azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-21 14:31:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
753be43d11cd046fd5db6eb829d8aa61854b0bec
satellite-provider/SatelliteProvider.IntegrationTests/JwtTestHelpers.cs
T
Oleksandr Bezdieniezhnykh 96cd3c4495
ci/woodpecker/push/01-test Pipeline failed
Details
ci/woodpecker/push/02-build-push unknown status
Details
[AZ-487] JWT validation baseline (HS256, all endpoints) 
Adds Microsoft.AspNetCore.Authentication.JwtBearer 8.0.21 and the
SatelliteProvider.Api.Authentication.AddSatelliteJwt extension that
validates HS256 tokens against a shared JWT_SECRET (>=32 bytes, fail
fast at startup). Every minimal-API endpoint now carries
.RequireAuthorization(); the middleware chain is UseExceptionHandler ->
UseHttpsRedirection -> UseCors -> UseAuthentication -> UseAuthorization
-> endpoints. Swagger UI gets a Bearer security definition so the
Authorize button works.

Test infrastructure: JwtTokenFactory (unit) and JwtTestHelpers
(integration) mint deterministic tokens against the same secret; the
integration test runner attaches a default Bearer token to its shared
HttpClient so existing tests continue to exercise protected endpoints.
JwtIntegrationTests adds AC-1..AC-4 and AC-7 (Swagger advertises
Bearer) end-to-end; AuthenticationServiceCollectionExtensionsTests
covers AC-5 (missing/empty/short secret fail-fast) plus env-var
precedence; JwtTokenFactoryTests covers AC-6 (claims pass through
the JwtSecurityTokenHandler.ValidateToken path JwtBearer uses).

docker-compose and scripts/run-tests.sh now propagate JWT_SECRET to
the api and integration-tests containers, with a >=32-byte guard.
.env.example documents the required keys; .env stays gitignored.

Code review verdict: PASS_WITH_WARNINGS (2 Low findings surfaced
in _docs/03_implementation/reviews/batch_01_cycle2_review.md).

Cross-component coordination: gps-denied-onboard and the mission
planner UI must attach Bearer tokens before this lands in dev.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-11 23:06:23 +03:00

87 lines
2.9 KiB
C#
Raw Blame History

using System.IdentityModel.Tokens.Jwt;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;
namespace SatelliteProvider.IntegrationTests;
public static class JwtTestHelpers
{
public const string JwtSecretEnvVar = "JWT_SECRET";
public const string DefaultSubject = "integration-tests";
public static string ResolveSecretOrThrow()
{
var secret = Environment.GetEnvironmentVariable(JwtSecretEnvVar);
if (string.IsNullOrWhiteSpace(secret))
{
throw new InvalidOperationException(
$"{JwtSecretEnvVar} is not set in the integration test environment. " +
"It must match the JWT_SECRET configured for the API container.");
}
var byteLength = Encoding.UTF8.GetByteCount(secret);
if (byteLength < 32)
{
throw new InvalidOperationException(
$"{JwtSecretEnvVar} is {byteLength} bytes; the test runner requires at least 32 bytes to match API validation.");
}
return secret;
}
public static string MintValidToken(string secret, string subject = DefaultSubject, TimeSpan? lifetime = null, IEnumerable<Claim>? extraClaims = null)
{
ArgumentNullException.ThrowIfNull(secret);
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));
var credentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
var now = DateTime.UtcNow;
var claims = new List<Claim>
{
new(JwtRegisteredClaimNames.Sub, subject),
new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N"))
};
if (extraClaims is not null)
{
claims.AddRange(extraClaims);
}
var token = new JwtSecurityToken(
issuer: null,
audience: null,
claims: claims,
notBefore: now,
expires: now.Add(lifetime ?? TimeSpan.FromHours(1)),
signingCredentials: credentials);
return new JwtSecurityTokenHandler().WriteToken(token);
}
public static string MintExpiredToken(string secret, string subject = DefaultSubject)
{
return MintValidToken(secret, subject, lifetime: TimeSpan.FromMinutes(-10));
}
public static string TamperSignature(string token)
{
var parts = token.Split('.');
if (parts.Length != 3)
{
throw new ArgumentException("JWT must have three dot-separated segments.", nameof(token));
}
var signature = parts[2];
var firstChar = signature[0];
parts[2] = (firstChar == 'A' ? 'B' : 'A') + signature[1..];
return string.Join('.', parts);
}
public static void AttachDefaultAuthorization(HttpClient httpClient, string token)
{
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
}
}
Reference in New Issue View Git Blame Copy Permalink