Merge pull request 'Added UI security' (#73 ) from payments into master

Reviewed-on: #73
Added UI security
2026-06-04 14:09:08 +02:00 · 2026-06-04 14:08:27 +02:00 · 2026-06-04 08:58:03 +02:00 · 2026-06-04 08:57:16 +02:00 · 2026-06-04 08:48:15 +02:00 · 2026-06-04 08:47:18 +02:00
7 changed files with 67 additions and 17 deletions
@@ -363,3 +363,4 @@ MigrationBackup/
 FodyWeavers.xsd
 /LiteCharms.Features.Tests/http/http-client.env.json
 /LiteCharms.Features.Tests/http/midrandshop-api/http-client.env.json
+/LiteCharms.Features.Tests/http/authentik/http-client.env.json
@@ -1,6 +1,6 @@
 {
  "FeatureManagement": {
-    "CategorySeederService": true,
+    "CategorySeederService": false,
    "CustomerSeederService": false,
    "ProductsSeederService": false
  },
@@ -0,0 +1,6 @@
+### Authentik Token Request (Service Account Explicit)
+POST {{authority}}
+Content-Type: application/x-www-form-urlencoded
+Accept-Encoding: identity
+
+grant_type={{grantType}}&client_id={{clientId}}&username={{username}}&password={{password}}&scope={{scope}}
@@ -4,15 +4,15 @@ public sealed class AuthentikSettings
 {
    public string? Authority { get; set; }

-    public string? ApiResourceName { get; set; }
+    public string? IntrospectionUrl { get; set; }

-    public string? ApiResourceSecret { get; set; }
+    public string? ClientId { get; set; }
+
+    public string? ClientSecret { get; set; }

    public string? RequiredClaimName { get; set; }

    public string? RequiredClaimNameValue { get; set; }

    public bool RequireHttpsMetadata { get; set; }
-
-    public bool BypassSslErrors { get; set; }
 }
@@ -9,28 +9,70 @@ public static class Api
    public const string Books = nameof(Books);
    public const string Payments = nameof(Payments);

-    public static IServiceCollection AddAuthentic(this IServiceCollection services, IConfiguration configuration)
+    public static IServiceCollection AddAuthentikUiSecurity(this IServiceCollection services, IConfiguration configuration)
    {
+        var configSection = configuration.GetSection(nameof(AuthentikSettings));
+
        var authOptions = new AuthentikSettings();
+        configSection.Bind(authOptions);

-        configuration.GetSection("Authentik").Bind(authOptions);
+        services.Configure<AuthentikSettings>(configSection);

-        services.Configure<AuthentikSettings>(configuration.GetSection(nameof(AuthentikSettings)));
+        services.AddAuthentication(options =>
+        {
+            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
+        })
+        .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
+        .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
+        {
+            options.Authority = authOptions.Authority;
+
+            options.ClientId = authOptions.ClientId;
+            options.ClientSecret = authOptions.ClientSecret;
+
+            options.ResponseType = "code";
+            options.SaveTokens = true;
+            options.GetClaimsFromUserInfoEndpoint = true;
+
+            options.Scope.Clear();
+            options.Scope.Add("openid");
+            options.Scope.Add("profile");
+            options.Scope.Add("email");
+        });
+
+        return services;
+    }
+
+    public static IServiceCollection AddAuthentikApiSecurity(this IServiceCollection services, IConfiguration configuration)
+    {
+        var configSection = configuration.GetSection(nameof(AuthentikSettings));
+
+        var authOptions = new AuthentikSettings();
+        configSection.Bind(authOptions);
+
+        services.Configure<AuthentikSettings>(configSection);

        services.AddAuthentication(OAuth2IntrospectionDefaults.AuthenticationScheme)
-            .AddOAuth2Introspection(options =>
+            .AddOAuth2Introspection(OAuth2IntrospectionDefaults.AuthenticationScheme, options =>
            {
-                options.Authority = options.Authority;
-                options.ClientId = options.ClientId;
-                options.ClientSecret = options.ClientSecret;
+                options.Authority = authOptions.Authority;
+                options.IntrospectionEndpoint = authOptions.IntrospectionUrl;
+                options.ClientId = authOptions.ClientId;
+                options.ClientSecret = authOptions.ClientSecret;
+
+                options.NameClaimType = "sub";
                options.DiscoveryPolicy.RequireHttps = authOptions.RequireHttpsMetadata;
-                options.EnableCaching = true;
-                options.CacheDuration = TimeSpan.FromMinutes(10);
+                options.DiscoveryPolicy.ValidateEndpoints = false;
+                options.EnableCaching = false;
            });

        if (!string.IsNullOrWhiteSpace(authOptions.RequiredClaimName) && !string.IsNullOrWhiteSpace(authOptions.RequiredClaimNameValue))
-            services.AddAuthorizationBuilder().AddPolicy("ApiScope", policy =>
+        {
+            services.AddAuthorizationBuilder()
+                .AddPolicy("RequiredScope", policy =>
                    policy.RequireClaim(authOptions.RequiredClaimName, authOptions.RequiredClaimNameValue));
+        }
        else
            services.AddAuthorization();

@@ -124,5 +166,4 @@ public static class Api

    public static string ToEndpointName(this Type target, string? annotation = "") =>
        $"{target.Name.Replace("Endpoint", string.Empty)}{annotation}".ToLower(CultureInfo.CurrentCulture);
-
 }
@@ -4,7 +4,7 @@ namespace LiteCharms.Features.Hasher;

 public sealed partial class HashService(IHashids hasher) : IService
 {
-    [GeneratedRegex(@"\A\b[0-9a-fA-F]+\b\Z")]
+    [GeneratedRegex(@"\A\b[0-9a-fA-F]+\b\Z", RegexOptions.None, matchTimeoutMilliseconds: 100)]
    private static partial Regex HexHashRegex { get; }

    [GeneratedRegex(@"\A[0-9a-fA-F]{32}\Z", RegexOptions.None, matchTimeoutMilliseconds: 100)]
@@ -38,6 +38,8 @@
    <PackageReference Include="Microsoft.AspNetCore.Authentication.Certificate" Version="10.0.8" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.8" />

+    <Using Include="Microsoft.AspNetCore.Authentication.OpenIdConnect"/>
+    <Using Include="Microsoft.AspNetCore.Authentication.Cookies"/>
    <Using Include="IdentityModel.AspNetCore.OAuth2Introspection"/>
  </ItemGroup>
Author	SHA1	Message	Date
khwezi	16dae7c9fb	Merge pull request 'Added UI security' (#73 ) from payments into master Reviewed-on: #73	2026-06-04 14:09:08 +02:00
Khwezi Mngoma	5666ffd474	Added UI security continuous-integration/drone/pr Build is passing Details	2026-06-04 14:08:27 +02:00
khwezi	f8153e86b4	Merge pull request 'Applied required scope policy' (#72 ) from payments into master Reviewed-on: #72	2026-06-04 08:58:03 +02:00
Khwezi Mngoma	eef1096ec5	Applied required scope policy continuous-integration/drone/pr Build is passing Details	2026-06-04 08:57:16 +02:00
khwezi	84d33d3607	Merge pull request 'Refactored authentication' (#71 ) from payments into master Reviewed-on: #71	2026-06-04 08:48:15 +02:00
Khwezi Mngoma	8f97d7cf38	Refactored authentication continuous-integration/drone/pr Build is passing Details	2026-06-04 08:47:18 +02:00
khwezi	f51cc03327	Merge pull request 'Disabled caching' (#70 ) from payments into master Reviewed-on: #70	2026-06-03 17:49:04 +02:00
Khwezi Mngoma	652ca82a57	Disabled caching continuous-integration/drone/pr Build is passing Details	2026-06-03 17:48:38 +02:00
khwezi	aff6fcabf4	Merge pull request 'payments' (#69 ) from payments into master Reviewed-on: #69	2026-06-03 17:38:45 +02:00
Khwezi Mngoma	a50830ffaa	Refactored auth continuous-integration/drone/pr Build is passing Details	2026-06-03 17:37:56 +02:00
Khwezi Mngoma	ee6f8a283e	Refactored oauth registration	2026-06-03 17:37:33 +02:00