From 8876f5c286ef566da758261884424d63b986dfd0 Mon Sep 17 00:00:00 2001
From: TekH
Date: Fri, 29 May 2026 13:10:42 +0200
Subject: [PATCH] Add token validation for envelope key in request path

Enhanced token validation logic by introducing an `OnTokenValidated` event handler. This ensures the `envelopeKey` in the request path matches the token's subject (`sub` claim). Added `return Task.CompletedTask;` to complete asynchronous operations. These changes improve security by preventing mismatches or unauthorized access.
---
 EnvelopeGenerator.API/Program.cs | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/EnvelopeGenerator.API/Program.cs b/EnvelopeGenerator.API/Program.cs
index 658995e7..f2478083 100644
--- a/EnvelopeGenerator.API/Program.cs
+++ b/EnvelopeGenerator.API/Program.cs
@@ -206,6 +206,19 @@ try
 context.Token = cookieToken;
 }
+ return Task.CompletedTask;
+ },
+ OnTokenValidated = context =>
+ {
+ var paths = context.Request.Path.Value?.Split('/', StringSplitOptions.RemoveEmptyEntries);
+ var envelopeKey = paths?.LastOrDefault();
+
+ var sub = context.Principal?.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier)?.Value
+ ?? context.Principal?.FindFirst("sub")?.Value;
+
+ if (envelopeKey is null || sub != envelopeKey)
+ context.Fail("Envelope key in the path does not match the token subject.");
+ return Task.CompletedTask;
 }
 };
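Review bot: The `OnTokenValidated` check binds the token to whatever happens to be the last path segment (`paths?.LastOrDefault()`), not to the route parameter the endpoint actually uses as the envelope key. The routes are not visible in this hunk, but if this scheme also covers an endpoint where the key is not the final segment (or arrives via query or body), the comparison runs against the wrong value: legitimate calls are rejected, and a trailing segment that merely equals the caller's own `sub` would pass while a different key is processed. Reading the named route value removes the positional assumption, e.g. `var envelopeKey = context.HttpContext.GetRouteValue("<route-param-name>")?.ToString();` (placeholder name; this needs routing to run before authentication), or the rule could move into an authorization policy applied only to the envelope endpoints. A short comment saying which routes this scheme protects, and that the handler deliberately fails closed when either the key or the `sub` claim is missing, would also help. The enclosing events initializer and `try` block start outside the hunk.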