feat(api): add /api/v1/config endpoint for client configuration

Enables the Blazor WASM client to fetch OIDC configuration from the API at
startup instead of using static wwwroot/appsettings.json. This allows Docker
deployments to configure auth via environment variables without rebuilding.

Changes:
- Add ClientConfigDto, AuthenticationConfigDto, OidcConfigDto in Contracts
- Add ClientConfigOptions with ToDto() mapping in API
- Add ConfigController with [AllowAnonymous] GET endpoint
- Wire up ClientConfigOptions from IConfiguration in Program.cs
- Update Blazor Client to fetch config from API at startup
- Add ClientId property to AuthentikOptions
- Clear static auth settings from Client wwwroot/appsettings.json
- Add unit tests for ClientConfigOptions.ToDto() mapping (6 tests)
- Add integration tests for /api/v1/config endpoint (4 tests)

Closes #56

Author: fortinbra

docs/056-api-config-endpoint.md

@@ -22,9 +22,16 @@ public sealed class AuthentikOptions
 
     /// <summary>
     /// Gets or sets the audience (typically the client ID or API identifier).
+    /// Used for API JWT token validation.
     /// </summary>
     public string Audience { get; set; } = string.Empty;
 
+    /// <summary>
+    /// Gets or sets the client ID for the OIDC client (Blazor WASM).
+    /// If not specified, defaults to the Audience value.
+    /// </summary>
+    public string ClientId { get; set; } = string.Empty;
+
     /// <summary>
     /// Gets or sets a value indicating whether HTTPS metadata is required.
     /// Should be true in production, can be false for local development.

src/BudgetExperiment.Api/AuthentikOptions.cs

@@ -0,0 +1,77 @@
+// <copyright file="ClientConfigOptions.cs" company="BecauseImClever">
+// Copyright (c) BecauseImClever. All rights reserved.
+// </copyright>
+
+namespace BudgetExperiment.Api;
+
+using BudgetExperiment.Contracts.Dtos;
+
+/// <summary>
+/// Strongly-typed options for client configuration.
+/// Maps from IConfiguration and exposes settings safe for client consumption.
+/// </summary>
+public sealed class ClientConfigOptions
+{
+    /// <summary>
+    /// The configuration section name.
+    /// </summary>
+    public const string SectionName = "ClientConfig";
+
+    /// <summary>
+    /// Gets or sets the authentication mode: "none" or "oidc".
+    /// </summary>
+    public string AuthMode { get; set; } = "oidc";
+
+    /// <summary>
+    /// Gets or sets the OIDC authority URL.
+    /// </summary>
+    public string OidcAuthority { get; set; } = string.Empty;
+
+    /// <summary>
+    /// Gets or sets the OIDC client ID.
+    /// </summary>
+    public string OidcClientId { get; set; } = string.Empty;
+
+    /// <summary>
+    /// Gets or sets the OAuth2 response type.
+    /// </summary>
+    public string OidcResponseType { get; set; } = "code";
+
+    /// <summary>
+    /// Gets or sets the OIDC scopes.
+    /// </summary>
+    public List<string> OidcScopes { get; set; } = ["openid", "profile", "email"];
+
+    /// <summary>
+    /// Gets or sets the post-logout redirect URI.
+    /// </summary>
+    public string OidcPostLogoutRedirectUri { get; set; } = "/";
+
+    /// <summary>
+    /// Gets or sets the redirect URI after login.
+    /// </summary>
+    public string OidcRedirectUri { get; set; } = "authentication/login-callback";
+
+    /// <summary>
+    /// Converts this options instance to a client-safe DTO.
+    /// </summary>
+    /// <returns>A <see cref="ClientConfigDto"/> containing the client configuration.</returns>
+    public ClientConfigDto ToDto() => new()
+    {
+        Authentication = new AuthenticationConfigDto
+        {
+            Mode = this.AuthMode,
+            Oidc = string.Equals(this.AuthMode, "oidc", StringComparison.OrdinalIgnoreCase)
+                ? new OidcConfigDto
+                {
+                    Authority = this.OidcAuthority,
+                    ClientId = this.OidcClientId,
+                    ResponseType = this.OidcResponseType,
+                    Scopes = this.OidcScopes,
+                    PostLogoutRedirectUri = this.OidcPostLogoutRedirectUri,
+                    RedirectUri = this.OidcRedirectUri,
+                }
+                : null,
+        },
+    };
+}

src/BudgetExperiment.Api/ClientConfigOptions.cs

@@ -0,0 +1,51 @@
+// <copyright file="ConfigController.cs" company="BecauseImClever">
+// Copyright (c) BecauseImClever. All rights reserved.
+// </copyright>
+
+using BudgetExperiment.Contracts.Dtos;
+
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Options;
+
+namespace BudgetExperiment.Api.Controllers;
+
+/// <summary>
+/// REST API controller for client configuration.
+/// Provides configuration settings for the Blazor WebAssembly client.
+/// </summary>
+[ApiController]
+[AllowAnonymous]
+[Route("api/v1/[controller]")]
+[Produces("application/json")]
+public sealed class ConfigController : ControllerBase
+{
+    private readonly IOptions<ClientConfigOptions> _clientConfigOptions;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="ConfigController"/> class.
+    /// </summary>
+    /// <param name="clientConfigOptions">The client configuration options.</param>
+    public ConfigController(IOptions<ClientConfigOptions> clientConfigOptions)
+    {
+        _clientConfigOptions = clientConfigOptions;
+    }
+
+    /// <summary>
+    /// Gets the client configuration settings.
+    /// </summary>
+    /// <remarks>
+    /// This endpoint is public (no authentication required) because the client
+    /// needs configuration before it can authenticate. Only non-secret settings
+    /// are exposed.
+    /// </remarks>
+    /// <returns>The client configuration.</returns>
+    [HttpGet]
+    [ProducesResponseType<ClientConfigDto>(StatusCodes.Status200OK)]
+    [ResponseCache(Duration = 3600, Location = ResponseCacheLocation.Any)]
+    public ActionResult<ClientConfigDto> GetConfig()
+    {
+        var options = _clientConfigOptions.Value;
+        return Ok(options.ToDto());
+    }
+}

src/BudgetExperiment.Api/Controllers/ConfigController.cs

@@ -41,6 +41,9 @@ public static async Task Main(string[] args)
         builder.Services.AddScoped<IUserContext, UserContext>();
         ConfigureAuthentication(builder.Services, builder.Configuration);
 
+        // Client configuration (exposed via /api/v1/config endpoint)
+        ConfigureClientConfig(builder.Services, builder.Configuration);
+
         // Application & Infrastructure
         builder.Services.AddApplication();
         builder.Services.AddInfrastructure(builder.Configuration);
@@ -251,4 +254,37 @@ private static void ConfigureAuthentication(IServiceCollection services, IConfig
 
         services.AddAuthorization();
     }
+
+    /// <summary>
+    /// Configures client configuration options for the /api/v1/config endpoint.
+    /// Maps Authentik settings to client-safe configuration.
+    /// </summary>
+    /// <param name="services">The service collection.</param>
+    /// <param name="configuration">The configuration root.</param>
+    private static void ConfigureClientConfig(IServiceCollection services, IConfiguration configuration)
+    {
+        services.Configure<ClientConfigOptions>(options =>
+        {
+            var authentikSection = configuration.GetSection(AuthentikOptions.SectionName);
+
+            // Determine auth mode based on whether Authentik is enabled
+            var enabled = authentikSection.GetValue<bool?>("Enabled") ?? true;
+            options.AuthMode = enabled ? "oidc" : "none";
+
+            // OIDC settings from Authentik config
+            options.OidcAuthority = authentikSection.GetValue<string>("Authority") ?? string.Empty;
+
+            // ClientId can be explicitly set, or fall back to Audience (common in Authentik setups)
+            options.OidcClientId = authentikSection.GetValue<string>("ClientId")
+                ?? authentikSection.GetValue<string>("Audience")
+                ?? string.Empty;
+
+            // Apply any explicit ClientConfig overrides
+            var clientSection = configuration.GetSection(ClientConfigOptions.SectionName);
+            if (clientSection.Exists())
+            {
+                clientSection.Bind(options);
+            }
+        });
+    }
 }

src/BudgetExperiment.Api/Program.cs

@@ -1,5 +1,8 @@
+using System.Net.Http.Json;
+
 using BudgetExperiment.Client;
 using BudgetExperiment.Client.Services;
+using BudgetExperiment.Contracts.Dtos;
 
 using Microsoft.AspNetCore.Components.Web;
 using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
@@ -9,15 +12,56 @@
 builder.RootComponents.Add<App>("#app");
 builder.RootComponents.Add<HeadOutlet>("head::after");
 
-// Configure OIDC authentication with Authentik
-builder.Services.AddOidcAuthentication(options =>
+// Fetch configuration from API before configuring services
+using var httpClient = new HttpClient { BaseAddress = new Uri(builder.HostEnvironment.BaseAddress) };
+ClientConfigDto? clientConfig = null;
+try
+{
+    clientConfig = await httpClient.GetFromJsonAsync<ClientConfigDto>("api/v1/config");
+}
+catch (HttpRequestException)
+{
+    // API not available - will fall back to static config if present
+}
+
+// Register config as singleton for injection (if available)
+if (clientConfig is not null)
+{
+    builder.Services.AddSingleton(clientConfig);
+    builder.Services.AddSingleton(clientConfig.Authentication);
+}
+
+// Configure OIDC authentication
+if (clientConfig?.Authentication.Mode == "oidc" && clientConfig.Authentication.Oidc is not null)
+{
+    // Use configuration from API
+    var oidc = clientConfig.Authentication.Oidc;
+    builder.Services.AddOidcAuthentication(options =>
+    {
+        options.ProviderOptions.Authority = oidc.Authority;
+        options.ProviderOptions.ClientId = oidc.ClientId;
+        options.ProviderOptions.ResponseType = oidc.ResponseType;
+        options.ProviderOptions.PostLogoutRedirectUri = oidc.PostLogoutRedirectUri;
+        options.ProviderOptions.RedirectUri = oidc.RedirectUri;
+
+        foreach (var scope in oidc.Scopes)
+        {
+            options.ProviderOptions.DefaultScopes.Add(scope);
+        }
+    });
+}
+else
 {
-    builder.Configuration.Bind("Authentication:Authentik", options.ProviderOptions);
-    options.ProviderOptions.ResponseType = "code";
-    options.ProviderOptions.DefaultScopes.Add("openid");
-    options.ProviderOptions.DefaultScopes.Add("profile");
-    options.ProviderOptions.DefaultScopes.Add("email");
-});
+    // Fall back to static configuration (legacy support or API unavailable)
+    builder.Services.AddOidcAuthentication(options =>
+    {
+        builder.Configuration.Bind("Authentication:Authentik", options.ProviderOptions);
+        options.ProviderOptions.ResponseType = "code";
+        options.ProviderOptions.DefaultScopes.Add("openid");
+        options.ProviderOptions.DefaultScopes.Add("profile");
+        options.ProviderOptions.DefaultScopes.Add("email");
+    });
+}
 
 // Register ScopeService as singleton so it persists across the app lifetime
 builder.Services.AddSingleton<ScopeService>();

src/BudgetExperiment.Client/Program.cs

@@ -1,8 +1,9 @@
 {
+  "_comment": "Client configuration is now fetched from the API at /api/v1/config. This file is kept as a fallback only.",
   "Authentication": {
     "Authentik": {
-      "Authority": "https://authentik.becauseimclever.com/application/o/budget-experiment/",
-      "ClientId": "kt22z8MtUCs7d7MBIZQlQfXvV9DjHd98ahp3iT3H",
+      "Authority": "",
+      "ClientId": "",
       "ResponseType": "code",
       "PostLogoutRedirectUri": "/",
       "RedirectUri": "authentication/login-callback"

src/BudgetExperiment.Client/wwwroot/appsettings.json

@@ -0,0 +1,70 @@
+// <copyright file="ClientConfigDto.cs" company="BecauseImClever">
+// Copyright (c) BecauseImClever. All rights reserved.
+// </copyright>
+
+namespace BudgetExperiment.Contracts.Dtos;
+
+/// <summary>
+/// Configuration settings exposed to the Blazor WebAssembly client.
+/// This DTO contains ONLY non-secret, client-appropriate settings.
+/// </summary>
+public sealed class ClientConfigDto
+{
+    /// <summary>
+    /// Gets or sets the authentication configuration.
+    /// </summary>
+    public required AuthenticationConfigDto Authentication { get; init; }
+}
+
+/// <summary>
+/// Authentication configuration for the client.
+/// </summary>
+public sealed class AuthenticationConfigDto
+{
+    /// <summary>
+    /// Gets or sets the authentication mode: "none" or "oidc".
+    /// When "none", authentication is disabled and all users get default scope.
+    /// </summary>
+    public required string Mode { get; init; }
+
+    /// <summary>
+    /// Gets or sets the OIDC provider settings (populated when Mode = "oidc").
+    /// </summary>
+    public OidcConfigDto? Oidc { get; init; }
+}
+
+/// <summary>
+/// OIDC provider configuration.
+/// </summary>
+public sealed class OidcConfigDto
+{
+    /// <summary>
+    /// Gets or sets the OIDC authority URL (issuer).
+    /// </summary>
+    public required string Authority { get; init; }
+
+    /// <summary>
+    /// Gets or sets the OAuth2 client ID (public identifier, NOT a secret for PKCE flows).
+    /// </summary>
+    public required string ClientId { get; init; }
+
+    /// <summary>
+    /// Gets or sets the OAuth2 response type (typically "code" for PKCE).
+    /// </summary>
+    public string ResponseType { get; init; } = "code";
+
+    /// <summary>
+    /// Gets or sets the scopes to request during authentication.
+    /// </summary>
+    public IReadOnlyList<string> Scopes { get; init; } = ["openid", "profile", "email"];
+
+    /// <summary>
+    /// Gets or sets the redirect URI after logout.
+    /// </summary>
+    public string PostLogoutRedirectUri { get; init; } = "/";
+
+    /// <summary>
+    /// Gets or sets the redirect URI after login callback.
+    /// </summary>
+    public string RedirectUri { get; init; } = "authentication/login-callback";
+}