feat(auth): add Identity auth service, login/register pages (#82, #83, #84)

C1: IdentityAuthService - JWT-based auth against API Identity endpoints
- Implements IAuthService with email/password sign-in
- Token storage via ISecureStorageService (auth_jwt, auth_refresh, auth_expires)
- Auto-refresh on GetAccessTokenAsync when token is expired
- JWT claim parsing for UserName
- Added SignInAsync(email, password) and RegisterAsync to IAuthService
- Updated DevAuthService (returns null) and MsalAuthService (throws NotSupportedException)

C2: Login and Register Blazor pages
- /auth/login - email/password form with error handling
- /auth/register - registration form with email confirmation flow
- Updated /auth page with Sign In / Create Account buttons + local user selection

C3: Updated AuthenticatedHttpMessageHandler
- Removed scope-length guard so Identity tokens (no scopes) are attached
- Updated ServiceCollectionExtentions to register IdentityAuthService when
  Auth:UseEntraId is false, and register AuthClient named HttpClient

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: davidortinau

src/SentenceStudio.AppLib/SentenceStudio.AppLib.csproj

@@ -52,6 +52,7 @@
 		<PackageReference Include="ElevenLabs-DotNet" Version="3.7.1" />
 		<PackageReference Include="NAudio" Version="2.2.1" />
 		<PackageReference Include="NLayer.NAudioSupport" Version="1.4.0" />
+		<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.16.0" />
 		<PackageReference Include="YoutubeExplode" Version="6.5.6" />
 		<PackageReference Include="AsyncFixer" Version="1.6.0">
 			<PrivateAssets>all</PrivateAssets>

src/SentenceStudio.AppLib/ServiceCollectionExtentions.cs

@@ -71,7 +71,19 @@ public static IServiceCollection AddAuthServices(this IServiceCollection service
         }
         else
         {
-            services.AddSingleton<IAuthService, DevAuthService>();
+            services.AddSingleton<IAuthService, IdentityAuthService>();
+        }
+
+        // Register a named HttpClient for auth endpoints (login, register, refresh).
+        // Uses the same API base URL as other clients but without the auth handler
+        // to avoid a circular dependency (auth client cannot require auth).
+        var apiBaseUrl = configuration.GetValue<string>("ApiBaseUrl");
+        if (!string.IsNullOrEmpty(apiBaseUrl))
+        {
+            services.AddHttpClient("AuthClient", client =>
+            {
+                client.BaseAddress = new Uri(apiBaseUrl);
+            });
         }
 
         services.AddTransient<AuthenticatedHttpMessageHandler>();

src/SentenceStudio.AppLib/Services/AuthenticatedHttpMessageHandler.cs

@@ -9,9 +9,11 @@ namespace SentenceStudio.Services;
 
 /// <summary>
 /// Delegating handler that attaches a Bearer token to outgoing requests.
-/// Attempts token acquisition unconditionally. If it returns null, the
-/// request proceeds without an Authorization header so the server's
-/// DevAuthHandler handles unauthenticated requests during development.
+/// For Entra ID, uses configured scopes. For Identity auth (no scopes configured),
+/// requests the token with an empty scope array — IdentityAuthService returns the
+/// stored JWT regardless of scopes.
+/// If token acquisition returns null, the request proceeds unauthenticated so the
+/// server's DevAuthHandler can handle it during development.
 /// </summary>
 public class AuthenticatedHttpMessageHandler : DelegatingHandler
 {
@@ -34,9 +36,6 @@ public AuthenticatedHttpMessageHandler(
     protected override async Task<HttpResponseMessage> SendAsync(
         HttpRequestMessage request, CancellationToken cancellationToken)
     {
-        if (_defaultScopes.Length == 0)
-            return await base.SendAsync(request, cancellationToken);
-
         try
         {
             var token = await _authService.GetAccessTokenAsync(_defaultScopes);

src/SentenceStudio.AppLib/Services/DevAuthService.cs

@@ -13,6 +13,8 @@ public class DevAuthService : IAuthService
     public string? UserName => "dev@localhost";
 
     public Task<AuthResult?> SignInAsync() => Task.FromResult<AuthResult?>(null);
+    public Task<AuthResult?> SignInAsync(string email, string password) => Task.FromResult<AuthResult?>(null);
+    public Task<AuthResult?> RegisterAsync(string email, string password, string displayName) => Task.FromResult<AuthResult?>(null);
     public Task SignOutAsync() => Task.CompletedTask;
     public Task<string?> GetAccessTokenAsync(string[] scopes) => Task.FromResult<string?>(null);
 }

src/SentenceStudio.AppLib/Services/IAuthService.cs

@@ -5,6 +5,8 @@ namespace SentenceStudio.Services;
 public interface IAuthService
 {
     Task<AuthResult?> SignInAsync();
+    Task<AuthResult?> SignInAsync(string email, string password);
+    Task<AuthResult?> RegisterAsync(string email, string password, string displayName);
     Task SignOutAsync();
     Task<string?> GetAccessTokenAsync(string[] scopes);
     bool IsSignedIn { get; }

src/SentenceStudio.AppLib/Services/IdentityAuthService.cs

@@ -0,0 +1,247 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Net.Http;
+using System.Net.Http.Json;
+using System.Security.Claims;
+using Microsoft.Extensions.Logging;
+using SentenceStudio.Abstractions;
+
+namespace SentenceStudio.Services;
+
+/// <summary>
+/// Auth service that authenticates against the API's ASP.NET Identity endpoints
+/// using email/password credentials and JWT tokens.
+/// </summary>
+public sealed class IdentityAuthService : IAuthService
+{
+    private const string JwtKey = "auth_jwt";
+    private const string RefreshKey = "auth_refresh";
+    private const string ExpiresKey = "auth_expires";
+
+    private readonly HttpClient _http;
+    private readonly ISecureStorageService _secureStorage;
+    private readonly ILogger<IdentityAuthService> _logger;
+
+    private string? _cachedToken;
+    private DateTimeOffset _cachedExpires;
+    private string? _cachedUserName;
+
+    public IdentityAuthService(
+        IHttpClientFactory httpClientFactory,
+        ISecureStorageService secureStorage,
+        ILogger<IdentityAuthService> logger)
+    {
+        _http = httpClientFactory.CreateClient("AuthClient");
+        _secureStorage = secureStorage;
+        _logger = logger;
+    }
+
+    public bool IsSignedIn => _cachedToken is not null && _cachedExpires > DateTimeOffset.UtcNow;
+
+    public string? UserName => _cachedUserName;
+
+    /// <summary>
+    /// Silent sign-in: tries to restore a session from stored refresh token.
+    /// Returns null if no stored token or refresh fails (UI should show login).
+    /// </summary>
+    public async Task<AuthResult?> SignInAsync()
+    {
+        try
+        {
+            var refreshToken = await _secureStorage.GetAsync(RefreshKey);
+            if (string.IsNullOrEmpty(refreshToken))
+                return null;
+
+            return await RefreshTokenAsync(refreshToken);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex, "Silent sign-in failed");
+            return null;
+        }
+    }
+
+    /// <summary>
+    /// Sign in with email and password against POST /api/auth/login.
+    /// </summary>
+    public async Task<AuthResult?> SignInAsync(string email, string password)
+    {
+        try
+        {
+            var response = await _http.PostAsJsonAsync("/api/auth/login", new { Email = email, Password = password });
+
+            if (!response.IsSuccessStatusCode)
+            {
+                _logger.LogWarning("Login failed with status {Status}", response.StatusCode);
+                return null;
+            }
+
+            var authResponse = await response.Content.ReadFromJsonAsync<AuthResponseDto>();
+            if (authResponse is null)
+                return null;
+
+            await StoreTokens(authResponse);
+            return ToAuthResult(authResponse);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Sign-in with credentials failed");
+            return null;
+        }
+    }
+
+    /// <summary>
+    /// Register a new account via POST /api/auth/register.
+    /// On success returns an AuthResult if the API auto-logs-in, or null
+    /// if the user needs to confirm their email first.
+    /// </summary>
+    public async Task<AuthResult?> RegisterAsync(string email, string password, string displayName)
+    {
+        try
+        {
+            var response = await _http.PostAsJsonAsync("/api/auth/register", new
+            {
+                Email = email,
+                Password = password,
+                DisplayName = displayName
+            });
+
+            if (!response.IsSuccessStatusCode)
+            {
+                _logger.LogWarning("Registration failed with status {Status}", response.StatusCode);
+                return null;
+            }
+
+            // Some APIs return tokens on register; try to read them
+            try
+            {
+                var authResponse = await response.Content.ReadFromJsonAsync<AuthResponseDto>();
+                if (authResponse?.Token is not null)
+                {
+                    await StoreTokens(authResponse);
+                    return ToAuthResult(authResponse);
+                }
+            }
+            catch
+            {
+                // Registration succeeded but no token returned (email confirmation required)
+            }
+
+            return null;
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Registration failed");
+            return null;
+        }
+    }
+
+    public async Task SignOutAsync()
+    {
+        _cachedToken = null;
+        _cachedExpires = DateTimeOffset.MinValue;
+        _cachedUserName = null;
+
+        _secureStorage.Remove(JwtKey);
+        _secureStorage.Remove(RefreshKey);
+        _secureStorage.Remove(ExpiresKey);
+
+        _logger.LogInformation("Signed out, tokens cleared");
+    }
+
+    /// <summary>
+    /// Returns a valid JWT access token. If the cached token is expired,
+    /// attempts a refresh. Returns null if no valid token is available.
+    /// </summary>
+    public async Task<string?> GetAccessTokenAsync(string[] scopes)
+    {
+        // Return cached token if still valid (with 60s buffer)
+        if (_cachedToken is not null && _cachedExpires > DateTimeOffset.UtcNow.AddSeconds(60))
+            return _cachedToken;
+
+        // Try refresh
+        try
+        {
+            var refreshToken = await _secureStorage.GetAsync(RefreshKey);
+            if (string.IsNullOrEmpty(refreshToken))
+                return null;
+
+            var result = await RefreshTokenAsync(refreshToken);
+            return result?.AccessToken;
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex, "Token refresh failed");
+            return null;
+        }
+    }
+
+    private async Task<AuthResult?> RefreshTokenAsync(string refreshToken)
+    {
+        var response = await _http.PostAsJsonAsync("/api/auth/refresh", new { RefreshToken = refreshToken });
+
+        if (!response.IsSuccessStatusCode)
+        {
+            _logger.LogWarning("Token refresh returned {Status}", response.StatusCode);
+            // Clear invalid refresh token
+            _secureStorage.Remove(RefreshKey);
+            _cachedToken = null;
+            _cachedExpires = DateTimeOffset.MinValue;
+            _cachedUserName = null;
+            return null;
+        }
+
+        var authResponse = await response.Content.ReadFromJsonAsync<AuthResponseDto>();
+        if (authResponse is null)
+            return null;
+
+        await StoreTokens(authResponse);
+        return ToAuthResult(authResponse);
+    }
+
+    private async Task StoreTokens(AuthResponseDto response)
+    {
+        _cachedToken = response.Token;
+        _cachedExpires = new DateTimeOffset(response.ExpiresAt, TimeSpan.Zero);
+        _cachedUserName = response.UserName ?? ExtractUserNameFromJwt(response.Token);
+
+        await _secureStorage.SetAsync(JwtKey, response.Token);
+        await _secureStorage.SetAsync(RefreshKey, response.RefreshToken);
+        await _secureStorage.SetAsync(ExpiresKey, response.ExpiresAt.ToString("O"));
+
+        _logger.LogInformation("Tokens stored, expires at {Expires}", _cachedExpires);
+    }
+
+    private AuthResult ToAuthResult(AuthResponseDto response)
+    {
+        return new AuthResult(
+            response.Token,
+            response.UserName ?? ExtractUserNameFromJwt(response.Token),
+            new DateTimeOffset(response.ExpiresAt, TimeSpan.Zero));
+    }
+
+    private static string? ExtractUserNameFromJwt(string token)
+    {
+        try
+        {
+            var handler = new JwtSecurityTokenHandler();
+            var jwt = handler.ReadJwtToken(token);
+            return jwt.Claims.FirstOrDefault(c => c.Type == ClaimTypes.Email)?.Value
+                ?? jwt.Claims.FirstOrDefault(c => c.Type == "email")?.Value
+                ?? jwt.Claims.FirstOrDefault(c => c.Type == ClaimTypes.Name)?.Value
+                ?? jwt.Claims.FirstOrDefault(c => c.Type == "name")?.Value;
+        }
+        catch
+        {
+            return null;
+        }
+    }
+
+    /// <summary>
+    /// Maps the API's AuthResponse JSON shape.
+    /// </summary>
+    private sealed record AuthResponseDto(
+        string Token,
+        string RefreshToken,
+        DateTime ExpiresAt,
+        string? UserName);
+}

src/SentenceStudio.AppLib/Services/MsalAuthService.cs

@@ -57,6 +57,12 @@ public MsalAuthService(IConfiguration configuration, ILogger<MsalAuthService> lo
         }
     }
 
+    public Task<AuthResult?> SignInAsync(string email, string password)
+        => throw new NotSupportedException("Email/password sign-in is not supported with Entra ID. Use interactive sign-in.");
+
+    public Task<AuthResult?> RegisterAsync(string email, string password, string displayName)
+        => throw new NotSupportedException("Registration is not supported with Entra ID.");
+
     public async Task SignOutAsync()
     {
         try

src/SentenceStudio.UI/Pages/Auth.razor

@@ -6,12 +6,22 @@
     <div class="card card-ss p-4 mt-4">
         <h1 class="ss-title1 mb-2">Welcome to SentenceStudio</h1>
         <p class="ss-body2 text-secondary-ss mb-4">
-            Select a user to continue, or register to create a new account.
+            Sign in to your account or select a local user to continue.
         </p>
 
+        <div class="d-grid gap-2 mb-4">
+            <a href="/auth/login" class="btn btn-ss-primary btn-lg">
+                <i class="bi bi-box-arrow-in-right me-2"></i>Sign In
+            </a>
+            <a href="/auth/register" class="btn btn-ss-secondary btn-lg">
+                <i class="bi bi-person-plus me-2"></i>Create Account
+            </a>
+        </div>
+
         @if (_profiles.Count > 0)
         {
-            <h2 class="ss-title3 mb-2">Choose a user</h2>
+            <hr class="my-3" />
+            <h2 class="ss-title3 mb-2">Or choose a local user</h2>
             <div class="d-grid gap-2 mb-3">
                 @foreach (var profile in _profiles)
                 {
@@ -27,12 +37,11 @@
                     </button>
                 }
             </div>
-            <hr class="my-3" />
         }
 
         <div class="d-grid gap-2">
-            <button class="btn btn-ss-primary btn-lg" @onclick="RegisterAsync">
-                <i class="bi bi-plus-circle me-2"></i>Create New User
+            <button class="btn btn-outline-secondary btn-lg" @onclick="RegisterLocalAsync">
+                <i class="bi bi-plus-circle me-2"></i>Create Local User
             </button>
         </div>
     </div>
@@ -65,7 +74,7 @@
         NavManager.NavigateTo("/", forceLoad: true);
     }
 
-    private void RegisterAsync()
+    private void RegisterLocalAsync()
     {
         Preferences.Set(AuthenticatedPreferenceKey, true);
         Preferences.Set("is_onboarded", false);