enforces "active renders < max_renders".`
			`// Admin grants or gamification raise ParallelRenderingCeiling; default is 1.`
			`new("max_renders", Math.Max(1, user.ParallelRenderingCeiling).ToString()),`
feat: V2 microservices stack — backend services, gateway, JWT auth 2026-05-29 23:29:31 +03:30			`};`

			`if (!string.IsNullOrEmpty(user.Email))`
			`claims.Add(new(JwtRegisteredClaimNames.Email, user.Email));`

			`var token = new JwtSecurityToken(`
			`issuer: _issuer,`
			`audience: _audience,`
			`claims: claims,`
			`expires: DateTime.UtcNow.AddMinutes(_accessTokenMinutes),`
			`signingCredentials: creds`
			`);`

			`return new JwtSecurityTokenHandler().WriteToken(token);`
			`}`

			`public string GenerateRefreshToken()`
			`=> Convert.ToBase64String(RandomNumberGenerator.GetBytes(64));`

			`public string HashToken(string token)`
			`{`
			`var bytes = SHA256.HashData(Encoding.UTF8.GetBytes(token));`
			`return Convert.ToHexString(bytes).ToLower();`
			`}`

			`public (Guid userId, Guid tenantId, bool isAdmin) ValidateAccessToken(string token)`
			`{`
			`var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_secret));`
			`var handler = new JwtSecurityTokenHandler();`
			`var parameters = new TokenValidationParameters`
			`{`
			`ValidateIssuerSigningKey = true,`
			`IssuerSigningKey = key,`
			`ValidateIssuer = true,`
			`ValidIssuer = _issuer,`
			`ValidateAudience = true,`
			`ValidAudience = _audience,`
			`ValidateLifetime = true,`
			`};`

			`var principal = handler.ValidateToken(token, parameters, out _);`
			`var userId = Guid.Parse(principal.FindFirstValue(JwtRegisteredClaimNames.Sub)!);`
			`var tenantId = Guid.Parse(principal.FindFirstValue("tenant_id")!);`
			`var isAdmin = bool.Parse(principal.FindFirstValue("is_admin") ?? "false");`

			`return (userId, tenantId, isAdmin);`
			`}`

			`public string GenerateServiceToken()`
			`{`
			`var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_secret));`
			`var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);`

			`var token = new JwtSecurityToken(`
			`issuer: _issuer,`
			`audience: _audience,`
			`claims: [new("type", "service"), new("service", "identity")],`
			`expires: DateTime.UtcNow.AddHours(24),`
			`signingCredentials: creds`
			`);`

			`return new JwtSecurityTokenHandler().WriteToken(token);`
			`}`
			`}`