Merge pull request 'feat: implement authentication system for API Gateway and FileService' (#34) from claude/issue-17-add-authentication into master

Reviewed-on: #34

FictionArchive.API/FictionArchive.API.csproj

@@ -13,6 +13,7 @@
         <PackageReference Include="HotChocolate.Data.EntityFramework" Version="15.1.11" />
         <PackageReference Include="HotChocolate.Fusion" Version="15.1.11" />
         <PackageReference Include="HotChocolate.Types.Scalars" Version="15.1.11" />
+        <PackageReference Include="Microsoft.AspNetCore.HeaderPropagation" Version="8.0.22" />
         <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="9.0.11">
           <PrivateAssets>all</PrivateAssets>
           <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
@@ -20,6 +21,7 @@
         <PackageReference Include="Microsoft.EntityFrameworkCore.Relational" Version="9.0.11" />
         <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="8.0.7" />
         <PackageReference Include="Swashbuckle.AspNetCore" Version="6.6.2"/>
+        <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.11" />
     </ItemGroup>
     
     <!-- Builds the Fusion graph file before building the application itself (skipped in CI) -->

FictionArchive.API/Program.cs

@@ -12,7 +12,11 @@ public class Program
         
         #region Fusion Gateway
 
-        builder.Services.AddHttpClient("Fusion");
+        builder.Services.AddHttpClient("Fusion")
+            .AddHeaderPropagation(opt =>
+            {
+                opt.Headers.Add("Authorization");
+            });
 
         builder.Services
             .AddFusionGatewayServer()
@@ -21,23 +25,29 @@ public class Program
         
         #endregion
         
+        // Add authentication
+        builder.Services.AddOidcAuthentication(builder.Configuration);
+        
         builder.Services.AddCors(options =>
         {
-            options.AddPolicy("AllowAllOrigins",
+            options.AddPolicy("AllowFictionArchiveOrigins",
-                builder =>
+                policyBuilder =>
                 {
-                    builder.AllowAnyOrigin()
+                    policyBuilder.WithOrigins("https://fictionarchive.orfl.xyz", "http://localhost:5173")
                         .AllowAnyMethod()
-                        .AllowAnyHeader();
+                        .AllowAnyHeader()
+                        .AllowCredentials();
                 });
         });
 
         var app = builder.Build();
 
-        app.UseCors("AllowAllOrigins");
+        app.UseCors("AllowFictionArchiveOrigins");
         
         app.MapHealthChecks("/healthz");
 
+        app.UseHeaderPropagation();
+
         app.MapGraphQL();
 
         app.RunWithGraphQLCommands(args);

FictionArchive.API/appsettings.json

@@ -5,5 +5,15 @@
       "Microsoft.AspNetCore": "Warning"
     }
   },
-  "AllowedHosts": "*"
+  "AllowedHosts": "*",
+  "OIDC": {
+    "Authority": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ClientId": "fictionarchive-api",
+    "Audience": "fictionarchive-api",
+    "ValidIssuer": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ValidateIssuer": true,
+    "ValidateAudience": true,
+    "ValidateLifetime": true,
+    "ValidateIssuerSigningKey": true
+  }
 }

FictionArchive.Service.FileService/Controllers/S3ProxyController.cs

@@ -2,6 +2,7 @@ using System.Web;
 using Amazon.S3;
 using Amazon.S3.Model;
 using FictionArchive.Service.FileService.Models;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Options;
@@ -10,6 +11,7 @@ namespace FictionArchive.Service.FileService.Controllers
 {
     [Route("api/{*path}")]
     [ApiController]
+    [Authorize]
     public class S3ProxyController : ControllerBase
     {
         private readonly AmazonS3Client _amazonS3Client;

FictionArchive.Service.FileService/FictionArchive.Service.FileService.csproj

@@ -21,6 +21,7 @@
       <PackageReference Include="AWSSDK.S3" Version="4.0.13.1" />
       <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="9.0.0" />
       <PackageReference Include="Swashbuckle.AspNetCore" Version="10.0.1" />
+      <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.11" />
     </ItemGroup>
 
     <ItemGroup>

FictionArchive.Service.FileService/Program.cs

@@ -34,6 +34,10 @@ public class Program
         
         #endregion
         
+        // Add authentication with cookie support
+        builder.Services.AddOidcCookieAuthentication(builder.Configuration);
+        builder.Services.AddFictionArchiveAuthorization();
+        
         builder.Services.Configure<ProxyConfiguration>(builder.Configuration.GetSection("ProxyConfiguration"));
         
         // Add S3 Client
@@ -60,6 +64,9 @@ public class Program
             app.UseSwaggerUI();
         }
 
+        app.UseAuthentication();
+        app.UseAuthorization();
+        
         app.MapHealthChecks("/healthz");
         
         app.MapControllers();

FictionArchive.Service.FileService/appsettings.json

@@ -9,7 +9,7 @@
     "BaseUrl": "https://localhost:7247/api"
   },
   "RabbitMQ": {
-    "ConnectionString": "amqp://localhost2",
+    "ConnectionString": "amqp://localhost",
     "ClientIdentifier": "FileService"
   },
   "S3": {
@@ -18,5 +18,15 @@
     "AccessKey": "REPLACE_ME",
     "SecretKey": "REPLACE_ME"
   },
+  "OIDC": {
+    "Authority": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ClientId": "fictionarchive-files",
+    "Audience": "fictionarchive-api",
+    "ValidIssuer": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ValidateIssuer": true,
+    "ValidateAudience": true,
+    "ValidateLifetime": true,
+    "ValidateIssuerSigningKey": true
+  },
   "AllowedHosts": "*"
 }

FictionArchive.Service.NovelService/GraphQL/Mutation.cs

@@ -6,17 +6,20 @@ using FictionArchive.Service.NovelService.Models.SourceAdapters;
 using FictionArchive.Service.NovelService.Services;
 using FictionArchive.Service.NovelService.Services.SourceAdapters;
 using FictionArchive.Service.Shared.Services.EventBus;
+using HotChocolate.Authorization;
 using Microsoft.EntityFrameworkCore;
 
 namespace FictionArchive.Service.NovelService.GraphQL;
 
 public class Mutation
 {
+    [Authorize]
     public async Task<NovelUpdateRequestedEvent> ImportNovel(string novelUrl, NovelUpdateService service)
     {
         return await service.QueueNovelImport(novelUrl);
     }
 
+    [Authorize]
     public async Task<ChapterPullRequestedEvent> FetchChapterContents(uint novelId,
         uint chapterNumber,
         NovelUpdateService service)

FictionArchive.Service.NovelService/GraphQL/Query.cs

@@ -1,5 +1,6 @@
 using FictionArchive.Service.NovelService.Models.Novels;
 using FictionArchive.Service.NovelService.Services;
+using HotChocolate.Authorization;
 using HotChocolate.Data;
 using HotChocolate.Types;
 
@@ -7,6 +8,7 @@ namespace FictionArchive.Service.NovelService.GraphQL;
 
 public class Query
 {
+    [Authorize]
     [UsePaging]
     [UseProjection]
     [UseFiltering]

FictionArchive.Service.NovelService/Program.cs

@@ -43,7 +43,8 @@ public class Program
         
         #region GraphQL
 
-        builder.Services.AddDefaultGraphQl<Query, Mutation>();
+        builder.Services.AddDefaultGraphQl<Query, Mutation>()
+            .AddAuthorization();
         
         #endregion
         
@@ -75,6 +76,10 @@ public class Program
         
         builder.Services.AddHealthChecks();
 
+        // Authentication & Authorization
+        builder.Services.AddOidcAuthentication(builder.Configuration);
+        builder.Services.AddFictionArchiveAuthorization();
+
         var app = builder.Build();
         
         // Update database (skip in schema export mode)
@@ -89,6 +94,9 @@ public class Program
 
         app.MapHealthChecks("/healthz");
 
+        app.UseAuthentication();
+        app.UseAuthorization();
+
         app.MapGraphQL();
 
         app.RunWithGraphQLCommands(args);

FictionArchive.Service.NovelService/appsettings.json

@@ -19,5 +19,15 @@
     "ConnectionString": "amqp://localhost",
     "ClientIdentifier": "NovelService"
   },
-  "AllowedHosts": "*"
+  "AllowedHosts": "*",
+  "OIDC": {
+    "Authority": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ClientId": "ldi5IpEidq2WW0Ka1lehVskb2SOBjnYRaZCpEyBh",
+    "Audience": "ldi5IpEidq2WW0Ka1lehVskb2SOBjnYRaZCpEyBh",
+    "ValidIssuer": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ValidateIssuer": true,
+    "ValidateAudience": true,
+    "ValidateLifetime": true,
+    "ValidateIssuerSigningKey": true
+  }
 }

FictionArchive.Service.NovelService/subgraph-config.json

@@ -1,6 +1,6 @@
 {
   "subgraph": "Novels",
   "http": {
-    "baseAddress": "http://localhost:5101/graphql"
+    "baseAddress": "https://localhost:7208/graphql"
   }
 }

FictionArchive.Service.SchedulerService/GraphQL/Mutation.cs

@@ -1,6 +1,8 @@
 using System.Data;
 using FictionArchive.Service.SchedulerService.Models;
 using FictionArchive.Service.SchedulerService.Services;
+using FictionArchive.Service.Shared.Constants;
+using HotChocolate.Authorization;
 using HotChocolate.Types;
 using Quartz;
 
@@ -10,18 +12,21 @@ public class Mutation
 {
     [Error<DuplicateNameException>]
     [Error<FormatException>]
+    [Authorize(Roles = [AuthorizationConstants.Roles.Admin])]
     public async Task<SchedulerJob> ScheduleEventJob(string key, string description, string eventType, string eventData, string cronSchedule, JobManagerService jobManager)
     {
         return await jobManager.ScheduleEventJob(key, description, eventType, eventData, cronSchedule);
     }
 
     [Error<JobPersistenceException>]
+    [Authorize(Roles = [AuthorizationConstants.Roles.Admin])]
     public async Task<bool> RunJob(string jobKey, JobManagerService jobManager)
     {
         return await jobManager.TriggerJob(jobKey);
     }
 
     [Error<KeyNotFoundException>]
+    [Authorize(Roles = [AuthorizationConstants.Roles.Admin])]
     public async Task<bool> DeleteJob(string jobKey, JobManagerService jobManager)
     {
         bool deleted = await jobManager.DeleteJob(jobKey);

FictionArchive.Service.SchedulerService/Program.cs

@@ -17,10 +17,15 @@ public class Program
         var builder = WebApplication.CreateBuilder(args);
         
         // Services
-        builder.Services.AddDefaultGraphQl<Query, Mutation>();
+        builder.Services.AddDefaultGraphQl<Query, Mutation>()
+            .AddAuthorization();
         builder.Services.AddHealthChecks();
         builder.Services.AddTransient<JobManagerService>();
 
+        // Authentication & Authorization
+        builder.Services.AddOidcAuthentication(builder.Configuration);
+        builder.Services.AddFictionArchiveAuthorization();
+
         #region Database
         
         builder.Services.RegisterDbContext<SchedulerServiceDbContext>(
@@ -88,6 +93,9 @@ public class Program
 
         app.MapHealthChecks("/healthz");
 
+        app.UseAuthentication();
+        app.UseAuthorization();
+
         app.MapGraphQL();
         
         app.RunWithGraphQLCommands(args);

FictionArchive.Service.SchedulerService/appsettings.json

@@ -12,5 +12,15 @@
   "ConnectionStrings": {
     "DefaultConnection": "Host=localhost;Database=FictionArchive_SchedulerService;Username=postgres;password=postgres"
   },
-  "AllowedHosts": "*"
+  "AllowedHosts": "*",
+  "OIDC": {
+    "Authority": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ClientId": "fictionarchive-api",
+    "Audience": "fictionarchive-api",
+    "ValidIssuer": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ValidateIssuer": true,
+    "ValidateAudience": true,
+    "ValidateLifetime": true,
+    "ValidateIssuerSigningKey": true
+  }
 }

FictionArchive.Service.Shared/Constants/AuthorizationConstants.cs

@@ -0,0 +1,15 @@
+namespace FictionArchive.Service.Shared.Constants;
+
+public static class AuthorizationConstants
+{
+    public static class Roles
+    {
+        public const string Admin = "admin";
+    }
+
+    public static class Policies
+    {
+        public const string Admin = "Admin";
+        public const string User = "User";
+    }
+}

FictionArchive.Service.Shared/Extensions/AuthenticationExtensions.cs

@@ -0,0 +1,168 @@
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Logging;
+using Microsoft.IdentityModel.Tokens;
+using FictionArchive.Service.Shared.Constants;
+using FictionArchive.Service.Shared.Models.Authentication;
+using System.Linq;
+
+namespace FictionArchive.Service.Shared.Extensions;
+
+public static class AuthenticationExtensions
+{
+    public static IServiceCollection AddOidcAuthentication(this IServiceCollection services, IConfiguration configuration)
+    {
+        var oidcConfig = configuration.GetSection("OIDC").Get<OidcConfiguration>();
+        
+        if (oidcConfig == null)
+        {
+            throw new InvalidOperationException("OIDC configuration is required but not found in app settings");
+        }
+        
+        ValidateOidcConfiguration(oidcConfig);
+
+        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+            .AddJwtBearer(options =>
+            {
+                options.Authority = oidcConfig.Authority;
+                options.Audience = oidcConfig.Audience;
+                options.RequireHttpsMetadata = !string.IsNullOrEmpty(oidcConfig.Authority) && oidcConfig.Authority.StartsWith("https://");
+
+                options.TokenValidationParameters = new TokenValidationParameters
+                {
+                    ValidateIssuer = oidcConfig.ValidateIssuer,
+                    ValidIssuer = oidcConfig.ValidIssuer,
+                    ValidateAudience = oidcConfig.ValidateAudience,
+                    ValidateLifetime = oidcConfig.ValidateLifetime,
+                    ValidateIssuerSigningKey = oidcConfig.ValidateIssuerSigningKey,
+                    ClockSkew = TimeSpan.FromMinutes(5)
+                };
+
+                options.Events = CreateLoggingJwtBearerEvents();
+            });
+
+        return services;
+    }
+
+    private static JwtBearerEvents CreateLoggingJwtBearerEvents(JwtBearerEvents? existingEvents = null)
+    {
+        return new JwtBearerEvents
+        {
+            OnMessageReceived = existingEvents?.OnMessageReceived ?? (_ => Task.CompletedTask),
+            OnAuthenticationFailed = context =>
+            {
+                var logger = context.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>()
+                    .CreateLogger("JwtBearerAuthentication");
+
+                logger.LogWarning(context.Exception, "JWT authentication failed: {Message}", context.Exception.Message);
+
+                return existingEvents?.OnAuthenticationFailed?.Invoke(context) ?? Task.CompletedTask;
+            },
+            OnChallenge = context =>
+            {
+                var logger = context.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>()
+                    .CreateLogger("JwtBearerAuthentication");
+
+                logger.LogDebug(
+                    "JWT challenge issued. Error: {Error}, ErrorDescription: {ErrorDescription}",
+                    context.Error,
+                    context.ErrorDescription);
+
+                return existingEvents?.OnChallenge?.Invoke(context) ?? Task.CompletedTask;
+            },
+            OnTokenValidated = context =>
+            {
+                var logger = context.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>()
+                    .CreateLogger("JwtBearerAuthentication");
+
+                logger.LogDebug(
+                    "JWT token validated for subject: {Subject}",
+                    context.Principal?.FindFirst("sub")?.Value ?? "unknown");
+
+                return existingEvents?.OnTokenValidated?.Invoke(context) ?? Task.CompletedTask;
+            }
+        };
+    }
+
+    public static IServiceCollection AddOidcCookieAuthentication(this IServiceCollection services, IConfiguration configuration, string cookieName = "fa_session")
+    {
+        var oidcConfig = configuration.GetSection("OIDC").Get<OidcConfiguration>();
+        
+        if (oidcConfig == null)
+        {
+            throw new InvalidOperationException("OIDC configuration is required but not found in app settings");
+        }
+        
+        ValidateOidcConfiguration(oidcConfig);
+
+        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+            .AddJwtBearer(options =>
+            {
+                options.Authority = oidcConfig.Authority;
+                options.Audience = oidcConfig.Audience;
+                options.RequireHttpsMetadata = !string.IsNullOrEmpty(oidcConfig.Authority) && oidcConfig.Authority.StartsWith("https://");
+
+                var cookieEvents = new JwtBearerEvents
+                {
+                    OnMessageReceived = context =>
+                    {
+                        // Try to get token from cookie first, then from Authorization header
+                        if (context.Request.Cookies.ContainsKey(cookieName))
+                        {
+                            context.Token = context.Request.Cookies[cookieName];
+                        }
+
+                        return Task.CompletedTask;
+                    }
+                };
+                options.Events = CreateLoggingJwtBearerEvents(cookieEvents);
+
+                options.TokenValidationParameters = new TokenValidationParameters
+                {
+                    ValidateIssuer = oidcConfig.ValidateIssuer,
+                    ValidIssuer = oidcConfig.ValidIssuer,
+                    ValidateAudience = oidcConfig.ValidateAudience,
+                    ValidateLifetime = oidcConfig.ValidateLifetime,
+                    ValidateIssuerSigningKey = oidcConfig.ValidateIssuerSigningKey,
+                    ClockSkew = TimeSpan.FromMinutes(5)
+                };
+            });
+
+        return services;
+    }
+
+    public static IServiceCollection AddFictionArchiveAuthorization(this IServiceCollection services)
+    {
+        services.AddAuthorizationBuilder()
+            .AddPolicy(AuthorizationConstants.Policies.Admin, policy => policy.RequireRole(AuthorizationConstants.Roles.Admin))
+            .AddPolicy(AuthorizationConstants.Policies.User, policy => policy.RequireAuthenticatedUser());
+
+        return services;
+    }
+
+    private static void ValidateOidcConfiguration(OidcConfiguration config)
+    {
+        var errors = new List<string>();
+
+        if (string.IsNullOrWhiteSpace(config.Authority))
+            errors.Add("OIDC Authority is required");
+
+        if (string.IsNullOrWhiteSpace(config.ClientId))
+            errors.Add("OIDC ClientId is required");
+
+        if (string.IsNullOrWhiteSpace(config.Audience))
+            errors.Add("OIDC Audience is required");
+
+        if (!Uri.TryCreate(config.Authority, UriKind.Absolute, out var authorityUri))
+            errors.Add($"OIDC Authority '{config.Authority}' is not a valid URI");
+        else if (!authorityUri.Scheme.Equals("https", StringComparison.OrdinalIgnoreCase) && 
+                 !authorityUri.Host.Equals("localhost", StringComparison.OrdinalIgnoreCase))
+            errors.Add("OIDC Authority must use HTTPS unless running on localhost");
+
+        if (errors.Any())
+        {
+            throw new InvalidOperationException($"OIDC configuration validation failed:{Environment.NewLine}{string.Join(Environment.NewLine, errors)}");
+        }
+    }
+}

FictionArchive.Service.Shared/FictionArchive.Service.Shared.csproj

@@ -9,6 +9,7 @@
     <ItemGroup>
         <PackageReference Include="GraphQL.Server.Ui.GraphiQL" Version="8.3.3" />
         <PackageReference Include="HotChocolate.AspNetCore" Version="15.1.11" />
+        <PackageReference Include="HotChocolate.AspNetCore.Authorization" Version="15.1.11" />
         <PackageReference Include="HotChocolate.AspNetCore.CommandLine" Version="15.1.11" />
         <PackageReference Include="HotChocolate.Data.EntityFramework" Version="15.1.11" />
         <PackageReference Include="HotChocolate.Types.Scalars" Version="15.1.11" />
@@ -29,6 +30,7 @@
         <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="9.0.4" />
         <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL.NodaTime" Version="9.0.4" />
         <PackageReference Include="RabbitMQ.Client" Version="7.2.0" />
+        <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.11" />
     </ItemGroup>
     
     <ItemGroup>

FictionArchive.Service.Shared/Models/Authentication/OidcConfiguration.cs

@@ -0,0 +1,13 @@
+namespace FictionArchive.Service.Shared.Models.Authentication;
+
+public class OidcConfiguration
+{
+    public string Authority { get; set; } = string.Empty;
+    public string ClientId { get; set; } = string.Empty;
+    public string Audience { get; set; } = string.Empty;
+    public string? ValidIssuer { get; set; }
+    public bool ValidateIssuer { get; set; } = true;
+    public bool ValidateAudience { get; set; } = true;
+    public bool ValidateLifetime { get; set; } = true;
+    public bool ValidateIssuerSigningKey { get; set; } = true;
+}

FictionArchive.Service.TranslationService/GraphQL/Mutation.cs

@@ -5,11 +5,13 @@ using FictionArchive.Service.TranslationService.Models.Enums;
 using FictionArchive.Service.TranslationService.Services;
 using FictionArchive.Service.TranslationService.Services.Database;
 using FictionArchive.Service.TranslationService.Services.TranslationEngines;
+using HotChocolate.Authorization;
 
 namespace FictionArchive.Service.TranslationService.GraphQL;
 
 public class Mutation
 {
+    [Authorize]
     public async Task<TranslationResult> TranslateText(string text, Language from, Language to, string translationEngineKey, TranslationEngineService translationEngineService)
     {
         var result = await translationEngineService.Translate(from, to, text, translationEngineKey);

FictionArchive.Service.TranslationService/GraphQL/Query.cs

@@ -2,12 +2,14 @@ using FictionArchive.Service.TranslationService.Models;
 using FictionArchive.Service.TranslationService.Models.Database;
 using FictionArchive.Service.TranslationService.Services.Database;
 using FictionArchive.Service.TranslationService.Services.TranslationEngines;
+using HotChocolate.Authorization;
 using Microsoft.EntityFrameworkCore;
 
 namespace FictionArchive.Service.TranslationService.GraphQL;
 
 public class Query
 {
+    [Authorize]
     [UseFiltering]
     [UseSorting]
     public IEnumerable<TranslationEngineDescriptor> GetTranslationEngines(IEnumerable<ITranslationEngine> engines)
@@ -15,6 +17,7 @@ public class Query
         return engines.Select(engine => engine.Descriptor);
     }
 
+    [Authorize]
     [UsePaging]
     [UseProjection]
     [UseFiltering]

FictionArchive.Service.TranslationService/Program.cs

@@ -50,7 +50,8 @@ public class Program
         
         #region GraphQL
         
-        builder.Services.AddDefaultGraphQl<Query, Mutation>();
+        builder.Services.AddDefaultGraphQl<Query, Mutation>()
+            .AddAuthorization();
         
         #endregion
         
@@ -66,6 +67,10 @@ public class Program
 
         #endregion
 
+        // Authentication & Authorization
+        builder.Services.AddOidcAuthentication(builder.Configuration);
+        builder.Services.AddFictionArchiveAuthorization();
+
         var app = builder.Build();
         
         // Update database (skip in schema export mode)
@@ -80,6 +85,9 @@ public class Program
 
         app.MapHealthChecks("/healthz");
 
+        app.UseAuthentication();
+        app.UseAuthorization();
+
         app.MapGraphQL();
 
         app.RunWithGraphQLCommands(args);

FictionArchive.Service.TranslationService/appsettings.json

@@ -15,5 +15,15 @@
     "ConnectionString": "amqp://localhost",
     "ClientIdentifier": "TranslationService"
   },
-  "AllowedHosts": "*"
+  "AllowedHosts": "*",
+  "OIDC": {
+    "Authority": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ClientId": "fictionarchive-api",
+    "Audience": "fictionarchive-api",
+    "ValidIssuer": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ValidateIssuer": true,
+    "ValidateAudience": true,
+    "ValidateLifetime": true,
+    "ValidateIssuerSigningKey": true
+  }
 }

FictionArchive.Service.UserService/GraphQL/Mutation.cs

@@ -1,10 +1,13 @@
+using FictionArchive.Service.Shared.Constants;
 using FictionArchive.Service.UserService.Models.Database;
 using FictionArchive.Service.UserService.Services;
+using HotChocolate.Authorization;
 
 namespace FictionArchive.Service.UserService.GraphQL;
 
 public class Mutation
 {
+    [Authorize(Roles = [AuthorizationConstants.Roles.Admin])]
     public async Task<User> RegisterUser(string username, string email, string oAuthProviderId,
         string? inviterOAuthProviderId, UserManagementService userManagementService)
     {

FictionArchive.Service.UserService/GraphQL/Query.cs

@@ -1,10 +1,12 @@
 using FictionArchive.Service.UserService.Models.Database;
 using FictionArchive.Service.UserService.Services;
+using HotChocolate.Authorization;
 
 namespace FictionArchive.Service.UserService.GraphQL;
 
 public class Query
 {
+    [Authorize]
     public async Task<IQueryable<User>> GetUsers(UserManagementService userManagementService)
     {
         return userManagementService.GetUsers();

FictionArchive.Service.UserService/Program.cs

@@ -1,3 +1,4 @@
+using FictionArchive.Common.Extensions;
 using FictionArchive.Service.Shared;
 using FictionArchive.Service.Shared.Extensions;
 using FictionArchive.Service.Shared.Services.EventBus.Implementations;
@@ -15,6 +16,7 @@ public class Program
         var isSchemaExport = SchemaExportDetector.IsSchemaExportMode(args);
 
         var builder = WebApplication.CreateBuilder(args);
+        builder.AddLocalAppsettings();
 
         #region Event Bus
 
@@ -31,7 +33,8 @@ public class Program
         
         #region GraphQL
         
-        builder.Services.AddDefaultGraphQl<Query, Mutation>();
+        builder.Services.AddDefaultGraphQl<Query, Mutation>()
+            .AddAuthorization();
         
         #endregion
         
@@ -42,6 +45,10 @@ public class Program
 
         builder.Services.AddHealthChecks();
 
+        // Authentication & Authorization
+        builder.Services.AddOidcAuthentication(builder.Configuration);
+        builder.Services.AddFictionArchiveAuthorization();
+
         var app = builder.Build();
         
         // Update database (skip in schema export mode)
@@ -52,6 +59,9 @@ public class Program
             dbContext.UpdateDatabase();
         }
         
+        app.UseAuthentication();
+        app.UseAuthorization();
+
         app.MapGraphQL();
 
         app.MapHealthChecks("/healthz");

FictionArchive.Service.UserService/appsettings.json

@@ -12,5 +12,15 @@
     "ConnectionString": "amqp://localhost",
     "ClientIdentifier": "UserService"
   },
-  "AllowedHosts": "*"
+  "AllowedHosts": "*",
+  "OIDC": {
+    "Authority": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ClientId": "fictionarchive-api",
+    "Audience": "fictionarchive-api",
+    "ValidIssuer": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ValidateIssuer": true,
+    "ValidateAudience": true,
+    "ValidateLifetime": true,
+    "ValidateIssuerSigningKey": true
+  }
 }

docker-compose.yml

@@ -128,6 +128,9 @@ services:
       S3__AccessKey: ${S3_ACCESS_KEY}
       S3__SecretKey: ${S3_SECRET_KEY}
       Proxy__BaseUrl: https://files.orfl.xyz/api
+      OIDC__Authority: https://auth.orfl.xyz/application/o/fictionarchive/
+      OIDC__ClientId: fictionarchive-files
+      OIDC__Audience: fictionarchive-api
     healthcheck:
       test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/healthz"]
       interval: 30s
@@ -151,6 +154,9 @@ services:
     image: git.orfl.xyz/conco/fictionarchive-api:latest
     environment:
       ConnectionStrings__RabbitMQ: amqp://${RABBITMQ_USER:-guest}:${RABBITMQ_PASSWORD:-guest}@rabbitmq
+      OIDC__Authority: https://auth.orfl.xyz/application/o/fictionarchive/
+      OIDC__ClientId: fictionarchive-api
+      OIDC__Audience: fictionarchive-api
     healthcheck:
       test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/healthz"]
       interval: 30s

fictionarchive-web/src/auth/AuthContext.tsx

@@ -2,6 +2,29 @@ import { createContext, useCallback, useContext, useEffect, useMemo, useRef, use
 import type { User } from 'oidc-client-ts'
 import { isOidcConfigured, userManager } from './oidcClient'
 
+// Cookie management helper functions
+function setCookieFromUser(user: User) {
+  if (!user?.access_token) return
+  
+  const isProduction = window.location.hostname !== 'localhost'
+  const domain = isProduction ? '.orfl.xyz' : undefined
+  const secure = isProduction
+  const sameSite = isProduction ? 'None' : 'Lax'
+  
+  // Set cookie with JWT token from user
+  const cookieValue = `fa_session=${user.access_token}; path=/; ${secure ? 'secure; ' : ''}samesite=${sameSite}${domain ? `; domain=${domain}` : ''}`
+  document.cookie = cookieValue
+}
+
+function clearFaSessionCookie() {
+  const isProduction = window.location.hostname !== 'localhost'
+  const domain = isProduction ? '.orfl.xyz' : undefined
+  
+  // Clear cookie by setting expiration date in the past
+  const cookieValue = `fa_session=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT${domain ? `; domain=${domain}` : ''}`
+  document.cookie = cookieValue
+}
+
 type AuthContextValue = {
   user: User | null
   isLoading: boolean
@@ -26,7 +49,12 @@ export function AuthProvider({ children }: { children: ReactNode }) {
     userManager
       .getUser()
       .then((loadedUser) => {
-        if (!cancelled) setUser(loadedUser ?? null)
+        if (!cancelled) {
+          setUser(loadedUser ?? null)
+          if (loadedUser) {
+            setCookieFromUser(loadedUser)
+          }
+        }
       })
       .finally(() => {
         if (!cancelled) setIsLoading(false)
@@ -41,8 +69,14 @@ export function AuthProvider({ children }: { children: ReactNode }) {
     const manager = userManager
     if (!manager) return
 
-    const handleLoaded = (nextUser: User) => setUser(nextUser)
+    const handleLoaded = (nextUser: User) => {
-    const handleUnloaded = () => setUser(null)
+      setUser(nextUser)
+      setCookieFromUser(nextUser)
+    }
+    const handleUnloaded = () => {
+      setUser(null)
+      clearFaSessionCookie()
+    }
 
     manager.events.addUserLoaded(handleLoaded)
     manager.events.addUserUnloaded(handleUnloaded)
@@ -72,6 +106,9 @@ export function AuthProvider({ children }: { children: ReactNode }) {
       .signinRedirectCallback()
       .then((nextUser) => {
         setUser(nextUser ?? null)
+        if (nextUser) {
+          setCookieFromUser(nextUser)
+        }
       })
       .catch((error) => {
         console.error('Failed to complete sign-in redirect', error)
@@ -103,6 +140,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {
       console.error('Failed to sign out via redirect, clearing local session instead.', error)
       await manager.removeUser()
       setUser(null)
+      clearFaSessionCookie()
     }
   }, [])