Merge pull request #331 from meysamhadeli/fix/fix-jwt-config

fix/fix jwt config

Author: meysamhadeli

building-blocks/Jwt/JwtExtensions.cs

@@ -30,7 +30,8 @@ public static IServiceCollection AddJwt(this IServiceCollection services)
                     options.TokenValidationParameters = new TokenValidationParameters
                     {
                         ValidateAudience = false,
-                        ClockSkew = TimeSpan.FromSeconds(2) // For prevent add default value (5min) to life time token!
+                        ClockSkew = TimeSpan.FromSeconds(2), // For prevent add default value (5min) to life time token!
+                        ValidateLifetime = true,       // Enforce token expiry
                     };
 
                     options.RequireHttpsMetadata = jwtOptions.RequireHttpsMetadata;
@@ -48,20 +49,14 @@ public static IServiceCollection AddJwt(this IServiceCollection services)
                             .RequireAuthenticatedUser()
                             .Build();
 
-                    // Add your scope policy (optional)
-                    if (!string.IsNullOrEmpty(jwtOptions.Audience))
-                    {
-                        options.AddPolicy(
-                            nameof(ApiScope),
-                            policy =>
-                            {
-                                policy.AuthenticationSchemes.Add(
-                                    JwtBearerDefaults.AuthenticationScheme);
-
-                                policy.RequireAuthenticatedUser();
-                                policy.RequireClaim("scope", jwtOptions.Audience);
-                            });
-                    }
+                    options.AddPolicy(
+                        nameof(ApiScope),
+                        policy =>
+                        {
+                            policy.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
+                            policy.RequireAuthenticatedUser();
+                            policy.RequireClaim("scope", jwtOptions.Audience);
+                        });
                 });
         }
 

building-blocks/TestBase/TestBase.cs

@@ -7,11 +7,13 @@
 using BuildingBlocks.Mongo;
 using BuildingBlocks.PersistMessageProcessor;
 using BuildingBlocks.Web;
+using Duende.IdentityServer.EntityFramework.Entities;
 using EasyNetQ.Management.Client;
 using Grpc.Net.Client;
 using MassTransit;
 using MassTransit.Testing;
 using MediatR;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc.Testing;
@@ -57,16 +59,15 @@ public HttpClient HttpClient
     {
         get
         {
-            var claims =
-                new Dictionary<string, object>
-                {
-                    {ClaimTypes.Name, "[email protected]"},
-                    {ClaimTypes.Role, "admin"},
-                    {"scope", "flight-api"}
-                };
+            var claims = new Dictionary<string, object>
+                         {
+                             { ClaimTypes.Name, "[email protected]" },
+                             { ClaimTypes.Role, "admin" },
+                             { "scope", "flight-api" }
+                         };
 
-            var httpClient = _factory?.CreateClient();
-            httpClient.SetFakeBearerToken(claims);
+            var httpClient = _factory.CreateClient();
+            httpClient.SetFakeBearerToken(claims); // Uses FakeJwtBearer
             return httpClient;
         }
     }
@@ -106,19 +107,28 @@ protected TestFixture()
                                               .AsImplementedInterfaces()
                                               .WithScopedLifetime());
 
-                            // add authentication using a fake jwt bearer - we can use SetAdminUser method to set authenticate user to existing HttContextAccessor
+                            // Add Fake JWT Authentication - we can use SetAdminUser method to set authenticate user to existing HttContextAccessor
                             // https://github.com/webmotions/fake-authentication-jwtbearer
                             // https://github.com/webmotions/fake-authentication-jwtbearer/issues/14
                             services.AddAuthentication(
                                     options =>
                                     {
-                                        options.DefaultAuthenticateScheme =
-                                            FakeJwtBearerDefaults.AuthenticationScheme;
+                                        options.DefaultAuthenticateScheme = FakeJwtBearerDefaults.AuthenticationScheme;
 
-                                        options.DefaultChallengeScheme =
-                                            FakeJwtBearerDefaults.AuthenticationScheme;
+                                        options.DefaultChallengeScheme = FakeJwtBearerDefaults.AuthenticationScheme;
                                     })
                                 .AddFakeJwtBearer();
+
+                            // Mock Authorization Policies
+                            services.AddAuthorization(options =>
+                                   {
+                                       options.AddPolicy(nameof(ApiScope), policy =>
+                                       {
+                                           policy.AddAuthenticationSchemes(FakeJwtBearerDefaults.AuthenticationScheme);
+                                           policy.RequireAuthenticatedUser();
+                                           policy.RequireClaim("scope", "flight-api"); // Test-specific scope
+                                       });
+                                   });
                         });
                 });
     }