dohertj2/scadalink-design
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix Central launch profile: auth middleware, cookie auth, antiforgery, static files

Browse Source 
- Add UseAuthentication/UseAuthorization/UseAntiforgery/UseStaticFiles middleware
- Register ASP.NET Core cookie authentication scheme in AddSecurity()
- Update auth endpoints to use SignInAsync/SignOutAsync (proper cookie auth)
- Add [AllowAnonymous] to login page
- Create wwwroot for static file serving
- Regenerate clean EF migration after model changes

Verified with launch profile "ScadaLink Central":
- Host starts, connects to SQL Server, applies EF migrations
- Akka.NET cluster forms (remoting on 8081, node joins self as leader)
- /health/ready returns Healthy (DB + Akka checks)
- LDAP auth works (admin/password via GLAuth → 302 + auth cookie set)
- Login page renders (HTTP 200)
- Unauthenticated requests redirect to /login
This commit is contained in:
Joseph Doherty
2026-03-17 03:43:11 -04:00
parent 121983fd66
commit 0b10747bd2
6 changed files with 1061 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
src/ScadaLink.CentralUI/Auth/AuthEndpoints.cs
View File

@@ -1,3 +1,6 @@
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;
@@ -8,7 +11,7 @@ namespace ScadaLink.CentralUI.Auth;
/// <summary>
/// Minimal API endpoints for login/logout. These run outside Blazor Server (standard HTTP POST).
/// On success, sets an HTTP-only cookie containing the JWT, then redirects to dashboard.
/// On success, signs in via ASP.NET Core cookie authentication and redirects to dashboard.
/// </summary>
public static class AuthEndpoints
{
@@ -41,37 +44,47 @@ public static class AuthEndpoints
// Map LDAP groups to roles
var roleMappingResult = await roleMapper.MapGroupsToRolesAsync(authResult.Groups ?? []);
var token = jwtService.GenerateToken(
authResult.DisplayName ?? username,
authResult.Username ?? username,
roleMappingResult.Roles,
roleMappingResult.IsSystemWideDeployment ? null : roleMappingResult.PermittedSiteIds);
// Build claims from LDAP auth + role mapping
var claims = new List<Claim>
{
new(ClaimTypes.Name, authResult.Username ?? username),
new(JwtTokenService.DisplayNameClaimType, authResult.DisplayName ?? username),
new(JwtTokenService.UsernameClaimType, authResult.Username ?? username),
};
// Set HTTP-only cookie with the JWT
context.Response.Cookies.Append(
CookieAuthenticationStateProvider.AuthCookieName,
token,
new CookieOptions
foreach (var role in roleMappingResult.Roles)
{
claims.Add(new Claim(JwtTokenService.RoleClaimType, role));
}
if (!roleMappingResult.IsSystemWideDeployment)
{
foreach (var siteId in roleMappingResult.PermittedSiteIds)
{
HttpOnly = true,
Secure = context.Request.IsHttps,
SameSite = SameSiteMode.Strict,
Path = "/",
// Cookie expiry matches JWT idle timeout (30 min default)
MaxAge = TimeSpan.FromMinutes(30)
claims.Add(new Claim(JwtTokenService.SiteIdClaimType, siteId));
}
}
var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
var principal = new ClaimsPrincipal(identity);
await context.SignInAsync(
CookieAuthenticationDefaults.AuthenticationScheme,
principal,
new AuthenticationProperties
{
IsPersistent = true,
ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(30)
});
context.Response.Redirect("/");
});
}).DisableAntiforgery();
endpoints.MapPost("/auth/logout", (HttpContext context) =>
endpoints.MapPost("/auth/logout", async (HttpContext context) =>
{
context.Response.Cookies.Delete(CookieAuthenticationStateProvider.AuthCookieName, new CookieOptions
{
Path = "/"
});
await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
context.Response.Redirect("/login");
});
}).DisableAntiforgery();
return endpoints;
}