mirror of
https://github.com/azaion/satellite-provider.git
synced 2026-06-21 15:21:15 +00:00
Oleksandr Bezdieniezhnykh
96cd3c4495
Adds Microsoft.AspNetCore.Authentication.JwtBearer 8.0.21 and the SatelliteProvider.Api.Authentication.AddSatelliteJwt extension that validates HS256 tokens against a shared JWT_SECRET (>=32 bytes, fail fast at startup). Every minimal-API endpoint now carries .RequireAuthorization(); the middleware chain is UseExceptionHandler -> UseHttpsRedirection -> UseCors -> UseAuthentication -> UseAuthorization -> endpoints. Swagger UI gets a Bearer security definition so the Authorize button works. Test infrastructure: JwtTokenFactory (unit) and JwtTestHelpers (integration) mint deterministic tokens against the same secret; the integration test runner attaches a default Bearer token to its shared HttpClient so existing tests continue to exercise protected endpoints. JwtIntegrationTests adds AC-1..AC-4 and AC-7 (Swagger advertises Bearer) end-to-end; AuthenticationServiceCollectionExtensionsTests covers AC-5 (missing/empty/short secret fail-fast) plus env-var precedence; JwtTokenFactoryTests covers AC-6 (claims pass through the JwtSecurityTokenHandler.ValidateToken path JwtBearer uses). docker-compose and scripts/run-tests.sh now propagate JWT_SECRET to the api and integration-tests containers, with a >=32-byte guard. .env.example documents the required keys; .env stays gitignored. Code review verdict: PASS_WITH_WARNINGS (2 Low findings surfaced in _docs/03_implementation/reviews/batch_01_cycle2_review.md). Cross-component coordination: gps-denied-onboard and the mission planner UI must attach Bearer tokens before this lands in dev. Co-authored-by: Cursor <cursoragent@cursor.com>
94 lines
3.0 KiB
C#
94 lines
3.0 KiB
C#
using System.IdentityModel.Tokens.Jwt;
|
|
using System.Security.Claims;
|
|
using System.Text;
|
|
using FluentAssertions;
|
|
using Microsoft.IdentityModel.Tokens;
|
|
using SatelliteProvider.Tests.TestUtilities;
|
|
|
|
namespace SatelliteProvider.Tests.Authentication;
|
|
|
|
public class JwtTokenFactoryTests
|
|
{
|
|
private const string Secret = "factory-secret-that-is-longer-than-thirty-two-bytes-bytes";
|
|
|
|
[Fact]
|
|
public void Create_ProducesTokenValidatedByMatchingParameters()
|
|
{
|
|
// Arrange
|
|
var token = JwtTokenFactory.Create(Secret, subject: "alice");
|
|
var parameters = BuildParameters(Secret);
|
|
var handler = new JwtSecurityTokenHandler();
|
|
|
|
// Act
|
|
var principal = handler.ValidateToken(token, parameters, out var validatedToken);
|
|
|
|
// Assert
|
|
principal.Identity!.IsAuthenticated.Should().BeTrue();
|
|
principal.FindFirst(JwtRegisteredClaimNames.Sub)!.Value.Should().Be("alice");
|
|
validatedToken.Should().BeOfType<JwtSecurityToken>();
|
|
}
|
|
|
|
[Fact]
|
|
public void Create_WithExtraClaims_PropagatesClaimsThroughValidation()
|
|
{
|
|
// Arrange
|
|
var claims = new[]
|
|
{
|
|
new Claim("email", "alice@example.com"),
|
|
new Claim("role", "operator"),
|
|
new Claim("permissions", "GPS"),
|
|
new Claim("permissions", "FL")
|
|
};
|
|
var token = JwtTokenFactory.Create(Secret, extraClaims: claims);
|
|
var handler = new JwtSecurityTokenHandler();
|
|
|
|
// Act
|
|
var principal = handler.ValidateToken(token, BuildParameters(Secret), out _);
|
|
|
|
// Assert
|
|
principal.FindAll("permissions").Select(c => c.Value).Should().BeEquivalentTo(new[] { "GPS", "FL" });
|
|
principal.FindFirst("email")!.Value.Should().Be("alice@example.com");
|
|
}
|
|
|
|
[Fact]
|
|
public void CreateExpired_TokenFailsValidationWithLifetimeException()
|
|
{
|
|
// Arrange
|
|
var token = JwtTokenFactory.CreateExpired(Secret);
|
|
var handler = new JwtSecurityTokenHandler();
|
|
|
|
// Act
|
|
var act = () => handler.ValidateToken(token, BuildParameters(Secret), out _);
|
|
|
|
// Assert
|
|
act.Should().Throw<SecurityTokenExpiredException>();
|
|
}
|
|
|
|
[Fact]
|
|
public void TamperSignature_TokenFailsValidationWithSignatureException()
|
|
{
|
|
// Arrange
|
|
var token = JwtTokenFactory.Create(Secret);
|
|
var tampered = JwtTokenFactory.TamperSignature(token);
|
|
var handler = new JwtSecurityTokenHandler();
|
|
|
|
// Act
|
|
var act = () => handler.ValidateToken(tampered, BuildParameters(Secret), out _);
|
|
|
|
// Assert
|
|
act.Should().Throw<SecurityTokenInvalidSignatureException>();
|
|
}
|
|
|
|
private static TokenValidationParameters BuildParameters(string secret) => new()
|
|
{
|
|
ValidateIssuerSigningKey = true,
|
|
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret)),
|
|
ValidateLifetime = true,
|
|
ClockSkew = TimeSpan.FromSeconds(30),
|
|
ValidateIssuer = false,
|
|
ValidateAudience = false,
|
|
RequireSignedTokens = true,
|
|
RequireExpirationTime = true
|
|
};
|
|
}
|