Fixes #260: "Accept license" causes error?

Author: Vincent Wilms

src/Nexus/Core/NexusIdentityProviderExtensions.cs

@@ -127,11 +127,12 @@ public static WebApplication UseNexusIdentityProvider(
                 .LastOrDefault();
 
             authorization ??= await authorizationManager.CreateAsync(
-                    principal: principal,
-                    subject: subject,
-                    client: (await applicationManager.GetIdAsync(client))!,
-                    type: AuthorizationTypes.Permanent,
-                    scopes: principal.GetScopes());
+                principal: principal,
+                subject: subject,
+                client: (await applicationManager.GetIdAsync(client))!,
+                type: AuthorizationTypes.Permanent,
+                scopes: principal.GetScopes()
+            );
 
             principal.SetAuthorizationId(await authorizationManager.GetIdAsync(authorization));
 

src/Nexus/Core/PersonalAccessTokenAuthenticationHandler.cs

@@ -105,7 +105,7 @@ protected async override Task<AuthenticateResult> HandleAuthenticateAsync()
                     var userIdParts = userId.Split('@', count: 2);
                     var scheme = userIdParts.Length == 2 ? userIdParts[1] : default;
 
-                    AuthUtilities.AddEnabledCatalogPatternClaim(principal, scheme, _securityOptions);
+                    AuthUtilities.SetEnabledCatalogPatternClaim(principal, scheme, _securityOptions);
                 }
             }
         }

src/Nexus/Services/CatalogManager.cs

@@ -155,7 +155,7 @@ public async Task<CatalogContainer[]> GetCatalogContainersAsync(
                 var userIdParts = user.Id.Split('@', count: 2);
                 var scheme = userIdParts.Length == 2 ? userIdParts[1] : default;
 
-                AuthUtilities.AddEnabledCatalogPatternClaim(owner, scheme, _securityOptions);
+                AuthUtilities.SetEnabledCatalogPatternClaim(owner, scheme, _securityOptions);
 
                 /* For each pipeline */
                 foreach (var (pipelineId, pipeline) in pipelines)

src/Nexus/Services/CustomCookieAuthenticationEvents.cs

@@ -24,7 +24,7 @@ public override Task ValidatePrincipal(CookieValidatePrincipalContext context)
         if (scheme is null)
             context.RejectPrincipal();
 
-        AuthUtilities.AddEnabledCatalogPatternClaim(context.Principal, scheme, _securityOptions);
+        AuthUtilities.SetEnabledCatalogPatternClaim(context.Principal, scheme, _securityOptions);
 
         return base.ValidatePrincipal(context);
     }

src/Nexus/Utilities/AuthUtilities.cs

@@ -13,10 +13,20 @@ namespace Nexus.Utilities;
 
 internal static class AuthUtilities
 {
-    public static void AddEnabledCatalogPatternClaim(ClaimsPrincipal principal, string? scheme, SecurityOptions options)
+    public static void SetEnabledCatalogPatternClaim(ClaimsPrincipal principal, string? scheme, SecurityOptions options)
     {
         var environmentName = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT");
 
+        // Do not store the EnabledCatalogsPattern claim in the cookie: it’s tied to the
+        // sign-in scheme and should be inherited by the user, not persisted. When a user
+        // accepts a catalog license, they are re-signed in to refresh the cookie. Since 
+        // the claim has previously been added to the User, it becomes part of the cookie. 
+        // On the next visit, the EnabledCatalogsPattern claim is added again, resulting 
+        // in multiple entries of the same claim. This breaks 
+        // user.GetClaim("EnabledCatalogsPattern"), which correctly expects a single claim
+        // of a given type. To avoid this we remove all existing instances of the claim.
+        principal.RemoveClaims(NexusClaimsConstants.ENABLED_CATALOGS_PATTERN_CLAIM);
+
         if (scheme is null)
         {
             principal.AddClaim(