food-market

nns/food-market

Fork 0

Commit graph

Author	SHA1	Message	Date
nurdotnet	b07232521b	fix(auth): return 401 instead of 302 for API challenges; persist dev signing key across restarts Root cause of the 404 on /api/admin/moysklad/test (and /api/me): - AddIdentity<> sets DefaultChallengeScheme = IdentityConstants.ApplicationScheme (cookies), so unauthorized API calls got 302 → /Account/Login → 404 instead of 401. - Ephemeral OpenIddict keys (AddEphemeralSigningKey) regenerated on every API restart, silently invalidating any JWT already stored in the browser. Fixes: - Explicitly set DefaultScheme / DefaultAuthenticateScheme / DefaultChallengeScheme to OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme so [Authorize] challenges now return 401 (axios interceptor can react + retry or redirect). - Replace ephemeral RSA keys with a persistent dev RSA key stored in src/food-market.api/App_Data/openiddict-dev-key.xml (gitignored). Generated on first run, reused on subsequent starts. Dev tokens now survive API restarts. Production must register proper X509 certificates via configuration. - .gitignore: add App_Data/, *.pem, openiddict-dev-key.xml patterns. - Web axios: on hard 401 with failed refresh, redirect to /login rather than leaving the user stuck on a protected screen. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-21 21:42:53 +05:00
nns	fd2f5ae4f3	Phase 0: project scaffolding and end-to-end auth - .NET 8 LTS solution with 7 projects (domain/application/infrastructure/api/shared/pos.core/pos[WPF]) - Central package management (Directory.Packages.props), .editorconfig, global.json pin to 8.0.417 - PostgreSQL 14 dev DB via existing brew service; food_market database created - ASP.NET Identity + OpenIddict 5 (password + refresh token flows) with ephemeral dev keys - EF Core 8 + Npgsql; multi-tenant query filter via reflection over ITenantEntity - Initial migration: 13 tables (Identity + OpenIddict + organizations) - AuthorizationController implements /connect/token; seeders create demo org + admin - Protected /api/me endpoint returns current user + org claims - React 19 + Vite 8 + Tailwind v4 SPA with TanStack Query, React Router 7 - Login flow with dev-admin placeholder, bearer interceptor + refresh token fallback - docs/architecture.md, CLAUDE.md, README.md Verified end-to-end: health check, password grant issues JWT with org_id, web app builds successfully (310 kB gzipped). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-21 13:59:13 +05:00

Author

SHA1

Message

Date

nurdotnet

b07232521b

fix(auth): return 401 instead of 302 for API challenges; persist dev signing key across restarts

Root cause of the 404 on /api/admin/moysklad/test (and /api/me):
- AddIdentity<> sets DefaultChallengeScheme = IdentityConstants.ApplicationScheme
  (cookies), so unauthorized API calls got 302 → /Account/Login → 404 instead of 401.
- Ephemeral OpenIddict keys (AddEphemeralSigningKey) regenerated on every API
  restart, silently invalidating any JWT already stored in the browser.

Fixes:
- Explicitly set DefaultScheme / DefaultAuthenticateScheme / DefaultChallengeScheme
  to OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme so [Authorize]
  challenges now return 401 (axios interceptor can react + retry or redirect).
- Replace ephemeral RSA keys with a persistent dev RSA key stored in
  src/food-market.api/App_Data/openiddict-dev-key.xml (gitignored). Generated on
  first run, reused on subsequent starts. Dev tokens now survive API restarts.
  Production must register proper X509 certificates via configuration.
- .gitignore: add App_Data/, *.pem, openiddict-dev-key.xml patterns.
- Web axios: on hard 401 with failed refresh, redirect to /login rather than
  leaving the user stuck on a protected screen.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-21 21:42:53 +05:00

nns

fd2f5ae4f3

Phase 0: project scaffolding and end-to-end auth

- .NET 8 LTS solution with 7 projects (domain/application/infrastructure/api/shared/pos.core/pos[WPF])
- Central package management (Directory.Packages.props), .editorconfig, global.json pin to 8.0.417
- PostgreSQL 14 dev DB via existing brew service; food_market database created
- ASP.NET Identity + OpenIddict 5 (password + refresh token flows) with ephemeral dev keys
- EF Core 8 + Npgsql; multi-tenant query filter via reflection over ITenantEntity
- Initial migration: 13 tables (Identity + OpenIddict + organizations)
- AuthorizationController implements /connect/token; seeders create demo org + admin
- Protected /api/me endpoint returns current user + org claims
- React 19 + Vite 8 + Tailwind v4 SPA with TanStack Query, React Router 7
- Login flow with dev-admin placeholder, bearer interceptor + refresh token fallback
- docs/architecture.md, CLAUDE.md, README.md

Verified end-to-end: health check, password grant issues JWT with org_id,
web app builds successfully (310 kB gzipped).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-21 13:59:13 +05:00

2 commits