Merge pull request 'Updated API to use LiteCharms Security' (#83) from payments into master

Reviewed-on: #83

LiteCharms.Features.MidrandBooks.Seed/appsettings.json

@@ -1,6 +1,6 @@
 {
   "FeatureManagement": {
-    "CategorySeederService": true,
+    "CategorySeederService": false,
     "CustomerSeederService": false,
     "ProductsSeederService": false
   },

LiteCharms.Features.Tests/http/litecharms/app.http

@@ -1,6 +1,6 @@
-## Authentik Token Request
+### Authentik Token Request (Service Account Explicit)
-POST {{authority}}
+POST {{authority}}/connect/token
 Content-Type: application/x-www-form-urlencoded
 Accept-Encoding: identity
 
-grant_type={{grantType}}&client_id={{clientId}}&client_secret={{clientSecret}}&username={{username}}&password={{password}}&scope={{scope}}
+grant_type={{grantType}}&client_id={{clientId}}&client_secret={{clientSecret}}&scope={{scope}}

LiteCharms.Features.Tests/http/litecharms/http-client.env.json

@@ -0,0 +1,9 @@
+{
+  "uat": {
+    "authority": "https://sts.security.khongisa.co.za",
+    "grantType": "client_credentials",
+    "clientId": "midrandbooks-api-uat",
+    "clientSecret": "secret_5a36d0024980544c875447a4b052938becc3fbbb10b8b2c097310c1a53ba3c0a",
+    "scope": "midrandbooks-api"
+  }
+}

LiteCharms.Features/Api/Configuration/AuthentikSettings.cs

@@ -1,18 +0,0 @@
-namespace LiteCharms.Features.Api.Configuration;
-
-public sealed class AuthentikSettings
-{
-    public string? Authority { get; set; }
-
-    public string? ApiResourceName { get; set; }
-
-    public string? ApiResourceSecret { get; set; }
-
-    public string? RequiredClaimName { get; set; }
-
-    public string? RequiredClaimNameValue { get; set; }
-
-    public bool RequireHttpsMetadata { get; set; }
-
-    public bool BypassSslErrors { get; set; }
-}

LiteCharms.Features/Api/Configuration/LiteCharmsSettings.cs

@@ -0,0 +1,16 @@
+namespace LiteCharms.Features.Api.Configuration;
+
+public sealed class LiteCharmsSettings
+{
+    public string? Authority { get; set; }
+
+    public string? ClientId { get; set; }
+
+    public string? ClientSecret { get; set; }
+
+    public string? Audience { get; set; }
+
+    public string? RequiredClaimName { get; set; }
+
+    public string? RequiredClaimNameValue { get; set; }
+}

LiteCharms.Features/Extensions/Api.cs

@@ -1,6 +1,7 @@
 using LiteCharms.Features.Abstractions;
 using LiteCharms.Features.Api;
 using LiteCharms.Features.Api.Configuration;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
 
 namespace LiteCharms.Features.Extensions;
 
@@ -9,31 +10,76 @@ public static class Api
     public const string Books = nameof(Books);
     public const string Payments = nameof(Payments);
 
-    public static IServiceCollection AddAuthentic(this IServiceCollection services, IConfiguration configuration)
+    public static IServiceCollection AddLiteCharmsUiSecurity(this IServiceCollection services, IConfiguration configuration)
     {
-        var configSection = configuration.GetSection(nameof(AuthentikSettings));
+        var configSection = configuration.GetSection(nameof(LiteCharmsSettings));
 
-        var authOptions = new AuthentikSettings();
+        var authOptions = new LiteCharmsSettings();
         configSection.Bind(authOptions);
 
-        services.Configure<AuthentikSettings>(configSection);
+        services.Configure<LiteCharmsSettings>(configSection);
 
-        services.AddAuthentication(OAuth2IntrospectionDefaults.AuthenticationScheme)
+        services.AddAuthentication(options =>
-            .AddOAuth2Introspection(OAuth2IntrospectionDefaults.AuthenticationScheme, options =>
+        {
+            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
+        })
+        .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
+        .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
+        {
+            options.Authority = authOptions.Authority;           
+
+            options.ClientId = authOptions.ClientId;
+            options.ClientSecret = authOptions.ClientSecret;
+            options.SignedOutCallbackPath = "/signout-callback-oidc";
+
+            options.ResponseType = "code";
+            options.SaveTokens = true;
+            options.GetClaimsFromUserInfoEndpoint = true;
+
+            options.Scope.Clear();
+            options.Scope.Add("openid");
+            options.Scope.Add("profile");
+            options.Scope.Add("email");
+
+            options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
+            options.CorrelationCookie.SameSite = SameSiteMode.None;
+            options.CorrelationCookie.HttpOnly = true;
+
+            options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
+            options.NonceCookie.SameSite = SameSiteMode.None;
+            options.NonceCookie.HttpOnly = true;
+        });
+
+        return services;
+    }
+
+    public static IServiceCollection AddLiteCharmsApiSecurity(this IServiceCollection services, IConfiguration configuration)
+    {
+        var configSection = configuration.GetSection(nameof(LiteCharmsSettings));
+
+        var authOptions = new LiteCharmsSettings();
+        configSection.Bind(authOptions);
+
+        services.Configure<LiteCharmsSettings>(configSection);
+
+        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+            .AddJwtBearer(options =>
             {
                 options.Authority = authOptions.Authority;
-                options.ClientId = authOptions.ApiResourceName;
+                options.Audience = authOptions.Audience;
-                options.ClientSecret = authOptions.ApiResourceSecret;
+                options.TokenValidationParameters = new TokenValidationParameters
-
+                {
-                options.DiscoveryPolicy.RequireHttps = authOptions.RequireHttpsMetadata;
+                    ValidIssuer = authOptions.Authority,
-                options.EnableCaching = true;
+                    ValidateAudience = true,
-                options.CacheDuration = TimeSpan.FromMinutes(10);
+                    ValidateIssuer = true,
+                };
             });
 
         if (!string.IsNullOrWhiteSpace(authOptions.RequiredClaimName) && !string.IsNullOrWhiteSpace(authOptions.RequiredClaimNameValue))
         {
             services.AddAuthorizationBuilder()
-                .AddPolicy("ApiScope", policy =>
+                .AddPolicy("RequiredScope", policy =>
                     policy.RequireClaim(authOptions.RequiredClaimName, authOptions.RequiredClaimNameValue));
         }
         else
@@ -42,6 +88,31 @@ public static class Api
         return services;
     }
 
+    public static WebApplication AddSecurityEndpoints(this WebApplication app)
+    {
+        app.MapGet("/login", async (HttpContext context, string redirectUri = "/") =>
+        {
+            await context.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme, new AuthenticationProperties
+            {
+                RedirectUri = redirectUri,                
+            });
+        });
+
+        app.MapGet("/logout", async (HttpContext context, IHttpClientFactory httpClientFactory, IOptions<LiteCharmsSettings> settings) =>
+        {
+            await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
+
+            string currentBaseUrl = $"https://{context.Request.Host}{context.Request.PathBase}/";
+
+            await context.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme, new AuthenticationProperties
+            {
+                RedirectUri = currentBaseUrl
+            });
+        });
+
+        return app;
+    }
+
     public static IServiceCollection AddApiServices(this IServiceCollection services, IConfiguration configuration)
     {
         services.AddHttpClient();
@@ -129,5 +200,4 @@ public static class Api
 
     public static string ToEndpointName(this Type target, string? annotation = "") =>
         $"{target.Name.Replace("Endpoint", string.Empty)}{annotation}".ToLower(CultureInfo.CurrentCulture);
-
 }

LiteCharms.Features/Hasher/HashService.cs

@@ -4,7 +4,7 @@ namespace LiteCharms.Features.Hasher;
 
 public sealed partial class HashService(IHashids hasher) : IService
 {
-    [GeneratedRegex(@"\A\b[0-9a-fA-F]+\b\Z")]
+    [GeneratedRegex(@"\A\b[0-9a-fA-F]+\b\Z", RegexOptions.None, matchTimeoutMilliseconds: 100)]
     private static partial Regex HexHashRegex { get; }
 
     [GeneratedRegex(@"\A[0-9a-fA-F]{32}\Z", RegexOptions.None, matchTimeoutMilliseconds: 100)]

LiteCharms.Features/LiteCharms.Features.csproj

@@ -38,6 +38,9 @@
     <PackageReference Include="Microsoft.AspNetCore.Authentication.Certificate" Version="10.0.8" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.8" />
 
+    <Using Include="Microsoft.AspNetCore.Authentication"/>
+    <Using Include="Microsoft.AspNetCore.Authentication.OpenIdConnect"/>
+    <Using Include="Microsoft.AspNetCore.Authentication.Cookies"/>
     <Using Include="IdentityModel.AspNetCore.OAuth2Introspection"/>
   </ItemGroup>