docs+src: complete Steps 1-3 outcomes + auth re-sync baseline

This commit captures everything produced during autodev existing-code Steps 1 (Document), 2 (Architecture Baseline Scan), and 3 (Test Spec), together with the targeted auth + CORS re-sync triggered on 2026-05-14 when codebase drift was detected at Step 4 entry. None of this work was previously committed. Step 1 (Document) — 50+ _docs/02_document/ files: problem, solution, architecture, system flows, glossary, module-layout, per-component specs (01..06), modules, deployment, diagrams, data model, FINAL report, verification log, discovery. Step 2 (Architecture Baseline) — architecture_compliance_baseline.md. Verdict PASS_WITH_WARNINGS (0 Critical, 0 High, 1 Medium, 2 Low). No High/Critical findings; auto-chained to Step 3 per existing-code flow. Step 3 (Test Spec) — _docs/02_document/tests/* (67 scenarios across blackbox, security, resilience, resource-limit, performance), plus e2e/docker-compose.test.yml, e2e/seed/run.sh, scripts/run-tests.sh, scripts/run-performance-tests.sh. Coverage 88% over the active scope (40 of 45 items covered, 6 RB-deferred, 5 documented-as-uncovered). Targeted auth + CORS re-sync — replaces the deleted in-house token issuer with a JWKS-verifier model. AuthController and TokenService removed; JwtExtensions switched from HS256 symmetric to ES256 over admin's JWKS. ConfigurationResolver and CorsConfigurationValidator added under src/Infrastructure/. ADR-002 and ADR-006 retired; SEC-01, SEC-02, SEC-03 marked Closed. One new testability risk recorded in architecture.md Open Risks Section 6 (JWKS HTTPS gating). Source changes: - src/Auth/JwtExtensions.cs (modified) — ES256, JWKS, alg pinning - src/Program.cs (modified) — DI wiring for ConfigurationResolver and CorsConfigurationValidator - src/Controllers/AuthController.cs (deleted) — no in-service issuance - src/Services/TokenService.cs (deleted) — same - src/Infrastructure/ConfigurationResolver.cs (new) - src/Infrastructure/CorsConfigurationValidator.cs (new) - .env.example (new) — required env var documentation - .gitignore (updated) Cross-repo coordination: _docs/cross-repo/flights_h1_h2_h3_change_spec captures the change-spec for downstream services that consumed the now deleted /auth endpoints. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 14:01:06 +00:00 · 2026-05-14 20:19:05 +03:00
parent 08eadc1158
commit 03f879206e
66 changed files with 6006 additions and 133 deletions
@@ -1,32 +1,89 @@
-using System.Text;
+using Azaion.Annotations.Infrastructure;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.IdentityModel.Protocols;
 using Microsoft.IdentityModel.Tokens;

 namespace Azaion.Annotations.Auth;

 public static class JwtExtensions
 {
-    public static IServiceCollection AddJwtAuth(this IServiceCollection services, string jwtSecret)
+    public const string JwtIssuerEnvVar      = "JWT_ISSUER";
+    public const string JwtIssuerConfigKey   = "Jwt:Issuer";
+    public const string JwtAudienceEnvVar    = "JWT_AUDIENCE";
+    public const string JwtAudienceConfigKey = "Jwt:Audience";
+    public const string JwtJwksUrlEnvVar     = "JWT_JWKS_URL";
+    public const string JwtJwksUrlConfigKey  = "Jwt:JwksUrl";
+
+    public static IServiceCollection AddJwtAuth(this IServiceCollection services, IConfiguration configuration)
    {
+        ArgumentNullException.ThrowIfNull(services);
+        ArgumentNullException.ThrowIfNull(configuration);
+
+        var issuer   = ConfigurationResolver.ResolveRequiredOrThrow(configuration, JwtIssuerEnvVar,   JwtIssuerConfigKey,   "JWT issuer");
+        var audience = ConfigurationResolver.ResolveRequiredOrThrow(configuration, JwtAudienceEnvVar, JwtAudienceConfigKey, "JWT audience");
+        var jwksUrl  = ConfigurationResolver.ResolveRequiredOrThrow(configuration, JwtJwksUrlEnvVar,  JwtJwksUrlConfigKey,  "JWKS URL");
+
+        // JwtBearer's stock ConfigurationManager targets the full OIDC discovery
+        // document; admin only exposes JWKS, so we wire a JWKS-only retriever.
+        // The manager caches the document and refreshes on the default schedule
+        // (matches admin's Cache-Control: public, max-age=3600 on /.well-known/jwks.json).
+        var jwksConfigManager = new ConfigurationManager<JsonWebKeySet>(
+            jwksUrl,
+            new JwksRetriever(),
+            new HttpDocumentRetriever { RequireHttps = true });
+
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
+                    ValidateIssuer           = true,
+                    ValidIssuer              = issuer,
+                    ValidateAudience         = true,
+                    ValidAudience            = audience,
+                    ValidateLifetime         = true,
                    ValidateIssuerSigningKey = true,
-                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSecret)),
-                    ValidateIssuer = false,
-                    ValidateAudience = false,
-                    ValidateLifetime = true,
-                    ClockSkew = TimeSpan.FromMinutes(1)
+                    // Pin algorithms so a token forged with alg=HS256 using the
+                    // public key as the HMAC secret cannot pass validation.
+                    ValidAlgorithms          = [SecurityAlgorithms.EcdsaSha256],
+                    RequireSignedTokens      = true,
+                    RequireExpirationTime    = true,
+                    ClockSkew                = TimeSpan.FromSeconds(30),
+                    IssuerSigningKeyResolver = (_, _, kid, _) =>
+                    {
+                        var jwks = jwksConfigManager
+                            .GetConfigurationAsync(CancellationToken.None)
+                            .GetAwaiter()
+                            .GetResult();
+
+                        if (string.IsNullOrEmpty(kid))
+                            return jwks.GetSigningKeys();
+
+                        return jwks.GetSigningKeys().Where(k => k.KeyId == kid);
+                    }
                };
            });

        services.AddAuthorizationBuilder()
-            .AddPolicy("ANN", p => p.RequireClaim("permissions", "ANN"))
+            .AddPolicy("ANN",     p => p.RequireClaim("permissions", "ANN"))
            .AddPolicy("DATASET", p => p.RequireClaim("permissions", "DATASET"))
-            .AddPolicy("ADM", p => p.RequireClaim("permissions", "ADM"));
+            .AddPolicy("ADM",     p => p.RequireClaim("permissions", "ADM"));

        return services;
    }
+
+    // ConfigurationManager<JsonWebKeySet> needs an IConfigurationRetriever<JsonWebKeySet>.
+    // Microsoft ships OpenIdConnectConfigurationRetriever (full discovery doc) but
+    // no JWKS-only equivalent, so we implement the minimal version here.
+    private sealed class JwksRetriever : IConfigurationRetriever<JsonWebKeySet>
+    {
+        public async Task<JsonWebKeySet> GetConfigurationAsync(string address, IDocumentRetriever retriever, CancellationToken cancel)
+        {
+            ArgumentNullException.ThrowIfNull(address);
+            ArgumentNullException.ThrowIfNull(retriever);
+
+            var document = await retriever.GetDocumentAsync(address, cancel).ConfigureAwait(false);
+            return new JsonWebKeySet(document);
+        }
+    }
 }