Add CORS config and auth with JWT

2026-03-02 22:26:50 +02:00
parent 154b9b66ce
commit 2beeadd42c
17 changed files with 307 additions and 23 deletions
--- a/api/App/Endpoints/AuthEndpoints.cs
+++ b/api/App/Endpoints/AuthEndpoints.cs
@@ -0,0 +1,77 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Text;
+using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Tokens;
+
+public record AuthTokenRequest(string Email, string Password);
+
+public class AuthUser
+{
+  public string Email { get; set; } = string.Empty;
+  public string Password { get; set; } = string.Empty;
+}
+
+public class AuthOptions
+{
+  public string Issuer { get; set; } = "klapi-api";
+  public string Audience { get; set; } = "klapi-ui";
+  public string SigningKey { get; set; } = string.Empty;
+  public List<string> AllowedOrigins { get; set; } = [];
+  public List<AuthUser> Users { get; set; } = [];
+}
+
+public static class AuthEndpoints
+{
+  public static void MapAuthEndpoints(WebApplication app)
+  {
+    app.MapPost("/auth/token", (
+      HttpContext httpContext,
+      IOptions<AuthOptions> authOptions,
+      AuthTokenRequest request) =>
+    {
+      if (string.IsNullOrWhiteSpace(request.Email) || string.IsNullOrWhiteSpace(request.Password))
+      {
+        return Results.BadRequest(new { Message = "Email and password are required." });
+      }
+
+      var options = authOptions.Value;
+      var user = options.Users.FirstOrDefault(item =>
+        string.Equals(item.Email, request.Email.Trim(), StringComparison.OrdinalIgnoreCase));
+
+      if (user is null || !string.Equals(user.Password, request.Password, StringComparison.Ordinal))
+      {
+        return Results.Unauthorized();
+      }
+
+      var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(options.SigningKey));
+      var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
+      var claims = new List<Claim>
+      {
+        new(JwtRegisteredClaimNames.Sub, user.Email),
+        new(JwtRegisteredClaimNames.Email, user.Email),
+        new(ClaimTypes.Name, user.Email),
+        new("scope", "openhours:write")
+      };
+
+      var token = new JwtSecurityToken(
+        issuer: options.Issuer,
+        audience: options.Audience,
+        claims: claims,
+        expires: DateTime.UtcNow.AddHours(12),
+        signingCredentials: credentials);
+
+      var tokenValue = new JwtSecurityTokenHandler().WriteToken(token);
+
+      return Results.Ok(new
+      {
+        AccessToken = tokenValue,
+        Email = user.Email,
+        TokenType = "Bearer",
+        ExpiresIn = 43200
+      });
+    })
+    .RequireCors("FrontendWriteCors")
+    .WithName("CreateAuthToken");
+  }
+}
--- a/api/App/Endpoints/LokEndpoints.cs
+++ b/api/App/Endpoints/LokEndpoints.cs
@@ -32,6 +32,8 @@ public static class LokEndpoints
      httpContext.Response.Headers.Location = "/lok/open-hours";
      await httpContext.Response.WriteAsJsonAsync(createdOpenHours);
    })
+    .RequireAuthorization("OpenHoursWrite")
+    .RequireCors("FrontendWriteCors")
    .WithName("CreateLokOpenHours");

    app.MapGet("/lok/open-hours", async (HttpContext httpContext) =>
@@ -51,6 +53,7 @@ public static class LokEndpoints

      await httpContext.Response.WriteAsJsonAsync(openHours);
    })
+    .RequireCors("PublicReadCors")
    .WithName("GetLokOpenHours");

    app.MapDelete("/lok/open-hours/{id:long}", async (HttpContext httpContext, long id) =>
@@ -70,6 +73,8 @@ public static class LokEndpoints

      httpContext.Response.StatusCode = StatusCodes.Status204NoContent;
    })
+    .RequireAuthorization("OpenHoursWrite")
+    .RequireCors("FrontendWriteCors")
    .WithName("DeleteLokOpenHours");

    app.MapPut("/lok/open-hours/{id:long}", async (HttpContext httpContext, long id) =>
@@ -111,6 +116,8 @@ public static class LokEndpoints

      await httpContext.Response.WriteAsJsonAsync(updatedOpenHours);
    })
+    .RequireAuthorization("OpenHoursWrite")
+    .RequireCors("FrontendWriteCors")
    .WithName("UpdateLokOpenHours");

    app.MapPut("/lok/open-hours/{id:long}/active", async (HttpContext httpContext, long id) =>
@@ -134,6 +141,8 @@ public static class LokEndpoints
        IsActive = true
      });
    })
+    .RequireAuthorization("OpenHoursWrite")
+    .RequireCors("FrontendWriteCors")
    .WithName("SetActiveLokOpenHours");
  }
 }
--- a/api/App/Endpoints/SystemEndpoints.cs
+++ b/api/App/Endpoints/SystemEndpoints.cs
@@ -9,6 +9,7 @@ public static class SystemEndpoints
        Version = "1.0.0"
      };
    })
+    .RequireCors("PublicReadCors")
    .WithName("GetVersion");

    app.MapGet("/health/db", async (Microsoft.Data.Sqlite.SqliteConnection connection) =>
@@ -24,6 +25,7 @@ public static class SystemEndpoints
        Result = result
      };
    })
+    .RequireCors("PublicReadCors")
    .WithName("GetDatabaseHealth");
  }
 }