KullGames.Auth

The Identity & Token Service — Port 5001

Role in the System
  Browser           AUTH (this)          API
    |                   |                   |
    |  Login + FP       |                   |
    |==================>|                   |
    |  Set-Cookie (30d) |                   |
    |<==================|                   |
    |                   |                   |
    |  GenerateWebToken |                   |
    |  {endpoint,method}|                   |
    |==================>|                   |
    |  OTUT (60s)       |                   |
    |<==================|                   |
    |                   |                   |
    |                   |  ValidateToken    |
    |                   |<==================|
    |                   |  Valid + Claims   |
    |                   |==================>|
    |                   |                   |
    |                   |  CompleteToken    |
    |                   |<==================|
    |                   |  BURN (one-time)  |
    |                   |                   |
What This Service Manages
  KULLGAMES.AUTH — Responsibilities
  ============================================

  1. USER MANAGEMENT
  +------------------------------------------+
  |  ASP.NET Identity + SQLite               |
  |  Users, Roles, Password Hashing          |
  |  Admin seeded on first boot              |
  +------------------------------------------+

  2. SESSION MANAGEMENT
  +------------------------------------------+
  |  Cookie: .KullGames.Auth                 |
  |  HttpOnly, Secure, SameSite=Lax          |
  |  30-day sliding expiration               |
  |  Path = / (shared across services)       |
  +------------------------------------------+

  3. TOKEN ENGINE (OTUT)
  +------------------------------------------+
  |  One-Time-Use Tokens                     |
  |  60-second TTL                           |
  |  Scoped to: Endpoint + HTTP Method       |
  |  Bound to: Device Fingerprint            |
  |  Burned after single validation          |
  +------------------------------------------+

  4. DEVICE FINGERPRINTING
  +------------------------------------------+
  |  Hash = SHA256(                          |
  |    UserAgent + IP_Subnet +               |
  |    ScreenRes + Timezone                  |
  |  )                                       |
  |  Checked at: Login, Token Gen, Token Use |
  +------------------------------------------+
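A reference implementation of the fingerprint hash in the box above, added here as an illustration; it is not the service's own C# code. The page does not fix the subnet size or how the four components are joined, so the /24 (IPv4) and /64 (IPv6) prefixes and the newline separator below are assumptions. All four inputs are supplied by the client, so the hash ties a session to a device only as far as those values stay stable; it is a soft binding layered under the cookie, which is why the stack below still lists the cookie as Layer 1. The sample User-Agent, addresses and screen values are constructed.

```python
import hashlib
import hmac
import ipaddress

# Assumptions not fixed by the page: "IP_Subnet" is the /24 network for IPv4
# and the /64 network for IPv6, and the components are joined with a newline so
# that "abc"+"def" and "ab"+"cdef" cannot produce the same input string.
IPV4_PREFIX = 24
IPV6_PREFIX = 64
SEPARATOR = "\n"


def ip_subnet(client_ip: str) -> str:
    """Reduce a client address to its subnet so ordinary DHCP churn inside
    the same network does not change the fingerprint."""
    addr = ipaddress.ip_address(client_ip)
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    return str(ipaddress.ip_network((str(addr), prefix), strict=False))


def device_fingerprint(user_agent: str, client_ip: str,
                       screen_res: str, timezone: str) -> str:
    """Hash = SHA256(UserAgent + IP_Subnet + ScreenRes + Timezone), hex encoded."""
    material = SEPARATOR.join([user_agent, ip_subnet(client_ip), screen_res, timezone])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def fingerprint_matches(stored: str, presented: str) -> bool:
    """Comparison used at Login, Token Gen and Token Use. Constant-time so the
    check itself leaks nothing about how many leading characters matched."""
    return hmac.compare_digest(stored, presented)


if __name__ == "__main__":
    # Constructed sample: same browser, same /24, different host address.
    ua = "Mozilla/5.0 (X11; Linux x86_64)"
    at_login = device_fingerprint(ua, "203.0.113.7", "1920x1080", "Europe/Berlin")
    at_token_use = device_fingerprint(ua, "203.0.113.250", "1920x1080", "Europe/Berlin")
    print("same device:", fingerprint_matches(at_login, at_token_use))
    moved_subnet = device_fingerprint(ua, "203.0.114.7", "1920x1080", "Europe/Berlin")
    print("other subnet:", fingerprint_matches(at_login, moved_subnet))
```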
Security Layer Stack
  LAYER 4: REPLAY GUARD        Token burned after first use
  -------------------------------------------------------
  LAYER 3: CONTEXT BINDING     OTUT locked to endpoint+method
  -------------------------------------------------------
  LAYER 2: DEVICE BINDING      Fingerprint must match session
  -------------------------------------------------------
  LAYER 1: IDENTITY            Cookie (.KullGames.Auth, 30d)
  -------------------------------------------------------

  Attacker steals cookie?     Blocked — wrong fingerprint
  Attacker intercepts OTUT?   Blocked — already burned
  Attacker replays request?   Blocked — token is dead
  Attacker reuses for DELETE? Blocked — wrong context
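The OTUT lifecycle from the sequence diagram (GenerateWebToken, ValidateToken, CompleteToken), the TOKEN ENGINE box and the four "Attacker ...?" cases above, modelled in Python as an added example. It illustrates the protocol and is not the service's ASP.NET implementation. The fingerprint is treated as an opaque string the caller has already computed. One reading is assumed where the page is silent: "Burned after single validation" is taken to mean ValidateToken may succeed at most once per token (a second ValidateToken is refused even before the API has called CompleteToken), and CompleteToken then marks the token burned for good. The user ids, fingerprints and endpoint in run_scenarios() are constructed values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import Enum

TOKEN_TTL_SECONDS = 60  # page: 60-second TTL


class TokenState(Enum):
    ISSUED = "issued"        # handed to the browser, not yet seen by the API
    VALIDATED = "validated"  # ValidateToken succeeded once; no second validation
    BURNED = "burned"        # CompleteToken called (or token expired); terminal


@dataclass
class OtutRecord:
    user_id: str
    fingerprint: str   # device binding: fingerprint captured at GenerateWebToken
    endpoint: str      # context binding: request path the token may be spent on
    method: str        # context binding: HTTP method the token may be spent on
    expires_at: float
    state: TokenState = TokenState.ISSUED


class ManualClock:
    """Injectable clock so expiry can be exercised without sleeping."""
    def __init__(self, now: float) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


class OtutEngine:
    """In-memory model of the AUTH column of the diagram."""

    def __init__(self, clock=time.monotonic) -> None:
        self._clock = clock
        self._tokens: dict[str, OtutRecord] = {}

    @staticmethod
    def _context(endpoint: str, method: str) -> tuple[str, str]:
        # Normalise so "/Api/Votes/" + "post" and "/api/Votes" + "POST" compare equal.
        return endpoint.rstrip("/").lower(), method.upper()

    def generate_web_token(self, user_id: str, fingerprint: str,
                           endpoint: str, method: str) -> str:
        ep, m = self._context(endpoint, method)
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._tokens[token] = OtutRecord(user_id, fingerprint, ep, m,
                                         self._clock() + TOKEN_TTL_SECONDS)
        return token

    def validate_token(self, token: str, fingerprint: str,
                       endpoint: str, method: str) -> tuple[bool, str]:
        """Returns (valid, user_id) or (False, reason). Check order: replay guard,
        TTL, device binding, context binding."""
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.state is not TokenState.ISSUED:               # Layer 4: replay guard
            return False, f"token already {rec.state.value}"
        if self._clock() > rec.expires_at:                     # 60 s TTL
            rec.state = TokenState.BURNED
            return False, "token expired"
        if not hmac.compare_digest(rec.fingerprint, fingerprint):   # Layer 2
            return False, "fingerprint mismatch"
        if (rec.endpoint, rec.method) != self._context(endpoint, method):  # Layer 3
            return False, "wrong endpoint or method"
        rec.state = TokenState.VALIDATED                       # single validation
        return True, rec.user_id

    def complete_token(self, token: str) -> bool:
        """CompleteToken: burn a token that was validated exactly once."""
        rec = self._tokens.get(token)
        if rec is None or rec.state is not TokenState.VALIDATED:
            return False
        rec.state = TokenState.BURNED  # kept so a replay is reported as burned, not unknown
        return True

    def purge_expired(self) -> int:
        """Housekeeping: drop records past their TTL, burned or not."""
        now = self._clock()
        dead = [t for t, r in self._tokens.items() if now > r.expires_at]
        for t in dead:
            del self._tokens[t]
        return len(dead)


def run_scenarios() -> dict[str, str]:
    """The four 'Attacker ...?' rows of the layer stack, plus the legitimate flow."""
    clock = ManualClock(1_000.0)
    auth = OtutEngine(clock)
    fp_real, fp_attacker = "fp-real-device", "fp-attacker-device"  # constructed
    results: dict[str, str] = {}

    t = auth.generate_web_token("alice", fp_real, "/api/Votes", "POST")
    ok, who = auth.validate_token(t, fp_real, "/api/Votes", "POST")
    results["legit"] = who                              # "alice"
    results["complete"] = str(auth.complete_token(t))   # "True"
    results["replay"] = auth.validate_token(t, fp_real, "/api/Votes", "POST")[1]

    t = auth.generate_web_token("alice", fp_real, "/api/Votes", "POST")
    results["stolen_cookie"] = auth.validate_token(t, fp_attacker, "/api/Votes", "POST")[1]
    results["wrong_method"] = auth.validate_token(t, fp_real, "/api/Votes", "DELETE")[1]
    clock.now += TOKEN_TTL_SECONDS + 1
    results["expired"] = auth.validate_token(t, fp_real, "/api/Votes", "POST")[1]
    results["purged"] = str(auth.purge_expired())
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:14} -> {outcome}")
```

The state machine is the point: a token is spendable only while ISSUED, a successful ValidateToken moves it to VALIDATED so a concurrent second ValidateToken fails, and CompleteToken makes BURNED terminal. Keeping burned records until purge_expired() runs is what lets the service answer "already burned" rather than "unknown token" to a replay.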
API Endpoints
  POST  /auth/api/Auth/Login            Browser login
  POST  /auth/api/Auth/Logout           Clear session
  GET   /auth/api/Auth/WhoAmI           Check session status
  POST  /auth/api/Auth/GenerateWebToken Issue OTUT
  POST  /auth/api/Auth/ValidateToken    Validate OTUT (Api calls this)
  POST  /auth/api/Auth/CompleteToken    Burn OTUT (Api calls this)