Add Authentication #17

Closed
opened 2025-11-22 04:10:52 +00:00 by conco · 2 comments
Owner

[FA-17] Implement Authentication for API Gateway and FileService

Summary

Add authentication to FictionArchive microservices:

  • API Gateway: JWT Bearer token validation for all GraphQL requests
  • FileService: Cookie-based authentication for browser image requests

Architecture

Frontend (fictionarchive.orfl.xyz)
    │
    │  1. User logs in via OIDC (Authentik)
    │  2. Frontend stores JWT in localStorage (oidc-client-ts)
    │  3. Frontend sets fa_session cookie on .orfl.xyz domain
    │
    ├─► API Gateway (api.fictionarchive.orfl.xyz)
    │   - Validates JWT Bearer tokens (Authorization header)
    │   - Federates to subgraph services
    │
    └─► FileService (files.orfl.xyz)
        - Validates JWT from fa_session cookie
        - Serves files from S3

Tasks

Phase 1: Shared Authentication Infrastructure

  • Add Microsoft.AspNetCore.Authentication.JwtBearer package to FictionArchive.Service.Shared
  • Create FictionArchive.Service.Shared/Models/Authentication/OidcConfiguration.cs
  • Create FictionArchive.Service.Shared/Extensions/AuthenticationExtensions.cs with AddOidcAuthentication() and AddFictionArchiveAuthorization() helpers

Phase 2: API Gateway Authentication

  • Add auth package reference to FictionArchive.API.csproj
  • Update FictionArchive.API/Program.cs to add auth middleware and restrict CORS
  • Add OIDC configuration to FictionArchive.API/appsettings.json

Phase 3: FileService Cookie Authentication

  • Add auth package reference to FictionArchive.Service.FileService.csproj
  • Update FictionArchive.Service.FileService/Program.cs with cookie-based JWT validation (reads from fa_session cookie)
  • Add [Authorize] attribute to S3ProxyController
  • Add OIDC configuration to FictionArchive.Service.FileService/appsettings.json

Phase 4: Frontend Cookie Setting

  • Update fictionarchive-web/src/auth/AuthContext.tsx to set fa_session cookie after login
  • Handle localhost vs production cookie settings (secure, samesite, domain)
  • Clear cookie on logout
Phase 5: Authorization Attributes

  • Add [Authorize] attributes to GraphQL resolvers as needed
  • Add role-based authorization ([Authorize(Roles = new[] { "admin" })]) for admin-only operations

Configuration

  • Add OIDC environment variables to docker-compose.yml for api-gateway and file-service

Files to Modify

File | Changes
FictionArchive.Service.Shared/FictionArchive.Service.Shared.csproj | Add JWT package
FictionArchive.Service.Shared/Extensions/AuthenticationExtensions.cs | New - JWT setup helpers
FictionArchive.Service.Shared/Models/Authentication/OidcConfiguration.cs | New - Config model
FictionArchive.API/Program.cs | Add auth middleware
FictionArchive.API/appsettings.json | Add OIDC config
FictionArchive.Service.FileService/Program.cs | Add cookie-based JWT validation
FictionArchive.Service.FileService/Controllers/S3ProxyController.cs | Add [Authorize]
FictionArchive.Service.FileService/appsettings.json | Add OIDC config
fictionarchive-web/src/auth/AuthContext.tsx | Set cookie after login
docker-compose.yml | Add OIDC environment variables

Security Notes

  • Production cookies: secure; samesite=none required for cross-subdomain on HTTPS
  • Localhost cookies: samesite=lax without secure (allows HTTP)
  • Cookie lifetime: Should match or be shorter than JWT expiration
  • HTTPS: Required in production for Secure cookies
conco added the enhancement label 2025-11-22 06:13:20 +00:00
conco added this to the Phase 3 project 2025-11-24 02:18:28 +00:00
conco moved this to To Do in Phase 3 on 2025-11-24 18:38:09 +00:00
conco moved this to In Progress in Phase 3 on 2025-11-26 23:40:09 +00:00
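The frontend cookie handling that Phase 4 and the Security Notes describe, as an added browser-side example in JavaScript. This is not code from the FictionArchive repository: the cookie name fa_session, the .orfl.xyz domain and the production/localhost attribute split come from the issue text; the hostname rule, the helper names and the sample token are assumptions made for illustration.

```javascript
// Added example, not FictionArchive code: build the fa_session cookie the
// frontend writes after an OIDC login, choosing attributes by host as the
// issue's Security Notes specify, and capping its lifetime at the JWT's exp.
// The hostname check, helper names and sample token are assumptions.

// Decode the JWT payload (base64url) without verifying it. The browser is only
// mirroring a token the IdP issued to it; verification is the services' job.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Production: the cookie must be readable on files.orfl.xyz as well as
// fictionarchive.orfl.xyz, hence Domain=.orfl.xyz. The issue asks for
// SameSite=None, which browsers only accept together with Secure. (Note that
// two subdomains of orfl.xyz are same-site, so Lax would already let these
// image requests carry the cookie; None only matters if the site is embedded
// cross-site.) Localhost has no TLS, so it gets Lax without Secure.
function cookieAttributesFor(hostname) {
  if (hostname === 'localhost' || hostname === '127.0.0.1') {
    return { domain: null, secure: false, sameSite: 'Lax' };
  }
  return { domain: '.orfl.xyz', secure: true, sameSite: 'None' };
}

// The string handed to document.cookie. Max-Age is derived from exp so the
// cookie never outlives the token it carries. A cookie written from script
// cannot be HttpOnly, so it is as exposed to page scripts as the localStorage copy.
function buildSessionCookie(jwt, hostname, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = decodeJwtPayload(jwt);
  if (typeof exp !== 'number') throw new Error('token has no exp claim');
  const maxAge = exp - nowSeconds;
  if (maxAge <= 0) throw new Error('token already expired');
  const attrs = cookieAttributesFor(hostname);
  const parts = [`fa_session=${jwt}`, 'Path=/', `Max-Age=${maxAge}`, `SameSite=${attrs.sameSite}`];
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  if (attrs.secure) parts.push('Secure');
  return parts.join('; ');
}

// Logout: a cookie is only overwritten when Domain and Path match the one that
// was set, so clear it with the same attributes and Max-Age=0.
function buildClearCookie(hostname) {
  const attrs = cookieAttributesFor(hostname);
  const parts = ['fa_session=', 'Path=/', 'Max-Age=0', `SameSite=${attrs.sameSite}`];
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  if (attrs.secure) parts.push('Secure');
  return parts.join('; ');
}

// Constructed sample token with a placeholder signature (not an Authentik token).
const b64url = (s) => btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_EXP = 1800000000;
const SAMPLE_JWT = [
  b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })),
  b64url(JSON.stringify({ sub: 'user-1', exp: SAMPLE_EXP })),
  'signature-placeholder',
].join('.');

// In AuthContext.tsx the call would be, after oidc-client-ts returns the user:
//   document.cookie = buildSessionCookie(user.access_token, location.hostname);
// and on logout:
//   document.cookie = buildClearCookie(location.hostname);
```

Deriving Max-Age from exp is what makes the "cookie lifetime should match or be shorter than JWT expiration" note hold automatically; a fixed lifetime drifts away from the token whenever Authentik's token lifetime changes.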
Author
Owner

@claude can you try handling this issue please?


Claude finished @conco's task —— View job


Authentication System Implementation Complete

I have successfully implemented the authentication system for FictionArchive as outlined in FA-17. All changes have been committed and pushed to the claude/issue-17-add-authentication branch.

Completed Tasks:

  • Phase 1: Shared Authentication Infrastructure
    • Add JWT package to FictionArchive.Service.Shared
    • Create OidcConfiguration.cs model
    • Create AuthenticationExtensions.cs with helpers
  • Phase 2: API Gateway Authentication
    • Add auth package reference to API project
    • Update API Program.cs with auth middleware
    • Add OIDC config to API appsettings.json
  • Phase 3: FileService Cookie Authentication
    • Add auth package reference to FileService project
    • Update FileService Program.cs with cookie-based JWT validation
    • Add [Authorize] to S3ProxyController
    • Add OIDC config to FileService appsettings.json
  • Phase 4: Frontend Cookie Setting
    • Update AuthContext.tsx to set fa_session cookie
    • Handle localhost vs production cookie settings
    • Clear cookie on logout
  • Phase 5: Authorization Attributes
    • Add [Authorize] attributes to GraphQL resolvers
    • Add role-based authorization for admin operations
  • Configuration
    • Add OIDC environment variables to docker-compose.yml
  • Commit changes and push to branch

Key Implementation Details

Authentication Flow:

  1. Frontend handles OIDC login via Authentik
  2. JWT stored in localStorage + fa_session cookie set on .orfl.xyz domain
  3. API Gateway validates JWT Bearer tokens from Authorization header
  4. FileService validates JWT from fa_session cookie for file requests

Security Features:

  • Restricted CORS policy (no more wildcard origins)
  • Production cookies: secure; samesite=none; domain=.orfl.xyz
  • Development cookies: samesite=lax (no secure flag for HTTP localhost)
  • Role-based authorization for admin operations
  • Full JWT validation (issuer, audience, lifetime, signing key)

Branch: claude/issue-17-add-authentication
Files Modified: 14 files across shared infrastructure, API Gateway, FileService, frontend, and GraphQL resolvers

Next Steps

Please create a pull request from the claude/issue-17-add-authentication branch to merge these authentication changes.


conco closed this issue 2025-11-28 04:26:34 +00:00
conco moved this to Done in Phase 3 on 2025-11-28 04:26:39 +00:00

Reference: conco/FictionArchive#17