azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-21 06:51:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
f979e18811cfc4f978015c15060491d163e8f828
satellite-provider/_docs/02_document/modules/api_program.md
T
Oleksandr Bezdieniezhnykh f979e18811 [AZ-494] Enable JWT iss/aud validation with fail-fast startup 
Option B per user decision: production ships with empty Jwt.Issuer /
Jwt.Audience in appsettings.json so the API process refuses to start
unless JWT_ISSUER + JWT_AUDIENCE env vars are supplied. Development
ships with grep-friendly DEV-ONLY- placeholders so local + docker
flows keep working unchanged.

AuthenticationServiceCollectionExtensions flips ValidateIssuer +
ValidateAudience to true and wires ValidIssuer / ValidAudience via a
new ResolveRequiredOrThrow helper that all three required values
(secret, iss, aud) now share. JwtTokenFactory.Create + CreateExpired
gain optional iss / aud parameters (default null) so existing call
sites compile unchanged. JwtTestHelpers adds MintAuthenticated /
MintExpired wrappers that resolve iss + aud from env, plus
ResolveIssuerOrThrow / ResolveAudienceOrThrow. PerfBootstrap.MintToken
+ Program.cs JWT bootstrap migrated to the new surface so the perf
harness and the integration runner both validate against the same
contract.

Adds 4 fail-fast unit tests (missing/empty issuer + audience), 2
negative integration scenarios (WrongIssuer_Returns401,
WrongAudience_Returns401), and re-tags every existing integration
mint site via MintAuthenticated.

Compose, .env.example, run-tests.sh, run-performance-tests.sh all
load + export JWT_ISSUER + JWT_AUDIENCE alongside JWT_SECRET.

Resolves F-AUTH-2 (security_report.md + owasp_review.md). AC-7
(cross-repo suite/_docs/10_auth.md write) deferred — outside this
workspace; tracked in deploy_cycle2.md R3 follow-up.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-12 02:28:48 +03:00

8.1 KiB
Raw Blame History

Module: Api/Program.cs

Purpose

Application entry point. Configures DI container, sets up middleware, defines minimal API endpoints, runs database migrations on startup, and starts background services.

Public Interface

API Endpoints

Method Route Handler Description
GET /tiles/{z}/{x}/{y} ServeTile Slippy map tile server with in-memory caching
GET /api/satellite/tiles/latlon GetTileByLatLon Download single tile by lat/lon/zoom
GET /api/satellite/tiles/mgrs GetSatelliteTilesByMgrs MGRS stub (returns empty)
POST /api/satellite/upload UploadUavTileBatch UAV tile batch upload (AZ-488) — multipart envelope, 5-rule quality gate, per-source UPSERT with source='uav'. Requires the RequiresGpsPermission policy.
POST /api/satellite/request RequestRegion Queue region for async tile processing
GET /api/satellite/region/{id} GetRegionStatus Get region processing status
POST /api/satellite/route CreateRoute Create route with intermediate points
GET /api/satellite/route/{id} GetRoute Get route with all points

Local Records (defined in Program.cs)

  • GetSatelliteTilesResponse, SatelliteTile — MGRS response stubs
  • DownloadTileResponse — tile download response
  • RequestRegionRequest — region request body
  • ParameterDescriptionFilter — Swagger operation filter

Api/DTOs (AZ-488)

  • UavTileBatchUploadRequest — multipart envelope with metadata (JSON string) and files (IFormFileCollection)

Common/DTO (AZ-488)

  • UavTileMetadata, UavTileBatchMetadataPayload — per-item metadata + envelope shape
  • UavTileBatchUploadResponse, UavTileUploadResultItem — per-item response shape
  • UavTileUploadStatus, UavTileRejectReasons — string-constant enumerations exposed in the v1.0.0 contract

Internal Logic

DI Registration

  1. Serilog configured from appsettings.json
  2. Connection string extracted from ConnectionStrings:DefaultConnection
  3. Config bindings: MapConfig, StorageConfig, ProcessingConfig, UavQualityConfig (AZ-488)
  4. Request size limits (AZ-488): KestrelServerOptions.Limits.MaxRequestBodySize and FormOptions.MultipartBodyLengthLimit are set to UavQualityConfig.MaxBatchSize × UavQualityConfig.MaxBytes (default 100 × 5 MiB = 500 MiB) so an oversized UAV batch is rejected at the framework layer before reaching the handler.
  5. Singletons: repositories (TileRepository, RegionRepository, RouteRepository), GoogleMapsDownloaderV2, ITileService, IRegionService, IRouteService, IUavTileQualityGate, IUavTileUploadHandler (AZ-488)
  6. IRegionRequestQueue with configurable capacity
  7. Hosted services: RegionProcessingService, RouteProcessingService
  8. CORS policy: TilesCors — configured origins from CorsConfig:AllowedOrigins, falls back to allow-any
  9. JSON options: camelCase, case-insensitive
  10. JWT authentication (AZ-487 + AZ-494): AddSatelliteJwt(builder.Configuration) (extension in SatelliteProvider.Api.Authentication) registers JwtBearer with TokenValidationParameters set per the suite auth contract: signature + lifetime + issuer + audience validation, 30 s clock skew, ≥ 32-byte HMAC key. The iss value comes from JWT_ISSUER env (fallback Jwt:Issuer config); the aud value comes from JWT_AUDIENCE env (fallback Jwt:Audience config). All three values (secret, iss, aud) are fail-fast — the API throws InvalidOperationException at startup if any is unset or whitespace-only. Production deploys MUST set the env vars with admin-team-confirmed values; appsettings.json ships empty so the fail-fast triggers. appsettings.Development.json ships clearly-tagged DEV-ONLY values (DEV-ONLY-iss-admin-azaion-local / DEV-ONLY-aud-satellite-provider) so local dev works out-of-the-box. Followed by AddAuthorization with the RequiresGpsPermission policy (AZ-488).

Startup

  1. Database migration via DatabaseMigrator.RunMigrations() — throws on failure
  2. Creates tiles and ready directories
  3. Swagger enabled in Development mode
  4. Middleware chain (order matters): UseExceptionHandlerUseHttpsRedirectionUseCors("TilesCors")UseAuthenticationUseAuthorization → endpoint mapping.
  5. Every MapGet/MapPost endpoint is decorated with .RequireAuthorization(); the framework returns 401 before the handler runs for any anonymous, expired, or invalid-signature request.

ServeTile Handler

  1. Checks IMemoryCache for tile bytes (1h absolute, 30min sliding expiration)
  2. If cache miss: queries ITileRepository.GetByTileCoordinatesAsync
  3. If no DB record: downloads tile via GoogleMapsDownloaderV2.DownloadSingleTileAsync, creates TileEntity, inserts
  4. Returns image bytes with cache headers (Cache-Control: public, max-age=86400)

GetTileByLatLon Handler

Downloads a tile, persists it, returns metadata as DownloadTileResponse.

RequestRegion Handler

Validates size (10010000m), delegates to IRegionService.RequestRegionAsync.

UploadUavTileBatch Handler (AZ-488)

Buffers each IFormFile into memory, packages them as UavUploadFile records (filename, content-type, bytes), and delegates to IUavTileUploadHandler.HandleAsync. Envelope-level errors (mismatched batch, oversized batch, malformed metadata) are surfaced as HTTP 400 ProblemDetails; per-item rejects are returned in the HTTP 200 response payload. The endpoint is protected by .RequireAuthorization(SatellitePermissions.UavUploadPolicy) so 401 (no token) and 403 (no GPS permission) are returned before the handler runs.

Dependencies

All project references: Common, DataAccess, Services. NuGet: Serilog.AspNetCore, Swashbuckle.AspNetCore, Microsoft.AspNetCore.OpenApi (8.0.25, bumped from 8.0.21 by AZ-496), Microsoft.AspNetCore.Authentication.JwtBearer (8.0.25, added at 8.0.21 by AZ-487, bumped by AZ-496), SixLabors.ImageSharp, Newtonsoft.Json.

Consumers

  • HTTP clients (external)
  • Integration tests (via HTTP)

Data Models

Defines several local request/response records that are not shared with other projects.

Configuration

All configuration sections are consumed here:

  • ConnectionStrings:DefaultConnection
  • MapConfig, StorageConfig, ProcessingConfig
  • UavQuality (AZ-488) — MinBytes, MaxBytes, MaxAgeDays, CapturedAtFutureSkewSeconds, MinLuminanceVariance, MaxBatchSize, LuminanceSampleSize. Drives the 5-rule quality gate AND the per-request body-size limits.
  • CorsConfig:AllowedOrigins
  • Jwt:Secret — HMAC-SHA256 signing key for JWT validation (AZ-487). Resolution: JWT_SECRET env var (preferred, opaque production secret) → Jwt:Secret configuration key (appsettings.Development.json placeholder only). Startup fails fast if the resolved value is unset, empty, or shorter than 32 bytes.
  • Jwt:Issuer — Expected iss claim value (AZ-494). Resolution: JWT_ISSUER env → Jwt:Issuer config. Startup fails fast if unset/empty.
  • Jwt:Audience — Expected aud claim value (AZ-494). Resolution: JWT_AUDIENCE env → Jwt:Audience config. Startup fails fast if unset/empty.
  • Serilog section

External Integrations

  • Google Maps (indirectly via GoogleMapsDownloaderV2)
  • PostgreSQL (via repositories and DatabaseMigrator)
  • File system (./tiles/, ./ready/)

Security

  • CORS configured (permissive by default when no origins specified)
  • Swagger only in Development; Bearer token "Authorize" button registered via AddSecurityDefinition/AddSecurityRequirement (AZ-487)
  • HTTPS redirection enabled
  • JWT bearer authentication (AZ-487) — every endpoint requires a valid HS256-signed token. Anonymous, expired, or signature-tampered requests return 401 before the handler runs.
  • Permission-claim policies (AZ-488) — POST /api/satellite/upload is wrapped in .RequireAuthorization(SatellitePermissions.UavUploadPolicy). The PermissionsAuthorizationHandler reads the permissions claim (repeated-string OR JSON-array shape) and returns 403 if GPS is not present.

Tests

Integration tests exercise all endpoints. Unit test project has only a dummy test.

Reference in New Issue View Git Blame Copy Permalink