Add middleware to clear stale cookies after key rotation

neozhu · neozhu · commit 516f75a3fc85 · 2026-02-18T20:04:52.000+08:00
Introduced StaleCookieMiddleware to detect and remove invalid encrypted cookies when Data Protection keys change, preventing cryptographic errors and login issues. Added configurable StaleCookieOptions and extension methods for easy integration. Improved GlobalExceptionHandler for better error mapping and logging. Enhances application resilience and user experience.
diff --git a/src/Server.UI/DependencyInjection.cs b/src/Server.UI/DependencyInjection.cs
@@ -17,6 +17,7 @@
 using Toolbelt.Blazor.Extensions.DependencyInjection;
 using CleanArchitecture.Blazor.Server.UI.Middlewares;
 using CleanArchitecture.Blazor.Application;
+using CleanArchitecture.Blazor.Server.UI.Extensions;
 
 
 namespace CleanArchitecture.Blazor.Server.UI;
@@ -133,13 +134,14 @@ public static WebApplication ConfigureServer(this WebApplication app, IConfigura
         }
         else
         {
-            app.UseExceptionHandler("/Error", true);
             // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
             app.UseHsts();
         }
         app.InitializeCacheFactory();
+        app.UseExceptionHandler();
         app.UseStatusCodePagesWithReExecute("/not-found",createScopeForStatusCodePages: true);
         app.MapHealthChecks("/health");
+        app.UseDataProtectionKeyCheck();
         app.UseAuthentication();
         app.UseAuthorization();
         app.UseAntiforgery();
diff --git a/src/Server.UI/Extensions/StaleCookieMiddlewareExtensions.cs b/src/Server.UI/Extensions/StaleCookieMiddlewareExtensions.cs
@@ -0,0 +1,26 @@
+﻿using CleanArchitecture.Blazor.Server.UI.Middlewares;
+
+namespace CleanArchitecture.Blazor.Server.UI.Extensions;
+
+public static class StaleCookieMiddlewareExtensions
+{
+    public static IApplicationBuilder UseDataProtectionKeyCheck(
+        this IApplicationBuilder builder)
+    {
+        return builder.UseMiddleware<StaleCookieMiddleware>();
+    }
+
+    public static IServiceCollection AddDataProtectionKeyCheck(
+        this IServiceCollection services, Action<StaleCookieOptions>? configureOptions = null)
+    {
+        if (configureOptions != null)
+        {
+            services.Configure(configureOptions);
+        }
+        else
+        {
+            services.Configure<StaleCookieOptions>(_ => { });
+        }
+        return services;
+    }
+}
diff --git a/src/Server.UI/Middlewares/GlobalExceptionHandler.cs b/src/Server.UI/Middlewares/GlobalExceptionHandler.cs
@@ -1,5 +1,5 @@
 ﻿using System.Diagnostics;
-using CleanArchitecture.Blazor.Application.Common.ExceptionHandlers;
+using System.Security;
 using Microsoft.AspNetCore.Diagnostics;
 
 namespace CleanArchitecture.Blazor.Server.UI.Middlewares;
@@ -12,40 +12,49 @@ public async ValueTask<bool> TryHandleAsync(HttpContext httpContext, Exception e
         var traceId = Activity.Current?.Id ?? httpContext.TraceIdentifier;
 
         logger.LogError(exception,
-            $"Could not process a request on machine {Environment.MachineName}. TraceId: {traceId}");
+            "Could not process a request on machine {MachineName}. TraceId: {TraceId}",
+            Environment.MachineName, traceId);
 
-        await GenerateProblemDetails(httpContext, traceId, exception).ConfigureAwait(false);
+        var rootException = GetRootException(exception);
+        var (statusCode, title) = MapExceptionToStatusCode(rootException);
 
-        return true;
-    }
+        httpContext.Response.StatusCode = statusCode;
 
-    private static async Task GenerateProblemDetails(HttpContext httpContext,
-        string traceId,
-        Exception exception)
-    {
-        var (statusCode, title) = MapExceptionWithStatusCode(exception);
-
-        await Results.Problem(title: title,
+        await Results.Problem(
+            title: title,
             statusCode: statusCode,
             extensions: new Dictionary<string, object?>
             {
-                {
-                    "traceId", traceId
-                }
+                { "traceId", traceId }
             }).ExecuteAsync(httpContext).ConfigureAwait(false);
+
+        return true;
+    }
+
+    private static Exception GetRootException(Exception exception)
+    {
+        while (exception.InnerException is not null)
+        {
+            exception = exception.InnerException;
+        }
+        return exception;
     }
 
-    private static (int statusCode, string title) MapExceptionWithStatusCode(Exception exception)
+    private static (int statusCode, string title) MapExceptionToStatusCode(Exception exception)
     {
-        if (exception is not ServerException && exception.InnerException != null)
-            while (exception.InnerException != null)
-                exception = exception.InnerException;
         return exception switch
         {
-            ArgumentOutOfRangeException => (StatusCodes.Status400BadRequest, exception.Message),
-            ServerException => (StatusCodes.Status500InternalServerError, exception.Message),
-            KeyNotFoundException => (StatusCodes.Status404NotFound, exception.Message),
-            _ => (StatusCodes.Status500InternalServerError, "We are sorry for the inconvenience but we are on it.")
+            ArgumentOutOfRangeException or ArgumentNullException or ArgumentException
+                => (StatusCodes.Status400BadRequest, "Bad request."),
+            KeyNotFoundException or FileNotFoundException
+                => (StatusCodes.Status404NotFound, "Resource not found."),
+            UnauthorizedAccessException or SecurityException
+                => (StatusCodes.Status403Forbidden, "Access denied."),
+            TimeoutException or TaskCanceledException
+                => (StatusCodes.Status504GatewayTimeout, "The request timed out."),
+            NotImplementedException
+                => (StatusCodes.Status501NotImplemented, "This feature is not implemented."),
+            _ => (StatusCodes.Status500InternalServerError, "An unexpected error occurred. Please try again later.")
         };
     }
-}
+}
diff --git a/src/Server.UI/Middlewares/StaleCookieMiddleware.cs b/src/Server.UI/Middlewares/StaleCookieMiddleware.cs
@@ -0,0 +1,189 @@
+﻿using System.Security.Cryptography;
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.Extensions.Options;
+
+namespace CleanArchitecture.Blazor.Server.UI.Middlewares;
+
+public class StaleCookieMiddleware
+{
+    private readonly RequestDelegate _next;
+    private readonly IDataProtector _protector;
+    private readonly ILogger<StaleCookieMiddleware> _logger;
+    private readonly StaleCookieOptions _options;
+
+    private const string CanaryPayload = "ok";
+
+    public StaleCookieMiddleware(
+        RequestDelegate next,
+        IDataProtectionProvider dataProtection,
+        ILogger<StaleCookieMiddleware> logger,
+        IOptions<StaleCookieOptions> options) // Inject configuration
+    {
+        _next = next;
+        _protector = dataProtection.CreateProtector("StaleCookieMiddleware.Canary");
+        _logger = logger;
+        _options = options.Value;
+    }
+
+    public async Task InvokeAsync(HttpContext context)
+    {
+        // Optimization: Skip decryption overhead for static files or other requests that don't need to be checked.
+        // Note: This depends on your routing configuration. Sometimes static files don't go through Endpoint routing, this is just an example.
+        if (_options.IgnoreStaticFiles && IsStaticFile(context))
+        {
+            await _next(context);
+            return;
+        }
+
+        var cookieName = _options.CanaryCookieName;
+        var hasCanary = context.Request.Cookies.TryGetValue(cookieName, out var canaryValue);
+
+        bool keysAreStale = false;
+        bool shouldSetCanary = true; // By default, needs to be set/refreshed
+
+        if (hasCanary && !string.IsNullOrEmpty(canaryValue))
+        {
+            try
+            {
+                var result = _protector.Unprotect(canaryValue);
+                if (result == CanaryPayload)
+                {
+                    // Verification successful: keys are not expired
+                    keysAreStale = false;
+                    // Optimization: If the cookie is valid, no need to resend Set-Cookie on every response, reduce header size.
+                    // Unless you want to implement Sliding Expiration, set this to false.
+                    shouldSetCanary = false;
+                }
+                else
+                {
+                    keysAreStale = true;
+                }
+            }
+            catch (CryptographicException)
+            {
+                // Decryption failed, indicating the key has changed
+                keysAreStale = true;
+            }
+        }
+
+        if (keysAreStale)
+        {
+            HandleStaleCookies(context);
+            // Since the old one is invalid, we need to set a new one in the response
+            shouldSetCanary = true;
+        }
+
+        // Continue executing the pipeline
+        await _next(context);
+
+        // Response phase: Write new canary cookie
+        if (shouldSetCanary && !context.Response.HasStarted && context.Response.StatusCode < 400)
+        {
+            SetCanaryCookie(context);
+        }
+    }
+
+    private void HandleStaleCookies(HttpContext context)
+    {
+        var canaryName = _options.CanaryCookieName;
+        var staleCookies = context.Request.Cookies.Keys
+            .Where(k => IsEncryptedCookie(k) && !string.Equals(k, canaryName, StringComparison.OrdinalIgnoreCase))
+            .ToList();
+
+        if (staleCookies.Count > 0)
+        {
+            _logger.LogWarning(
+                "Detected Key Rotation. Clearing {Count} stale cookie(s): {Cookies}",
+                staleCookies.Count,
+                string.Join(", ", staleCookies));
+
+            var staleSet = new HashSet<string>(staleCookies, StringComparer.OrdinalIgnoreCase);
+
+            // 1. Notify the browser to delete
+            foreach (var cookie in staleCookies)
+            {
+                context.Response.Cookies.Delete(cookie);
+            }
+
+            // 2. Most importantly: Remove from current request to prevent errors in subsequent middleware
+            // Rebuild the Cookie Header
+            var freshCookies = context.Request.Cookies
+                .Where(c => !staleSet.Contains(c.Key))
+                .Select(c => $"{Uri.EscapeDataString(c.Key)}={Uri.EscapeDataString(c.Value)}");
+
+            context.Request.Headers.Cookie = string.Join("; ", freshCookies);
+        }
+    }
+
+    private void SetCanaryCookie(HttpContext context)
+    {
+        try
+        {
+            var options = new CookieOptions
+            {
+                HttpOnly = true,
+                Secure = true, // Recommendation: Force Secure in production environment
+                SameSite = SameSiteMode.Lax,
+                IsEssential = true,
+                MaxAge = TimeSpan.FromDays(365) // Long-term validity
+            };
+
+            // Protect the payload
+            var protectedPayload = _protector.Protect(CanaryPayload);
+            context.Response.Cookies.Append(_options.CanaryCookieName, protectedPayload, options);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex, "Failed to set canary cookie.");
+        }
+    }
+
+    private bool IsEncryptedCookie(string name)
+    {
+        // Use prefixes from configuration, no longer hardcoded
+        return _options.EncryptedCookiePrefixes.Any(prefix =>
+            name.StartsWith(prefix, StringComparison.OrdinalIgnoreCase));
+    }
+
+    // Simple static file judgment logic (optional)
+    private bool IsStaticFile(HttpContext context)
+    {
+        // Better approach: Check Endpoint Metadata or simple extension check
+        var path = context.Request.Path.Value;
+        if (string.IsNullOrEmpty(path)) return false;
+
+        // Simple example
+        return path.EndsWith(".css", StringComparison.OrdinalIgnoreCase) ||
+               path.EndsWith(".js", StringComparison.OrdinalIgnoreCase) ||
+               path.EndsWith(".png", StringComparison.OrdinalIgnoreCase) ||
+               path.EndsWith(".jpg", StringComparison.OrdinalIgnoreCase) ||
+               path.EndsWith(".ico", StringComparison.OrdinalIgnoreCase) ||
+               path.EndsWith(".svg", StringComparison.OrdinalIgnoreCase) ||
+               path.EndsWith(".woff", StringComparison.OrdinalIgnoreCase) ||
+               path.EndsWith(".woff2", StringComparison.OrdinalIgnoreCase) ||
+               path.EndsWith(".wasm", StringComparison.OrdinalIgnoreCase);
+    }
+}
+public class StaleCookieOptions
+{
+    /// <summary>
+    /// List of encrypted cookie prefixes to monitor and remove.
+    /// </summary>
+    public List<string> EncryptedCookiePrefixes { get; set; } = new()
+    {
+        ".AspNetCore.Antiforgery",
+        ".AspNetCore.Identity",
+        ".AspNetCore.Cookies",
+        ".AspNetCore.Session"
+    };
+
+    /// <summary>
+    /// Name of the canary cookie
+    /// </summary>
+    public string CanaryCookieName { get; set; } = ".AspNetCore.DPCheck";
+
+    /// <summary>
+    /// Whether to ignore checks on static files (determined by Endpoint)
+    /// </summary>
+    public bool IgnoreStaticFiles { get; set; } = true;
+}
