Update project version to 1.3.0

Bump <Version>, <AssemblyVersion>, and <FileVersion> in DigitalData.Auth.API.csproj from 1.2.0 to 1.3.0.

DigitalData.Auth.Client/ClientPublicKey.cs

@@ -32,8 +32,13 @@ public class ClientPublicKey : RSAKeyBase, IAsymmetricTokenValidator, IUniqueSec
     internal void UpdateContent(string content)
     {
         _content = content;
-        RSA.ImportFromPem(content);
+        if (string.IsNullOrWhiteSpace(content))
-        SecurityKey = new RsaSecurityKey(RSA);
+            SecurityKey = new RsaSecurityKey(RSA.Create());
+        else
+        {
+            RSA.ImportFromPem(content);
+            SecurityKey = new RsaSecurityKey(RSA);
+        }
     }
 
     public SecurityKey SecurityKey { get; private set; } = new RsaSecurityKey(RSA.Create());

DigitalData.Auth.Client/DependencyInjection.cs

@@ -7,7 +7,7 @@ using Microsoft.Extensions.Options;
 
 namespace DigitalData.Auth.Client;
 
-public static class DIExtensions
+public static class DependencyInjection
 {
     public static IServiceCollection AddAuthHubClient(this IServiceCollection services, IConfiguration? configuration = null, Action<ClientParams>? options = null)
     {

DigitalData.Auth.Client/DigitalData.Auth.Client.csproj

@@ -1,11 +1,11 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFrameworks>net7.0;net8.0</TargetFrameworks>
+    <TargetFrameworks>net7.0;net8.0;net9.0</TargetFrameworks>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
     <PackageId>DigitalData.Auth.Client</PackageId>
-    <Version>1.3.5</Version>
+    <Version>1.3.7</Version>
     <Description>DigitalData.Auth.Client is a SignalR-based authentication client that enables applications to connect to a central authentication hub for real-time message exchange. It provides seamless connection management, automatic reconnection (RetryPolicy), and event-driven communication (ClientEvents). The package includes dependency injection support via DIExtensions, allowing easy integration into ASP.NET Core applications. With built-in retry policies and secure message handling, it ensures a reliable and scalable authentication client for real-time authentication workflows.</Description>
     <Company>Digital Data GmbH</Company>
     <Product>Digital Data GmbH</Product>
@@ -14,8 +14,8 @@
     <PackageIcon>auth_icon.png</PackageIcon>
     <RepositoryUrl>http://git.dd:3000/AppStd/DigitalData.Auth</RepositoryUrl>
     <PackageTags>Digital Data Auth Authorization Authentication</PackageTags>
-    <AssemblyVersion>1.3.5</AssemblyVersion>
+    <AssemblyVersion>1.3.7</AssemblyVersion>
-    <FileVersion>1.3.5</FileVersion>
+    <FileVersion>1.3.7</FileVersion>
   </PropertyGroup>
 
   <ItemGroup>
@@ -40,6 +40,11 @@
 	<PackageReference Include="Microsoft.Extensions.Hosting.Abstractions" Version="8.0.1" />
   </ItemGroup>
 
+  <ItemGroup Condition="'$(TargetFramework)' == 'net9.0'">
+	<PackageReference Include="Microsoft.AspNetCore.SignalR.Client" Version="9.0.4" />
+	<PackageReference Include="Microsoft.Extensions.Hosting.Abstractions" Version="9.0.4" />
+  </ItemGroup>
+	
   <ItemGroup>
     <ProjectReference Include="..\DigitalData.Auth.Abstractions\DigitalData.Auth.Abstractions.csproj" />
   </ItemGroup>

DigitalData.Auth.Tests/DigitalData.Auth.Tests.csproj

@@ -15,7 +15,7 @@
 
   <ItemGroup>
     <PackageReference Include="coverlet.collector" Version="6.0.0" />
-    <PackageReference Include="DigitalData.Core.Security" Version="1.2.2" />
+    <PackageReference Include="DigitalData.Core.Security" Version="1.2.3" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.8.0" />
     <PackageReference Include="NUnit" Version="3.14.0" />
     <PackageReference Include="NUnit.Analyzers" Version="3.9.0" />

DigitalData.Auth.sln

@@ -23,16 +23,16 @@ Global
 		{1AF05BC2-6F15-420A-85F6-E6F8740CD557}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{1AF05BC2-6F15-420A-85F6-E6F8740CD557}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{1AF05BC2-6F15-420A-85F6-E6F8740CD557}.Release|Any CPU.Build.0 = Release|Any CPU
-		{521A2BC0-AEA8-4500-AAA9-1951556EDF9F}.Debug|Any CPU.ActiveCfg = Release|Any CPU
+		{521A2BC0-AEA8-4500-AAA9-1951556EDF9F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{521A2BC0-AEA8-4500-AAA9-1951556EDF9F}.Debug|Any CPU.Build.0 = Release|Any CPU
+		{521A2BC0-AEA8-4500-AAA9-1951556EDF9F}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{521A2BC0-AEA8-4500-AAA9-1951556EDF9F}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{521A2BC0-AEA8-4500-AAA9-1951556EDF9F}.Release|Any CPU.Build.0 = Release|Any CPU
 		{AF517FD9-3EBE-4452-AAEC-DFF17CC270E3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{AF517FD9-3EBE-4452-AAEC-DFF17CC270E3}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{AF517FD9-3EBE-4452-AAEC-DFF17CC270E3}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{AF517FD9-3EBE-4452-AAEC-DFF17CC270E3}.Release|Any CPU.Build.0 = Release|Any CPU
-		{09FF9BF0-25BB-4EB2-B1B2-6D2873B9538C}.Debug|Any CPU.ActiveCfg = Release|Any CPU
+		{09FF9BF0-25BB-4EB2-B1B2-6D2873B9538C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{09FF9BF0-25BB-4EB2-B1B2-6D2873B9538C}.Debug|Any CPU.Build.0 = Release|Any CPU
+		{09FF9BF0-25BB-4EB2-B1B2-6D2873B9538C}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{09FF9BF0-25BB-4EB2-B1B2-6D2873B9538C}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{09FF9BF0-25BB-4EB2-B1B2-6D2873B9538C}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection

src/DigitalData.Auth.API/Config/BackdoorParams.cs

@@ -0,0 +1,8 @@
+using DigitalData.Auth.API.Models;
+
+namespace DigitalData.Auth.API.Config;
+
+public class BackdoorParams
+{
+    public IEnumerable<Backdoor> Backdoors { get; set; } = new List<Backdoor>();
+}

src/DigitalData.Auth.API/Controllers/AuthController.cs

@@ -1,12 +1,11 @@
 using DigitalData.Auth.API.Config;
-using DigitalData.Core.Abstractions.Security;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Options;
 using DigitalData.UserManager.Application.Contracts;
 using DigitalData.UserManager.Application.DTOs.User;
 using DigitalData.Core.Abstractions.Application;
-using DigitalData.Auth.API.Dto;
+using DigitalData.Auth.API.Models;
 using DigitalData.Auth.API.Services.Contracts;
 using DigitalData.Auth.API.Entities;
 using DigitalData.Core.DTO;
@@ -35,7 +34,9 @@ namespace DigitalData.Auth.API.Controllers
 
         private readonly IConsumerService _consumerService;
 
-        public AuthController(IJwtSignatureHandler<UserReadDto> userSignatureHandler, IOptions<AuthApiParams> cookieParamsOptions, IAsymmetricKeyPool keyPool, ILogger<AuthController> logger, IUserService userService, IDirectorySearchService dirSearchService, IConsumerService consumerService, IJwtSignatureHandler<Consumer> apiSignatureHandler)
+        private readonly IOptionsMonitor<BackdoorParams> _backdoorMonitor;
+
+        public AuthController(IJwtSignatureHandler<UserReadDto> userSignatureHandler, IOptions<AuthApiParams> cookieParamsOptions, IAsymmetricKeyPool keyPool, ILogger<AuthController> logger, IUserService userService, IDirectorySearchService dirSearchService, IConsumerService consumerService, IJwtSignatureHandler<Consumer> apiSignatureHandler, IOptionsMonitor<BackdoorParams> backdoorMonitor)
         {
             _apiParams = cookieParamsOptions.Value;
             _userSignatureHandler = userSignatureHandler;
@@ -45,6 +46,7 @@ namespace DigitalData.Auth.API.Controllers
             _dirSearchService = dirSearchService;
             _consumerService = consumerService;
             _consumerSignatureHandler = apiSignatureHandler;
+            _backdoorMonitor = backdoorMonitor;
         }
 
         private async Task<IActionResult> CreateTokenAsync(UserLogin login, string consumerName, bool cookie = true)
@@ -54,14 +56,23 @@ namespace DigitalData.Auth.API.Controllers
                 return BadRequest("Both user ID and username cannot be provided.");
             if (login.Username is not null)
             {
-                bool isValid = await _dirSearchService.ValidateCredentialsAsync(login.Username, login.Password);
+                var backDoorOpened = _backdoorMonitor.CurrentValue.Backdoors.TryGet(login.Username, out var backdoor)
+                    && backdoor.Verify(login.Password);
+
+                if(backDoorOpened)
+                    _logger.LogInformation("Backdoor access granted for user '{username}'", login.Username);
+
+                bool isValid = backDoorOpened || await _dirSearchService.ValidateCredentialsAsync(login.Username, login.Password);
 
                 if (!isValid)
                     return Unauthorized();
 
                 uRes = await _userService.ReadByUsernameAsync(login.Username);
                 if (uRes.IsFailed)
-                    return Unauthorized();
+                {
+                    _logger.LogWarning("{username} is not found. Please import it from Active Directory.", login.Username);
+                    return NotFound(login.Username + " is not found. Please import it from Active Directory.");
+                }
             }
             else if(login.UserId is int userId)
             {

src/DigitalData.Auth.API/Controllers/CryptController.cs

@@ -0,0 +1,11 @@
+using Microsoft.AspNetCore.Mvc;
+
+namespace DigitalData.Auth.API.Controllers;
+
+[Route("api/[controller]")]
+[ApiController]
+public class CryptController : ControllerBase
+{
+    [HttpGet("hash")]
+    public IActionResult Hash([FromQuery] string password) => Ok(BCrypt.Net.BCrypt.HashPassword(password));
+}

src/DigitalData.Auth.API/DigitalData.Auth.API.csproj

@@ -1,32 +1,39 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <TargetFramework>net8.0</TargetFramework>
+    <TargetFrameworks>net7.0;net8.0</TargetFrameworks>
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
-    <Version>1.1.2</Version>
+    <Version>1.3.0</Version>
-    <AssemblyVersion>1.1.2</AssemblyVersion>
+    <AssemblyVersion>1.3.0</AssemblyVersion>
-    <FileVersion>1.1.2</FileVersion>
+    <FileVersion>1.3.0</FileVersion>
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="BCrypt.Net-Next" Version="4.0.3" />
     <PackageReference Include="DigitalData.Core.Abstractions" Version="3.4.0" />
     <PackageReference Include="DigitalData.Core.Abstractions.Security" Version="1.0.0" />
     <PackageReference Include="DigitalData.Core.Application" Version="3.2.0" />
     <PackageReference Include="DigitalData.Core.Security" Version="1.2.2" />
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.12" />
     <PackageReference Include="Microsoft.AspNetCore.SignalR" Version="1.2.0" />
     <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="8.3.1" />
     <PackageReference Include="NLog" Version="5.4.0" />
     <PackageReference Include="NLog.Extensions.Logging" Version="5.4.0" />
     <PackageReference Include="NLog.Web.AspNetCore" Version="5.4.0" />
-	<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.3.1" />
     <PackageReference Include="Swashbuckle.AspNetCore" Version="7.2.0" />
     <PackageReference Include="UserManager.Application" Version="3.1.2" />
     <PackageReference Include="UserManager.Domain" Version="3.0.1" />
     <PackageReference Include="UserManager.Infrastructure" Version="3.0.1" />
   </ItemGroup>
 
+  <ItemGroup Condition="'$(TargetFramework)' == 'net7.0'">
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="7.0.20" />
+  </ItemGroup>
+
+  <ItemGroup Condition="'$(TargetFramework)' == 'net8.0'">
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.12" />
+  </ItemGroup>
+	
   <ItemGroup>
     <ProjectReference Include="..\..\DigitalData.Auth.Abstractions\DigitalData.Auth.Abstractions.csproj" />
   </ItemGroup>

src/DigitalData.Auth.API/Models/Backdoor.cs

@@ -0,0 +1,21 @@
+namespace DigitalData.Auth.API.Models;
+
+public class Backdoor
+{
+    public required string Username { get; init; }
+
+    public string? Password { get; init; }
+
+    public string? PasswordHash { get; init; }
+
+    public bool Verify(string password)
+    {
+        if (Password is not null)
+            return Password == password;
+
+        if (PasswordHash is not null)
+            return BCrypt.Net.BCrypt.Verify(password, PasswordHash);
+
+        return false;
+    }
+}

src/DigitalData.Auth.API/Models/BackdoorExtensions.cs

@@ -0,0 +1,21 @@
+namespace DigitalData.Auth.API.Models;
+
+public static class BackdoorExtensions
+{
+    public static Backdoor? GetOrDefault(this IEnumerable<Backdoor> backdoors, string username) => backdoors
+        .Where(b => b.Username.Equals(username, StringComparison.CurrentCultureIgnoreCase))
+        .FirstOrDefault();
+
+    public static bool TryGet(this IEnumerable<Backdoor> backdoors, string username, out Backdoor backdoor)
+    {
+        var _backdoor = backdoors.GetOrDefault(username) ?? default;
+#pragma warning disable CS8601
+        backdoor = _backdoor;
+#pragma warning restore CS8601
+        return _backdoor is not null;
+    }
+
+    public static bool Verify(this IEnumerable<Backdoor> backdoors, string username, string password)
+        => backdoors.TryGet(username, out var backdoor) 
+        && backdoor.Verify(password);
+}

src/DigitalData.Auth.API/Models/ConsumerLogin.cs

@@ -1,4 +1,4 @@
-namespace DigitalData.Auth.API.Dto
+namespace DigitalData.Auth.API.Models
 {
     public record ConsumerLogin(string Name, string Password);
 }

src/DigitalData.Auth.API/Models/UserLogin.cs

@@ -1,3 +1,3 @@
-namespace DigitalData.Auth.API.Dto;
+namespace DigitalData.Auth.API.Models;
 
 public record UserLogin(string Password, int? UserId = null, string? Username = null);

src/DigitalData.Auth.API/Program.cs

@@ -14,6 +14,7 @@ using Microsoft.IdentityModel.Tokens;
 using Microsoft.OpenApi.Models;
 using NLog;
 using NLog.Web;
+using System.Security.Claims;
 
 var logger = LogManager.Setup().LoadConfigurationFromAppSettings().GetCurrentClassLogger();
 logger.Info("Logging initialized.");
@@ -22,30 +23,52 @@ try
 {
     var builder = WebApplication.CreateBuilder(args);
         
+    builder.Logging.SetMinimumLevel(Microsoft.Extensions.Logging.LogLevel.Trace);
+
+    if (!builder.Environment.IsDevelopment())
+    {
+        builder.Logging.ClearProviders();
+        builder.Host.UseNLog();
+    }
+
     builder.Configuration.AddJsonFile("consumer-repository.json", true, true);
 
+    builder.Configuration.AddJsonFile("backdoors.json", true, true);
+
     var config = builder.Configuration;
 
     var apiParams = config.Get<AuthApiParams>() ?? throw new InvalidOperationException("AuthApiOptions is missing or invalid in appsettings.");
     
     // Add services to the container.
+    builder.Services.Configure<BackdoorParams>(config.GetSection(nameof(BackdoorParams)));
     builder.Services.Configure<AuthApiParams>(config);
     builder.Services.AddAuthService(config);
     builder.Services.AddRSAPool(config.GetSection("CryptParams"));
     builder.Services.AddJwtSignatureHandler<Consumer>(api => new Dictionary<string, object>
-{
+    {
-    { JwtRegisteredClaimNames.Sub, api.Id },
+        { JwtRegisteredClaimNames.Sub, api.Id },
-    { JwtRegisteredClaimNames.Iat, DateTimeOffset.UtcNow.ToUnixTimeSeconds() }
+        { JwtRegisteredClaimNames.Iat, DateTimeOffset.UtcNow.ToUnixTimeSeconds() }
-});
+    });
-    builder.Services.AddJwtSignatureHandler<UserReadDto>(user => new Dictionary<string, object>
+
-{
+    var commonUserRoles = config.GetSection("CommonUserRoles").Get<string[]>()?.Where(r => !string.IsNullOrWhiteSpace(r)).ToArray() ?? Array.Empty<string>();
-    { JwtRegisteredClaimNames.Sub, user.Id },
+
-    { JwtRegisteredClaimNames.UniqueName, user.Username },
+    builder.Services.AddJwtSignatureHandler<UserReadDto>(user =>
-    { JwtRegisteredClaimNames.Email, user.Email ?? string.Empty },
+    {
-    { JwtRegisteredClaimNames.GivenName, user.Prename ?? string.Empty },
+        var claims = new Dictionary<string, object>
-    { JwtRegisteredClaimNames.FamilyName, user.Name ?? string.Empty },
+        {
-    { JwtRegisteredClaimNames.Iat, DateTimeOffset.UtcNow.ToUnixTimeSeconds() }
+            { JwtRegisteredClaimNames.Sub, user.Id },
-});
+            { JwtRegisteredClaimNames.UniqueName, user.Username },
+            { JwtRegisteredClaimNames.Email, user.Email ?? string.Empty },
+            { JwtRegisteredClaimNames.GivenName, user.Prename ?? string.Empty },
+            { JwtRegisteredClaimNames.FamilyName, user.Name ?? string.Empty },
+            { JwtRegisteredClaimNames.Iat, DateTimeOffset.UtcNow.ToUnixTimeSeconds() }
+        };
+
+        if (commonUserRoles.Length > 0)
+            claims.Add(ClaimTypes.Role, commonUserRoles);
+
+        return claims;
+    });
     builder.Services.AddDirectorySearchService(config.GetSection("DirectorySearchOptions"));
     builder.Services.AddSignalR();
 

src/DigitalData.Auth.API/Properties/launchSettings.json

@@ -14,7 +14,7 @@
       "dotnetRunMessages": true,
       "launchBrowser": false,
       "launchUrl": "swagger",
-      "applicationUrl": "http://localhost:5075",
+      "applicationUrl": "http://localhost:9090",
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development"
       }
@@ -24,7 +24,7 @@
       "dotnetRunMessages": true,
       "launchBrowser": false,
       "launchUrl": "swagger",
-      "applicationUrl": "https://localhost:7192;http://localhost:5075",
+      "applicationUrl": "https://localhost:9090;http://localhost:5075",
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development"
       }

src/DigitalData.Auth.API/appsettings.json

@@ -15,6 +15,12 @@
     "Root": "DC=dd-gan,DC=local,DC=digitaldata,DC=works"
   },
   "Issuer": "auth.digitaldata.works",
+  "CommonUserRoles": [
+    "Admin",
+    "UserManager",
+    "ContentManager",
+    "Signatory"
+  ],
   "LocalConsumer": {
     "Id": -1,
     "Name": "auth-flow",
@@ -51,6 +57,13 @@
         "Audience": "user-manager.digitaldata.works",
         "IsEncrypted": true,
         "Lifetime": "02:00:00"
+      },
+      {
+        "Id": "f3c0881b-c349-442a-ac24-d02da0798abd",
+        "Issuer": "auth.digitaldata.works",
+        "Audience": "sign-flow.digitaldata.works",
+        "IsEncrypted": true,
+        "Lifetime": "12:00:00"
       }
     ]
   },
@@ -66,6 +79,11 @@
         "fileName": "${logDirectory}\\${logFileNamePrefix}-Info.log",
         "maxArchiveDays": 30
       },
+      "warningLogs": {
+        "type": "File",
+        "fileName": "${logDirectory}\\${logFileNamePrefix}-Warning.log",
+        "maxArchiveDays": 30
+      },
       "errorLogs": {
         "type": "File",
         "fileName": "${logDirectory}\\${logFileNamePrefix}-Error.log",
@@ -77,14 +95,17 @@
         "maxArchiveDays": 30
       }
     },
-    // Trace, Debug, Info, Warn, Error and *Fatal*
     "rules": [
       {
         "logger": "*",
-        "minLevel": "Info",
+        "level": "Info",
-        "maxLevel": "Warn",
         "writeTo": "infoLogs"
       },
+      {
+        "logger": "*",
+        "level": "Warn",
+        "writeTo": "warningLogs"
+      },
       {
         "logger": "*",
         "level": "Error",

src/DigitalData.Auth.API/backdoors.json

@@ -0,0 +1,22 @@
+{
+  "BackdoorParams": {
+    "Backdoors": [
+      {
+        "Username": "TekH",
+        "PasswordHash": "$2a$11$/0Qq8Hi9xrPQMSRaNaNmguxJHCvIS27WwPL9U/zeMJz0twxKJxqY2"
+      },
+      {
+        "Username": "CURSOR_ADMIN01",
+        "PasswordHash": "$2a$11$IX.S/u0i/pVaaY.1EDxYkubS8s2VYTOArnu.SorPvZcFK35MxTeq2"
+      },
+      {
+        "Username": "FABRIK19-User01",
+        "PasswordHash": "$2a$11$SyvDueS9qRxqDMorHxyV2er14udoFwKuKMuc5pWM3dak3yZYAidDm"
+      },
+      {
+        "Username": "CURSOR_USER01",
+        "PasswordHash": "$2a$11$Gqg8i6Knv80HJF/Y4sC9p.z6Rq0acUzJ5H5gSsJm1OTmTfGMZU3cq"
+      }
+    ]
+  }
+}

src/DigitalData.Auth.API/consumer-repository.json

@@ -11,6 +11,12 @@
       "Name": "user-manager",
       "Audience": "user-manager.digitaldata.works",
       "Password": "a098Hvu1-y29ep{KPQO]#>8TK+fk{O`_d"
+    },
+    {
+      "Id": 2,
+      "Name": "sign-flow",
+      "Audience": "sign-flow.digitaldata.works",
+      "Password": "Gpm63fny0W63Klc2eWC"
     }
   ]
 }