feat: add IdentityJwt scheme to CoreSync + auth integration tests (#85, #86)

D1: Add IdentityJwt Bearer scheme to CoreSync Web server (Program.cs)
- Register JwtBearer 'IdentityJwt' scheme alongside Entra ID / DevAuth
- Add Microsoft.AspNetCore.Authentication.JwtBearer package to Web.csproj
- Validates tokens using Jwt:SigningKey/Issuer/Audience from config

D2: Fix and extend auth integration tests
- Update TestJwtGenerator issuer/audience to match Identity JWT defaults
- Fix test factories: use UseSetting for config, Development environment,
  isolated SQLite DB with EnsureCreated for Identity tables
- JwtBearerApiFactory overrides default scheme to IdentityJwt
- Add IdentityAuthTests: register, login (unconfirmed/wrong pw),
  confirm email, refresh token flow
- Align package versions (JwtBearer/Mvc.Testing to 10.0.2)

All 16 tests pass. AppHost build succeeds.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: davidortinau

src/SentenceStudio.Web/Program.cs

@@ -1,8 +1,11 @@
 
+using System.Text;
 using CoreSync;
 using CoreSync.Http.Server;
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.Identity.Web;
+using Microsoft.IdentityModel.Tokens;
 using SentenceStudio.Data;
 using SentenceStudio.Web;
 using SentenceStudio.Web.Auth;
@@ -37,6 +40,24 @@
     builder.Services.AddAuthorization();
 }
 
+// Accept Identity JWTs alongside Entra ID / DevAuth
+builder.Services.AddAuthentication()
+    .AddJwtBearer("IdentityJwt", options =>
+    {
+        options.TokenValidationParameters = new TokenValidationParameters
+        {
+            ValidateIssuer = true,
+            ValidIssuer = builder.Configuration["Jwt:Issuer"] ?? "SentenceStudio",
+            ValidateAudience = true,
+            ValidAudience = builder.Configuration["Jwt:Audience"] ?? "SentenceStudio.Api",
+            ValidateIssuerSigningKey = true,
+            IssuerSigningKey = new SymmetricSecurityKey(
+                Encoding.UTF8.GetBytes(builder.Configuration["Jwt:SigningKey"]
+                    ?? "DevelopmentSigningKey-AtLeast32Chars!!")),
+            ValidateLifetime = true
+        };
+    });
+
 builder.Services.AddDataServices(databasePath);
 builder.Services.AddSyncServices(databasePath);
 

src/SentenceStudio.Web/SentenceStudio.Web.csproj

@@ -14,6 +14,7 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.2" />
     <PackageReference Include="Microsoft.Identity.Web" Version="3.8.2" />
   </ItemGroup>
 

tests/SentenceStudio.Api.Tests/IdentityAuthTests.cs

@@ -0,0 +1,176 @@
+using System.Net;
+using System.Net.Http.Json;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.DependencyInjection;
+using SentenceStudio.Api.Auth;
+using SentenceStudio.Api.Tests.Infrastructure;
+using SentenceStudio.Shared.Models;
+
+namespace SentenceStudio.Api.Tests;
+
+/// <summary>
+/// Integration tests for the Identity auth endpoints (register, login, confirm-email, refresh).
+/// Uses JwtBearerApiFactory so Identity services and JWT signing are configured.
+/// </summary>
+public class IdentityAuthTests : IClassFixture<JwtBearerApiFactory>
+{
+    private readonly JwtBearerApiFactory _factory;
+    private readonly HttpClient _client;
+
+    public IdentityAuthTests(JwtBearerApiFactory factory)
+    {
+        _factory = factory;
+        _client = factory.CreateClient();
+    }
+
+    [Fact]
+    public async Task Register_ReturnsOk()
+    {
+        var email = $"register-ok-{Guid.NewGuid():N}@test.local";
+
+        var response = await _client.PostAsJsonAsync("/api/auth/register", new
+        {
+            Email = email,
+            Password = "Test1234!",
+            DisplayName = "Tester"
+        });
+
+        response.StatusCode.Should().Be(HttpStatusCode.OK,
+            "register should succeed for a new user");
+    }
+
+    [Fact]
+    public async Task Login_UnconfirmedEmail_Returns401()
+    {
+        var email = $"unconfirmed-{Guid.NewGuid():N}@test.local";
+
+        // Register but do NOT confirm email
+        var reg = await _client.PostAsJsonAsync("/api/auth/register", new
+        {
+            Email = email,
+            Password = "Test1234!",
+        });
+        reg.EnsureSuccessStatusCode();
+
+        var response = await _client.PostAsJsonAsync("/api/auth/login", new
+        {
+            Email = email,
+            Password = "Test1234!"
+        });
+
+        response.StatusCode.Should().Be(HttpStatusCode.Unauthorized,
+            "login should be rejected when email is not confirmed");
+    }
+
+    [Fact]
+    public async Task Login_WrongPassword_Returns401()
+    {
+        var email = $"wrongpw-{Guid.NewGuid():N}@test.local";
+
+        // Register and confirm
+        await RegisterAndConfirmAsync(email, "Test1234!");
+
+        var response = await _client.PostAsJsonAsync("/api/auth/login", new
+        {
+            Email = email,
+            Password = "WrongPassword99!"
+        });
+
+        response.StatusCode.Should().Be(HttpStatusCode.Unauthorized,
+            "login should be rejected with wrong password");
+    }
+
+    [Fact]
+    public async Task ConfirmEmail_ThenLogin_Succeeds()
+    {
+        var email = $"confirm-{Guid.NewGuid():N}@test.local";
+        const string password = "Test1234!";
+
+        // Register
+        var reg = await _client.PostAsJsonAsync("/api/auth/register", new
+        {
+            Email = email,
+            Password = password,
+        });
+        reg.EnsureSuccessStatusCode();
+
+        // Confirm email via UserManager
+        await ConfirmEmailDirectlyAsync(email);
+
+        // Login should now succeed
+        var response = await _client.PostAsJsonAsync("/api/auth/login", new
+        {
+            Email = email,
+            Password = password
+        });
+
+        response.StatusCode.Should().Be(HttpStatusCode.OK,
+            "login should succeed after email confirmation");
+
+        var auth = await response.Content.ReadFromJsonAsync<AuthResponse>();
+        auth.Should().NotBeNull();
+        auth!.Token.Should().NotBeNullOrWhiteSpace("JWT should be returned");
+        auth.RefreshToken.Should().NotBeNullOrWhiteSpace("refresh token should be returned");
+    }
+
+    [Fact]
+    public async Task RefreshToken_ReturnsNewTokens()
+    {
+        var email = $"refresh-{Guid.NewGuid():N}@test.local";
+        const string password = "Test1234!";
+
+        await RegisterAndConfirmAsync(email, password);
+
+        // Login to get initial tokens
+        var loginResponse = await _client.PostAsJsonAsync("/api/auth/login", new
+        {
+            Email = email,
+            Password = password
+        });
+        loginResponse.EnsureSuccessStatusCode();
+
+        var initial = await loginResponse.Content.ReadFromJsonAsync<AuthResponse>();
+        initial.Should().NotBeNull();
+
+        // Use refresh token to get new tokens
+        var refreshResponse = await _client.PostAsJsonAsync("/api/auth/refresh", new
+        {
+            RefreshToken = initial!.RefreshToken
+        });
+
+        refreshResponse.StatusCode.Should().Be(HttpStatusCode.OK,
+            "refresh should return new tokens");
+
+        var refreshed = await refreshResponse.Content.ReadFromJsonAsync<AuthResponse>();
+        refreshed.Should().NotBeNull();
+        refreshed!.Token.Should().NotBeNullOrWhiteSpace("new JWT should be returned");
+        refreshed.RefreshToken.Should().NotBeNullOrWhiteSpace("new refresh token should be returned");
+        refreshed.RefreshToken.Should().NotBe(initial.RefreshToken,
+            "refresh token should be rotated");
+    }
+
+    // -- helpers --
+
+    private async Task RegisterAndConfirmAsync(string email, string password)
+    {
+        var reg = await _client.PostAsJsonAsync("/api/auth/register", new
+        {
+            Email = email,
+            Password = password,
+        });
+        reg.EnsureSuccessStatusCode();
+        await ConfirmEmailDirectlyAsync(email);
+    }
+
+    private async Task ConfirmEmailDirectlyAsync(string email)
+    {
+        using var scope = _factory.Services.CreateScope();
+        var userManager = scope.ServiceProvider.GetRequiredService<UserManager<ApplicationUser>>();
+        var user = await userManager.FindByEmailAsync(email);
+        user.Should().NotBeNull($"user {email} should exist after registration");
+
+        var token = await userManager.GenerateEmailConfirmationTokenAsync(user!);
+        var result = await userManager.ConfirmEmailAsync(user!, token);
+        result.Succeeded.Should().BeTrue("email confirmation should succeed");
+    }
+}

tests/SentenceStudio.Api.Tests/Infrastructure/DevAuthApiFactory.cs

@@ -7,20 +7,14 @@ namespace SentenceStudio.Api.Tests.Infrastructure;
 /// <summary>
 /// Test host using the default DevAuthHandler configuration.
 /// All requests are auto-authenticated with dev claims.
-/// Explicitly sets Auth:UseEntraId=false (local development mode).
+/// Uses Development environment so DevAuthHandler path is active.
 /// </summary>
 public class DevAuthApiFactory : WebApplicationFactory<Program>
 {
     protected override void ConfigureWebHost(IWebHostBuilder builder)
     {
-        builder.UseEnvironment("Testing");
+        builder.UseEnvironment("Development");
 
-        builder.ConfigureAppConfiguration((context, config) =>
-        {
-            config.AddInMemoryCollection(new Dictionary<string, string?>
-            {
-                ["Auth:UseEntraId"] = "false"
-            });
-        });
+        builder.UseSetting("Auth:UseEntraId", "false");
     }
 }

tests/SentenceStudio.Api.Tests/Infrastructure/JwtBearerApiFactory.cs

@@ -2,44 +2,64 @@
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Mvc.Testing;
+using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
+using SentenceStudio.Data;
 
 namespace SentenceStudio.Api.Tests.Infrastructure;
 
 /// <summary>
-/// Test host configured with JWT Bearer authentication.
-/// Replaces DevAuthHandler with real JWT validation using a test signing key.
-/// Explicitly sets Auth:UseEntraId=true to simulate the production Entra ID path.
+/// Test host configured with IdentityJwt Bearer authentication.
+/// Uses an isolated SQLite database per factory instance.
+/// Sets Auth:UseEntraId=false with Development environment, then overrides
+/// the default auth scheme to IdentityJwt.
 /// </summary>
 public class JwtBearerApiFactory : WebApplicationFactory<Program>
 {
+    private readonly string _dbPath = Path.Combine(Path.GetTempPath(),
+        $"sentencestudio_test_{Guid.NewGuid():N}.db");
+
     protected override void ConfigureWebHost(IWebHostBuilder builder)
     {
-        builder.UseEnvironment("Testing");
+        builder.UseEnvironment("Development");
 
-        builder.ConfigureAppConfiguration((context, config) =>
-        {
-            config.AddInMemoryCollection(new Dictionary<string, string?>
-            {
-                ["Auth:UseEntraId"] = "true"
-            });
-        });
+        builder.UseSetting("Auth:UseEntraId", "false");
+        builder.UseSetting("Jwt:SigningKey", TestJwtGenerator.TestSigningKeyValue);
+        builder.UseSetting("Jwt:Issuer", TestJwtGenerator.TestIssuer);
+        builder.UseSetting("Jwt:Audience", TestJwtGenerator.TestAudience);
 
         builder.ConfigureServices(services =>
         {
-            // Override auth to use JWT Bearer instead of DevAuthHandler
+            // Replace the production DbContext with a test-specific SQLite file
+            var descriptor = services.SingleOrDefault(
+                d => d.ServiceType == typeof(DbContextOptions<ApplicationDbContext>));
+            if (descriptor != null)
+                services.Remove(descriptor);
+
+            services.AddDbContext<ApplicationDbContext>(options =>
+                options.UseSqlite($"Data Source={_dbPath}"));
+
+            // Override default auth to use IdentityJwt scheme (already registered by the API
+            // because we provide Jwt:SigningKey via UseSetting above)
             services.Configure<AuthenticationOptions>(options =>
             {
-                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
-                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
+                options.DefaultAuthenticateScheme = "IdentityJwt";
+                options.DefaultChallengeScheme = "IdentityJwt";
             });
 
-            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
-                .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
-                {
-                    options.TokenValidationParameters = TestJwtGenerator.CreateValidationParameters();
-                });
+            // Ensure the database schema is created
+            var sp = services.BuildServiceProvider();
+            using var scope = sp.CreateScope();
+            var db = scope.ServiceProvider.GetRequiredService<ApplicationDbContext>();
+            db.Database.EnsureCreated();
         });
     }
+
+    protected override void Dispose(bool disposing)
+    {
+        base.Dispose(disposing);
+        if (File.Exists(_dbPath))
+            File.Delete(_dbPath);
+    }
 }

tests/SentenceStudio.Api.Tests/Infrastructure/TestJwtGenerator.cs

@@ -12,12 +12,12 @@ namespace SentenceStudio.Api.Tests.Infrastructure;
 /// </summary>
 public static class TestJwtGenerator
 {
-    private const string TestSigningKeyValue = "SuperSecretTestKey-AtLeast32Characters!!";
+    public const string TestSigningKeyValue = "SuperSecretTestKey-AtLeast32Characters!!";
     public static readonly SymmetricSecurityKey SecurityKey =
         new(Encoding.UTF8.GetBytes(TestSigningKeyValue));
 
-    public const string TestIssuer = "https://test-sts.sentencestudio.local";
-    public const string TestAudience = "api://sentencestudio-test";
+    public const string TestIssuer = "SentenceStudio";
+    public const string TestAudience = "SentenceStudio.Api";
 
     public const string DefaultTenantId = "49c0cd14-bc68-4c6d-b87b-9d65a56fa6df";
     public const string DefaultUserId = "test-user-oid-12345";

tests/SentenceStudio.Api.Tests/SentenceStudio.Api.Tests.csproj

@@ -9,8 +9,8 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.1" />
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.1" />
+    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.2" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.2" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
     <PackageReference Include="FluentAssertions" Version="6.12.0" />
     <PackageReference Include="xunit" Version="2.9.2" />