Add whitelisting service + update the jwt valid audience

2025-11-07 19:38:33 +07:00
parent 5578d272fa
commit 21110cd771
17 changed files with 2575 additions and 7 deletions
--- a/src/Managing.Api/Program.cs
+++ b/src/Managing.Api/Program.cs
@@ -14,6 +14,7 @@ using Managing.Infrastructure.Databases.InfluxDb.Models;
 using Managing.Infrastructure.Databases.PostgreSql;
 using Managing.Infrastructure.Databases.PostgreSql.Configurations;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Diagnostics.HealthChecks;
 using Microsoft.AspNetCore.Http.Features;
 using Microsoft.AspNetCore.Server.Kestrel.Core;
@@ -223,7 +224,8 @@ if (jwtSecret.Length < 32)

 // Get issuer and audience configuration
 var validIssuer = builder.Configuration["Authentication:Schemes:Bearer:ValidIssuer"];
-var validAudience = builder.Configuration["Authentication:Schemes:Bearer:ValidAudiences"];
+var validAudiences = builder.Configuration.GetSection("Authentication:Schemes:Bearer:ValidAudiences")
+    .Get<string[]>() ?? Array.Empty<string>();

 // Determine if validation should be enabled (enable in production, allow override via config)
 var enableIssuerValidation = builder.Configuration.GetValue<bool>("Jwt:ValidateIssuer", 
@@ -247,11 +249,11 @@ builder.Services
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = validIssuer,
-            ValidAudience = validAudience,
+            ValidAudiences = validAudiences.Length > 0 ? validAudiences : null,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSecret)),
            ValidateIssuerSigningKey = true,
            ValidateIssuer = enableIssuerValidation && !string.IsNullOrWhiteSpace(validIssuer),
-            ValidateAudience = enableAudienceValidation && !string.IsNullOrWhiteSpace(validAudience),
+            ValidateAudience = enableAudienceValidation && validAudiences.Length > 0,
            ValidateLifetime = true, // Explicitly validate token expiration
            ClockSkew = clockSkew, // Configure clock skew tolerance
            RequireExpirationTime = true, // Ensure tokens have expiration
@@ -275,6 +277,19 @@ builder.Services
                var logger = context.HttpContext.RequestServices
                    .GetService<ILogger<Program>>();
                
+                // Check if the endpoint allows anonymous access
+                var endpoint = context.HttpContext.GetEndpoint();
+                var allowAnonymous = endpoint?.Metadata.GetMetadata<IAllowAnonymous>() != null;
+                
+                // For anonymous endpoints with malformed tokens, skip authentication instead of failing
+                if (allowAnonymous && context.Exception is SecurityTokenMalformedException)
+                {
+                    logger?.LogDebug("Skipping malformed token validation for anonymous endpoint: {Path}", 
+                        context.Request.Path);
+                    context.NoResult(); // Skip authentication, don't fail
+                    return Task.CompletedTask;
+                }
+                
                if (context.Exception is SecurityTokenExpiredException)
                {
                    context.Response.Headers["Token-Expired"] = "true";