Merge pull request #1489 from bcgov/stories/ecer-5388

ECER-5388: BCeID Business authentication

Author: pcatkins

src/ECER.Clients.PSPPortal/ECER.Clients.PSPPortal.Server/AuthenticationService.cs

@@ -1,10 +1,10 @@
 using ECER.Clients.PSPPortal.Server.Shared;
-using ECER.Managers.Registry.Contract.Registrants;
 using ECER.Utilities.Security;
 using MediatR;
 using Microsoft.Extensions.Caching.Distributed;
 using Microsoft.Extensions.Options;
 using System.Security.Claims;
+using ECER.Managers.Registry.Contract.PspUsers;
 
 namespace ECER.Clients.PSPPortal.Server;
 
@@ -14,7 +14,7 @@ public class AuthenticationService(IMediator messageBus, IDistributedCache cache
   {
     ArgumentNullException.ThrowIfNull(principal);
 
-    var identityProvider = principal.FindFirst(RegistryPortalClaims.IdenityProvider)?.Value;
+    var identityProvider = principal.FindFirst(PSPPortalClaims.IdentityProvider)?.Value;
     var identityId = principal.FindFirst(ClaimTypes.Name)?.Value;
 
     if (string.IsNullOrEmpty(identityProvider) || string.IsNullOrEmpty(identityId)) return principal;
@@ -31,26 +31,18 @@ public class AuthenticationService(IMediator messageBus, IDistributedCache cache
 
   private async Task<Claim[]?> GetUserClaims(UserIdentity userIdentity, CancellationToken ct)
   {
-    // try to find the registrant
-    var registrant = await cache.GetAsync($"userinfo:{userIdentity.UserId}@{userIdentity.IdentityProvider}",
-      async ct => (await messageBus.Send(new SearchRegistrantQuery { ByUserIdentity = userIdentity }, ct)).Items.SingleOrDefault(),
+    // try to find the psp user
+    var pspRep = await cache.GetAsync($"userinfo:{userIdentity.UserId}@{userIdentity.IdentityProvider}",
+      async ct => (await messageBus.Send(new SearchPspRepQuery { ByUserIdentity = userIdentity }, ct)).Items.SingleOrDefault(),
       new DistributedCacheEntryOptions { AbsoluteExpirationRelativeToNow = TimeSpan.FromSeconds(claimCacheSettings.Value.CacheTimeInSeconds) },
       ct);
 
-    if (registrant == null) return null;
+    if (pspRep == null) return null;
 
     // add registrant claims
-    var userId = new Claim("user_id", registrant.UserId);
-    Claim verificationStatus = new Claim("verified", "");
-    if (registrant.Profile.Status == StatusCode.Verified)
-    {
-      verificationStatus = new Claim("verified", "true");
-    }
-    else if (registrant.Profile.Status is StatusCode.Unverified or StatusCode.PendingforDocuments)
-    {
-      verificationStatus = new Claim("verified", "false");
-    }
-
-    return [userId, verificationStatus];
+    var userId = new Claim("user_id", pspRep.Id);
+    Claim hasTermsOfUse = new Claim("terms_of_use", pspRep.Profile.HasAcceptedTermsOfUse.HasValue && pspRep.Profile.HasAcceptedTermsOfUse.Value ? "true" : "false");
+
+    return [userId, hasTermsOfUse];
   }
 }

src/ECER.Clients.PSPPortal/ECER.Clients.PSPPortal.Server/ConfigurationEndpoints.cs

@@ -0,0 +1,35 @@
+using ECER.Utilities.Hosting;
+using MediatR;
+
+namespace ECER.Clients.PSPPortal.Server;
+
+public class ConfigurationEndpoints : IRegisterEndpoints
+{
+  public void Register(IEndpointRouteBuilder endpointRouteBuilder)
+  {
+    endpointRouteBuilder.MapGet("/api/configuration", async (HttpContext ctx, IMediator messageBus, CancellationToken ct) =>
+    {
+      await Task.CompletedTask;
+      var configuration = ctx.RequestServices.GetRequiredService<IConfiguration>();
+      var appConfig = configuration.Get<ApplicationConfiguration>()!;
+      return TypedResults.Ok(appConfig);
+    }).WithOpenApi("Returns the UI initial configuration", string.Empty, "configuration_get")
+      .CacheOutput(p => p.Expire(TimeSpan.FromMinutes(5)));
+  }
+}
+
+#pragma warning disable CA2227 // Collection properties should be read only
+
+public record ApplicationConfiguration
+{
+  public Dictionary<string, OidcAuthenticationSettings> ClientAuthenticationMethods { get; set; } = [];
+}
+
+#pragma warning restore CA2227 // Collection properties should be read only
+public record OidcAuthenticationSettings
+{
+  public string Authority { get; set; } = null!;
+  public string ClientId { get; set; } = null!;
+  public string Scope { get; set; } = null!;
+  public string? Idp { get; set; }
+}

src/ECER.Clients.PSPPortal/ECER.Clients.PSPPortal.Server/ECER.Clients.PSPPortal.Server.csproj

@@ -3,7 +3,7 @@
   <PropertyGroup>
     <SpaRoot>..\ecer.clients.pspportal.client</SpaRoot>
     <SpaProxyLaunchCommand>npm run dev</SpaProxyLaunchCommand>
-    <SpaProxyServerUrl>https://localhost:5123</SpaProxyServerUrl>
+    <SpaProxyServerUrl>https://localhost:5130</SpaProxyServerUrl>
     <UserSecretsId>c88bcf5c-db2f-4814-aa30-1ef3c67d1808</UserSecretsId>
   </PropertyGroup>
 
@@ -16,6 +16,8 @@
   <ItemGroup>
     <ProjectReference Include="..\..\ECER.Managers.Admin.Contract\ECER.Managers.Admin.Contract.csproj" />
     <ProjectReference Include="..\..\ECER.Managers.Admin\ECER.Managers.Admin.csproj" />
+    <ProjectReference Include="..\..\ECER.Managers.Registry.Contract\ECER.Managers.Registry.Contract.csproj" />
+    <ProjectReference Include="..\..\ECER.Managers.Registry\ECER.Managers.Registry.csproj" />
     <ProjectReference Include="..\..\ECER.Utilities.Hosting\ECER.Utilities.Hosting.csproj" />
     <ProjectReference Include="..\..\ECER.Utilities.Security\ECER.Utilities.Security.csproj" />
     <ProjectReference Include="..\ecer.clients.pspportal.client\ecer.clients.pspportal.client.esproj">

src/ECER.Clients.PSPPortal/ECER.Clients.PSPPortal.Server/PortalInvitations/PortalInvitationsEndpoints.cs

@@ -0,0 +1,42 @@
+using AutoMapper;
+using ECER.Managers.Registry.Contract.PortalInvitations;
+using ECER.Utilities.Hosting;
+using MediatR;
+using Microsoft.AspNetCore.Http.HttpResults;
+using Microsoft.AspNetCore.Mvc;
+
+namespace ECER.Clients.PSPPortal.Server.PortalInvitations;
+
+public class PortalInvitationsEndpoints : IRegisterEndpoints
+{
+  public void Register(IEndpointRouteBuilder endpointRouteBuilder)
+  {
+    endpointRouteBuilder.MapGet("/api/PortalInvitations/{token?}", async Task<Results<Ok<PortalInvitationQueryResult>, BadRequest<ProblemDetails>>> (string? token, IMediator messageBus, HttpContext httpContext, IMapper mapper, CancellationToken ct) =>
+    {
+      if (string.IsNullOrWhiteSpace(token))
+      {
+        return TypedResults.BadRequest(new ProblemDetails { Status = StatusCodes.Status400BadRequest, Detail = "Provided token is not valid" });
+      }
+      var result = await messageBus.Send(new PortalInvitationVerificationQuery(token), ct);
+
+      if (!result.IsSuccess)
+      {
+        return TypedResults.BadRequest(new ProblemDetails { Status = StatusCodes.Status400BadRequest, Detail = result.ErrorMessage });
+      }
+      return TypedResults.Ok(new PortalInvitationQueryResult(mapper.Map<PortalInvitation>(result.Invitation)));
+    }).WithOpenApi("Handles portal invitation queries", string.Empty, "portal_invitation_get").WithParameterValidation();
+  }
+}
+
+public record PortalInvitationQueryResult(PortalInvitation PortalInvitation);
+
+public record PortalInvitation(string? Id)
+{
+  public string? PspProgramRepresentativeId { get; set; }
+  public InviteType? InviteType { get; set; }
+}
+
+public enum InviteType
+{
+  PSIProgramRepresentative,
+}

src/ECER.Clients.PSPPortal/ECER.Clients.PSPPortal.Server/PortalInvitations/PortalInvitationsMapper.cs

@@ -0,0 +1,11 @@
+using AutoMapper;
+
+namespace ECER.Clients.PSPPortal.Server.PortalInvitations;
+
+public class PortalInvitationMapper : Profile
+{
+  public PortalInvitationMapper()
+  {
+    CreateMap<Managers.Registry.Contract.PortalInvitations.PortalInvitation, PortalInvitation>();
+  }
+}

src/ECER.Clients.PSPPortal/ECER.Clients.PSPPortal.Server/Program.cs

@@ -48,13 +48,13 @@ private static async Task<int> Main(string[] args)
         });
         opts.AddSecurityRequirement(new OpenApiSecurityRequirement
         {
+          {
+            new OpenApiSecurityScheme
             {
-                new OpenApiSecurityScheme
-                {
-                    Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "bearerAuth" }
-                },
-                []
-            }
+              Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "bearerAuth" }
+            },
+            new List<string>() 
+          }
         });
         opts.UseOneOfForPolymorphism();
       });
@@ -87,9 +87,16 @@ private static async Task<int> Main(string[] args)
         {
           policy
             .AddAuthenticationSchemes("kc")
-            .RequireClaim(PSPPortalClaims.IdenityProvider)
-            .RequireClaim(ClaimTypes.Name)
+            .RequireClaim(PSPPortalClaims.IdentityProvider)
+            .RequireAuthenticatedUser();
+        })
+        .AddPolicy("psp_user_has_accepted_terms", policy =>
+        {
+          policy
+            .AddAuthenticationSchemes("kc")
+            .RequireClaim(PSPPortalClaims.IdentityProvider)
             .RequireClaim(PSPPortalClaims.UserId)
+            .RequireClaim(PSPPortalClaims.TermsOfUse, "true")
             .RequireAuthenticatedUser();
         });
 

src/ECER.Clients.PSPPortal/ECER.Clients.PSPPortal.Server/PspUser/ProfileEndpoints.cs

@@ -0,0 +1,139 @@
+using System.ComponentModel.DataAnnotations;
+using AutoMapper;
+using ECER.Managers.Registry.Contract.PspUsers;
+using ECER.Utilities.Hosting;
+using ECER.Utilities.Security;
+using MediatR;
+using Microsoft.AspNetCore.Http.HttpResults;
+using Microsoft.AspNetCore.Mvc;
+
+namespace ECER.Clients.PSPPortal.Server.Users;
+
+public class ProfileEndpoints : IRegisterEndpoints
+{
+  public void Register(IEndpointRouteBuilder endpointRouteBuilder)
+  {
+    endpointRouteBuilder.MapGet("api/users/profile", async Task<Results<Ok<PspUserProfile>, NotFound>> (HttpContext ctx, CancellationToken ct, IMediator bus, IMapper mapper) =>
+      {
+        var user = ctx.User.GetUserContext()!;
+        var results = await bus.Send<PspRepQueryResults>(new SearchPspRepQuery() { ByUserIdentity = user.Identity }, ct);
+
+        var pspUser = results.Items.SingleOrDefault();
+        if (pspUser == null) return TypedResults.NotFound();
+
+        var pspUserProfile = mapper.Map<PspUserProfile>(pspUser.Profile);
+        return TypedResults.Ok(pspUserProfile);
+      })
+      .WithOpenApi("Gets the currently logged in user profile or NotFound if no profile found", string.Empty, "psp_user_profile_get")
+      .RequireAuthorization("psp_user")
+      .WithParameterValidation();
+
+    endpointRouteBuilder.MapPut("/api/users/profile",
+        () => TypedResults.StatusCode(StatusCodes.Status501NotImplemented))
+      .WithOpenApi("Update a psp user profile", string.Empty, "psp_user_profile_put")
+      .RequireAuthorization("psp_user")
+      .WithParameterValidation();
+
+    endpointRouteBuilder.MapPost("/api/users/register",
+        async Task<Results<Ok, BadRequest<PspRegistrationErrorResponse>>> (
+          RegisterPspUserRequest request, HttpContext ctx,
+          CancellationToken ct, IMediator bus, IMapper mapper) =>
+        {
+          var user = ctx.User.GetUserContext()!;
+          var result = await bus.Send(
+            new RegisterPspUserCommand(
+              request.Token,
+              request.ProgramRepresentativeId,
+              request.BceidBusinessId,
+              mapper.Map<Managers.Registry.Contract.PspUsers.PspUserProfile>(request.Profile)!,
+              user.Identity
+            ),
+            ctx.RequestAborted);
+
+          if (!result.IsSuccess)
+          {
+            var errorCode = PspRegistrationError.GenericError;
+
+            if (result.Error.HasValue)
+            {
+              errorCode = result.Error.Value switch
+              {
+                RegisterPspUserError.PostSecondaryInstitutionNotFound 
+                  => PspRegistrationError.PostSecondaryInstitutionNotFound,
+
+                RegisterPspUserError.PortalInvitationTokenInvalid 
+                  => PspRegistrationError.PortalInvitationTokenInvalid,
+
+                RegisterPspUserError.PortalInvitationWrongStatus 
+                  => PspRegistrationError.PortalInvitationWrongStatus,
+
+                RegisterPspUserError.BceidBusinessIdDoesNotMatch 
+                  => PspRegistrationError.BceidBusinessIdDoesNotMatch,
+
+                _ => PspRegistrationError.GenericError
+              };
+            }
+
+            return TypedResults.BadRequest(new PspRegistrationErrorResponse
+            {
+              ErrorCode = errorCode
+            });
+          }
+
+          return TypedResults.Ok();
+        })
+      .WithOpenApi("Update a psp user profile", string.Empty, "psp_user_register_post")
+      .WithOpenApi()
+      .RequireAuthorization("psp_user");
+  }
+}
+
+/// <summary>
+/// Request to register a new psp user
+/// </summary>
+public record RegisterPspUserRequest([Required] string Token, [Required] string ProgramRepresentativeId, [Required] string BceidBusinessId)
+{
+  [Required]
+  public PspUserProfile Profile { get; set; } = null!;
+};
+
+/// <summary>
+/// User profile information
+/// </summary>
+public record PspUserProfile
+{
+  public string? FirstName { get; set; }
+  public string? LastName { get; set; }
+  public string? Email { get; set; } = null!;
+  public bool? HasAcceptedTermsOfUse { get; set; }
+};
+
+/// <summary>
+/// Error codes for PSP user registration failures
+/// </summary>
+public enum PspRegistrationError
+{
+  /// <summary>The specified post-secondary institution was not found</summary>
+  PostSecondaryInstitutionNotFound,
+  /// <summary>The invitation token is invalid or expired</summary>
+  PortalInvitationTokenInvalid,
+  /// <summary>The invitation is not in correct status for registration</summary>
+  PortalInvitationWrongStatus,
+  /// <summary>The BCeID Business ID doesn't match expected value</summary>
+  BceidBusinessIdDoesNotMatch,
+  /// <summary>A generic error occurred during registration</summary>
+  GenericError
+}
+
+/// <summary>
+/// Error response for PSP user registration failures. Returns only the error code for frontend handling.
+/// </summary>
+public record PspRegistrationErrorResponse
+{
+  /// <summary>
+  /// The specific error code that occurred during registration.
+  /// Frontend should handle localization and user messaging based on this code.
+  /// </summary>
+  /// <example>PostSecondaryInstitutionNotFound</example>
+  public PspRegistrationError ErrorCode { get; set; }
+}

src/ECER.Clients.PSPPortal/ECER.Clients.PSPPortal.Server/PspUser/UserMapper.cs

@@ -0,0 +1,14 @@
+using AutoMapper;
+
+namespace ECER.Clients.PSPPortal.Server.Users;
+
+internal sealed class PspUserMapper : AutoMapper.Profile
+{
+  public PspUserMapper()
+  {
+    CreateMap<PspUserProfile, Managers.Registry.Contract.PspUsers.PspUserProfile>()
+      .ReverseMap()
+      .ValidateMemberList(MemberList.Destination);
+  }
+}
+

src/ECER.Clients.PSPPortal/ECER.Clients.PSPPortal.Server/appsettings.Development.json

@@ -12,26 +12,26 @@
     }
   },
   "cors": {
-    "allowedOrigins": "https://dev.loginproxy.gov.bc.ca/;https://idtest.gov.bc.ca/"
+    "allowedOrigins": "https://test.loginproxy.gov.bc.ca/;https://idtest.gov.bc.ca/"
   },
   "ContentSecurityPolicy": {
-    "ConnectSource": "'self' https://dev.loginproxy.gov.bc.ca/ https://idtest.gov.bc.ca/"
+    "ConnectSource": "'self' https://test.loginproxy.gov.bc.ca/ https://idtest.gov.bc.ca/"
   },
   "clientAuthenticationMethods": {
     "kc": {
-      "authority": "https://dev.loginproxy.gov.bc.ca/auth/realms/childcare-applications",
-      "clientId": "childcare-ecer-dev"
+      "authority": "https://test.loginproxy.gov.bc.ca/auth/realms/childcare-applications",
+      "clientId": "childcare-ecer-psp-test"
     }
   },
   "authentication": {
     "Schemes": {
       "kc": {
-        "Authority": "https://dev.loginproxy.gov.bc.ca/auth/realms/childcare-applications",
+        "Authority": "https://test.loginproxy.gov.bc.ca/auth/realms/childcare-applications",
         "ValidAudiences": [
-          "childcare-ecer-dev"
+          "childcare-ecer-psp-test"
         ],
         "ValidIssuers": [
-          "https://dev.loginproxy.gov.bc.ca/auth/realms/childcare-applications"
+          "https://test.loginproxy.gov.bc.ca/auth/realms/childcare-applications"
         ]
       }
     }