mirror of
https://github.com/azaion/satellite-provider.git
synced 2026-06-21 13:31:13 +00:00
Oleksandr Bezdieniezhnykh
96cd3c4495
Adds Microsoft.AspNetCore.Authentication.JwtBearer 8.0.21 and the SatelliteProvider.Api.Authentication.AddSatelliteJwt extension that validates HS256 tokens against a shared JWT_SECRET (>=32 bytes, fail fast at startup). Every minimal-API endpoint now carries .RequireAuthorization(); the middleware chain is UseExceptionHandler -> UseHttpsRedirection -> UseCors -> UseAuthentication -> UseAuthorization -> endpoints. Swagger UI gets a Bearer security definition so the Authorize button works. Test infrastructure: JwtTokenFactory (unit) and JwtTestHelpers (integration) mint deterministic tokens against the same secret; the integration test runner attaches a default Bearer token to its shared HttpClient so existing tests continue to exercise protected endpoints. JwtIntegrationTests adds AC-1..AC-4 and AC-7 (Swagger advertises Bearer) end-to-end; AuthenticationServiceCollectionExtensionsTests covers AC-5 (missing/empty/short secret fail-fast) plus env-var precedence; JwtTokenFactoryTests covers AC-6 (claims pass through the JwtSecurityTokenHandler.ValidateToken path JwtBearer uses). docker-compose and scripts/run-tests.sh now propagate JWT_SECRET to the api and integration-tests containers, with a >=32-byte guard. .env.example documents the required keys; .env stays gitignored. Code review verdict: PASS_WITH_WARNINGS (2 Low findings surfaced in _docs/03_implementation/reviews/batch_01_cycle2_review.md). Cross-component coordination: gps-denied-onboard and the mission planner UI must attach Bearer tokens before this lands in dev. Co-authored-by: Cursor <cursoragent@cursor.com>
67 lines
2.5 KiB
C#
67 lines
2.5 KiB
C#
using System.Text;
|
|
using Microsoft.AspNetCore.Authentication.JwtBearer;
|
|
using Microsoft.IdentityModel.Tokens;
|
|
|
|
namespace SatelliteProvider.Api.Authentication;
|
|
|
|
public static class AuthenticationServiceCollectionExtensions
|
|
{
|
|
public const string JwtSecretEnvVar = "JWT_SECRET";
|
|
public const string JwtSecretConfigKey = "Jwt:Secret";
|
|
public const int MinSecretByteLength = 32;
|
|
|
|
public static IServiceCollection AddSatelliteJwt(this IServiceCollection services, IConfiguration configuration)
|
|
{
|
|
ArgumentNullException.ThrowIfNull(services);
|
|
ArgumentNullException.ThrowIfNull(configuration);
|
|
|
|
var secret = ResolveSecretOrThrow(configuration);
|
|
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));
|
|
|
|
services
|
|
.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
|
|
.AddJwtBearer(options =>
|
|
{
|
|
options.TokenValidationParameters = new TokenValidationParameters
|
|
{
|
|
ValidateIssuerSigningKey = true,
|
|
IssuerSigningKey = signingKey,
|
|
ValidateLifetime = true,
|
|
ClockSkew = TimeSpan.FromSeconds(30),
|
|
ValidateIssuer = false,
|
|
ValidateAudience = false,
|
|
RequireSignedTokens = true,
|
|
RequireExpirationTime = true
|
|
};
|
|
});
|
|
|
|
return services;
|
|
}
|
|
|
|
internal static string ResolveSecretOrThrow(IConfiguration configuration)
|
|
{
|
|
var secret = Environment.GetEnvironmentVariable(JwtSecretEnvVar);
|
|
if (string.IsNullOrWhiteSpace(secret))
|
|
{
|
|
secret = configuration[JwtSecretConfigKey];
|
|
}
|
|
|
|
if (string.IsNullOrWhiteSpace(secret))
|
|
{
|
|
throw new InvalidOperationException(
|
|
$"JWT secret is not configured. Set the {JwtSecretEnvVar} environment variable " +
|
|
$"or the {JwtSecretConfigKey} configuration key to a value of at least {MinSecretByteLength} bytes.");
|
|
}
|
|
|
|
var byteLength = Encoding.UTF8.GetByteCount(secret);
|
|
if (byteLength < MinSecretByteLength)
|
|
{
|
|
throw new InvalidOperationException(
|
|
$"JWT secret is too short ({byteLength} bytes). HMAC-SHA256 requires at least {MinSecretByteLength} bytes " +
|
|
$"per RFC 2104 §3. Set {JwtSecretEnvVar} or {JwtSecretConfigKey} to a longer value.");
|
|
}
|
|
|
|
return secret;
|
|
}
|
|
}
|