feat(auth): ScadaBridge full canonical claims (ZbClaimTypes role/scope) + ZbCookieDefaults, keep cookie name (Task 1.5)

2026-06-02 06:23:15 -04:00
parent afa55981d5
commit a0938f708b
25 changed files with 247 additions and 50 deletions
@@ -63,17 +63,23 @@ public static class ServiceCollectionExtensions
        // now enforces Server + SearchBase + ServiceAccountDn + transport at startup. The
        // JWT signing key continues to fail-fast at JwtTokenService construction.

-        // Register ASP.NET Core authentication with cookie scheme
+        // Register ASP.NET Core authentication with cookie scheme. The non-
+        // SecurityOptions-coupled settings (paths, cookie name) are set here; the
+        // hardened cookie defaults that depend on SecurityOptions (idle timeout,
+        // HTTPS policy) are applied via the SecurityOptions-bound PostConfigure
+        // below through ZbCookieDefaults.Apply.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = "/login";
                options.LogoutPath = "/auth/logout";
+                // The cookie NAME is app-owned and not set by ZbCookieDefaults.Apply
+                // (so co-hosted ZB apps do not clobber each other's session). Keep
+                // ScadaBridge's existing name so live sessions survive this change.
                options.Cookie.Name = "ZB.MOM.WW.ScadaBridge.Auth";
-                options.Cookie.HttpOnly = true;
-                options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
-                // Cookie.SecurePolicy is set in the PostConfigure block below so it
-                // can honour SecurityOptions.RequireHttpsCookie.
+                // HttpOnly / SameSite / SecurePolicy / SlidingExpiration /
+                // ExpireTimeSpan are all set by ZbCookieDefaults.Apply in the
+                // SecurityOptions-bound PostConfigure below.
            });

        // CentralUI-005: configure the cookie session as a sliding window so the
@@ -90,27 +96,27 @@ public static class ServiceCollectionExtensions
        // itself (see JwtTokenService) — a separate layer from the cookie
        // session window. Bound here via PostConfigure so SecurityOptions
        // (configured by the Host after AddSecurity) is honoured.
+        //
+        // Task 1.5: the cookie hardening (HttpOnly=true, SameSite=Strict,
+        // SecurePolicy, SlidingExpiration=true, ExpireTimeSpan=idle) now comes from
+        // the shared ZbCookieDefaults.Apply, with requireHttps + idleTimeout driven
+        // by SecurityOptions so behaviour (30-min sliding idle window, HTTPS-only
+        // unless explicitly opted out) is preserved.
        services.AddOptions<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme)
            .Configure<IOptions<SecurityOptions>, ILoggerFactory>((cookieOptions, securityOptions, loggerFactory) =>
            {
-                var idleMinutes = securityOptions.Value.IdleTimeoutMinutes;
-                cookieOptions.ExpireTimeSpan = TimeSpan.FromMinutes(idleMinutes);
-                cookieOptions.SlidingExpiration = true;
-
-                // The cookie carries the embedded JWT bearer credential. Production
-                // keeps it HTTPS-only (Always); an HTTP-only deployment (e.g. the
-                // local Docker dev cluster) opts out via RequireHttpsCookie=false and
-                // uses SameAsRequest — still Secure on any HTTPS request.
-                cookieOptions.Cookie.SecurePolicy = securityOptions.Value.RequireHttpsCookie
-                    ? Microsoft.AspNetCore.Http.CookieSecurePolicy.Always
-                    : Microsoft.AspNetCore.Http.CookieSecurePolicy.SameAsRequest;
+                ZbCookieDefaults.Apply(
+                    cookieOptions,
+                    requireHttps: securityOptions.Value.RequireHttpsCookie,
+                    idleTimeout: TimeSpan.FromMinutes(securityOptions.Value.IdleTimeoutMinutes));

                // Security-021: when the operator opts out of HTTPS-only cookies,
                // log a Warning so an HTTP-only deployment is at least audible in
                // the startup log. The cookie carries the embedded JWT bearer
                // credential — over plain HTTP that travels in cleartext on every
                // request. The default is true; this branch fires only on an
-                // explicit opt-out (typically the dev Docker cluster).
+                // explicit opt-out (typically the dev Docker cluster). Apply sets
+                // SecurePolicy=SameAsRequest in that case.
                if (!securityOptions.Value.RequireHttpsCookie)
                {
                    loggerFactory.CreateLogger("ZB.MOM.WW.ScadaBridge.Security").LogWarning(