EnvelopeGenerator/EnvelopeGenerator.GeneratorAPI/Program.cs

using DigitalData.Core.API;
using DigitalData.Core.Application;
using EnvelopeGenerator.Infrastructure;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Localization;
using Microsoft.EntityFrameworkCore;
using System.Globalization;
using Scalar.AspNetCore;
using Microsoft.OpenApi.Models;
using DigitalData.UserManager.DependencyInjection;
using EnvelopeGenerator.Application;
using DigitalData.Auth.Client;
using DigitalData.Core.Abstractions;
using EnvelopeGenerator.GeneratorAPI.Models;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using DigitalData.Core.Abstractions.Security.Extensions;

var builder = WebApplication.CreateBuilder(args);

var config = builder.Configuration;

var deferredProvider = new DeferredServiceProvider();

builder.Services.AddControllers();

//CORS Policy
var allowedOrigins = config.GetSection("AllowedOrigins").Get<string[]>() ??
    throw new InvalidOperationException("AllowedOrigins section is missing in the configuration.");
builder.Services.AddCors(options =>
    {
        options.AddPolicy("AllowSpecificOriginsPolicy", builder =>
        {
            builder.WithOrigins(allowedOrigins)
                   .SetIsOriginAllowedToAllowWildcardSubdomains()
                   .AllowAnyMethod()
                   .AllowAnyHeader()
                   .AllowCredentials();
        });
    });

// Swagger
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen(options =>
{
    options.SwaggerDoc("v1", new OpenApiInfo
    {
        Version = "v1",
        Title = "signFLOW Absender-API",
        Description = "Eine API zur Verwaltung der Erstellung, des Versands und der Nachverfolgung von Umschlägen in der signFLOW-Anwendung.",
        Contact = new OpenApiContact
        {
            Name = "Digital Data GmbH",
            Url = new Uri("https://digitaldata.works/digitale-signatur#kontakt"),
            Email = "info-flow@digitaldata.works"
        },
    });

    options.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
    {
        Name = "Authorization",
        Type = SecuritySchemeType.Http,
        Scheme = "bearer",
        BearerFormat = "JWT",
        In = ParameterLocation.Header,
        Description = "JWT-Autorisierungs-Header unter Verwendung des Bearer-Schemas.",
    });

    options.AddSecurityRequirement(new OpenApiSecurityRequirement
    {
        {
            new OpenApiSecurityScheme
            {
                Reference = new OpenApiReference
                {
                    Type = ReferenceType.SecurityScheme,
                    Id = "Bearer"
                }
            },
            new string[] {}
        }
    });

    var xmlFiles = Directory.GetFiles(AppContext.BaseDirectory, "*.xml");
    foreach (var xmlFile in xmlFiles)
    {
        options.IncludeXmlComments(xmlFile);
    }
});
builder.Services.AddOpenApi();
// DbContext
var connStr = config.GetConnectionString("Default") ?? throw new InvalidOperationException("There is no default connection string in appsettings.json.");
builder.Services.AddDbContext<EGDbContext>(options => options.UseSqlServer(connStr));

builder.Services.AddAuthHubClient(config.GetSection("AuthClientParams"));

var authTokenKeys = config.GetOrDefault<AuthTokenKeys>();

builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
    .AddJwtBearer(opt =>
    {
        opt.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) =>
            {
                var clientParams = deferredProvider.GetOptions<ClientParams>();
                var publicKey = clientParams!.PublicKeys.Get(authTokenKeys.Issuer, authTokenKeys.Audience);
                return new List<SecurityKey>() { publicKey.SecurityKey };
            },
            ValidateIssuer = true,
            ValidIssuer = authTokenKeys.Issuer,
            ValidateAudience = true,
            ValidAudience = authTokenKeys.Audience,
        };

        opt.Events = new JwtBearerEvents
        {
            OnMessageReceived = context =>
            {
                // if there is no token read related cookie or query string
                if (context.Token is null)   // if there is no token
                {
                    if (context.Request.Cookies.TryGetValue(authTokenKeys.Cookie, out var cookieToken) && cookieToken is not null)
                        context.Token = cookieToken;
                    else if (context.Request.Query.TryGetValue(authTokenKeys.QueryString, out var queryStrToken))
                        context.Token = queryStrToken;
                }
                return Task.CompletedTask;
            }
        };
    });

// Authentication
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(options =>
{
    options.Cookie.HttpOnly = true;  // Makes the cookie inaccessible to client-side scripts for security
    options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest; // Ensures cookies are sent over HTTPS only
    options.Cookie.SameSite = SameSiteMode.Strict; // Protects against CSRF attacks by restricting how cookies are sent with requests from external sites
    options.LoginPath = "/api/auth/login";
    options.LogoutPath = "/api/auth/logout";
    options.SlidingExpiration = true;
});

// User manager
builder.Services.AddUserManager<EGDbContext>();

// LDAP
builder.ConfigureBySection<DirectorySearchOptions>();
builder.Services.AddDirectorySearchService(config.GetSection("DirectorySearchOptions"));

// Localizer
builder.Services.AddCookieBasedLocalizer() ;

// Envelope generator serives
builder.Services
    .AddEnvelopeGeneratorInfrastructureServices(sqlExecutorConfigureOptions: executor => executor.ConnectionString = connStr)
    .AddEnvelopeGeneratorServices(config);

var app = builder.Build();

deferredProvider.Factory = () => app.Services;

app.MapOpenApi();

// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment() || (app.IsDevOrDiP() && config.GetValue<bool>("UseSwagger")))
{
	app.UseSwagger();
	app.UseSwaggerUI();
    app.MapScalarApiReference();
}

// Set CORS policy
app.UseCors("AllowSpecificOriginsPolicy");

// Localizer
string[] supportedCultureNames = { "de-DE", "en-US" };
IList<CultureInfo> list = supportedCultureNames.Select((string cn) => new CultureInfo(cn)).ToList();
CultureInfo cultureInfo = list.FirstOrDefault() ?? throw new ArgumentNullException("supportedCultureNames", "Supported cultures cannot be empty.");
RequestLocalizationOptions requestLocalizationOptions = new RequestLocalizationOptions
{
    SupportedCultures = list,
    SupportedUICultures = list
};
requestLocalizationOptions.RequestCultureProviders.Add(new QueryStringRequestCultureProvider());
app.UseRequestLocalization(requestLocalizationOptions);


app.UseHttpsRedirection();

app.UseDefaultFiles();
app.UseStaticFiles();

app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();

app.Run();