azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-21 08:41:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-487] JWT validation baseline (HS256, all endpoints)
ci/woodpecker/push/01-test Pipeline failed
Details
ci/woodpecker/push/02-build-push unknown status
Details

Browse Source 
Adds Microsoft.AspNetCore.Authentication.JwtBearer 8.0.21 and the
SatelliteProvider.Api.Authentication.AddSatelliteJwt extension that
validates HS256 tokens against a shared JWT_SECRET (>=32 bytes, fail
fast at startup). Every minimal-API endpoint now carries
.RequireAuthorization(); the middleware chain is UseExceptionHandler ->
UseHttpsRedirection -> UseCors -> UseAuthentication -> UseAuthorization
-> endpoints. Swagger UI gets a Bearer security definition so the
Authorize button works.

Test infrastructure: JwtTokenFactory (unit) and JwtTestHelpers
(integration) mint deterministic tokens against the same secret; the
integration test runner attaches a default Bearer token to its shared
HttpClient so existing tests continue to exercise protected endpoints.
JwtIntegrationTests adds AC-1..AC-4 and AC-7 (Swagger advertises
Bearer) end-to-end; AuthenticationServiceCollectionExtensionsTests
covers AC-5 (missing/empty/short secret fail-fast) plus env-var
precedence; JwtTokenFactoryTests covers AC-6 (claims pass through
the JwtSecurityTokenHandler.ValidateToken path JwtBearer uses).

docker-compose and scripts/run-tests.sh now propagate JWT_SECRET to
the api and integration-tests containers, with a >=32-byte guard.
.env.example documents the required keys; .env stays gitignored.

Code review verdict: PASS_WITH_WARNINGS (2 Low findings surfaced
in _docs/03_implementation/reviews/batch_01_cycle2_review.md).

Cross-component coordination: gps-denied-onboard and the mission
planner UI must attach Bearer tokens before this lands in dev.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-11 23:06:23 +03:00
parent 8e15e53782
commit 96cd3c4495
23 changed files with 872 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/run-tests.sh
+16 -1
View File
@@ -23,6 +23,9 @@ Flags:
Environment:
GOOGLE_MAPS_API_KEY Required for any integration test mode (loaded from .env or shell env).
JWT_SECRET Required for any integration test mode. Shared HMAC secret used by the
API and the integration test runner; must be at least 32 bytes (UTF-8).
Loaded from .env or shell env.
EOF
}
@@ -66,7 +69,7 @@ if [[ "$mode" == "unit" ]]; then
exit 0
fi
if [[ -z "${GOOGLE_MAPS_API_KEY:-}" ]] && [[ -f "$PROJECT_ROOT/.env" ]]; then
if { [[ -z "${GOOGLE_MAPS_API_KEY:-}" ]] || [[ -z "${JWT_SECRET:-}" ]]; } && [[ -f "$PROJECT_ROOT/.env" ]]; then
set -o allexport
# shellcheck disable=SC1091
source "$PROJECT_ROOT/.env"
@@ -78,6 +81,18 @@ if [[ -z "${GOOGLE_MAPS_API_KEY:-}" ]]; then
exit 3
fi
if [[ -z "${JWT_SECRET:-}" ]]; then
echo "ERROR: JWT_SECRET is not set (export it or add to .env). API will fail to start without it."
exit 3
fi
jwt_secret_bytes=${#JWT_SECRET}
if (( jwt_secret_bytes < 32 )); then
echo "ERROR: JWT_SECRET is ${jwt_secret_bytes} bytes; HMAC-SHA256 requires at least 32 bytes."
exit 3
fi
export JWT_SECRET
echo "Step 1: Unit tests"
docker run --rm -v "$PROJECT_ROOT:/src" -w /src mcr.microsoft.com/dotnet/sdk:8.0 \
sh -c "dotnet restore SatelliteProvider.sln && dotnet test SatelliteProvider.Tests/SatelliteProvider.Tests.csproj --no-restore --configuration Release --collect:'XPlat Code Coverage' --results-directory /src/TestResults --logger 'console;verbosity=normal'"