
feat: migrate VTA backend to Core JWT authentication (Phases 1-6)#289

Closed
nbhansen wants to merge 7 commits into aau-giraf:dev-main from nbhansen:feature/core-auth

Conversation

@nbhansen
Contributor

Summary

Migrates the VTA backend (VTA.API + SyncService) from local authentication to giraf-core JWT-based authentication, completing Phases 1-6 of the Core integration plan.

70 files changed, ~810 insertions, ~2740 deletions (net ~1900 lines deleted)

What changed

  • Phases 1-2: JWT validation using shared JWT_SECRET, OrganizationMember/Admin/Owner authorization policies based on org_roles claim, ICoreClient/GirafCoreClient for validating entities in Core
  • Phase 3: Schema migration from string UUIDs to int user IDs (matching Core), updated mysql_schema.sql
  • Phase 4: Deleted legacy auth infrastructure (AccountController, AuthService, UserService, PasswordHasher, role/relation models), added UserSettingsController for VTA-specific preferences
  • Phases 5-6: Updated all domain controllers (Artefact, Board, Category, SavedBoard, TTS) and SyncService to use Core JWT sub claim for user identity
  • Tests: Rebuilt test infrastructure for Core JWT auth, deleted obsolete auth/user tests

Breaking changes

  • VTA no longer handles login/signup — clients must authenticate with giraf-core
  • All user ID columns are now int (previously string UUIDs)
  • Removed endpoints: /api/Account/*, /api/Role/*

How to test

  1. Start giraf-core (cd giraf-core && docker compose up)
  2. Obtain a JWT from Core (POST /api/v1/token/pair)
  3. Use that JWT with VTA.API and SyncService endpoints
  4. Run backend tests: dotnet test

Related PRs

Builds on cleanup work from PRs #282-#288 (Phases 1-4.5 prep work).

Test plan

  • All backend tests pass (dotnet test — updated for Core JWT auth)
  • Manual smoke test with giraf-core running
  • Verify SyncService WebSocket auth with Core JWT
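The token flow this description relies on (a Core-issued HS256 JWT signed with the shared JWT_SECRET, the integer user ID carried in sub, and the org_roles claim driving the OrganizationMember/Admin/Owner policies), as an added stand-alone example that is not part of this PR or the VTA code base. It is written in Python rather than the project's C# so it runs without ASP.NET; the org_roles shape (org id mapped to a role name), the role names, the secret and the token are all assumptions constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed secret for this example; the real JWT_SECRET is shared out of band.
JWT_SECRET = b"example-shared-secret-not-real"
ROLE_RANK = {"member": 1, "admin": 2, "owner": 3}  # assumed role names

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_core_token(sub: int, org_roles: dict, secret: bytes = JWT_SECRET, ttl: int = 3600) -> str:
    """Build an HS256 token shaped like the Core token assumed here (test fixture only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": str(sub), "org_roles": org_roles, "exp": int(time.time()) + ttl}
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_core_token(token: str, secret: bytes = JWT_SECRET) -> dict:
    """Check structure, algorithm, HMAC signature and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # accept only the algorithm the shared secret is for
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or claims["exp"] <= time.time():
        raise ValueError("token expired or missing exp")
    return claims

def user_id_from_claims(claims: dict) -> int:
    """Core's sub claim carries the int user ID as a string; parse it as the controllers do."""
    return int(claims["sub"])

def authorize(claims: dict, org_id: int, required: str) -> bool:
    """OrganizationMember/Admin/Owner policy: caller's role in org_id must rank >= required."""
    role = claims.get("org_roles", {}).get(str(org_id))
    return role is not None and ROLE_RANK.get(role, 0) >= ROLE_RANK[required]
```

Since the first commit drops issuer/audience validation because Core sets no VTA-specific values, the signature check against the shared secret plus the expiry check is the entire trust boundary for a token; anything signed with that secret is accepted.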

…lient (Phases 1-2)

Replace VTA-issued JWT validation with Core-issued token validation:
- Remove issuer/audience validation (Core doesn't set VTA-specific values)
- Add JwtOrgRoleHandler with org_roles claim-based authorization
- Add OrganizationMember/Admin/Owner policy requirements
- Add ICoreClient/GirafCoreClient for validating citizens/orgs in Core
- Remove SecretsProvider singleton, IUserService, IRelationService registrations
- Change UserId from string to int in Artefact, Category, SavedBoard, Session
- Delete User, Relation, UserRole models (Core owns these now)
- Create UserSettings model (VTA-specific prefs keyed by Core int user ID)
- Remove User/Relation EF configurations and navigation properties
- Add UserSettingsConfiguration
- Update mysql_schema.sql: drop user/relation tables, add user_settings/sessions

…er (Phase 4)

Delete (delegated to Core):
- UsersController, AdminController, ContactsController, RelationController
- UserService, IUserService, RelationService, IRelationService
- SecretsProvider, UserCleanupHelper
- UserDTO, RelationDTO, AdminDTO
- User mapping methods from DTOConverter
- Test user seeding from WebApplicationExtensions

Add:
- UserSettingsController (GET/PATCH for VTA-specific user preferences)

Update:
- ArtefactDTO/CategoryDTO UserId fields from string to int

…ases 5-6)

- Change all controllers from User.FindFirst("id") to User.FindFirst("sub") with int parsing
- Update all service interfaces/implementations from string userId to int userId
- Convert userId to string only at filesystem utility boundaries (ImageUtilities, SoundUtilities)
- Update BoardHub to parse string SignalR params to int for Session model

…uth tests

- Replace login-based test helpers with JWT generation using sub/org_roles claims
- Delete UsersControllerTests (tested deleted login/signup endpoints)
- Delete UserServiceTests (tested deleted local auth logic)
- Update all remaining tests for int user IDs
- Update SyncService tests to remove User model references

Remove assumptions about a default "Board1" existing for each user,
since the old SignUpAsync that auto-created it was deleted in Phase 4.
Tests now explicitly create boards before asserting.

nbhansen closed this by deleting the head repository Mar 13, 2026