feat(auth): Integration von AuthHubClient und JWT-basierter Authentifizierung

- Abhängigkeit `DigitalData.Auth.Client` hinzugefügt - `AuthHubClient` mit konfigurierbarem öffentlichen Schlüssel für Authentifizierung integriert - Cookie-basierte Authentifizierung durch JWT-Bearer-Authentifizierung ersetzt - Token-Validierung so konfiguriert, dass dynamisch auflösbare Signaturschlüssel verwendet werden
chore: Konfigurierte Paket-ID, Version, Firma, Produkt und Titel
2025-03-07 16:10:10 +01:00 · 2024-10-29 14:50:18 +01:00
3 changed files with 39 additions and 17 deletions
--- a/WorkFlow.API/Program.cs
+++ b/WorkFlow.API/Program.cs
@ -13,6 +13,7 @@ using NLog.Web;
 using WorkFlow.API.Extensions;
 using WorkFlow.API.Filters;
 using Microsoft.OpenApi.Models;
+using DigitalData.Auth.Client;

 var logger = LogManager.Setup().LoadConfigurationFromAppSettings().GetCurrentClassLogger();
 logger.Info("Logging initialized.");
@ -26,7 +27,7 @@ try
    builder.Logging.ClearProviders();
    builder.Host.UseNLog();

-    // Add services to the container.
+    // Add services to the container
    var cnn_str = config.GetConnectionString("Default") ?? throw new("Default connection string not found.");
    builder.Services.AddDbContext<WFDBContext>(options => options.UseSqlServer(cnn_str).EnableDetailedErrors());
    builder.Services.AddWorkFlow().AddUserManager<WFDBContext>();
@ -41,34 +42,41 @@ try
    bool disableAPIKeyAuth = config.GetValue<bool>("DisableAPIKeyAuth") && builder.IsDevOrDiP();
    if (disableAPIKeyAuth)
        builder.Services.AddAPIKeyAuth(new APIKeyAuthOptions());
-    else        
+    else
        if (config.GetSection("APIKeyAuth").Get<APIKeyAuthOptions>() is APIKeyAuthOptions options)
-            builder.Services.AddAPIKeyAuth(options);        
-        else
-            throw new("The API Key Authorization configuration is not available in the app settings, even though the app is not in development or DiP mode and API Key Authorization is not disabled.");
+        builder.Services.AddAPIKeyAuth(options);
+    else
+        throw new("The API Key Authorization configuration is not available in the app settings, even though the app is not in development or DiP mode and API Key Authorization is not disabled.");
+
+    var authPublicKey = config.GetSection("AuthPublicKey").Get<ClientPublicKey>() ?? throw new InvalidOperationException("The AuthPublicKey configuration is missing or invalid.");
+
+    builder.Services.AddAuthHubClient(config, opt =>
+    {
+        opt.PublicKeys.Add(authPublicKey);
+    });

    builder.Services.AddControllers();

    builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
-        .AddCookie(options =>
+        .AddJwtBearer(opt =>
        {
-            options.Cookie.HttpOnly = true;  // Makes the cookie inaccessible to client-side scripts for security
-            options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest; // Ensures cookies are sent over HTTPS only
-            options.Cookie.SameSite = SameSiteMode.Strict; // Protects against CSRF attacks by restricting how cookies are sent with requests from external sites
-            options.LoginPath = "/api/auth/login";
-            options.LogoutPath = "/api/auth/logout";
-            options.ExpireTimeSpan = TimeSpan.FromMinutes(60); // timeout.
-            options.SlidingExpiration = true; //refreshes the expiration time on each request.
-            options.Cookie.Name = "AuthSession";
+            opt.TokenValidationParameters = new TokenValidationParameters
+            {
+                ValidateIssuerSigningKey = true,
+                IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) =>
+                {
+                    return [authPublicKey.SecurityKey];
+                }
+            };
        });

    builder.Services.AddEndpointsApiExplorer();
    builder.Services.AddSwaggerGen(setupAct =>
    {
-        if(!disableAPIKeyAuth)
+        if (!disableAPIKeyAuth)
            setupAct.OperationFilter<APIKeyAuthHeaderOpFilter>();

-        if(config.GetSection("OpenApiInfo").Get<OpenApiInfo>() is OpenApiInfo openApiInfo)
+        if (config.GetSection("OpenApiInfo").Get<OpenApiInfo>() is OpenApiInfo openApiInfo)
            setupAct.SwaggerDoc(openApiInfo?.Version ?? "v1", openApiInfo);
    });

--- a/WorkFlow.API/WorkFlow.API.csproj
+++ b/WorkFlow.API/WorkFlow.API.csproj
@ -1,13 +1,20 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <Nullable>enable</Nullable>
    <ImplicitUsings>enable</ImplicitUsings>
+    <PackageId>1.0.0.0</PackageId>
+    <Version>1.0.0.0</Version>
+    <Company>Digital Data GmbH</Company>
+    <Product>WorkFlow.API</Product>
+    <Title>WorkFlow.API</Title>
  </PropertyGroup>

  <ItemGroup>
+    <PackageReference Include="DigitalData.Auth.Client" Version="1.1.4.1" />
    <PackageReference Include="DigitalData.Core.API" Version="2.0.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.13" />
    <PackageReference Include="NLog" Version="5.3.4" />
    <PackageReference Include="NLog.Web.AspNetCore" Version="5.3.14" />
    <PackageReference Include="Swashbuckle.AspNetCore" Version="6.4.0" />
--- a/WorkFlow.API/appsettings.json
+++ b/WorkFlow.API/appsettings.json
@ -76,5 +76,12 @@
      "Name": "Digital Data GmbH",
      "Url": "https://digitaldata.works/"
    }
+  },
+  "AuthClientParams": {
+    "Url": "https://localhost:7192"
+  },
+  "AuthPublicKey": {
+    "Issuer": "auth.digitaldata.works",
+    "Audience": "work-flow.digitaldata.works"
  }
 }