namespace ZB.MOM.WW.ScadaBridge.Security;
/// <summary>
/// Non-LDAP security settings bound from the ScadaBridge:Security section:
/// the signing key and lifetime of the cookie-embedded JWT, the refresh
/// threshold, the session idle timeout, and the cookie Secure policy.
/// </summary>
/// <remarks>
/// Task 1.2/1.4 cutover: the flat Ldap* keys that used to live on this type
/// (server, port, transport, search base, service account, attributes,
/// timeout) now bind to the nested ScadaBridge:Security:Ldap sub-section via
/// the shared ZB.MOM.WW.Auth.Abstractions.Ldap.LdapOptions, registered with
/// AddZbLdapAuth. That is a BREAKING config-key change — see CHANGELOG. The
/// members below are unchanged and still bind from ScadaBridge:Security.
///
/// This type is a plain options POCO: it has no constructor and no setter
/// logic, so nothing here checks the key length or the timeout values. Those
/// checks are presumably done by options validation where this section is
/// bound — confirm against the registration code.
/// </remarks>
public class SecurityOptions
{
    /// <summary>
    /// Smallest acceptable <see cref="JwtSigningKey"/> length in bytes:
    /// 32 bytes = 256 bits, the HMAC-SHA256 output size.
    /// </summary>
    /// <remarks>
    /// As a <c>const</c> this value is inlined into referencing assemblies;
    /// changing it requires rebuilding every consumer.
    /// </remarks>
    public const int MinJwtSigningKeyBytes = 32;

    /// <summary>
    /// Symmetric key used to HMAC-SHA256-sign the cookie-embedded JWT.
    /// Defaults to the empty string (no usable key). Expected to be at
    /// least <see cref="MinJwtSigningKeyBytes"/> bytes once encoded; the
    /// byte encoding applied to this string is decided by the consumer,
    /// not by this type, and the minimum is not enforced here.
    /// </summary>
    public string JwtSigningKey { get; set; } = "";

    /// <summary>
    /// Lifetime of the cookie-embedded JWT in minutes; after this it has
    /// to be refreshed. Defaults to 15.
    /// </summary>
    public int JwtExpiryMinutes { get; set; } = 15;

    /// <summary>
    /// Number of minutes before JWT expiry at which a refresh is triggered.
    /// Defaults to 5. Presumably meant to be smaller than
    /// <see cref="JwtExpiryMinutes"/>; that relation is not checked here.
    /// </summary>
    public int JwtRefreshThresholdMinutes { get; set; } = 5;

    /// <summary>
    /// Session idle timeout in minutes; a session with no activity for
    /// longer than this is treated as expired. Defaults to 30.
    /// </summary>
    public int IdleTimeoutMinutes { get; set; } = 30;

    /// <summary>
    /// Controls the Secure flag on the authentication cookie. When true
    /// (the default, and the production setting — the cookie carries the
    /// embedded JWT bearer credential) the cookie is always marked Secure and
    /// therefore only travels over HTTPS. When false, intended for an
    /// HTTP-only deployment such as the local Docker dev cluster, the cookie
    /// policy consumer (outside this file) uses SameAsRequest instead: still
    /// Secure on HTTPS requests, but usable over plain HTTP.
    /// </summary>
    public bool RequireHttpsCookie { get; set; } = true;
}