food-market/src
nurdotnet b07232521b fix(auth): return 401 instead of 302 for API challenges; persist dev signing key across restarts
Root cause of the 404 on /api/admin/moysklad/test (and /api/me):
- AddIdentity<> sets DefaultChallengeScheme = IdentityConstants.ApplicationScheme
  (cookies), so unauthorized API calls got 302 → /Account/Login → 404 instead of 401.
- Ephemeral OpenIddict keys (AddEphemeralSigningKey) regenerated on every API
  restart, silently invalidating any JWT already stored in the browser.

Fixes:
- Explicitly set DefaultScheme / DefaultAuthenticateScheme / DefaultChallengeScheme
  to OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme so [Authorize]
  challenges now return 401 (axios interceptor can react + retry or redirect).
- Replace ephemeral RSA keys with a persistent dev RSA key stored in
  src/food-market.api/App_Data/openiddict-dev-key.xml (gitignored). Generated on
  first run, reused on subsequent starts. Dev tokens now survive API restarts.
  Production must register proper X509 certificates via configuration.
- .gitignore: add App_Data/, *.pem, openiddict-dev-key.xml patterns.
- Web axios: on hard 401 with failed refresh, redirect to /login rather than
  leaving the user stuck on a protected screen.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 21:42:53 +05:00
food-market.api fix(auth): return 401 instead of 302 for API challenges; persist dev signing key across restarts 2026-04-21 21:42:53 +05:00
food-market.application phase1b: catalog CRUD API (countries, currencies, vat, units, stores, retail points, product groups, counterparties, products) 2026-04-21 19:22:56 +05:00
food-market.domain phase1a: catalog domain (countries, currencies, vat, units, counterparties, stores, retail points, products) 2026-04-21 19:16:10 +05:00
food-market.infrastructure phase1e: MoySklad import integration (admin-only, per-request token, no persistence) 2026-04-21 21:07:58 +05:00
food-market.pos Phase 0: project scaffolding and end-to-end auth 2026-04-21 13:59:13 +05:00
food-market.pos.core Phase 0: project scaffolding and end-to-end auth 2026-04-21 13:59:13 +05:00
food-market.shared Phase 0: project scaffolding and end-to-end auth 2026-04-21 13:59:13 +05:00
food-market.web fix(auth): return 401 instead of 302 for API challenges; persist dev signing key across restarts 2026-04-21 21:42:53 +05:00