[AZ-487] JWT validation baseline (HS256, all endpoints)

Adds Microsoft.AspNetCore.Authentication.JwtBearer 8.0.21 and the
SatelliteProvider.Api.Authentication.AddSatelliteJwt extension that
validates HS256 tokens against a shared JWT_SECRET (>=32 bytes, fail
fast at startup). Every minimal-API endpoint now carries
.RequireAuthorization(); the middleware chain is UseExceptionHandler ->
UseHttpsRedirection -> UseCors -> UseAuthentication -> UseAuthorization
-> endpoints. Swagger UI gets a Bearer security definition so the
Authorize button works.

Test infrastructure: JwtTokenFactory (unit) and JwtTestHelpers
(integration) mint deterministic tokens against the same secret; the
integration test runner attaches a default Bearer token to its shared
HttpClient so existing tests continue to exercise protected endpoints.
JwtIntegrationTests adds AC-1..AC-4 and AC-7 (Swagger advertises
Bearer) end-to-end; AuthenticationServiceCollectionExtensionsTests
covers AC-5 (missing/empty/short secret fail-fast) plus env-var
precedence; JwtTokenFactoryTests covers AC-6 (claims pass through
the JwtSecurityTokenHandler.ValidateToken path JwtBearer uses).

docker-compose and scripts/run-tests.sh now propagate JWT_SECRET to
the api and integration-tests containers, with a >=32-byte guard.
.env.example documents the required keys; .env stays gitignored.

Code review verdict: PASS_WITH_WARNINGS (2 Low findings surfaced
in _docs/03_implementation/reviews/batch_01_cycle2_review.md).

Cross-component coordination: gps-denied-onboard and the mission
planner UI must attach Bearer tokens before this lands in dev.

Co-authored-by: Cursor <cursoragent@cursor.com>

SatelliteProvider.Tests/Authentication/AuthenticationServiceCollectionExtensionsTests.cs

@@ -0,0 +1,151 @@
+using System.IdentityModel.Tokens.Jwt;
+using FluentAssertions;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Tokens;
+using SatelliteProvider.Api.Authentication;
+using SatelliteProvider.Tests.TestUtilities;
+
+namespace SatelliteProvider.Tests.Authentication;
+
+public class AuthenticationServiceCollectionExtensionsTests : IDisposable
+{
+    private const string ValidSecret = "test-secret-that-is-definitely-longer-than-32-bytes";
+    private readonly string? _originalEnv;
+
+    public AuthenticationServiceCollectionExtensionsTests()
+    {
+        _originalEnv = Environment.GetEnvironmentVariable(AuthenticationServiceCollectionExtensions.JwtSecretEnvVar);
+        Environment.SetEnvironmentVariable(AuthenticationServiceCollectionExtensions.JwtSecretEnvVar, null);
+    }
+
+    public void Dispose()
+    {
+        Environment.SetEnvironmentVariable(AuthenticationServiceCollectionExtensions.JwtSecretEnvVar, _originalEnv);
+        GC.SuppressFinalize(this);
+    }
+
+    [Fact]
+    public void AddSatelliteJwt_RegistersJwtBearerScheme()
+    {
+        // Arrange
+        var services = new ServiceCollection();
+        services.AddLogging();
+        var configuration = BuildConfiguration(("Jwt:Secret", ValidSecret));
+
+        // Act
+        services.AddSatelliteJwt(configuration);
+        var provider = services.BuildServiceProvider();
+        var schemeProvider = provider.GetRequiredService<IAuthenticationSchemeProvider>();
+        var scheme = schemeProvider.GetSchemeAsync(JwtBearerDefaults.AuthenticationScheme).GetAwaiter().GetResult();
+
+        // Assert
+        scheme.Should().NotBeNull("JwtBearer scheme should be registered");
+        scheme!.HandlerType.Should().Be(typeof(JwtBearerHandler));
+    }
+
+    [Fact]
+    public void AddSatelliteJwt_ConfiguresTokenValidationParameters_AsPerContract()
+    {
+        // Arrange
+        var services = new ServiceCollection();
+        services.AddLogging();
+        var configuration = BuildConfiguration(("Jwt:Secret", ValidSecret));
+
+        // Act
+        services.AddSatelliteJwt(configuration);
+        var provider = services.BuildServiceProvider();
+        var options = provider.GetRequiredService<IOptionsMonitor<JwtBearerOptions>>().Get(JwtBearerDefaults.AuthenticationScheme);
+
+        // Assert
+        var p = options.TokenValidationParameters;
+        p.ValidateIssuerSigningKey.Should().BeTrue();
+        p.ValidateLifetime.Should().BeTrue();
+        p.ValidateIssuer.Should().BeFalse();
+        p.ValidateAudience.Should().BeFalse();
+        p.RequireSignedTokens.Should().BeTrue();
+        p.RequireExpirationTime.Should().BeTrue();
+        p.ClockSkew.Should().Be(TimeSpan.FromSeconds(30));
+        p.IssuerSigningKey.Should().BeOfType<SymmetricSecurityKey>();
+    }
+
+    [Fact]
+    public void AddSatelliteJwt_ThrowsOnMissingSecret()
+    {
+        // Arrange
+        var services = new ServiceCollection();
+        var configuration = BuildConfiguration();
+
+        // Act
+        var act = () => services.AddSatelliteJwt(configuration);
+
+        // Assert
+        act.Should().Throw<InvalidOperationException>()
+            .WithMessage("*JWT secret is not configured*");
+    }
+
+    [Fact]
+    public void AddSatelliteJwt_ThrowsOnEmptySecret()
+    {
+        // Arrange
+        var services = new ServiceCollection();
+        var configuration = BuildConfiguration(("Jwt:Secret", ""));
+
+        // Act
+        var act = () => services.AddSatelliteJwt(configuration);
+
+        // Assert
+        act.Should().Throw<InvalidOperationException>()
+            .WithMessage("*JWT secret is not configured*");
+    }
+
+    [Fact]
+    public void AddSatelliteJwt_ThrowsOnShortSecret()
+    {
+        // Arrange
+        var services = new ServiceCollection();
+        var configuration = BuildConfiguration(("Jwt:Secret", "too-short-secret"));
+
+        // Act
+        var act = () => services.AddSatelliteJwt(configuration);
+
+        // Assert
+        act.Should().Throw<InvalidOperationException>()
+            .WithMessage("*at least 32 bytes*");
+    }
+
+    [Fact]
+    public void AddSatelliteJwt_PrefersEnvironmentVariableOverConfiguration()
+    {
+        // Arrange
+        const string envSecret = "env-secret-also-longer-than-thirty-two-bytes-for-hmac";
+        Environment.SetEnvironmentVariable(AuthenticationServiceCollectionExtensions.JwtSecretEnvVar, envSecret);
+        var services = new ServiceCollection();
+        services.AddLogging();
+        var configuration = BuildConfiguration(("Jwt:Secret", "config-secret-also-32-bytes-long-aaaaaaaaaa"));
+
+        // Act
+        services.AddSatelliteJwt(configuration);
+        var provider = services.BuildServiceProvider();
+        var options = provider.GetRequiredService<IOptionsMonitor<JwtBearerOptions>>().Get(JwtBearerDefaults.AuthenticationScheme);
+        var token = JwtTokenFactory.Create(envSecret);
+        var handler = new JwtSecurityTokenHandler();
+        var act = () => handler.ValidateToken(token, options.TokenValidationParameters, out _);
+
+        // Assert
+        act.Should().NotThrow("token signed with env secret must validate when env secret takes precedence");
+    }
+
+    private static IConfiguration BuildConfiguration(params (string Key, string Value)[] pairs)
+    {
+        var builder = new ConfigurationBuilder();
+        if (pairs.Length > 0)
+        {
+            builder.AddInMemoryCollection(pairs.Select(p => new KeyValuePair<string, string?>(p.Key, p.Value)));
+        }
+        return builder.Build();
+    }
+}

SatelliteProvider.Tests/Authentication/JwtTokenFactoryTests.cs

@@ -0,0 +1,93 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Text;
+using FluentAssertions;
+using Microsoft.IdentityModel.Tokens;
+using SatelliteProvider.Tests.TestUtilities;
+
+namespace SatelliteProvider.Tests.Authentication;
+
+public class JwtTokenFactoryTests
+{
+    private const string Secret = "factory-secret-that-is-longer-than-thirty-two-bytes-bytes";
+
+    [Fact]
+    public void Create_ProducesTokenValidatedByMatchingParameters()
+    {
+        // Arrange
+        var token = JwtTokenFactory.Create(Secret, subject: "alice");
+        var parameters = BuildParameters(Secret);
+        var handler = new JwtSecurityTokenHandler();
+
+        // Act
+        var principal = handler.ValidateToken(token, parameters, out var validatedToken);
+
+        // Assert
+        principal.Identity!.IsAuthenticated.Should().BeTrue();
+        principal.FindFirst(JwtRegisteredClaimNames.Sub)!.Value.Should().Be("alice");
+        validatedToken.Should().BeOfType<JwtSecurityToken>();
+    }
+
+    [Fact]
+    public void Create_WithExtraClaims_PropagatesClaimsThroughValidation()
+    {
+        // Arrange
+        var claims = new[]
+        {
+            new Claim("email", "alice@example.com"),
+            new Claim("role", "operator"),
+            new Claim("permissions", "GPS"),
+            new Claim("permissions", "FL")
+        };
+        var token = JwtTokenFactory.Create(Secret, extraClaims: claims);
+        var handler = new JwtSecurityTokenHandler();
+
+        // Act
+        var principal = handler.ValidateToken(token, BuildParameters(Secret), out _);
+
+        // Assert
+        principal.FindAll("permissions").Select(c => c.Value).Should().BeEquivalentTo(new[] { "GPS", "FL" });
+        principal.FindFirst("email")!.Value.Should().Be("alice@example.com");
+    }
+
+    [Fact]
+    public void CreateExpired_TokenFailsValidationWithLifetimeException()
+    {
+        // Arrange
+        var token = JwtTokenFactory.CreateExpired(Secret);
+        var handler = new JwtSecurityTokenHandler();
+
+        // Act
+        var act = () => handler.ValidateToken(token, BuildParameters(Secret), out _);
+
+        // Assert
+        act.Should().Throw<SecurityTokenExpiredException>();
+    }
+
+    [Fact]
+    public void TamperSignature_TokenFailsValidationWithSignatureException()
+    {
+        // Arrange
+        var token = JwtTokenFactory.Create(Secret);
+        var tampered = JwtTokenFactory.TamperSignature(token);
+        var handler = new JwtSecurityTokenHandler();
+
+        // Act
+        var act = () => handler.ValidateToken(tampered, BuildParameters(Secret), out _);
+
+        // Assert
+        act.Should().Throw<SecurityTokenInvalidSignatureException>();
+    }
+
+    private static TokenValidationParameters BuildParameters(string secret) => new()
+    {
+        ValidateIssuerSigningKey = true,
+        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret)),
+        ValidateLifetime = true,
+        ClockSkew = TimeSpan.FromSeconds(30),
+        ValidateIssuer = false,
+        ValidateAudience = false,
+        RequireSignedTokens = true,
+        RequireExpirationTime = true
+    };
+}

SatelliteProvider.Tests/TestUtilities/JwtTokenFactory.cs

@@ -0,0 +1,76 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Text;
+using Microsoft.IdentityModel.Tokens;
+
+namespace SatelliteProvider.Tests.TestUtilities;
+
+public static class JwtTokenFactory
+{
+    public const string DefaultSubject = "test-user";
+
+    public static string Create(
+        string secret,
+        string subject = DefaultSubject,
+        TimeSpan? lifetime = null,
+        IEnumerable<Claim>? extraClaims = null,
+        string algorithm = SecurityAlgorithms.HmacSha256)
+    {
+        ArgumentNullException.ThrowIfNull(secret);
+
+        var keyBytes = Encoding.UTF8.GetBytes(secret);
+        var signingKey = new SymmetricSecurityKey(keyBytes);
+        var credentials = new SigningCredentials(signingKey, algorithm);
+
+        var now = DateTime.UtcNow;
+        var expires = now.Add(lifetime ?? TimeSpan.FromHours(1));
+
+        var claims = new List<Claim>
+        {
+            new(JwtRegisteredClaimNames.Sub, subject),
+            new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N"))
+        };
+
+        if (extraClaims is not null)
+        {
+            claims.AddRange(extraClaims);
+        }
+
+        var token = new JwtSecurityToken(
+            issuer: null,
+            audience: null,
+            claims: claims,
+            notBefore: now,
+            expires: expires,
+            signingCredentials: credentials);
+
+        return new JwtSecurityTokenHandler().WriteToken(token);
+    }
+
+    public static string CreateExpired(string secret, string subject = DefaultSubject)
+    {
+        return Create(secret, subject, lifetime: TimeSpan.FromMinutes(-5));
+    }
+
+    public static string TamperSignature(string token)
+    {
+        ArgumentException.ThrowIfNullOrEmpty(token);
+
+        var parts = token.Split('.');
+        if (parts.Length != 3)
+        {
+            throw new ArgumentException("JWT must have three dot-separated parts.", nameof(token));
+        }
+
+        var signature = parts[2];
+        if (signature.Length == 0)
+        {
+            throw new ArgumentException("JWT signature segment is empty.", nameof(token));
+        }
+
+        var firstChar = signature[0];
+        var replacement = firstChar == 'A' ? 'B' : 'A';
+        parts[2] = replacement + signature[1..];
+        return string.Join('.', parts);
+    }
+}