feat: implement authentication system for API Gateway and FileService

- Add JWT Bearer token validation to API Gateway with restricted CORS - Add cookie-based JWT validation to FileService for browser image requests - Create shared authentication infrastructure in FictionArchive.Service.Shared - Update frontend to set fa_session cookie after OIDC login - Add [Authorize] attributes to GraphQL mutations with role-based restrictions - Configure OIDC settings for both services in docker-compose Implements FA-17: Authentication for microservices architecture
2025-11-27 14:05:54 +00:00
parent 4412a1f658
commit 78612ea29d
14 changed files with 201 additions and 9 deletions
--- a/FictionArchive.Service.FileService/Controllers/S3ProxyController.cs
+++ b/FictionArchive.Service.FileService/Controllers/S3ProxyController.cs
@@ -2,6 +2,7 @@ using System.Web;
 using Amazon.S3;
 using Amazon.S3.Model;
 using FictionArchive.Service.FileService.Models;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Options;
@@ -10,6 +11,7 @@ namespace FictionArchive.Service.FileService.Controllers
 {
    [Route("api/{*path}")]
    [ApiController]
+    [Authorize]
    public class S3ProxyController : ControllerBase
    {
        private readonly AmazonS3Client _amazonS3Client;
--- a/FictionArchive.Service.FileService/FictionArchive.Service.FileService.csproj
+++ b/FictionArchive.Service.FileService/FictionArchive.Service.FileService.csproj
@@ -21,6 +21,7 @@
      <PackageReference Include="AWSSDK.S3" Version="4.0.13.1" />
      <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="9.0.0" />
      <PackageReference Include="Swashbuckle.AspNetCore" Version="10.0.1" />
+      <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.11" />
    </ItemGroup>

    <ItemGroup>
--- a/FictionArchive.Service.FileService/Program.cs
+++ b/FictionArchive.Service.FileService/Program.cs
@@ -34,6 +34,10 @@ public class Program
        
        #endregion
        
+        // Add authentication with cookie support
+        builder.Services.AddOidcCookieAuthentication(builder.Configuration);
+        builder.Services.AddFictionArchiveAuthorization();
+        
        builder.Services.Configure<ProxyConfiguration>(builder.Configuration.GetSection("ProxyConfiguration"));
        
        // Add S3 Client
@@ -60,6 +64,9 @@ public class Program
            app.UseSwaggerUI();
        }

+        app.UseAuthentication();
+        app.UseAuthorization();
+        
        app.MapHealthChecks("/healthz");
        
        app.MapControllers();
--- a/FictionArchive.Service.FileService/appsettings.json
+++ b/FictionArchive.Service.FileService/appsettings.json
@@ -18,5 +18,14 @@
    "AccessKey": "REPLACE_ME",
    "SecretKey": "REPLACE_ME"
  },
+  "OIDC": {
+    "Authority": "https://auth.orfl.xyz/application/o/fictionarchive/",
+    "ClientId": "fictionarchive-files",
+    "Audience": "fictionarchive-api",
+    "ValidateIssuer": true,
+    "ValidateAudience": true,
+    "ValidateLifetime": true,
+    "ValidateIssuerSigningKey": true
+  },
  "AllowedHosts": "*"
 }