Added authenication/authorization. Refactored api startup.

JSMR.Api/JSMR.Api.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
     <TargetFramework>net9.0</TargetFramework>

JSMR.Api/JSMR.Api.http

@@ -1,6 +1,31 @@
 @host = http://localhost:5226
 @contentType = application/json
 
+### Login
+POST {{host}}/auth/login
+Content-Type: {{contentType}}
+
+{
+  "Username": "brister",
+  "Password": "password"
+}
+
+### Logout
+POST {{host}}/auth/logout
+Content-Type: {{contentType}}
+
+{
+
+}
+
+### Get current user
+GET {{host}}/api/me
+Content-Type: {{contentType}}
+
+{
+
+}
+
 ### Search tags by name
 POST {{host}}/api/tags/search
 Content-Type: {{contentType}}

JSMR.Api/Program.cs

@@ -1,158 +1,23 @@
-using JSMR.Application.Circles.Queries.Search;
-using JSMR.Application.Creators.Queries.Search;
-using JSMR.Application.DI;
-using JSMR.Application.Tags.Queries.Search;
-using JSMR.Application.VoiceWorks.Queries.Search;
-using JSMR.Infrastructure.Data;
-using JSMR.Infrastructure.DI;
-using Microsoft.AspNetCore.Http.Json;
-using Microsoft.EntityFrameworkCore;
-using Serilog;
-using Serilog.Events;
-using System.Diagnostics;
-using System.Text.Json;
-using System.Text.Json.Serialization;
+using JSMR.Api.Startup;
 
-var builder = WebApplication.CreateBuilder(args);
+WebApplicationBuilder builder = WebApplication.CreateBuilder(args);
 
-// Add services to the container.
 builder.Services
-    .AddMemoryCache() // TODO
-    .AddApplication()
-    .AddInfrastructure();
+    .AddAppServices(builder)
+    .AddAppJson()
+    .AddAppOpenApi()
+    .AddAppAuthentication()
+    .AddAppCors(builder)
+    .AddAppLogging(builder);
 
-// DbContext (MySQL here; swap to Npgsql when you migrate)
-var cs = builder.Configuration.GetConnectionString("AppDb")
-         ?? throw new InvalidOperationException("Missing ConnectionStrings:AppDb2");
+builder.Host.UseAppSerilog();
 
-builder.Services.AddDbContextFactory<AppDbContext>(opt =>
-    opt.UseMySql(cs, ServerVersion.AutoDetect(cs))
-       .EnableSensitiveDataLogging(false));
+WebApplication app = builder.Build();
+app.UseAppPipeline(app.Environment);
 
-builder.Services.AddControllers();
-// Learn more about configuring OpenAPI at https://aka.ms/aspnet/openapi
-builder.Services.AddOpenApi();
-
-builder.Services.Configure<JsonOptions>(options =>
-{
-    options.SerializerOptions.PropertyNameCaseInsensitive = true;
-    options.SerializerOptions.Converters.Add(
-        new JsonStringEnumConverter(JsonNamingPolicy.CamelCase)); // or null for exact names
-});
-
-// Serilog bootstrap (before Build)
-Log.Logger = new LoggerConfiguration()
-    .ReadFrom.Configuration(builder.Configuration)
-    .MinimumLevel.Override("Microsoft", LogEventLevel.Warning)
-    .Enrich.WithProperty("Service", "JSMR.Api")
-    .Enrich.WithProperty("Environment", builder.Environment.EnvironmentName)
-    .CreateLogger();
-builder.Host.UseSerilog();
-
-builder.Services.AddCors(o =>
-{
-    o.AddPolicy("ui-dev", p => p
-        .AllowAnyOrigin()
-        //.WithOrigins(
-        //    "*",
-        //    "https://localhost:5173", // vite-like
-        //    "https://localhost:5001", // typical https dev
-        //    "http://localhost:5000",  // typical http dev
-        //    "https://localhost:7112", // blazor wasm dev https (adjust to your port)
-        //    "http://localhost:5153"   // blazor wasm dev http (adjust to your port)
-        //)
-        .AllowAnyHeader()
-        .AllowAnyMethod());
-});
-
-var app = builder.Build();
-app.UseCors("ui-dev");
-
-// Configure the HTTP request pipeline.
 if (app.Environment.IsDevelopment())
-{
-    app.MapOpenApi();
-}
+    await app.SeedDevelopmentAsync();
 
-app.UseHttpsRedirection();
+app.MapAppEndpoints();
 
-app.UseAuthorization();
-
-app.MapControllers();
-
-// Request logging with latency, status, path
-app.UseSerilogRequestLogging(opts =>
-{
-    opts.MessageTemplate = "HTTP {RequestMethod} {RequestPath} responded {StatusCode} in {Elapsed:0.0000} ms";
-});
-
-// Correlation: ensure every log has traceId and return it to clients
-app.Use(async (ctx, next) =>
-{
-    // Use current Activity if present (W3C trace context), else fall back
-    var traceId = Activity.Current?.TraceId.ToString() ?? ctx.TraceIdentifier;
-    using (Serilog.Context.LogContext.PushProperty("TraceId", traceId))
-    {
-        ctx.Response.Headers["x-trace-id"] = traceId;
-        await next();
-    }
-});
-
-
-// Health check
-app.MapGet("/health", () => Results.Ok(new { status = "ok" }));
-
-// ---- Endpoints ----
-
-// Circles Search
-app.MapPost("/api/circles/search", async (
-    SearchCirclesRequest request,
-    SearchCirclesHandler handler,
-    CancellationToken cancallationToken) =>
-{
-    try
-    {
-        SearchCirclesResponse result = await handler.HandleAsync(request, cancallationToken);
-
-        return Results.Ok(result);
-    }
-    catch (OperationCanceledException) when (cancallationToken.IsCancellationRequested)
-    {
-        return Results.StatusCode(StatusCodes.Status499ClientClosedRequest);
-    }
-});
-
-// Voice Works Search
-app.MapPost("/api/voiceworks/search", async (
-    SearchVoiceWorksRequest request,
-    SearchVoiceWorksHandler handler,
-    CancellationToken cancallationToken) =>
-{
-    var result = await handler.HandleAsync(request, cancallationToken);
-
-    return Results.Ok(result);
-});
-
-// Tags Search
-app.MapPost("/api/tags/search", async (
-    SearchTagsRequest request,
-    SearchTagsHandler handler,
-    CancellationToken cancallationToken) =>
-{
-    var result = await handler.HandleAsync(request, cancallationToken);
-
-    return Results.Ok(result);
-});
-
-// Creators Search
-app.MapPost("/api/creators/search", async (
-    SearchCreatorsRequest request,
-    SearchCreatorsHandler handler,
-    CancellationToken cancallationToken) =>
-{
-    var result = await handler.HandleAsync(request, cancallationToken);
-
-    return Results.Ok(result);
-});
-
-app.Run();
+app.Run();

JSMR.Api/Startup/DevSeeding.cs

@@ -0,0 +1,30 @@
+using JSMR.Domain.Entities;
+using JSMR.Infrastructure.Data;
+using Microsoft.EntityFrameworkCore;
+
+namespace JSMR.Api.Startup;
+
+public static class DevSeeding
+{
+    public static async Task SeedDevelopmentAsync(this WebApplication app)
+    {
+        using var scope = app.Services.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<AppDbContext>();
+
+        var username = "brister";
+
+        if (!await db.Users.AnyAsync(u => u.Username == username))
+        {
+            db.Users.Add(new User
+            {
+                Username = username,
+                PasswordHash = BCrypt.Net.BCrypt.HashPassword("password"),
+                Role = "Admin",
+                IsActive = true
+            });
+
+            await db.SaveChangesAsync();
+            Console.WriteLine("✅ Seeded development user: brister / password");
+        }
+    }
+}

JSMR.Api/Startup/HostBuilderExtensions.cs

@@ -0,0 +1,9 @@
+using Serilog;
+
+namespace JSMR.Api.Startup;
+
+public static class HostBuilderExtensions
+{
+    public static IHostBuilder UseAppSerilog(this IHostBuilder host)
+        => host.UseSerilog();
+}

JSMR.Api/Startup/ServiceCollectionExtensions.cs

@@ -0,0 +1,118 @@
+using JSMR.Application.DI;
+using JSMR.Infrastructure.Data;
+using JSMR.Infrastructure.DI;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Http.Json;
+using Microsoft.EntityFrameworkCore;
+using Serilog;
+using Serilog.Events;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+
+namespace JSMR.Api.Startup;
+
+public static class ServiceCollectionExtensions
+{
+    public static IServiceCollection AddAppServices(this IServiceCollection services, IHostApplicationBuilder builder)
+    {
+        services
+            .AddMemoryCache()
+            .AddApplication()
+            .AddInfrastructure();
+
+        string connectionString = builder.Configuration.GetConnectionString("AppDb")
+                 ?? throw new InvalidOperationException("Missing ConnectionStrings:AppDb");
+
+        services.AddDbContextFactory<AppDbContext>(opt =>
+            opt.UseMySql(connectionString, ServerVersion.AutoDetect(connectionString))
+               .EnableSensitiveDataLogging(false));
+
+        services.AddControllers();
+
+        return services;
+    }
+
+    public static IServiceCollection AddAppJson(this IServiceCollection services)
+    {
+        services.Configure<JsonOptions>(options =>
+        {
+            options.SerializerOptions.PropertyNameCaseInsensitive = true;
+            options.SerializerOptions.Converters.Add(
+                new JsonStringEnumConverter(JsonNamingPolicy.CamelCase));
+        });
+
+        return services;
+    }
+
+    public static IServiceCollection AddAppOpenApi(this IServiceCollection services)
+    {
+        services.AddOpenApi();
+
+        return services;
+    }
+
+    public static IServiceCollection AddAppAuthentication(this IServiceCollection services)
+    {
+        services.AddAuthorization();
+
+        services
+            .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
+            .AddCookie(options =>
+            {
+                options.Cookie.Name = "vw_auth";
+                options.Cookie.HttpOnly = true;
+                options.Cookie.SameSite = SameSiteMode.None;
+                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+
+                options.Events = new CookieAuthenticationEvents
+                {
+                    OnRedirectToLogin = ctx =>
+                    {
+                        ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
+                        return Task.CompletedTask;
+                    },
+                    OnRedirectToAccessDenied = ctx =>
+                    {
+                        ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
+                        return Task.CompletedTask;
+                    }
+                };
+            });
+
+        return services;
+    }
+
+    public static IServiceCollection AddAppCors(this IServiceCollection services, IHostApplicationBuilder builder)
+    {
+        // Prefer config-based origins so you stop editing code for ports.
+        // appsettings.Development.json:
+        // "Cors": { "AllowedOrigins": [ "https://localhost:7112", ... ] }
+        string[] origins = builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>() ?? [];
+
+        services.AddCors(options =>
+        {
+            options.AddPolicy("ui", policyBuilder =>
+                policyBuilder.WithOrigins(origins)
+                 .AllowAnyHeader()
+                 .AllowAnyMethod()
+                 .AllowCredentials());
+        });
+
+        return services;
+    }
+
+    public static IServiceCollection AddAppLogging(this IServiceCollection services, IHostApplicationBuilder builder)
+    {
+        var config = builder.Configuration;
+        var env = builder.Environment;
+
+        Log.Logger = new LoggerConfiguration()
+            .ReadFrom.Configuration(config)
+            .MinimumLevel.Override("Microsoft", LogEventLevel.Warning)
+            .Enrich.WithProperty("Service", "JSMR.Api")
+            .Enrich.WithProperty("Environment", env.EnvironmentName)
+            .CreateLogger();
+
+        return services;
+    }
+}

JSMR.Api/Startup/WebApplicationExtensions.cs

@@ -0,0 +1,145 @@
+using JSMR.Application.Circles.Queries.Search;
+using JSMR.Application.Creators.Queries.Search;
+using JSMR.Application.Tags.Queries.Search;
+using JSMR.Application.Users;
+using JSMR.Application.VoiceWorks.Queries.Search;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Serilog;
+using System.Diagnostics;
+using System.Security.Claims;
+
+namespace JSMR.Api.Startup;
+
+public static class WebApplicationExtensions
+{
+    public static WebApplication UseAppPipeline(this WebApplication app, IHostEnvironment env)
+    {
+        app.UseCors("ui");
+
+        if (env.IsDevelopment())
+            app.MapOpenApi();
+
+        app.UseHttpsRedirection();
+
+        app.UseAuthentication();
+        app.UseAuthorization();
+
+        app.MapControllers();
+
+        app.UseSerilogRequestLogging(opts =>
+        {
+            opts.MessageTemplate = "HTTP {RequestMethod} {RequestPath} responded {StatusCode} in {Elapsed:0.0000} ms";
+        });
+
+        app.Use(async (ctx, next) =>
+        {
+            var traceId = Activity.Current?.TraceId.ToString() ?? ctx.TraceIdentifier;
+            using (Serilog.Context.LogContext.PushProperty("TraceId", traceId))
+            {
+                ctx.Response.Headers["x-trace-id"] = traceId;
+                await next();
+            }
+        });
+
+        return app;
+    }
+
+    public static void MapAppEndpoints(this WebApplication app)
+    {
+        app.MapGet("/health", () => Results.Ok(new { status = "ok" }));
+
+        app.MapSearchEndpoints();
+        app.MapAuthenticationEndpoints();
+    }
+
+    private static void MapSearchEndpoints(this WebApplication app)
+    {
+        app.MapPost("/api/circles/search", async (
+            SearchCirclesRequest request,
+            SearchCirclesHandler handler,
+            CancellationToken ct) =>
+        {
+            try
+            {
+                var result = await handler.HandleAsync(request, ct);
+                return Results.Ok(result);
+            }
+            catch (OperationCanceledException) when (ct.IsCancellationRequested)
+            {
+                return Results.StatusCode(StatusCodes.Status499ClientClosedRequest);
+            }
+        });
+
+        app.MapPost("/api/voiceworks/search", async (
+            SearchVoiceWorksRequest request,
+            SearchVoiceWorksHandler handler,
+            CancellationToken ct) =>
+        {
+            var result = await handler.HandleAsync(request, ct);
+            return Results.Ok(result);
+        });
+
+        app.MapPost("/api/tags/search", async (
+            SearchTagsRequest request,
+            SearchTagsHandler handler,
+            CancellationToken ct) =>
+        {
+            var result = await handler.HandleAsync(request, ct);
+            return Results.Ok(result);
+        });
+
+        app.MapPost("/api/creators/search", async (
+            SearchCreatorsRequest request,
+            SearchCreatorsHandler handler,
+            CancellationToken ct) =>
+        {
+            var result = await handler.HandleAsync(request, ct);
+            return Results.Ok(result);
+        });
+    }
+
+    private static void MapAuthenticationEndpoints(this WebApplication app)
+    {
+        app.MapPost("/auth/login", async (LoginRequest req, IUserRepository users, HttpContext http) =>
+        {
+            var user = await users.FindByUsernameAsync(req.Username);
+            if (user is null || !user.IsActive)
+                return Results.Unauthorized();
+
+            if (!users.VerifyPassword(user, req.Password))
+                return Results.Unauthorized();
+
+            var claims = new List<Claim>
+            {
+                new(ClaimTypes.NameIdentifier, user.Id.ToString()),
+                new(ClaimTypes.Name, user.Username),
+                new(ClaimTypes.Role, user.Role ?? "User")
+            };
+
+            var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
+            var principal = new ClaimsPrincipal(identity);
+
+            await http.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal);
+            return Results.Ok(new { ok = true });
+        });
+
+        app.MapPost("/auth/logout", async (HttpContext http) =>
+        {
+            await http.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
+            return Results.Ok(new { ok = true });
+        });
+
+        app.MapGet("/api/me", (ClaimsPrincipal user) =>
+        {
+            return Results.Ok(new
+            {
+                name = user.Identity?.Name,
+                id = user.FindFirstValue(ClaimTypes.NameIdentifier),
+                role = user.FindFirstValue(ClaimTypes.Role)
+            });
+        }).RequireAuthorization();
+    }
+
+    public record LoginRequest(string Username, string Password);
+}

JSMR.Api/appsettings.json

@@ -6,6 +6,15 @@
     }
   },
   "AllowedHosts": "*",
+  "Cors": {
+    "AllowedOrigins": [
+      "https://localhost:5173", // vite-like
+      "https://localhost:5001", // typical https dev
+      "http://localhost:5000", // typical http dev
+      "https://localhost:7112", // blazor wasm dev https (adjust to your port)
+      "http://localhost:5153" // blazor wasm dev http (adjust to your port)
+    ]
+  },
   "Serilog": {
     "MinimumLevel": {
       "Default": "Information",