fix(security): resolve Security-001/002/003 — reachable StartTLS path, Secure cookie, JWT signing key validation

src/ScadaLink.Security/LdapAuthService.cs

@@ -24,7 +24,7 @@ public class LdapAuthService
             return new LdapAuthResult(false, null, null, null, "Password is required.");
 
         // Enforce TLS unless explicitly allowed for dev/test
-        if (!_options.LdapUseTls && !_options.AllowInsecureLdap)
+        if (_options.LdapTransport == LdapTransport.None && !_options.AllowInsecureLdap)
         {
             return new LdapAuthResult(false, null, null, null,
                 "Insecure LDAP connections are not allowed. Enable TLS or set AllowInsecureLdap for dev/test.");
@@ -34,16 +34,24 @@ public class LdapAuthService
         {
             using var connection = new LdapConnection();
 
-            if (_options.LdapUseTls)
+            // LDAPS: TLS negotiated at connection time. StartTLS: connect plaintext,
+            // then upgrade the session before any credentials are sent.
+            if (_options.LdapTransport == LdapTransport.Ldaps)
             {
                 connection.SecureSocketLayer = true;
             }
 
             await Task.Run(() => connection.Connect(_options.LdapServer, _options.LdapPort), ct);
 
-            if (_options.LdapUseTls && !connection.SecureSocketLayer)
+            if (_options.LdapTransport == LdapTransport.StartTls)
             {
                 await Task.Run(() => connection.StartTls(), ct);
+
+                if (!connection.Tls)
+                {
+                    return new LdapAuthResult(false, null, null, null,
+                        "StartTLS upgrade did not produce an encrypted session.");
+                }
             }
 
             // Resolve the user's actual DN, then bind with their credentials