Merge pull request 'Applied required scope policy' (#72 ) from payments into master

Reviewed-on: #72
Applied required scope policy
2026-06-04 08:58:03 +02:00 · 2026-06-04 08:57:16 +02:00 · 2026-06-04 08:48:15 +02:00 · 2026-06-04 08:47:18 +02:00 · 2026-06-03 17:49:04 +02:00 · 2026-06-03 17:48:38 +02:00
8 changed files with 128 additions and 54 deletions
@@ -363,3 +363,4 @@ MigrationBackup/
 FodyWeavers.xsd
 /LiteCharms.Features.Tests/http/http-client.env.json
 /LiteCharms.Features.Tests/http/midrandshop-api/http-client.env.json
 /LiteCharms.Features.Tests/http/authentik/http-client.env.json
@@ -1,6 +1,6 @@
 {
  "FeatureManagement": {
-    "CategorySeederService": true,
+    "CategorySeederService": false,
    "CustomerSeederService": false,
    "ProductsSeederService": false
  },
@@ -0,0 +1,6 @@
 ### Authentik Token Request (Service Account Explicit)
 POST {{authority}}
 Content-Type: application/x-www-form-urlencoded
 Accept-Encoding: identity
 grant_type={{grantType}}&client_id={{clientId}}&username={{username}}&password={{password}}&scope={{scope}}
@@ -0,0 +1,18 @@
 namespace LiteCharms.Features.Api.Configuration;
 public sealed class AuthentikSettings
 {
    public string? Authority { get; set; }
    public string? IntrospectionUrl { get; set; }
    public string? ApiResourceName { get; set; }
    public string? ApiResourceSecret { get; set; }
    public string? RequiredClaimName { get; set; }
    public string? RequiredClaimNameValue { get; set; }
    public bool RequireHttpsMetadata { get; set; }
 }
@@ -8,7 +8,7 @@ public sealed class OpenApiBearerSecuritySchemeTransformer : IOpenApiDocumentTra
        {
            Type = SecuritySchemeType.Http,
            Scheme = "bearer",
-            Description = "JWT Authorization header using the Bearer scheme. Example: \"Bearer {token}\"",
+            Description = "JWT Authorization header using the Bearer scheme",
        };
        document.AddComponent("Bearer", bearerScheme);
@@ -1,5 +1,6 @@
 using LiteCharms.Features.Abstractions;
 using LiteCharms.Features.Api;
 using LiteCharms.Features.Api.Configuration;
 namespace LiteCharms.Features.Extensions;
@@ -8,42 +9,41 @@ public static class Api
    public const string Books = nameof(Books);
    public const string Payments = nameof(Payments);
-    public static IApplicationBuilder MapEndpoints(this WebApplication app, IDictionary<int, RouteGroupBuilder> versionGroups)
+    public static IServiceCollection AddAuthentic(this IServiceCollection services, IConfiguration configuration)
    {
-        var endpoints = app.Services.GetRequiredService<IEnumerable<IEndpoint>>();
+        var configSection = configuration.GetSection(nameof(AuthentikSettings));
-        foreach (var endpoint in endpoints)
+        var authOptions = new AuthentikSettings();
-        {
+        configSection.Bind(authOptions);
            var versionAttributes = endpoint.GetType().GetCustomAttributes<ApiVersionTargetAttribute>().ToList();
-            if (versionAttributes.Count != 0)
+        services.Configure<AuthentikSettings>(configSection);
        services.AddAuthentication(OAuth2IntrospectionDefaults.AuthenticationScheme)
            .AddOAuth2Introspection(OAuth2IntrospectionDefaults.AuthenticationScheme, options =>
            {
-                foreach (var attr in versionAttributes)
+                options.Authority = authOptions.Authority;
-                    if (versionGroups.TryGetValue(attr.MajorVersion, out var targetGroup))
+                options.IntrospectionEndpoint = authOptions.IntrospectionUrl;
-                        endpoint.Map(targetGroup);
+                options.ClientId = authOptions.ApiResourceName;
                options.ClientSecret = authOptions.ApiResourceSecret;
                options.NameClaimType = "sub";
                options.DiscoveryPolicy.RequireHttps = authOptions.RequireHttpsMetadata;
                options.DiscoveryPolicy.ValidateEndpoints = false;
                options.EnableCaching = false;                
            });
        if (!string.IsNullOrWhiteSpace(authOptions.RequiredClaimName) && !string.IsNullOrWhiteSpace(authOptions.RequiredClaimNameValue))
        {
            services.AddAuthorizationBuilder()
                .AddPolicy("RequiredScope", policy =>
                    policy.RequireClaim(authOptions.RequiredClaimName, authOptions.RequiredClaimNameValue));
        }
        else
-                endpoint.Map(app);
+            services.AddAuthorization();
        }
        return app;
    }
    public static IServiceCollection AddEndpoints(this IServiceCollection services, Assembly assembly)
    {
        ServiceDescriptor[] discriptors = [.. assembly.DefinedTypes
            .Where(t => t is { IsInterface: false, IsAbstract: false })
            .Where(t => t.IsAssignableTo(typeof(IEndpoint)))
            .Select(t => ServiceDescriptor.Transient(typeof(IEndpoint), t))];
        services.TryAddEnumerable(discriptors);
        return services;
    }
    public static string ToEndpointName(this Type target, string? annotation = "") =>
        $"{target.Name.Replace("Endpoint", string.Empty)}{annotation}".ToLower(CultureInfo.CurrentCulture);
    public static IServiceCollection AddApiServices(this IServiceCollection services, IConfiguration configuration)
    {
        services.AddHttpClient();
@@ -95,4 +95,41 @@ public static class Api
        return services;
    }
    public static IApplicationBuilder MapEndpoints(this WebApplication app, IDictionary<int, RouteGroupBuilder> versionGroups)
    {
        var endpoints = app.Services.GetRequiredService<IEnumerable<IEndpoint>>();
        foreach (var endpoint in endpoints)
        {
            var versionAttributes = endpoint.GetType().GetCustomAttributes<ApiVersionTargetAttribute>().ToList();
            if (versionAttributes.Count != 0)
            {
                foreach (var attr in versionAttributes)
                    if (versionGroups.TryGetValue(attr.MajorVersion, out var targetGroup))
                        endpoint.Map(targetGroup);
            }
            else
                endpoint.Map(app);
        }
        return app;
    }
    public static IServiceCollection AddEndpoints(this IServiceCollection services, Assembly assembly)
    {
        ServiceDescriptor[] discriptors = [.. assembly.DefinedTypes
            .Where(t => t is { IsInterface: false, IsAbstract: false })
            .Where(t => t.IsAssignableTo(typeof(IEndpoint)))
            .Select(t => ServiceDescriptor.Transient(typeof(IEndpoint), t))];
        services.TryAddEnumerable(discriptors);
        return services;
    }
    public static string ToEndpointName(this Type target, string? annotation = "") =>
        $"{target.Name.Replace("Endpoint", string.Empty)}{annotation}".ToLower(CultureInfo.CurrentCulture);
 }
@@ -4,7 +4,7 @@ namespace LiteCharms.Features.Hasher;
 public sealed partial class HashService(IHashids hasher) : IService
 {
-    [GeneratedRegex(@"\A\b[0-9a-fA-F]+\b\Z")]
+    [GeneratedRegex(@"\A\b[0-9a-fA-F]+\b\Z", RegexOptions.None, matchTimeoutMilliseconds: 100)]
    private static partial Regex HexHashRegex { get; }
    [GeneratedRegex(@"\A[0-9a-fA-F]{32}\Z", RegexOptions.None, matchTimeoutMilliseconds: 100)]
@@ -29,6 +29,18 @@
    <None Include="..\icon.png" Pack="true" PackagePath="\" />
  </ItemGroup>
  <!-- Security (IODC)-->
  <ItemGroup>
    <PackageReference Include="IdentityModel.AspNetCore" Version="4.3.0" />
    <PackageReference Include="IdentityModel.AspNetCore.OAuth2introspection" Version="6.2.0" />
    <PackageReference Include="IdentityServer4.AccessTokenValidation" Version="3.0.1" />
    <PackageReference Include="IdentityModel" Version="6.2.0" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.Certificate" Version="10.0.8" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.8" />
    <Using Include="IdentityModel.AspNetCore.OAuth2Introspection"/>
  </ItemGroup>
  <!-- API Versioning -->
  <ItemGroup>
    <PackageReference Include="AccessTokenClient.Extensions" Version="5.1.0" />
Author	SHA1	Message	Date
khwezi	f8153e86b4	Merge pull request 'Applied required scope policy' (#72 ) from payments into master Reviewed-on: #72	2026-06-04 08:58:03 +02:00
Khwezi Mngoma	eef1096ec5	Applied required scope policy continuous-integration/drone/pr Build is passing Details	2026-06-04 08:57:16 +02:00
khwezi	84d33d3607	Merge pull request 'Refactored authentication' (#71 ) from payments into master Reviewed-on: #71	2026-06-04 08:48:15 +02:00
Khwezi Mngoma	8f97d7cf38	Refactored authentication continuous-integration/drone/pr Build is passing Details	2026-06-04 08:47:18 +02:00
khwezi	f51cc03327	Merge pull request 'Disabled caching' (#70 ) from payments into master Reviewed-on: #70	2026-06-03 17:49:04 +02:00
Khwezi Mngoma	652ca82a57	Disabled caching continuous-integration/drone/pr Build is passing Details	2026-06-03 17:48:38 +02:00
khwezi	aff6fcabf4	Merge pull request 'payments' (#69 ) from payments into master Reviewed-on: #69	2026-06-03 17:38:45 +02:00
Khwezi Mngoma	a50830ffaa	Refactored auth continuous-integration/drone/pr Build is passing Details	2026-06-03 17:37:56 +02:00
Khwezi Mngoma	ee6f8a283e	Refactored oauth registration	2026-06-03 17:37:33 +02:00
khwezi	8140b5fe65	Merge pull request 'Added authentik configuration and service registration' (#68 ) from payments into master Reviewed-on: #68	2026-06-03 12:53:55 +02:00
Khwezi Mngoma	fda97db5fa	Added authentik configuration and service registration continuous-integration/drone/pr Build is passing Details	2026-06-03 12:52:59 +02:00
khwezi	9285cedfa9	Merge pull request 'Refactored token message' (#67 ) from payments into master Reviewed-on: #67	2026-06-03 12:16:31 +02:00
Khwezi Mngoma	29574f4df0	Refactored token message continuous-integration/drone/pr Build is passing Details	2026-06-03 12:15:31 +02:00