From 1d652b24c6600048e423768850f46976c471686e Mon Sep 17 00:00:00 2001
From: Joseph Doherty
Date: Tue, 16 Jun 2026 08:23:14 -0400
Subject: [PATCH] refactor(dashboard): normalize auto-login user in ctor; clarify claim-shape doc; add custom-user test
---
 .../DashboardAutoLoginAuthenticationHandler.cs | 10 ++++++++--
 .../DashboardAutoLoginAuthenticationHandlerTests.cs | 10 ++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/src/ZB.MOM.WW.MxGateway.Server/Dashboard/DashboardAutoLoginAuthenticationHandler.cs b/src/ZB.MOM.WW.MxGateway.Server/Dashboard/DashboardAutoLoginAuthenticationHandler.cs
index bb0adb9..5c49317 100644
--- a/src/ZB.MOM.WW.MxGateway.Server/Dashboard/DashboardAutoLoginAuthenticationHandler.cs
+++ b/src/ZB.MOM.WW.MxGateway.Server/Dashboard/DashboardAutoLoginAuthenticationHandler.cs
@@ -36,7 +36,10 @@ public sealed class DashboardAutoLoginAuthenticationHandler
 UrlEncoder encoder,
 IOptions gatewayOptions)
 : base(options, logger, encoder)
- => _user = gatewayOptions.Value.Dashboard.AutoLoginUser ?? DefaultUser;
+ {
+ string? configured = gatewayOptions.Value.Dashboard.AutoLoginUser;
+ _user = string.IsNullOrWhiteSpace(configured) ? DefaultUser : configured.Trim();
+ }
 /// No-op: auto-login writes no cookie, so a sign-in has nothing to persist.
 /// Ignored.
@@ -60,7 +63,9 @@ public sealed class DashboardAutoLoginAuthenticationHandler
 ///
 /// Builds the multi-role dev principal. Null/blank falls back to
- /// . Claim shape mirrors .
+ /// . The authorization-relevant claim shape mirrors
+ /// ; LDAP group claims (LdapGroupClaimType) are
+ /// intentionally omitted because auto-login has no real LDAP context.
 ///
 /// The configured auto-login username (may be null/blank).
 /// An authenticated principal holding both dashboard roles.
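Review bot: The constructor's new fallback-and-trim expression is a second copy of the one `CreatePrincipal` already applies (`string.IsNullOrWhiteSpace(user) ? DefaultUser : user.Trim()`), so the name the handler stores and the name written into the claims can drift if only one copy is edited later. A single helper such as `private static string NormalizeUser(string? user) => string.IsNullOrWhiteSpace(user) ? DefaultUser : user.Trim();`, called from both places, keeps the identity consistent. The constructor path also has no test in this commit: the added test calls `CreatePrincipal` directly, so a blank or whitespace-padded `AutoLoginUser` coming from options is not exercised. The constructor's signature starts outside the hunk.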
@@ -68,6 +73,7 @@ public sealed class DashboardAutoLoginAuthenticationHandler
 {
 string name = string.IsNullOrWhiteSpace(user) ? DefaultUser : user.Trim();
+ // LdapGroupClaimType claims are omitted — no LDAP groups exist in the auto-login context.
 Claim[] claims =
 [
 new Claim(ClaimTypes.NameIdentifier, name),
diff --git a/src/ZB.MOM.WW.MxGateway.Tests/Gateway/Dashboard/DashboardAutoLoginAuthenticationHandlerTests.cs b/src/ZB.MOM.WW.MxGateway.Tests/Gateway/Dashboard/DashboardAutoLoginAuthenticationHandlerTests.cs
index 41b9e78..219e031 100644
--- a/src/ZB.MOM.WW.MxGateway.Tests/Gateway/Dashboard/DashboardAutoLoginAuthenticationHandlerTests.cs
+++ b/src/ZB.MOM.WW.MxGateway.Tests/Gateway/Dashboard/DashboardAutoLoginAuthenticationHandlerTests.cs
@@ -34,4 +34,14 @@ public sealed class DashboardAutoLoginAuthenticationHandlerTests
 Assert.Equal("multi-role", principal.Identity!.Name);
 }
+
+ [Fact]
+ public void CreatePrincipal_CustomUser_PreservesNameAndRoles()
+ {
+ ClaimsPrincipal principal = DashboardAutoLoginAuthenticationHandler.CreatePrincipal("gw-viewer");
+
+ Assert.Equal("gw-viewer", principal.Identity!.Name);
+ Assert.True(principal.IsInRole(DashboardRoles.Admin));
+ Assert.True(principal.IsInRole(DashboardRoles.Viewer));
+ }
 }
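Review bot: Nothing visible in this claim list marks the principal as synthetic, and `name` comes from configuration, so a configured name that matches a real account would presumably be attributed to that account in audit records. Unless the identity's authentication type, which is built outside this hunk, already carries that distinction, consider a marker claim such as `new Claim(ClaimTypes.AuthenticationMethod, "auto-login"),` (value illustrative) and extend the new comment to mention it. The claim array and the rest of `CreatePrincipal` continue past the hunk.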
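Review bot: The new test pins only a clean custom name; the trimming branch and the documented absence of LDAP group claims are left unasserted. Adding `Assert.Equal("gw-viewer", DashboardAutoLoginAuthenticationHandler.CreatePrincipal("  gw-viewer  ").Identity!.Name);` covers the `Trim()` path. An assertion that the principal carries no claim of type `LdapGroupClaimType` would turn the "intentionally omitted" statement in the doc comment into a checked invariant, so a later edit cannot quietly attach group claims to a principal that was never authenticated.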