WorkFlow/WorkFlow.API/Program.cs

using WorkFlow.Application;
using DigitalData.UserManager.Application;
using Microsoft.EntityFrameworkCore;
using WorkFlow.Infrastructure;
using Microsoft.AspNetCore.Authentication.Cookies;
using DigitalData.Core.API;
using DigitalData.Core.Application;
using DigitalData.UserManager.Application.DTOs.User;
using Microsoft.IdentityModel.Tokens;
using WorkFlow.API.Models;
using NLog;
using NLog.Web;
using WorkFlow.API.Extensions;
using WorkFlow.API.Filters;
using Microsoft.OpenApi.Models;

var logger = LogManager.Setup().LoadConfigurationFromAppSettings().GetCurrentClassLogger();
logger.Info("Logging initialized.");

try
{
    var builder = WebApplication.CreateBuilder(args);
    var config = builder.Configuration;

    // Add NLogger
    builder.Logging.ClearProviders();
    builder.Host.UseNLog();

    // Add services to the container.
    var cnn_str = config.GetConnectionString("Default") ?? throw new("Default connection string not found.");
    builder.Services.AddDbContext<WFDBContext>(options => options.UseSqlServer(cnn_str).EnableDetailedErrors());
    builder.Services.AddWorkFlow().AddUserManager<WFDBContext>();
    builder.Services.AddCookieBasedLocalizer();
    builder.ConfigureBySection<DirectorySearchOptions>();
    builder.Services.AddDirectorySearchService();
    builder.Services.AddJWTService<UserReadDto>(user => new SecurityTokenDescriptor()
    {
        Claims = user.ToClaimList().ToDictionary(claim => claim.Type, claim => claim.Value as object)
    });

    bool disableAPIKeyAuth = config.GetValue<bool>("DisableAPIKeyAuth") && builder.IsDevOrDiP();
    if (disableAPIKeyAuth)
        builder.Services.AddAPIKeyAuth(new());
    else        
        if (config.GetSection("APIKeyAuth").Get<APIKeyAuthOptions>() is APIKeyAuthOptions options)
            builder.Services.AddAPIKeyAuth(options);        
        else
            throw new("The API Key Authorization configuration is not available in the app settings, even though the app is not in development or DiP mode and API Key Authorization is not disabled.");

    builder.Services.AddControllers();

    builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(options =>
        {
            options.Cookie.HttpOnly = true;  // Makes the cookie inaccessible to client-side scripts for security
            options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest; // Ensures cookies are sent over HTTPS only
            options.Cookie.SameSite = SameSiteMode.Strict; // Protects against CSRF attacks by restricting how cookies are sent with requests from external sites
            options.LoginPath = "/api/auth/login";
            options.LogoutPath = "/api/auth/logout";
            options.ExpireTimeSpan = TimeSpan.FromMinutes(60); // timeout.
            options.SlidingExpiration = true; //refreshes the expiration time on each request.
            options.Cookie.Name = "AuthSession";
        });

    builder.Services.AddEndpointsApiExplorer();
    builder.Services.AddSwaggerGen(setupAct =>
    {
        if(!disableAPIKeyAuth)
            setupAct.OperationFilter<APIKeyAuthHeaderOpFilter>();

        if(config.GetSection("OpenApiInfo").Get<OpenApiInfo>() is OpenApiInfo openApiInfo)
            setupAct.SwaggerDoc(openApiInfo?.Version ?? "v1", openApiInfo);
    });

    var app = builder.Build();

    // Configure the HTTP request pipeline.
    if (app.IsDevOrDiP() && app.Configuration.GetValue<bool>("EnableSwagger"))
    {
        app.UseSwagger();
        app.UseSwaggerUI();
    }

    app.UseHttpsRedirection();

    app.UseAuthentication();

    app.UseAuthorization();

    app.UseCookieBasedLocalizer("de-DE");

    app.MapControllers();

    app.Run();
}
catch (Exception ex)
{
    logger.Error(ex, "Stopped program because of exception.");
    throw;
}