TaskHub.Shared

Security

Security in TaskHub.Shared covers authentication (who is the caller?), authorization (what may they do?), and identity propagation (carrying that context across service hops). Every public endpoint is protected; every internal call carries the caller’s token forward.

🎯 Design Goals

JWT everywhere. Internal services trust each other via signed bearer tokens — no shared secrets, no IP allow-listing.
Identity is ambient. Once authenticated, IUserService.UserId is available anywhere in the request scope. No threading the user ID through method signatures.
Status checks at the edge. Blocked / deleted / disabled users are filtered in middleware, not in every handler.
Result-typed failures. Authorization failures return a Result with a stable code, not an exception — clients see the same shape as any other failure.

📦 Modules

Module	Purpose
Authorization Abstractions	`ITokenService`, `IUserService` — the contracts your code depends on.
Authorization Identity	JWT bearer setup, `UserStatusMiddleware`, token generation, options.

🧭 The Request Lifecycle

   Client ──[Authorization: Bearer eyJ…]──► Service
                                               │
                                               ▼
                          JwtBearer middleware (signature, expiry, audience)
                                               │
                                               ▼
                          UserStatusMiddleware (blocked/deleted/disabled?)
                                               │
                                               ▼
                          IUserService (scoped — UserId available)
                                               │
                                               ▼
                          Endpoint / Command Pipeline

Internal calls forward the same bearer via BearerTokenHandler (see Networking) — the downstream service sees the same UserId.

⚙️ Minimal Configuration

"Jwt": {
  "SigningKey": "<base64 256-bit key>",
  "Issuer": "task-hub",
  "Audience": "task-hub-users",
  "ValidateSigningKey": true,
  "ValidateAudience": true,
  "ValidateIssuer": true,
  "ValidateLifetime": true,
  "ClockSkew": 300000
}

The FullHostBuilder calls AddAppIdentity() automatically when this section is present.

✅ Best Practices

Never log raw tokens. Serilog destructuring policy redacts Authorization headers — keep it that way.
Use ownership checks, not just authentication. RequireAuthorization() proves who, but a job-edit endpoint also needs to prove they own this job — typically as a pre-behavior in the Command Pipeline.
Keep SigningKey out of source. Inject via environment variable or secret manager.
Watch ClockSkew. Generous clock skew (e.g. 5 minutes) prevents clock-drift failures in microservice fleets, but extends the window of validity for stolen tokens.

🔗 See Also

Authorization Identity usage — registration, role checks, custom claims.
Authorization Identity architecture — middleware chain, UserStatusMiddleware internals.
Networking — BearerTokenHandler for forwarding tokens between services.
Response system — how authorization failures become standardized Result codes.

This site is open source. Improve this page.