feat: доделал MS Auth для фронта

backend/UniVerse.Api/Controllers/AuthController.cs

@@ -1,7 +1,9 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.WebUtilities;
 using UniVerse.Application.DTOs.Auth;
 using UniVerse.Application.Interfaces;
+using System.Security.Cryptography;
 using System.Security.Claims;
 
 namespace UniVerse.Api.Controllers;
@@ -11,16 +13,122 @@ namespace UniVerse.Api.Controllers;
 public class AuthController : ControllerBase
 {
     private readonly IAuthService _auth;
-    public AuthController(IAuthService auth) => _auth = auth;
+    private readonly IConfiguration _config;
+
+    private const string MicrosoftStateCookieName = "msAuthState";
+    private const string MicrosoftReturnUrlCookieName = "msAuthReturnUrl";
+
+    public AuthController(IAuthService auth, IConfiguration config)
+    {
+        _auth = auth;
+        _config = config;
+    }
 
     [HttpPost("login/microsoft")]
     public async Task<ActionResult<AuthResponse>> LoginMicrosoft([FromBody] LoginMicrosoftRequest request)
     {
-        var result = await _auth.LoginWithMicrosoftAsync(request.AuthorizationCode);
+        var result = await _auth.LoginWithMicrosoftAsync(request.AuthorizationCode, request.RedirectUri);
         SetRefreshTokenCookie(result.RefreshToken);
         return Ok(result.Response);
     }
 
+    // Server-driven auth flow: frontend just navigates here; backend builds Microsoft authorize URL.
+    // Optional returnUrl is stored in a short-lived cookie and used by callback.
+    [HttpGet("login/microsoft")]
+    [AllowAnonymous]
+    public IActionResult LoginMicrosoftRedirect([FromQuery] string? returnUrl = null)
+    {
+        var tenantId = _config["AzureAd:TenantId"];
+        var clientId = _config["AzureAd:ClientId"];
+        var instance = _config["AzureAd:Instance"] ?? "https://login.microsoftonline.com/";
+
+        if (string.IsNullOrWhiteSpace(tenantId) || string.IsNullOrWhiteSpace(clientId))
+            return Problem("Microsoft authentication is not configured (AzureAd:TenantId/ClientId).", statusCode: StatusCodes.Status500InternalServerError);
+
+        var redirectUri = _config["AzureAd:RedirectUri"] ?? BuildAbsoluteUrl("/api/v1/auth/callback/microsoft");
+
+        var state = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
+        Response.Cookies.Append(MicrosoftStateCookieName, state, new CookieOptions
+        {
+            HttpOnly = true,
+            Secure = Request.IsHttps,
+            SameSite = SameSiteMode.Lax,
+            Expires = DateTimeOffset.UtcNow.AddMinutes(10)
+        });
+
+        if (!string.IsNullOrWhiteSpace(returnUrl) && IsAllowedReturnUrl(returnUrl))
+        {
+            Response.Cookies.Append(MicrosoftReturnUrlCookieName, returnUrl, new CookieOptions
+            {
+                HttpOnly = true,
+                Secure = Request.IsHttps,
+                SameSite = SameSiteMode.Lax,
+                Expires = DateTimeOffset.UtcNow.AddMinutes(10)
+            });
+        }
+
+        var authorizeEndpoint = $"{instance.TrimEnd('/')}/{tenantId}/oauth2/v2.0/authorize";
+        var scope = _config["AzureAd:Scopes"] ?? "openid profile email offline_access User.Read";
+
+        var authorizeUrl = QueryHelpers.AddQueryString(authorizeEndpoint, new Dictionary<string, string?>
+        {
+            ["client_id"] = clientId,
+            ["response_type"] = "code",
+            ["redirect_uri"] = redirectUri,
+            ["response_mode"] = "query",
+            ["scope"] = scope,
+            ["state"] = state
+        });
+
+        return Redirect(authorizeUrl);
+    }
+
+    [HttpGet("callback/microsoft")]
+    [AllowAnonymous]
+    public async Task<IActionResult> CallbackMicrosoft(
+        [FromQuery] string? code = null,
+        [FromQuery] string? state = null,
+        [FromQuery] string? error = null,
+        [FromQuery(Name = "error_description")] string? errorDescription = null)
+    {
+        if (!string.IsNullOrEmpty(error))
+        {
+            return Unauthorized(new
+            {
+                error,
+                errorDescription
+            });
+        }
+
+        if (string.IsNullOrWhiteSpace(code))
+            return BadRequest(new { error = "missing_code" });
+
+        var expectedState = Request.Cookies[MicrosoftStateCookieName];
+        if (string.IsNullOrWhiteSpace(expectedState) || string.IsNullOrWhiteSpace(state) || !string.Equals(expectedState, state, StringComparison.Ordinal))
+            return Unauthorized(new { error = "invalid_state" });
+
+        Response.Cookies.Delete(MicrosoftStateCookieName);
+
+        var redirectUri = _config["AzureAd:RedirectUri"] ?? BuildAbsoluteUrl("/api/v1/auth/callback/microsoft");
+
+        var result = await _auth.LoginWithMicrosoftAsync(code, redirectUri);
+        SetRefreshTokenCookie(result.RefreshToken);
+
+        var returnUrl = Request.Cookies[MicrosoftReturnUrlCookieName] ?? _config["AzureAd:PostLoginRedirectUri"];
+        Response.Cookies.Delete(MicrosoftReturnUrlCookieName);
+
+        if (!string.IsNullOrWhiteSpace(returnUrl) && IsAllowedReturnUrl(returnUrl))
+        {
+            // Put access token in URL fragment so it is not sent as Referer to the backend.
+            // Frontend can read it from location.hash on the landing page.
+            var fragment = $"access_token={Uri.EscapeDataString(result.Response.AccessToken)}&expires_at={Uri.EscapeDataString(result.Response.ExpiresAt.ToString("O"))}";
+            return Redirect($"{returnUrl}#{fragment}");
+        }
+
+        // Useful for manual testing without frontend: you'll see JSON in the browser.
+        return Ok(result.Response);
+    }
+
     [HttpPost("login/dev")]
     public async Task<ActionResult<AuthResponse>> DevLogin([FromBody] DevLoginRequest request)
     {
@@ -70,4 +178,32 @@ public class AuthController : ControllerBase
             Expires = DateTime.UtcNow.AddDays(30)
         });
     }
+
+    private string BuildAbsoluteUrl(string path)
+    {
+        if (!path.StartsWith('/')) path = "/" + path;
+        return $"{Request.Scheme}://{Request.Host}{path}";
+    }
+
+    private bool IsAllowedReturnUrl(string returnUrl)
+    {
+        if (Uri.TryCreate(returnUrl, UriKind.Relative, out _))
+            return true;
+
+        if (!Uri.TryCreate(returnUrl, UriKind.Absolute, out var absolute))
+            return false;
+
+        var allowedOrigins = _config.GetSection("Cors:Origins").Get<string[]>() ?? Array.Empty<string>();
+        foreach (var origin in allowedOrigins)
+        {
+            if (!Uri.TryCreate(origin, UriKind.Absolute, out var allowed))
+                continue;
+            if (string.Equals(allowed.Scheme, absolute.Scheme, StringComparison.OrdinalIgnoreCase)
+                && string.Equals(allowed.Host, absolute.Host, StringComparison.OrdinalIgnoreCase)
+                && allowed.Port == absolute.Port)
+                return true;
+        }
+
+        return false;
+    }
 }