Merge pull request #282 from nbhansen/fix/ci-jwt-secret

fix: Provide default JWT secret for CI tests on fork PRs

may the gods be with you all

Author: nbhansen

Backend/VTA.API/Controllers/UsersController.cs

@@ -422,9 +422,13 @@ private bool UsernameExists(string username)
     /// <exception cref="InvalidOperationException"></exception>
     private string GenerateJwt(User user)
     {
-        var secretKey = config.GetValue<string>("Secret:SecretKey")
-                        ?? Environment.GetEnvironmentVariable("JWT_SECRET") //Someone added this, why, i do not know, cause the key is stored in the appsettings.json not env variables
-                        ?? throw new InvalidOperationException("A JWT secret is required for token generation."); //Throw if no secret is found
+        // Get secret from configuration first, fall back to environment variable
+        // Use helper variables to properly handle empty strings (not just null)
+        var configSecret = config.GetValue<string>("Secret:SecretKey");
+        var envSecret = Environment.GetEnvironmentVariable("JWT_SECRET");
+        var secretKey = !string.IsNullOrWhiteSpace(configSecret) ? configSecret
+                      : !string.IsNullOrWhiteSpace(envSecret) ? envSecret
+                      : throw new InvalidOperationException("A JWT secret is required for token generation.");
         var validIssuer = "api.vta.com";
         var validAudience = "user.vta.com";
 

Backend/VTA.API/Program.cs

@@ -42,18 +42,16 @@
     }
 );
 
-var config = new ConfigurationBuilder()
-    .SetBasePath(Directory.GetCurrentDirectory())
-    .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
-    .AddEnvironmentVariables()
-    .Build();
-
-var jwtSecretKey = Environment.GetEnvironmentVariable("JWT_SECRET") //I still do not know why this was added, we are reading the Secretkey from appsettings, not the OS env variables
-                   ?? config["Secret:SecretKey"];//load our secret
-
-if (string.IsNullOrEmpty(jwtSecretKey))
+// Get JWT secret from environment variable (for production/CI) or configuration (for development)
+// Use a helper to treat empty/whitespace strings the same as null
+var envSecret = Environment.GetEnvironmentVariable("JWT_SECRET");
+var jwtSecretKey = !string.IsNullOrWhiteSpace(envSecret)
+    ? envSecret
+    : builder.Configuration["Secret:SecretKey"];
+
+if (string.IsNullOrWhiteSpace(jwtSecretKey))
 {
-    throw new ArgumentNullException("JWT_SECRET_KEY environment variable or SecretKey in appsettings.json is required.");
+    throw new ArgumentNullException("JWT_SECRET environment variable or Secret:SecretKey in configuration is required.");
 }
 /*Configure Json Web Tokens*/
 var jwtIssuer = "api.vta.com";

Backend/VTA.Tests/TestHelpers/CustomApplicationFactory.cs

@@ -14,6 +14,18 @@ public class CustomApplicationFactory : WebApplicationFactory<Program>, IAsyncLi
     {
         private readonly MySqlContainer _mySqlContainer;
 
+        // Static constructor runs once per AppDomain, before any instance is created.
+        // This ensures JWT_SECRET is set before WebApplicationFactory starts any host.
+        static CustomApplicationFactory()
+        {
+            // GitHub Actions doesn't expose secrets to fork PRs for security reasons.
+            // The workflow sets JWT_SECRET from secrets, but it resolves to empty string.
+            if (string.IsNullOrWhiteSpace(Environment.GetEnvironmentVariable("JWT_SECRET")))
+            {
+                Environment.SetEnvironmentVariable("JWT_SECRET", "test-jwt-secret-for-ci-must-be-at-least-32-chars");
+            }
+        }
+
         public CustomApplicationFactory()
         {
             var config = new ConfigurationBuilder()
@@ -27,19 +39,6 @@ public CustomApplicationFactory()
                                    ?? Environment.GetEnvironmentVariable("TEST_CONNECTION_STRING")
                                    ?? "server=localhost;port=3306;user=vta_user;password=vta_password;database=vta_test";
 
-            var jwtSecretConfig = new JwtSecretConfig
-            {
-                SecretKey = config.GetValue<string>("Secret:SecretKey")
-                            ?? Environment.GetEnvironmentVariable("JWT_SECRET_KEY"),
-                ValidIssuer = config.GetValue<string>("Secret:ValidIssuer") ?? "api.vta.com",
-                ValidAudience = config.GetValue<string>("Secret:ValidAudience") ?? "user.vta.com"
-            };
-
-            if (string.IsNullOrEmpty(jwtSecretConfig.SecretKey))
-            {
-                throw new ArgumentNullException("A JWT secret is required for token generation.");
-            }
-
             var builder = new MySqlConnectionStringBuilder(connectionString);
             var database = string.IsNullOrEmpty(builder.Database) ? "vta_test" : builder.Database;
             var username = string.IsNullOrEmpty(builder.UserID) ? "root" : builder.UserID;
@@ -97,7 +96,12 @@ protected override void ConfigureWebHost(IWebHostBuilder builder)
                 config
                     .AddJsonFile("/var/www/VTA.API/appsettings.json", optional: true)
                     .AddJsonFile("appsettings.json", optional: true)
-                    .AddEnvironmentVariables();
+                    .AddEnvironmentVariables()
+                    .AddInMemoryCollection(new Dictionary<string, string?>
+                    {
+                        ["Secret:SecretKey"] = Environment.GetEnvironmentVariable("JWT_SECRET_KEY")
+                                               ?? "test-jwt-secret-for-ci-must-be-at-least-32-chars"
+                    });
             });
 
             builder.ConfigureLogging(logging =>
@@ -108,11 +112,5 @@ protected override void ConfigureWebHost(IWebHostBuilder builder)
             });
         }
 
-        private class JwtSecretConfig
-        {
-            public string? SecretKey { get; set; }
-            public string? ValidIssuer { get; set; }
-            public string? ValidAudience { get; set; }
-        }
     }
 }