azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-22 21:51:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-494] Enable JWT iss/aud validation with fail-fast startup

Browse Source 
Option B per user decision: production ships with empty Jwt.Issuer /
Jwt.Audience in appsettings.json so the API process refuses to start
unless JWT_ISSUER + JWT_AUDIENCE env vars are supplied. Development
ships with grep-friendly DEV-ONLY- placeholders so local + docker
flows keep working unchanged.

AuthenticationServiceCollectionExtensions flips ValidateIssuer +
ValidateAudience to true and wires ValidIssuer / ValidAudience via a
new ResolveRequiredOrThrow helper that all three required values
(secret, iss, aud) now share. JwtTokenFactory.Create + CreateExpired
gain optional iss / aud parameters (default null) so existing call
sites compile unchanged. JwtTestHelpers adds MintAuthenticated /
MintExpired wrappers that resolve iss + aud from env, plus
ResolveIssuerOrThrow / ResolveAudienceOrThrow. PerfBootstrap.MintToken
+ Program.cs JWT bootstrap migrated to the new surface so the perf
harness and the integration runner both validate against the same
contract.

Adds 4 fail-fast unit tests (missing/empty issuer + audience), 2
negative integration scenarios (WrongIssuer_Returns401,
WrongAudience_Returns401), and re-tags every existing integration
mint site via MintAuthenticated.

Compose, .env.example, run-tests.sh, run-performance-tests.sh all
load + export JWT_ISSUER + JWT_AUDIENCE alongside JWT_SECRET.

Resolves F-AUTH-2 (security_report.md + owasp_review.md). AC-7
(cross-repo suite/_docs/10_auth.md write) deferred — outside this
workspace; tracked in deploy_cycle2.md R3 follow-up.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-12 02:28:48 +03:00
parent 080441db5d
commit f979e18811
27 changed files with 543 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files
SatelliteProvider.Tests/Authentication/AuthenticationServiceCollectionExtensionsTests.cs
+119 -13
View File
@@ -15,17 +15,27 @@ namespace SatelliteProvider.Tests.Authentication;
public class AuthenticationServiceCollectionExtensionsTests : IDisposable
{
private const string ValidSecret = "test-secret-that-is-definitely-longer-than-32-bytes";
private readonly string? _originalEnv;
private const string ValidIssuer = "https://test-issuer.example/";
private const string ValidAudience = "satellite-provider-tests";
private readonly string? _originalSecret;
private readonly string? _originalIssuer;
private readonly string? _originalAudience;
public AuthenticationServiceCollectionExtensionsTests()
{
_originalEnv = Environment.GetEnvironmentVariable(AuthExtensions.JwtSecretEnvVar);
_originalSecret = Environment.GetEnvironmentVariable(AuthExtensions.JwtSecretEnvVar);
_originalIssuer = Environment.GetEnvironmentVariable(AuthExtensions.JwtIssuerEnvVar);
_originalAudience = Environment.GetEnvironmentVariable(AuthExtensions.JwtAudienceEnvVar);
Environment.SetEnvironmentVariable(AuthExtensions.JwtSecretEnvVar, null);
Environment.SetEnvironmentVariable(AuthExtensions.JwtIssuerEnvVar, null);
Environment.SetEnvironmentVariable(AuthExtensions.JwtAudienceEnvVar, null);
}
public void Dispose()
{
Environment.SetEnvironmentVariable(AuthExtensions.JwtSecretEnvVar, _originalEnv);
Environment.SetEnvironmentVariable(AuthExtensions.JwtSecretEnvVar, _originalSecret);
Environment.SetEnvironmentVariable(AuthExtensions.JwtIssuerEnvVar, _originalIssuer);
Environment.SetEnvironmentVariable(AuthExtensions.JwtAudienceEnvVar, _originalAudience);
GC.SuppressFinalize(this);
}
@@ -35,7 +45,7 @@ public class AuthenticationServiceCollectionExtensionsTests : IDisposable
// Arrange
var services = new ServiceCollection();
services.AddLogging();
var configuration = BuildConfiguration(("Jwt:Secret", ValidSecret));
var configuration = BuildValidConfiguration();
// Act
services.AddSatelliteJwt(configuration);
@@ -54,7 +64,7 @@ public class AuthenticationServiceCollectionExtensionsTests : IDisposable
// Arrange
var services = new ServiceCollection();
services.AddLogging();
var configuration = BuildConfiguration(("Jwt:Secret", ValidSecret));
var configuration = BuildValidConfiguration();
// Act
services.AddSatelliteJwt(configuration);
@@ -65,8 +75,10 @@ public class AuthenticationServiceCollectionExtensionsTests : IDisposable
var p = options.TokenValidationParameters;
p.ValidateIssuerSigningKey.Should().BeTrue();
p.ValidateLifetime.Should().BeTrue();
p.ValidateIssuer.Should().BeFalse();
p.ValidateAudience.Should().BeFalse();
p.ValidateIssuer.Should().BeTrue("AZ-494 flipped issuer validation on");
p.ValidIssuer.Should().Be(ValidIssuer);
p.ValidateAudience.Should().BeTrue("AZ-494 flipped audience validation on");
p.ValidAudience.Should().Be(ValidAudience);
p.RequireSignedTokens.Should().BeTrue();
p.RequireExpirationTime.Should().BeTrue();
p.ClockSkew.Should().Be(TimeSpan.FromSeconds(30));
@@ -78,7 +90,9 @@ public class AuthenticationServiceCollectionExtensionsTests : IDisposable
{
// Arrange
var services = new ServiceCollection();
var configuration = BuildConfiguration();
var configuration = BuildConfiguration(
("Jwt:Issuer", ValidIssuer),
("Jwt:Audience", ValidAudience));
// Act
var act = () => services.AddSatelliteJwt(configuration);
@@ -93,7 +107,10 @@ public class AuthenticationServiceCollectionExtensionsTests : IDisposable
{
// Arrange
var services = new ServiceCollection();
var configuration = BuildConfiguration(("Jwt:Secret", ""));
var configuration = BuildConfiguration(
("Jwt:Secret", ""),
("Jwt:Issuer", ValidIssuer),
("Jwt:Audience", ValidAudience));
// Act
var act = () => services.AddSatelliteJwt(configuration);
@@ -108,7 +125,10 @@ public class AuthenticationServiceCollectionExtensionsTests : IDisposable
{
// Arrange
var services = new ServiceCollection();
var configuration = BuildConfiguration(("Jwt:Secret", "too-short-secret"));
var configuration = BuildConfiguration(
("Jwt:Secret", "too-short-secret"),
("Jwt:Issuer", ValidIssuer),
("Jwt:Audience", ValidAudience));
// Act
var act = () => services.AddSatelliteJwt(configuration);
@@ -118,28 +138,114 @@ public class AuthenticationServiceCollectionExtensionsTests : IDisposable
.WithMessage("*at least 32 bytes*");
}
[Fact]
public void AddSatelliteJwt_ThrowsOnMissingIssuer()
{
// Arrange — AZ-494 AC-4: fail-fast on missing issuer.
var services = new ServiceCollection();
var configuration = BuildConfiguration(
("Jwt:Secret", ValidSecret),
("Jwt:Audience", ValidAudience));
// Act
var act = () => services.AddSatelliteJwt(configuration);
// Assert
act.Should().Throw<InvalidOperationException>()
.WithMessage("*JWT issuer is not configured*")
.Where(ex => ex.Message.Contains(AuthExtensions.JwtIssuerEnvVar));
}
[Fact]
public void AddSatelliteJwt_ThrowsOnEmptyIssuer()
{
// Arrange
var services = new ServiceCollection();
var configuration = BuildConfiguration(
("Jwt:Secret", ValidSecret),
("Jwt:Issuer", " "),
("Jwt:Audience", ValidAudience));
// Act
var act = () => services.AddSatelliteJwt(configuration);
// Assert
act.Should().Throw<InvalidOperationException>()
.WithMessage("*JWT issuer is not configured*");
}
[Fact]
public void AddSatelliteJwt_ThrowsOnMissingAudience()
{
// Arrange — AZ-494 AC-4: fail-fast on missing audience.
var services = new ServiceCollection();
var configuration = BuildConfiguration(
("Jwt:Secret", ValidSecret),
("Jwt:Issuer", ValidIssuer));
// Act
var act = () => services.AddSatelliteJwt(configuration);
// Assert
act.Should().Throw<InvalidOperationException>()
.WithMessage("*JWT audience is not configured*")
.Where(ex => ex.Message.Contains(AuthExtensions.JwtAudienceEnvVar));
}
[Fact]
public void AddSatelliteJwt_ThrowsOnEmptyAudience()
{
// Arrange
var services = new ServiceCollection();
var configuration = BuildConfiguration(
("Jwt:Secret", ValidSecret),
("Jwt:Issuer", ValidIssuer),
("Jwt:Audience", ""));
// Act
var act = () => services.AddSatelliteJwt(configuration);
// Assert
act.Should().Throw<InvalidOperationException>()
.WithMessage("*JWT audience is not configured*");
}
[Fact]
public void AddSatelliteJwt_PrefersEnvironmentVariableOverConfiguration()
{
// Arrange
const string envSecret = "env-secret-also-longer-than-thirty-two-bytes-for-hmac";
const string envIssuer = "https://env-issuer.example/";
const string envAudience = "env-audience";
Environment.SetEnvironmentVariable(AuthExtensions.JwtSecretEnvVar, envSecret);
Environment.SetEnvironmentVariable(AuthExtensions.JwtIssuerEnvVar, envIssuer);
Environment.SetEnvironmentVariable(AuthExtensions.JwtAudienceEnvVar, envAudience);
var services = new ServiceCollection();
services.AddLogging();
var configuration = BuildConfiguration(("Jwt:Secret", "config-secret-also-32-bytes-long-aaaaaaaaaa"));
var configuration = BuildConfiguration(
("Jwt:Secret", "config-secret-also-32-bytes-long-aaaaaaaaaa"),
("Jwt:Issuer", "https://config-issuer.example/"),
("Jwt:Audience", "config-audience"));
// Act
services.AddSatelliteJwt(configuration);
var provider = services.BuildServiceProvider();
var options = provider.GetRequiredService<IOptionsMonitor<JwtBearerOptions>>().Get(JwtBearerDefaults.AuthenticationScheme);
var token = JwtTokenFactory.Create(envSecret);
var token = JwtTokenFactory.Create(envSecret, issuer: envIssuer, audience: envAudience);
var handler = new JwtSecurityTokenHandler();
var act = () => handler.ValidateToken(token, options.TokenValidationParameters, out _);
// Assert
act.Should().NotThrow("token signed with env secret must validate when env secret takes precedence");
act.Should().NotThrow("token signed with env secret + minted with env iss/aud must validate when env precedence applies");
options.TokenValidationParameters.ValidIssuer.Should().Be(envIssuer);
options.TokenValidationParameters.ValidAudience.Should().Be(envAudience);
}
private static IConfiguration BuildValidConfiguration() => BuildConfiguration(
("Jwt:Secret", ValidSecret),
("Jwt:Issuer", ValidIssuer),
("Jwt:Audience", ValidAudience));
private static IConfiguration BuildConfiguration(params (string Key, string Value)[] pairs)
{
var builder = new ConfigurationBuilder();