Oleksandr Bezdieniezhnykh
51a293dbcc
AZ-531 — /login now returns access (15 min) + opaque refresh; rotation on /token/refresh; reuse of a rotated refresh kills the entire session family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new sessions table with serializable-tx rotation. AZ-532 — switched access-token signing from HS256 shared-secret to ES256 file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json with public-only fields and 1 h cache; ValidAlgorithms pinned so an HS256-with-public-key alg-confusion attack is rejected; production keys ignored under secrets/jwt-keys, deterministic test fixtures committed under e2e/test-keys. Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests). Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux budget unchanged, see batch_02_cycle2_review.md F1). Co-authored-by: Cursor <cursoragent@cursor.com>
Azaion Admin API — black-box E2E tests
Run (Docker)
From the repository root:
docker compose -f docker-compose.test.yml up --build --abort-on-container-exit --exit-code-from e2e-consumer
Reports are written to e2e/test-results/ on the host (results.trx, results.xunit.xml).
Database bootstrap
The stock Postgres entrypoint runs every file in /docker-entrypoint-initdb.d/ against POSTGRES_DB only. The scripts under env/db/ expect different databases (postgres vs azaion), so e2e/db-init/00_run_all.sh runs 01_permissions.sql on postgres, then 02_structure.sql, 03_add_timestamp_columns.sql, and 99_test_seed.sql on azaion. The compose file uses POSTGRES_USER=postgres so 01_permissions.sql can create roles and the azaion database as written.
99_test_seed.sql sets azaion_admin / azaion_reader passwords to test_password (matching the API connection strings) and updates seed user password hashes for Admin1234 and Upload1234.
Local dotnet test (without Docker)
appsettings.test.json targets http://system-under-test:8080. Running tests on the host will fail fixture setup unless you override ApiBaseUrl (for example via environment variables) and run the API plus Postgres yourself.