Enable ASP.NET Identity with JWT bearer token authentication (#220)

* Initial plan

* Enable ASP.NET Identity authentication and authorization system

Co-authored-by: LeftofZen <7483209+LeftofZen@users.noreply.github.com>

* Add integration tests for Identity endpoints and fix test infrastructure

Co-authored-by: LeftofZen <7483209+LeftofZen@users.noreply.github.com>

* Address code review: improve null handling in test setup

Co-authored-by: LeftofZen <7483209+LeftofZen@users.noreply.github.com>

* Implement JWT bearer token authentication

Co-authored-by: LeftofZen <7483209+LeftofZen@users.noreply.github.com>

* formatting

* Address code review feedback: fix middleware order, improve security, add authenticated test

Co-authored-by: LeftofZen <7483209+LeftofZen@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: LeftofZen <7483209+LeftofZen@users.noreply.github.com>
Co-authored-by: Benjamin Sutas <benjamin.sutas@gmail.com>

Author: Copilot

ObjectService/Program.cs

@@ -9,6 +9,11 @@
 using System.Threading.RateLimiting;
 using Definitions.ObjectModels;
 using Microsoft.OpenApi;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.IdentityModel.Tokens;
+using System.Text;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Authentication.BearerToken;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -117,47 +122,57 @@
 		};
 	}));
 
-//builder.Services
-//.AddIdentityApiEndpoints<TblUser>()
-//.AddEntityFrameworkStores<LocoDbContext>();
-
-//builder.Services.AddAuthentication(options =>
-//{
-//	options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
-//	options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
-//})
-//.AddJwtBearer(options =>
-//{
-//	options.TokenValidationParameters = new TokenValidationParameters
-//	{
-//		ValidateIssuer = true,
-//		ValidateAudience = true,
-//		ValidateLifetime = true,
-//		ValidateIssuerSigningKey = true,
-//		ValidIssuer = builder.Configuration["JwtSettings:Issuer"],
-//		ValidAudience = builder.Configuration["JwtSettings:Audience"],
-//		IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["JwtSettings:Key"])),
-//	};
-//});
-
-//builder.Services.AddAuthorization();
-//builder.Services
-//	.AddAuthorizationBuilder()
-//	.AddPolicy(AdminPolicy.Name, AdminPolicy.Build);
+builder.Services
+	.AddIdentityApiEndpoints<TblUser>()
+	.AddEntityFrameworkStores<LocoDbContext>();
+
+// Configure bearer token expiration from settings
+builder.Services.Configure<BearerTokenOptions>(IdentityConstants.BearerScheme, options =>
+{
+	var durationInMinutes = builder.Configuration.GetValue<int?>("JwtSettings:DurationInMinutes") ?? 60;
+	options.BearerTokenExpiration = TimeSpan.FromMinutes(durationInMinutes);
+});
+
+builder.Services.AddAuthentication()
+.AddJwtBearer(options =>
+{
+	options.TokenValidationParameters = new TokenValidationParameters
+	{
+		ValidateIssuer = true,
+		ValidateAudience = true,
+		ValidateLifetime = true,
+		ValidateIssuerSigningKey = true,
+		ValidIssuer = builder.Configuration["JwtSettings:Issuer"],
+		ValidAudience = builder.Configuration["JwtSettings:Audience"],
+		IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["JwtSettings:Key"] ?? throw new InvalidOperationException("JWT Key not configured"))),
+	};
+});
+
+builder.Services.AddAuthorization(options =>
+{
+	// Configure the default policy to accept both Identity Bearer tokens and JWT tokens
+	options.DefaultPolicy = new Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder()
+		.AddAuthenticationSchemes(IdentityConstants.BearerScheme, JwtBearerDefaults.AuthenticationScheme)
+		.RequireAuthenticatedUser()
+		.Build();
+});
 
 // Used for the Identity stuff to send emails to users
 // disabling this line effectively disables all email sending, as a default NoOpEmailSender is used in place
-//builder.Services.AddTransient<IEmailSender, EmailSender>();
+// builder.Services.AddTransient<IEmailSender, EmailSender>();
 
 var app = builder.Build();
 
 app.UseForwardedHeaders();
 app.UseHttpLogging();
 app.UseRateLimiter();
-//app.MapLocoIdentityApi<TblUser>();
+app.UseAuthentication();
+app.UseAuthorization();
 
-// defining routes here, after MapLocoIdentityApi, will overwrite them, allowing us to customise them
-//app.MapPost("/register", () => Results.Ok());
+app.MapIdentityApi<TblUser>();
+
+// defining routes here, after MapIdentityApi, will overwrite them, allowing us to customise them
+// app.MapPost("/register", () => Results.Ok());
 
 _ = app
 	.MapHealthChecks("/health")
@@ -181,15 +196,11 @@
 		_ = options
 			.WithTitle("OpenLoco Object Service")
 			.WithTheme(ScalarTheme.Solarized)
-			.WithDefaultHttpClient(ScalarTarget.CSharp, ScalarClient.HttpClient);
-
-		//.AddPreferredSecuritySchemes("Bearer");
+			.WithDefaultHttpClient(ScalarTarget.CSharp, ScalarClient.HttpClient)
+			.AddPreferredSecuritySchemes("Bearer");
 	});
 }
 
-//app.UseAuthentication();
-//app.UseAuthorization();
-
 app.Run();
 
 #pragma warning disable CA1050 // Declare types in namespaces

ObjectService/RouteHandlers/V1RouteBuilderExtensions.cs

@@ -21,11 +21,7 @@ public static IEndpointConventionBuilder MapV2Routes(this IEndpointRouteBuilder
 	{
 		var v2 = endpoints.MapGroup(RoutesV2.Prefix);
 		_ = v2.MapServerRoutes();
-
-#if DEBUG
-		// not ready for prime time yet
 		_ = v2.MapAdminRoutes().RequireAuthorization();
-#endif
 
 		return v2;
 	}

ObjectService/appsettings.Development.json

@@ -4,5 +4,11 @@
       "Default": "Information",
       "Microsoft.AspNetCore": "Warning"
     }
+  },
+  "JwtSettings": {
+    "Key": "ThisIsAVerySecretKeyThatShouldBeAtLeast32CharactersLongAndStoredSecurelyInProduction",
+    "Issuer": "https://openloco.leftofzen.dev",
+    "Audience": "https://openloco.leftofzen.dev",
+    "DurationInMinutes": 60
   }
 }

ObjectService/appsettings.json

@@ -33,13 +33,13 @@
             "TokensReplenishedPerPeriod": 50,
             "AutoReplenishment": true
         }
-    },
-    //"JwtSettings": {
-    //    "Key": "ThisIsAVerySecretKeyThatShouldBeAtLeast32CharactersLongAndStoredSecurelyInProduction", // MUST be strong and secret!
-    //    "Issuer": "https://openloco.leftofzen.dev", // Your API's URL
-    //    "Audience": "???", // The client's URL or a logical name for the audience
-    //    "DurationInMinutes": 60 // How long the token is valid
-    //},
+    }
+    // JWT Settings should be configured via environment variables or user secrets in production:
+    // - JwtSettings:Key (required, minimum 32 characters)
+    // - JwtSettings:Issuer (required)
+    // - JwtSettings:Audience (required)
+    // - JwtSettings:DurationInMinutes (optional, defaults to 60)
+    // For development, these are configured in appsettings.Development.json
     //"SmtpSettings": {
     //    "Host": "smtp.yourprovider.com", // e.g., smtp.gmail.com, smtp.sendgrid.net
     //    "Port": "587", // Often 587 for TLS, or 465 for SSL

Tests/ObjectServiceIntegrationTests/IdentityRoutesTest.cs

@@ -0,0 +1,192 @@
+using Definitions.Database;
+using Definitions.DTO.Identity;
+using Definitions.Web;
+using NUnit.Framework;
+using System.Net;
+using System.Net.Http.Json;
+
+namespace ObjectService.Tests.Integration;
+
+[TestFixture]
+public class IdentityRoutesTest : BaseRouteHandlerTestFixture
+{
+	public override string BaseRoute => string.Empty;
+
+	protected override Task SeedDataCoreAsync(LocoDbContext db)
+	{
+		// No seed data needed for identity tests
+		return Task.CompletedTask;
+	}
+
+	[Test]
+	[Ignore("Not applicable for identity endpoints")]
+	public override async Task ListAsync()
+	{
+		// Not applicable for identity endpoints
+		await Task.CompletedTask;
+	}
+
+	[Test]
+	[Ignore("Not applicable for identity endpoints")]
+	public override async Task PostAsync()
+	{
+		// Not applicable for identity endpoints
+		await Task.CompletedTask;
+	}
+
+	[Test]
+	[Ignore("Not applicable for identity endpoints")]
+	public override async Task GetAsync()
+	{
+		// Not applicable for identity endpoints
+		await Task.CompletedTask;
+	}
+
+	[Test]
+	[Ignore("Not applicable for identity endpoints")]
+	public override async Task PutAsync()
+	{
+		// Not applicable for identity endpoints
+		await Task.CompletedTask;
+	}
+
+	[Test]
+	[Ignore("Not applicable for identity endpoints")]
+	public override async Task DeleteAsync()
+	{
+		// Not applicable for identity endpoints
+		await Task.CompletedTask;
+	}
+
+	[Test]
+	public async Task Register_ShouldSucceed()
+	{
+		// arrange
+		var registerRequest = new DtoRegisterRequest(
+			Email: "test@example.com",
+			UserName: "testuser",
+			Password: "TestPassword123!"
+		);
+
+		// act
+		var response = await HttpClient!.PostAsJsonAsync("/register", registerRequest);
+
+		// assert
+		Assert.That(response.IsSuccessStatusCode, Is.True);
+	}
+
+	[Test]
+	public async Task Register_WithInvalidEmail_ShouldFail()
+	{
+		// arrange
+		var registerRequest = new DtoRegisterRequest(
+			Email: "invalid-email",
+			UserName: "testuser",
+			Password: "TestPassword123!"
+		);
+
+		// act
+		var response = await HttpClient!.PostAsJsonAsync("/register", registerRequest);
+
+		// assert
+		Assert.That(response.StatusCode, Is.EqualTo(HttpStatusCode.BadRequest));
+	}
+
+	[Test]
+	public async Task Login_WithValidCredentials_ShouldSucceed()
+	{
+		// arrange - First register a user
+		var registerRequest = new DtoRegisterRequest(
+			Email: "login@example.com",
+			UserName: "loginuser",
+			Password: "TestPassword123!"
+		);
+		_ = await HttpClient!.PostAsJsonAsync("/register", registerRequest);
+
+		var loginRequest = new
+		{
+			Email = "login@example.com",
+			Password = "TestPassword123!"
+		};
+
+		// act
+		var response = await HttpClient!.PostAsJsonAsync("/login?useCookies=false", loginRequest);
+
+		// assert
+		Assert.That(response.IsSuccessStatusCode, Is.True);
+		var result = await response.Content.ReadAsStringAsync();
+		Assert.That(result, Is.Not.Empty);
+	}
+
+	[Test]
+	public async Task Login_WithInvalidCredentials_ShouldFail()
+	{
+		// arrange
+		var loginRequest = new
+		{
+			Email = "nonexistent@example.com",
+			Password = "WrongPassword123!"
+		};
+
+		// act
+		var response = await HttpClient!.PostAsJsonAsync("/login?useCookies=false", loginRequest);
+
+		// assert
+		Assert.That(response.IsSuccessStatusCode, Is.False);
+	}
+
+	[Test]
+	public async Task Users_WithoutAuthentication_ShouldReturnUnauthorized()
+	{
+		// act
+		var response = await HttpClient!.GetAsync($"{RoutesV2.Prefix}{RoutesV2.Users}");
+
+		// assert
+		Assert.That(response.StatusCode, Is.EqualTo(HttpStatusCode.Unauthorized));
+	}
+
+	[Test]
+	public async Task Roles_WithoutAuthentication_ShouldReturnUnauthorized()
+	{
+		// act
+		var response = await HttpClient!.GetAsync($"{RoutesV2.Prefix}{RoutesV2.Roles}");
+
+		// assert
+		Assert.That(response.StatusCode, Is.EqualTo(HttpStatusCode.Unauthorized));
+	}
+
+	[Test]
+	public async Task Users_WithAuthentication_ShouldSucceed()
+	{
+		// arrange - Register a user
+		var registerRequest = new DtoRegisterRequest(
+			Email: "authtest@example.com",
+			UserName: "authuser",
+			Password: "TestPassword123!"
+		);
+		_ = await HttpClient!.PostAsJsonAsync("/register", registerRequest);
+
+		// Login to get bearer token
+		var loginRequest = new
+		{
+			Email = "authtest@example.com",
+			Password = "TestPassword123!"
+		};
+		var loginResponse = await HttpClient!.PostAsJsonAsync("/login?useCookies=false", loginRequest);
+		Assert.That(loginResponse.IsSuccessStatusCode, Is.True);
+
+		var loginResult = await loginResponse.Content.ReadFromJsonAsync<System.Text.Json.JsonElement>();
+		var accessToken = loginResult.GetProperty("accessToken").GetString();
+		Assert.That(accessToken, Is.Not.Null.And.Not.Empty);
+
+		// Add token to Authorization header
+		HttpClient!.DefaultRequestHeaders.Authorization = 
+			new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accessToken);
+
+		// act - Call protected endpoint with valid bearer token
+		var response = await HttpClient!.GetAsync($"{RoutesV2.Prefix}{RoutesV2.Users}");
+
+		// assert - Should succeed with valid authentication
+		Assert.That(response.IsSuccessStatusCode, Is.True);
+	}
+}

Tests/ObjectServiceIntegrationTests/TestWebApplicationFactory.cs

@@ -43,15 +43,29 @@ public class TestWebApplicationFactory<TProgram>
 		return testDirectory;
 	}
 
+	static void CreateDummyPaletteFile(string path)
+	{
+		// Create a 16x16 pixel PNG file for testing (palette map expects 16x16)
+		using var image = new SixLabors.ImageSharp.Image<SixLabors.ImageSharp.PixelFormats.Rgba32>(16, 16);
+		using var stream = File.Create(path);
+		image.Save(stream, new SixLabors.ImageSharp.Formats.Png.PngEncoder());
+	}
+
 	protected override void ConfigureWebHost(IWebHostBuilder builder)
 	{
 		var testFolder = MakeServerFolderManagerTestDirectories();
+		ArgumentNullException.ThrowIfNull(testFolder, nameof(testFolder));
+
+		// Create a dummy palette file for testing
+		var dummyPaletteFile = Path.Combine(testFolder.FullName, "palette.png");
+		CreateDummyPaletteFile(dummyPaletteFile);
 
 		var testConfigurationBuilder =
 			new ConfigurationBuilder()
 				.AddInMemoryCollection(
 				[
-					new("ObjectService:RootFolder", testFolder?.FullName),
+					new("ObjectService:RootFolder", testFolder.FullName),
+					new("ObjectService:PaletteMapFile", dummyPaletteFile),
 					new("ObjectService:ShowScalar", "False"),
 				])
 				.Build();