DigitalData.Auth/src/DigitalData.Auth.API/Program.cs

using DigitalData.Auth.API.Config;
using DigitalData.Auth.API.Entities;
using DigitalData.Auth.API.Hubs;
using DigitalData.Auth.API.Services;
using DigitalData.Core.Abstractions.Security.Extensions;
using DigitalData.Core.Abstractions.Security.Services;
using DigitalData.Core.Application;
using DigitalData.Core.Security.Extensions;
using DigitalData.UserManager.Application;
using DigitalData.UserManager.Application.DTOs.User;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;
using Microsoft.OpenApi.Models;
using NLog;
using NLog.Web;

var logger = LogManager.Setup().LoadConfigurationFromAppSettings().GetCurrentClassLogger();
logger.Info("Logging initialized.");

try
{
    var builder = WebApplication.CreateBuilder(args);

    builder.Configuration.AddJsonFile("consumer-repository.json", true, true);

    var config = builder.Configuration;

    var apiParams = config.Get<AuthApiParams>() ?? throw new InvalidOperationException("AuthApiOptions is missing or invalid in appsettings.");

    // Add services to the container.
    builder.Services.Configure<AuthApiParams>(config);
    builder.Services.AddAuthService(config);
    builder.Services.AddRSAPool(config.GetSection("CryptParams"));
    builder.Services.AddJwtSignatureHandler<Consumer>(api => new Dictionary<string, object>
{
    { JwtRegisteredClaimNames.Sub, api.Id },
    { JwtRegisteredClaimNames.Iat, DateTimeOffset.UtcNow.ToUnixTimeSeconds() }
});
    builder.Services.AddJwtSignatureHandler<UserReadDto>(user => new Dictionary<string, object>
{
    { JwtRegisteredClaimNames.Sub, user.Id },
    { JwtRegisteredClaimNames.UniqueName, user.Username },
    { JwtRegisteredClaimNames.Email, user.Email ?? string.Empty },
    { JwtRegisteredClaimNames.GivenName, user.Prename ?? string.Empty },
    { JwtRegisteredClaimNames.FamilyName, user.Name ?? string.Empty },
    { JwtRegisteredClaimNames.Iat, DateTimeOffset.UtcNow.ToUnixTimeSeconds() }
});
    builder.Services.AddDirectorySearchService(config.GetSection("DirectorySearchOptions"));
    builder.Services.AddSignalR();

    var cnn_str = builder.Configuration.GetConnectionString("Default") ?? throw new InvalidOperationException("Default connection string is not found.");

    builder.Services.AddUserManager(cnn_str);

    builder.Services.AddControllers();

    builder.Services.AddEndpointsApiExplorer();
    builder.Services.AddSwaggerGen(options =>
    {
        options.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
        {
            Name = "Authorization",
            Type = SecuritySchemeType.Http,
            Scheme = "bearer",
            BearerFormat = "JWT",
            In = ParameterLocation.Header,
            Description = "Enter 'Bearer' [space] and then your valid token."
        });

        options.AddSecurityRequirement(new OpenApiSecurityRequirement
    {
        {
            new OpenApiSecurityScheme
            {
                Reference = new OpenApiReference
                {
                    Type = ReferenceType.SecurityScheme,
                    Id = "Bearer"
                },
                Scheme = "oauth2",
                Name = "Bearer",
                In = ParameterLocation.Header
            },
            new List<string>()
        }
    });
    });

    // Add authentication
    Lazy<SecurityKey>? issuerSigningKeyInitiator = null;

    builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            options.RequireHttpsMetadata = apiParams!.RequireHttpsMetadata;
            options.ClaimsIssuer = apiParams!.Issuer;
            options.Audience = apiParams.LocalConsumer.Audience;
            options.TokenValidationParameters = new()
            {
                ValidateIssuer = true,
                ValidIssuer = apiParams!.Issuer,
                ValidateAudience = true,
                ValidAudience = apiParams.LocalConsumer.Audience,
                ValidateLifetime = true,
                IssuerSigningKey = issuerSigningKeyInitiator?.Value
            };

            options.Events = new JwtBearerEvents
            {
                OnMessageReceived = context =>
                {
                    // if there is no token read related cookie or query string
                    if (context.Token is null)   // if there is no token
                    {
                        if (context.Request.Cookies.TryGetValue(apiParams!.DefaultCookieName, out var cookieToken) && cookieToken is not null)
                            context.Token = cookieToken;
                        else if (context.Request.Query.TryGetValue(apiParams.DefaultQueryStringKey, out var queryStrToken))
                            context.Token = queryStrToken;
                    }
                    return Task.CompletedTask;
                }
            };
        });

    var app = builder.Build();

    issuerSigningKeyInitiator = new Lazy<SecurityKey>(() =>
    {
        var factory = app.Services.GetRequiredService<IAsymmetricKeyPool>();
        var desc = factory.TokenDescriptors.Get(apiParams.Issuer, apiParams.LocalConsumer.Audience);
        return desc.Validator.SecurityKey;
    });

    // Configure the HTTP request pipeline.
    var use_swagger = config.GetValue<bool>("UseSwagger");
    if (app.Environment.IsDevelopment() || use_swagger)
    {
        app.UseSwagger();
        app.UseSwaggerUI();
    }

    app.UseHttpsRedirection();

    app.UseAuthentication();

    app.UseAuthorization();

    app.MapControllers();

    app.MapHub<AuthHub>("/auth-hub");

    app.Run();
}
catch(Exception ex)
{
    logger.Error(ex, "Stopped program because of exception.");
    throw;
}