feat(web): add auth and fix deployment checks
Quant Engine CI/CD Pipeline / validate-core (push) Failing after 9s
WBS-9.3 - NULL Policy CI Gate / NULL Policy Validation (push) Failing after 6s
Quant Engine CI/CD Pipeline / validate-ui-and-storage (push) Has been skipped
Snapshot Admin Deployment / build-and-deploy (push) Failing after 2m30s
Deploy to Production / Build & Deploy to Production (push) Failing after 3m49s

This commit is contained in:
2026-07-01 13:02:10 +09:00
parent 3e4d545e01
commit 90bbb1860d
17 changed files with 445 additions and 53 deletions
+94 -10
View File
@@ -13,6 +13,9 @@ using Serilog;
using QuantEngine.Web.Client.Infrastructure;
using QuantEngine.Web.Client.Services;
using QuantEngine.Web.Endpoints;
using System.Security.Cryptography;
using System.Text;
using QuantEngine.Core.Models;
// Serilog Configuration with Telegram Sink
Log.Logger = new LoggerConfiguration()
@@ -30,6 +33,8 @@ builder.Services.AddRazorComponents()
// Authentication and Custom State Provider (Shared client components)
builder.Services.AddCascadingAuthenticationState();
builder.Services.AddAuthentication();
builder.Services.AddAuthorization();
builder.Services.AddScoped<LocalStorageService>();
builder.Services.AddScoped<AuthenticationStateProvider, CustomAuthenticationStateProvider>();
builder.Services.AddAuthorizationCore();
@@ -41,6 +46,7 @@ builder.Services.AddFluentUIComponents();
var connectionString = builder.Configuration.GetConnectionString("DefaultConnection")
?? "Host=127.0.0.1;Database=giteadb;Username=gitea;Password=C8RFlZ9fdQrBA1vyLhLDS4v70I8dJfRS2ERJW4+zsS4=;Search Path=quantengine;";
builder.Services.AddSingleton<IDbConnectionFactory>(new DbConnectionFactory(connectionString));
builder.Services.AddSingleton<DbMigrator>();
builder.Services.AddScoped<IWorkspaceRepository, WorkspaceRepository>();
builder.Services.AddScoped<IPostgresqlHistoryStore, PostgresqlHistoryStore>();
builder.Services.AddScoped<IPostgresqlHistorySnapshotReader, PostgresqlHistorySnapshotReader>();
@@ -61,14 +67,18 @@ var app = builder.Build();
// Initialize database tables (PostgreSQL-backed repositories)
using (var scope = app.Services.CreateScope())
{
var migrator = scope.ServiceProvider.GetRequiredService<DbMigrator>();
var tokenCache = scope.ServiceProvider.GetRequiredService<ITokenCache>();
var collectionRepo = scope.ServiceProvider.GetRequiredService<ICollectionRepository>();
var workspaceRepo = scope.ServiceProvider.GetRequiredService<IWorkspaceRepository>();
try
{
migrator.Migrate();
// Ensure tables exist on startup
await tokenCache.GetCachedTokenAsync("_init_test_");
await collectionRepo.GetDashboardStateAsync();
await workspaceRepo.GetAccountsAsync();
Log.Information("Database tables initialized successfully");
}
catch (Exception ex)
@@ -77,9 +87,6 @@ using (var scope = app.Services.CreateScope())
}
}
// Enable reverse proxy subpath mapping
app.UsePathBase("/quant");
// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
@@ -96,6 +103,8 @@ app.UseStatusCodePages(async ctx =>
app.UseHttpsRedirection();
app.UseAntiforgery();
app.UseAuthentication();
app.UseAuthorization();
app.MapStaticAssets();
@@ -103,16 +112,91 @@ app.MapStaticAssets();
app.MapCollectionEndpoints();
// Login API (API-First for Blazor WASM client authentication)
app.MapPost("/api/auth/login", (LoginRequest request, IConfiguration config) =>
app.MapPost("/api/auth/login", async (LoginRequest request, IWorkspaceRepository workspaceRepo) =>
{
var expectedUser = config["AdminSettings:Username"] ?? "admin";
var expectedPass = config["AdminSettings:Password"] ?? "quant123!";
if (request.Username == expectedUser && request.Password == expectedPass)
if (string.IsNullOrWhiteSpace(request.Username) || string.IsNullOrWhiteSpace(request.Password))
{
return Results.Ok(new { success = true, username = request.Username });
return Results.BadRequest(new { success = false, error = "missing_credentials" });
}
return Results.Json(new { success = false, error = "invalid_credentials" }, statusCode: 401);
var account = await workspaceRepo.GetAccountByUsernameAsync(request.Username.Trim());
if (account is null || !string.Equals(account.IsActive, "true", StringComparison.OrdinalIgnoreCase))
{
return Results.Json(new { success = false, error = "invalid_credentials" }, statusCode: 401);
}
var passwordHash = Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(request.Password)));
if (!string.Equals(account.PasswordHash, passwordHash, StringComparison.OrdinalIgnoreCase))
{
return Results.Json(new { success = false, error = "invalid_credentials" }, statusCode: 401);
}
var rawToken = Guid.NewGuid().ToString("N");
var tokenHash = Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(rawToken)));
var now = DateTimeOffset.UtcNow;
var expiresAt = now.AddDays(7);
await workspaceRepo.UpsertSessionAsync(new WorkspaceSession
{
SessionTokenHash = tokenHash,
Username = account.Username,
Role = account.Role,
CreatedAt = now.ToString("O"),
ExpiresAt = expiresAt.ToString("O"),
RevokedAt = null
});
return Results.Ok(new
{
success = true,
username = account.Username,
role = account.Role,
accessToken = rawToken,
expiresAt = expiresAt.ToString("O")
});
});
app.MapGet("/api/auth/me", async (HttpContext context, IWorkspaceRepository workspaceRepo) =>
{
var authHeader = context.Request.Headers.Authorization.ToString();
if (string.IsNullOrWhiteSpace(authHeader) || !authHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
{
return Results.Unauthorized();
}
var token = authHeader["Bearer ".Length..].Trim();
if (string.IsNullOrWhiteSpace(token))
{
return Results.Unauthorized();
}
var tokenHash = Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
var session = await workspaceRepo.GetSessionByTokenHashAsync(tokenHash);
if (session is null || !string.IsNullOrWhiteSpace(session.RevokedAt) || DateTimeOffset.TryParse(session.ExpiresAt, out var expiresAt) && expiresAt <= DateTimeOffset.UtcNow)
{
return Results.Unauthorized();
}
return Results.Ok(new { authenticated = true, username = session.Username, role = session.Role });
});
app.MapPost("/api/auth/logout", async (HttpContext context, IWorkspaceRepository workspaceRepo) =>
{
var authHeader = context.Request.Headers.Authorization.ToString();
if (string.IsNullOrWhiteSpace(authHeader) || !authHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
{
return Results.Unauthorized();
}
var token = authHeader["Bearer ".Length..].Trim();
if (string.IsNullOrWhiteSpace(token))
{
return Results.Unauthorized();
}
var tokenHash = Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
await workspaceRepo.RevokeSessionAsync(tokenHash, DateTimeOffset.UtcNow.ToString("O"));
return Results.Ok(new { success = true });
});
// Operational Report serving API (WASM safe file loading substitute)