[AZ-487] JWT validation baseline (HS256, all endpoints)

Adds Microsoft.AspNetCore.Authentication.JwtBearer 8.0.21 and the SatelliteProvider.Api.Authentication.AddSatelliteJwt extension that validates HS256 tokens against a shared JWT_SECRET (>=32 bytes, fail fast at startup). Every minimal-API endpoint now carries .RequireAuthorization(); the middleware chain is UseExceptionHandler -> UseHttpsRedirection -> UseCors -> UseAuthentication -> UseAuthorization -> endpoints. Swagger UI gets a Bearer security definition so the Authorize button works. Test infrastructure: JwtTokenFactory (unit) and JwtTestHelpers (integration) mint deterministic tokens against the same secret; the integration test runner attaches a default Bearer token to its shared HttpClient so existing tests continue to exercise protected endpoints. JwtIntegrationTests adds AC-1..AC-4 and AC-7 (Swagger advertises Bearer) end-to-end; AuthenticationServiceCollectionExtensionsTests covers AC-5 (missing/empty/short secret fail-fast) plus env-var precedence; JwtTokenFactoryTests covers AC-6 (claims pass through the JwtSecurityTokenHandler.ValidateToken path JwtBearer uses). docker-compose and scripts/run-tests.sh now propagate JWT_SECRET to the api and integration-tests containers, with a >=32-byte guard. .env.example documents the required keys; .env stays gitignored. Code review verdict: PASS_WITH_WARNINGS (2 Low findings surfaced in _docs/03_implementation/reviews/batch_01_cycle2_review.md). Cross-component coordination: gps-denied-onboard and the mission planner UI must attach Bearer tokens before this lands in dev. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-22 23:01:14 +00:00 · 2026-05-11 23:06:23 +03:00
parent 8e15e53782
commit 96cd3c4495
23 changed files with 872 additions and 15 deletions
@@ -0,0 +1,151 @@
+using System.IdentityModel.Tokens.Jwt;
+using FluentAssertions;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Tokens;
+using SatelliteProvider.Api.Authentication;
+using SatelliteProvider.Tests.TestUtilities;
+
+namespace SatelliteProvider.Tests.Authentication;
+
+public class AuthenticationServiceCollectionExtensionsTests : IDisposable
+{
+    private const string ValidSecret = "test-secret-that-is-definitely-longer-than-32-bytes";
+    private readonly string? _originalEnv;
+
+    public AuthenticationServiceCollectionExtensionsTests()
+    {
+        _originalEnv = Environment.GetEnvironmentVariable(AuthenticationServiceCollectionExtensions.JwtSecretEnvVar);
+        Environment.SetEnvironmentVariable(AuthenticationServiceCollectionExtensions.JwtSecretEnvVar, null);
+    }
+
+    public void Dispose()
+    {
+        Environment.SetEnvironmentVariable(AuthenticationServiceCollectionExtensions.JwtSecretEnvVar, _originalEnv);
+        GC.SuppressFinalize(this);
+    }
+
+    [Fact]
+    public void AddSatelliteJwt_RegistersJwtBearerScheme()
+    {
+        // Arrange
+        var services = new ServiceCollection();
+        services.AddLogging();
+        var configuration = BuildConfiguration(("Jwt:Secret", ValidSecret));
+
+        // Act
+        services.AddSatelliteJwt(configuration);
+        var provider = services.BuildServiceProvider();
+        var schemeProvider = provider.GetRequiredService<IAuthenticationSchemeProvider>();
+        var scheme = schemeProvider.GetSchemeAsync(JwtBearerDefaults.AuthenticationScheme).GetAwaiter().GetResult();
+
+        // Assert
+        scheme.Should().NotBeNull("JwtBearer scheme should be registered");
+        scheme!.HandlerType.Should().Be(typeof(JwtBearerHandler));
+    }
+
+    [Fact]
+    public void AddSatelliteJwt_ConfiguresTokenValidationParameters_AsPerContract()
+    {
+        // Arrange
+        var services = new ServiceCollection();
+        services.AddLogging();
+        var configuration = BuildConfiguration(("Jwt:Secret", ValidSecret));
+
+        // Act
+        services.AddSatelliteJwt(configuration);
+        var provider = services.BuildServiceProvider();
+        var options = provider.GetRequiredService<IOptionsMonitor<JwtBearerOptions>>().Get(JwtBearerDefaults.AuthenticationScheme);
+
+        // Assert
+        var p = options.TokenValidationParameters;
+        p.ValidateIssuerSigningKey.Should().BeTrue();
+        p.ValidateLifetime.Should().BeTrue();
+        p.ValidateIssuer.Should().BeFalse();
+        p.ValidateAudience.Should().BeFalse();
+        p.RequireSignedTokens.Should().BeTrue();
+        p.RequireExpirationTime.Should().BeTrue();
+        p.ClockSkew.Should().Be(TimeSpan.FromSeconds(30));
+        p.IssuerSigningKey.Should().BeOfType<SymmetricSecurityKey>();
+    }
+
+    [Fact]
+    public void AddSatelliteJwt_ThrowsOnMissingSecret()
+    {
+        // Arrange
+        var services = new ServiceCollection();
+        var configuration = BuildConfiguration();
+
+        // Act
+        var act = () => services.AddSatelliteJwt(configuration);
+
+        // Assert
+        act.Should().Throw<InvalidOperationException>()
+            .WithMessage("*JWT secret is not configured*");
+    }
+
+    [Fact]
+    public void AddSatelliteJwt_ThrowsOnEmptySecret()
+    {
+        // Arrange
+        var services = new ServiceCollection();
+        var configuration = BuildConfiguration(("Jwt:Secret", ""));
+
+        // Act
+        var act = () => services.AddSatelliteJwt(configuration);
+
+        // Assert
+        act.Should().Throw<InvalidOperationException>()
+            .WithMessage("*JWT secret is not configured*");
+    }
+
+    [Fact]
+    public void AddSatelliteJwt_ThrowsOnShortSecret()
+    {
+        // Arrange
+        var services = new ServiceCollection();
+        var configuration = BuildConfiguration(("Jwt:Secret", "too-short-secret"));
+
+        // Act
+        var act = () => services.AddSatelliteJwt(configuration);
+
+        // Assert
+        act.Should().Throw<InvalidOperationException>()
+            .WithMessage("*at least 32 bytes*");
+    }
+
+    [Fact]
+    public void AddSatelliteJwt_PrefersEnvironmentVariableOverConfiguration()
+    {
+        // Arrange
+        const string envSecret = "env-secret-also-longer-than-thirty-two-bytes-for-hmac";
+        Environment.SetEnvironmentVariable(AuthenticationServiceCollectionExtensions.JwtSecretEnvVar, envSecret);
+        var services = new ServiceCollection();
+        services.AddLogging();
+        var configuration = BuildConfiguration(("Jwt:Secret", "config-secret-also-32-bytes-long-aaaaaaaaaa"));
+
+        // Act
+        services.AddSatelliteJwt(configuration);
+        var provider = services.BuildServiceProvider();
+        var options = provider.GetRequiredService<IOptionsMonitor<JwtBearerOptions>>().Get(JwtBearerDefaults.AuthenticationScheme);
+        var token = JwtTokenFactory.Create(envSecret);
+        var handler = new JwtSecurityTokenHandler();
+        var act = () => handler.ValidateToken(token, options.TokenValidationParameters, out _);
+
+        // Assert
+        act.Should().NotThrow("token signed with env secret must validate when env secret takes precedence");
+    }
+
+    private static IConfiguration BuildConfiguration(params (string Key, string Value)[] pairs)
+    {
+        var builder = new ConfigurationBuilder();
+        if (pairs.Length > 0)
+        {
+            builder.AddInMemoryCollection(pairs.Select(p => new KeyValuePair<string, string?>(p.Key, p.Value)));
+        }
+        return builder.Build();
+    }
+}