Add CORS config and auth with JWT

2026-03-02 22:26:50 +02:00
parent 154b9b66ce
commit 2beeadd42c
17 changed files with 307 additions and 23 deletions
--- a/api/App/App.csproj
+++ b/api/App/App.csproj
@@ -7,6 +7,7 @@
  </PropertyGroup>

  <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.0" />
    <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.0" />
    <PackageReference Include="Microsoft.Data.Sqlite" Version="10.0.0" />
  </ItemGroup>
--- a/api/App/Endpoints/AuthEndpoints.cs
+++ b/api/App/Endpoints/AuthEndpoints.cs
@@ -0,0 +1,77 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Text;
+using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Tokens;
+
+public record AuthTokenRequest(string Email, string Password);
+
+public class AuthUser
+{
+  public string Email { get; set; } = string.Empty;
+  public string Password { get; set; } = string.Empty;
+}
+
+public class AuthOptions
+{
+  public string Issuer { get; set; } = "klapi-api";
+  public string Audience { get; set; } = "klapi-ui";
+  public string SigningKey { get; set; } = string.Empty;
+  public List<string> AllowedOrigins { get; set; } = [];
+  public List<AuthUser> Users { get; set; } = [];
+}
+
+public static class AuthEndpoints
+{
+  public static void MapAuthEndpoints(WebApplication app)
+  {
+    app.MapPost("/auth/token", (
+      HttpContext httpContext,
+      IOptions<AuthOptions> authOptions,
+      AuthTokenRequest request) =>
+    {
+      if (string.IsNullOrWhiteSpace(request.Email) || string.IsNullOrWhiteSpace(request.Password))
+      {
+        return Results.BadRequest(new { Message = "Email and password are required." });
+      }
+
+      var options = authOptions.Value;
+      var user = options.Users.FirstOrDefault(item =>
+        string.Equals(item.Email, request.Email.Trim(), StringComparison.OrdinalIgnoreCase));
+
+      if (user is null || !string.Equals(user.Password, request.Password, StringComparison.Ordinal))
+      {
+        return Results.Unauthorized();
+      }
+
+      var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(options.SigningKey));
+      var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
+      var claims = new List<Claim>
+      {
+        new(JwtRegisteredClaimNames.Sub, user.Email),
+        new(JwtRegisteredClaimNames.Email, user.Email),
+        new(ClaimTypes.Name, user.Email),
+        new("scope", "openhours:write")
+      };
+
+      var token = new JwtSecurityToken(
+        issuer: options.Issuer,
+        audience: options.Audience,
+        claims: claims,
+        expires: DateTime.UtcNow.AddHours(12),
+        signingCredentials: credentials);
+
+      var tokenValue = new JwtSecurityTokenHandler().WriteToken(token);
+
+      return Results.Ok(new
+      {
+        AccessToken = tokenValue,
+        Email = user.Email,
+        TokenType = "Bearer",
+        ExpiresIn = 43200
+      });
+    })
+    .RequireCors("FrontendWriteCors")
+    .WithName("CreateAuthToken");
+  }
+}
--- a/api/App/Endpoints/LokEndpoints.cs
+++ b/api/App/Endpoints/LokEndpoints.cs
@@ -32,6 +32,8 @@ public static class LokEndpoints
      httpContext.Response.Headers.Location = "/lok/open-hours";
      await httpContext.Response.WriteAsJsonAsync(createdOpenHours);
    })
+    .RequireAuthorization("OpenHoursWrite")
+    .RequireCors("FrontendWriteCors")
    .WithName("CreateLokOpenHours");

    app.MapGet("/lok/open-hours", async (HttpContext httpContext) =>
@@ -51,6 +53,7 @@ public static class LokEndpoints

      await httpContext.Response.WriteAsJsonAsync(openHours);
    })
+    .RequireCors("PublicReadCors")
    .WithName("GetLokOpenHours");

    app.MapDelete("/lok/open-hours/{id:long}", async (HttpContext httpContext, long id) =>
@@ -70,6 +73,8 @@ public static class LokEndpoints

      httpContext.Response.StatusCode = StatusCodes.Status204NoContent;
    })
+    .RequireAuthorization("OpenHoursWrite")
+    .RequireCors("FrontendWriteCors")
    .WithName("DeleteLokOpenHours");

    app.MapPut("/lok/open-hours/{id:long}", async (HttpContext httpContext, long id) =>
@@ -111,6 +116,8 @@ public static class LokEndpoints

      await httpContext.Response.WriteAsJsonAsync(updatedOpenHours);
    })
+    .RequireAuthorization("OpenHoursWrite")
+    .RequireCors("FrontendWriteCors")
    .WithName("UpdateLokOpenHours");

    app.MapPut("/lok/open-hours/{id:long}/active", async (HttpContext httpContext, long id) =>
@@ -134,6 +141,8 @@ public static class LokEndpoints
        IsActive = true
      });
    })
+    .RequireAuthorization("OpenHoursWrite")
+    .RequireCors("FrontendWriteCors")
    .WithName("SetActiveLokOpenHours");
  }
 }
--- a/api/App/Endpoints/SystemEndpoints.cs
+++ b/api/App/Endpoints/SystemEndpoints.cs
@@ -9,6 +9,7 @@ public static class SystemEndpoints
        Version = "1.0.0"
      };
    })
+    .RequireCors("PublicReadCors")
    .WithName("GetVersion");

    app.MapGet("/health/db", async (Microsoft.Data.Sqlite.SqliteConnection connection) =>
@@ -24,6 +25,7 @@ public static class SystemEndpoints
        Result = result
      };
    })
+    .RequireCors("PublicReadCors")
    .WithName("GetDatabaseHealth");
  }
 }
--- a/api/App/Program.cs
+++ b/api/App/Program.cs
@@ -1,4 +1,7 @@
 using Microsoft.Data.Sqlite;
+using System.Text;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.IdentityModel.Tokens;

 public class Program
 {
@@ -19,21 +22,66 @@ public class Program
        sqliteConnectionStringBuilder.DataSource = databasePath;
        var resolvedConnectionString = sqliteConnectionStringBuilder.ToString();

+        var authOptions = builder.Configuration.GetSection("Auth").Get<AuthOptions>()
+            ?? throw new InvalidOperationException("Auth configuration was not found.");
+
+        if (string.IsNullOrWhiteSpace(authOptions.SigningKey) || authOptions.SigningKey.Length < 32)
+        {
+            throw new InvalidOperationException("Auth:SigningKey must be at least 32 characters long.");
+        }
+
+        if (authOptions.Users.Count == 0)
+        {
+            throw new InvalidOperationException("At least one user must be configured under Auth:Users.");
+        }
+
+        builder.Services.Configure<AuthOptions>(builder.Configuration.GetSection("Auth"));
+
        builder.Services.AddScoped(_ => new SqliteConnection(resolvedConnectionString));
        builder.Services.AddScoped<LokService>();
        builder.Services.AddCors(options =>
        {
-            options.AddPolicy("UiCors", policy =>
+            options.AddPolicy("PublicReadCors", policy =>
            {
                policy
-                    .WithOrigins(
-                        "http://localhost:5173",
-                        "http://127.0.0.1:5173",
-                        "http://localhost:4173",
-                        "http://127.0.0.1:4173")
+                    .AllowAnyOrigin()
                    .AllowAnyHeader()
                    .AllowAnyMethod();
            });
+
+            options.AddPolicy("FrontendWriteCors", policy =>
+            {
+                policy
+                    .WithOrigins(authOptions.AllowedOrigins.ToArray())
+                    .AllowAnyHeader()
+                    .AllowAnyMethod();
+            });
+        });
+
+        builder.Services
+            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+            .AddJwtBearer(options =>
+            {
+                options.TokenValidationParameters = new TokenValidationParameters
+                {
+                    ValidateIssuer = true,
+                    ValidateAudience = true,
+                    ValidateIssuerSigningKey = true,
+                    ValidateLifetime = true,
+                    ValidIssuer = authOptions.Issuer,
+                    ValidAudience = authOptions.Audience,
+                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(authOptions.SigningKey)),
+                    ClockSkew = TimeSpan.FromMinutes(1)
+                };
+            });
+
+        builder.Services.AddAuthorization(options =>
+        {
+            options.AddPolicy("OpenHoursWrite", policy =>
+            {
+                policy.RequireAuthenticatedUser();
+                policy.RequireClaim("scope", "openhours:write");
+            });
        });

        builder.Services.AddOpenApi();
@@ -137,7 +185,10 @@ public class Program
            app.MapOpenApi();
        }

-        app.UseCors("UiCors");
+        app.UseCors();
+
+        app.UseAuthentication();
+        app.UseAuthorization();

        if (!app.Environment.IsDevelopment())
        {
@@ -145,6 +196,7 @@ public class Program
        }

        SystemEndpoints.MapSystemEndpoints(app);
+        AuthEndpoints.MapAuthEndpoints(app);
        LokEndpoints.MapLokEndpoints(app);

        app.Run();
--- a/api/App/appsettings.Development.json
+++ b/api/App/appsettings.Development.json
@@ -7,5 +7,22 @@
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
+  },
+  "Auth": {
+    "Issuer": "klapi-api",
+    "Audience": "klapi-ui",
+    "SigningKey": "change-this-to-a-long-random-32-char-minimum-key",
+    "AllowedOrigins": [
+      "http://localhost:5173",
+      "http://127.0.0.1:5173",
+      "http://localhost:4173",
+      "http://127.0.0.1:4173"
+    ],
+    "Users": [
+      {
+        "Email": "admin@klapi.local",
+        "Password": "changeme"
+      }
+    ]
  }
 }
--- a/api/App/appsettings.json
+++ b/api/App/appsettings.json
@@ -8,5 +8,22 @@
      "Microsoft.AspNetCore": "Warning"
    }
  },
+  "Auth": {
+    "Issuer": "klapi-api",
+    "Audience": "klapi-ui",
+    "SigningKey": "change-this-to-a-long-random-32-char-minimum-key",
+    "AllowedOrigins": [
+      "http://localhost:5173",
+      "http://127.0.0.1:5173",
+      "http://localhost:4173",
+      "http://127.0.0.1:4173"
+    ],
+    "Users": [
+      {
+        "Email": "admin@klapi.local",
+        "Password": "changeme"
+      }
+    ]
+  },
  "AllowedHosts": "*"
 }