mirror of
https://github.com/azaion/satellite-provider.git
synced 2026-06-21 18:01:16 +00:00
Oleksandr Bezdieniezhnykh
f979e18811
Option B per user decision: production ships with empty Jwt.Issuer / Jwt.Audience in appsettings.json so the API process refuses to start unless JWT_ISSUER + JWT_AUDIENCE env vars are supplied. Development ships with grep-friendly DEV-ONLY- placeholders so local + docker flows keep working unchanged. AuthenticationServiceCollectionExtensions flips ValidateIssuer + ValidateAudience to true and wires ValidIssuer / ValidAudience via a new ResolveRequiredOrThrow helper that all three required values (secret, iss, aud) now share. JwtTokenFactory.Create + CreateExpired gain optional iss / aud parameters (default null) so existing call sites compile unchanged. JwtTestHelpers adds MintAuthenticated / MintExpired wrappers that resolve iss + aud from env, plus ResolveIssuerOrThrow / ResolveAudienceOrThrow. PerfBootstrap.MintToken + Program.cs JWT bootstrap migrated to the new surface so the perf harness and the integration runner both validate against the same contract. Adds 4 fail-fast unit tests (missing/empty issuer + audience), 2 negative integration scenarios (WrongIssuer_Returns401, WrongAudience_Returns401), and re-tags every existing integration mint site via MintAuthenticated. Compose, .env.example, run-tests.sh, run-performance-tests.sh all load + export JWT_ISSUER + JWT_AUDIENCE alongside JWT_SECRET. Resolves F-AUTH-2 (security_report.md + owasp_review.md). AC-7 (cross-repo suite/_docs/10_auth.md write) deferred — outside this workspace; tracked in deploy_cycle2.md R3 follow-up. Co-authored-by: Cursor <cursoragent@cursor.com>
97 lines
3.9 KiB
C#
97 lines
3.9 KiB
C#
using System.Text;
|
|
using Microsoft.AspNetCore.Authentication.JwtBearer;
|
|
using Microsoft.IdentityModel.Tokens;
|
|
|
|
namespace SatelliteProvider.Api.Authentication;
|
|
|
|
public static class AuthenticationServiceCollectionExtensions
|
|
{
|
|
public const string JwtSecretEnvVar = "JWT_SECRET";
|
|
public const string JwtSecretConfigKey = "Jwt:Secret";
|
|
public const string JwtIssuerEnvVar = "JWT_ISSUER";
|
|
public const string JwtIssuerConfigKey = "Jwt:Issuer";
|
|
public const string JwtAudienceEnvVar = "JWT_AUDIENCE";
|
|
public const string JwtAudienceConfigKey = "Jwt:Audience";
|
|
public const int MinSecretByteLength = 32;
|
|
|
|
public static IServiceCollection AddSatelliteJwt(this IServiceCollection services, IConfiguration configuration)
|
|
{
|
|
ArgumentNullException.ThrowIfNull(services);
|
|
ArgumentNullException.ThrowIfNull(configuration);
|
|
|
|
var secret = ResolveSecretOrThrow(configuration);
|
|
var issuer = ResolveRequiredOrThrow(configuration, JwtIssuerEnvVar, JwtIssuerConfigKey, "JWT issuer");
|
|
var audience = ResolveRequiredOrThrow(configuration, JwtAudienceEnvVar, JwtAudienceConfigKey, "JWT audience");
|
|
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));
|
|
|
|
services
|
|
.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
|
|
.AddJwtBearer(options =>
|
|
{
|
|
options.TokenValidationParameters = new TokenValidationParameters
|
|
{
|
|
ValidateIssuerSigningKey = true,
|
|
IssuerSigningKey = signingKey,
|
|
ValidateLifetime = true,
|
|
ClockSkew = TimeSpan.FromSeconds(30),
|
|
ValidateIssuer = true,
|
|
ValidIssuer = issuer,
|
|
ValidateAudience = true,
|
|
ValidAudience = audience,
|
|
RequireSignedTokens = true,
|
|
RequireExpirationTime = true
|
|
};
|
|
});
|
|
|
|
return services;
|
|
}
|
|
|
|
internal static string ResolveSecretOrThrow(IConfiguration configuration)
|
|
{
|
|
var secret = Environment.GetEnvironmentVariable(JwtSecretEnvVar);
|
|
if (string.IsNullOrWhiteSpace(secret))
|
|
{
|
|
secret = configuration[JwtSecretConfigKey];
|
|
}
|
|
|
|
if (string.IsNullOrWhiteSpace(secret))
|
|
{
|
|
throw new InvalidOperationException(
|
|
$"JWT secret is not configured. Set the {JwtSecretEnvVar} environment variable " +
|
|
$"or the {JwtSecretConfigKey} configuration key to a value of at least {MinSecretByteLength} bytes.");
|
|
}
|
|
|
|
var byteLength = Encoding.UTF8.GetByteCount(secret);
|
|
if (byteLength < MinSecretByteLength)
|
|
{
|
|
throw new InvalidOperationException(
|
|
$"JWT secret is too short ({byteLength} bytes). HMAC-SHA256 requires at least {MinSecretByteLength} bytes " +
|
|
$"per RFC 2104 §3. Set {JwtSecretEnvVar} or {JwtSecretConfigKey} to a longer value.");
|
|
}
|
|
|
|
return secret;
|
|
}
|
|
|
|
// AZ-494: required non-secret config (iss / aud). Fail-fast contract mirrors
|
|
// JWT_SECRET — missing or whitespace-only values throw at startup so a
|
|
// production deploy without the operator-confirmed values cannot silently
|
|
// accept tokens with arbitrary issuer/audience claims.
|
|
internal static string ResolveRequiredOrThrow(IConfiguration configuration, string envVar, string configKey, string humanLabel)
|
|
{
|
|
var value = Environment.GetEnvironmentVariable(envVar);
|
|
if (string.IsNullOrWhiteSpace(value))
|
|
{
|
|
value = configuration[configKey];
|
|
}
|
|
|
|
if (string.IsNullOrWhiteSpace(value))
|
|
{
|
|
throw new InvalidOperationException(
|
|
$"{humanLabel} is not configured. Set the {envVar} environment variable " +
|
|
$"or the {configKey} configuration key. (See AZ-494 task spec.)");
|
|
}
|
|
|
|
return value;
|
|
}
|
|
}
|