refactor: enhance JWT authentication and CORS configuration

Updated JWT authentication to use configuration values instead of hardcoded secrets, improving security and flexibility. Enhanced CORS policy to conditionally allow origins based on configuration settings, with logging for permissive defaults. Updated README to reflect project renaming and clarify service context.

Program.cs

@@ -2,23 +2,25 @@ using LinqToDB;
 using LinqToDB.Data;
 using Azaion.Flights.Auth;
 using Azaion.Flights.Database;
+using Azaion.Flights.Infrastructure;
 using Azaion.Flights.Middleware;
 using Azaion.Flights.Services;
 
+const string DatabaseUrlEnvVar    = "DATABASE_URL";
+const string DatabaseUrlConfigKey = "Database:Url";
+
 var builder = WebApplication.CreateBuilder(args);
 
-var databaseUrl = builder.Configuration["DATABASE_URL"]
-    ?? Environment.GetEnvironmentVariable("DATABASE_URL")
-    ?? "Host=localhost;Database=azaion;Username=postgres;Password=changeme";
+var databaseUrl = ConfigurationResolver.ResolveRequiredOrThrow(
+    builder.Configuration,
+    DatabaseUrlEnvVar,
+    DatabaseUrlConfigKey,
+    "Database connection string");
 
 var connectionString = databaseUrl.StartsWith("postgresql://")
     ? ConvertPostgresUrl(databaseUrl)
     : databaseUrl;
 
-var jwtSecret = builder.Configuration["JWT_SECRET"]
-    ?? Environment.GetEnvironmentVariable("JWT_SECRET")
-    ?? "development-secret-key-min-32-chars!!";
-
 builder.Services.AddScoped(_ =>
 {
     var options = new DataOptions().UsePostgreSQL(connectionString);
@@ -29,10 +31,22 @@ builder.Services.AddScoped<FlightService>();
 builder.Services.AddScoped<WaypointService>();
 builder.Services.AddScoped<AircraftService>();
 
-builder.Services.AddJwtAuth(jwtSecret);
+builder.Services.AddJwtAuth(builder.Configuration);
+
+var allowedOrigins = builder.Configuration.GetSection("CorsConfig:AllowedOrigins").Get<string[]>() ?? Array.Empty<string>();
+var allowAnyOrigin = builder.Configuration.GetValue<bool>("CorsConfig:AllowAnyOrigin");
+CorsConfigurationValidator.EnsureSafeForEnvironment(allowedOrigins, allowAnyOrigin, builder.Environment.EnvironmentName);
+
 builder.Services.AddCors(options =>
+{
     options.AddDefaultPolicy(policy =>
-        policy.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader()));
+    {
+        if (CorsConfigurationValidator.ShouldUsePermissivePolicy(allowedOrigins, allowAnyOrigin))
+            policy.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod();
+        else
+            policy.WithOrigins(allowedOrigins).AllowAnyHeader().AllowAnyMethod();
+    });
+});
 
 builder.Services.AddControllers();
 builder.Services.AddEndpointsApiExplorer();
@@ -40,6 +54,13 @@ builder.Services.AddSwaggerGen();
 
 var app = builder.Build();
 
+if (CorsConfigurationValidator.ShouldWarnAboutPermissiveDefault(allowedOrigins, allowAnyOrigin))
+{
+    app.Services
+        .GetRequiredService<ILogger<Program>>()
+        .LogWarning(CorsConfigurationValidator.PermissiveDefaultWarning, app.Environment.EnvironmentName);
+}
+
 using (var scope = app.Services.CreateScope())
 {
     var db = scope.ServiceProvider.GetRequiredService<AppDataConnection>();