Refactor erroror (#22)

* feat(validation): add ValidationHelper for FluentValidation integration

refactor(validators): update password validation to use IdmtPasswordOptions

chore(solution): remove old .sln file and add new .slnx format

fix(dependencies): update package versions for Idmt.BasicSample project

test(integration): remove obsolete system info tests from AdminIntegrationTests

test(integration): update AuthIntegrationTests to reflect new endpoint naming conventions

test(integration): modify ManageIntegrationTests to use new reset-password endpoint

test(integration): adjust MultiTenancyIntegrationTests for updated endpoint paths

chore(tests): update Idmt.UnitTests project dependencies and remove unused tests

test(unit): refactor ValidatorsTests to use IdmtPasswordOptions and remove obsolete validations

* feat(auth): require authorization for logout endpoint

feat(auth): enhance refresh token handling with tenant validation

fix(auth): add logging for password reset errors

refactor(health): simplify health check by removing tenant user count

feat(manage): update GetUserInfo to return detailed errors

refactor(manage): streamline user registration process

fix(manage): ensure user info updates only when changes occur

fix(middleware): improve error handling in ValidateBearerTokenTenantMiddleware

fix(persistence): use enum for audit actions in IdmtDbContext

chore(tests): add unit tests for tenant operation service

chore(tests): implement fluent validation tests for various requests

chore(tests): update integration tests for tenant management

* fix: address 8 high-priority bugs across auth, admin, and health endpoints

Security:
- Close refresh token tenant validation bypass by rejecting when tenant
  claim or context is null instead of silently allowing through
- Block inactive users from resetting passwords via ResetPassword endpoint

Correctness:
- Return Unhealthy when database CanConnectAsync returns false (was always
  reporting Healthy) and propagate CancellationToken
- Convert Logout handler to ErrorOr pattern with proper error handling
  instead of re-throwing raw exceptions to the client
- Map Tenant.NotResolved (Validation type) to 400 in login endpoints
  instead of falling through to the default 500 arm
- Return 409 Conflict when creating a tenant that already exists and is
  active, instead of silently returning 201 Created

API consistency:
- Rename RevokeTenantAccess route param from tenantId to tenantIdentifier
  to match GrantTenantAccess endpoint convention
- Remove dead Ok<AccessTokenResponse> from RefreshToken Results<> type
  union since only SignInHttpResult is returned on success

* feat: enhance tenant management with validation and logging improvements

* Add unit tests for user info update handler and middleware

- Implement `UpdateUserInfoHandlerTests` to validate user info update logic, including scenarios for missing claims, inactive users, and unchanged fields.
- Add `CurrentUserMiddlewareTests` to ensure current user is set correctly from authenticated requests.
- Enhance `ValidateBearerTokenTenantMiddlewareTests` with additional tests for empty tenant claims and custom claim types.
- Create `IdmtTenantInfoTests` to validate tenant info model behavior and constraints.
- Introduce `TokenRevocationServiceTests` to verify token revocation logic and cleanup of expired tokens.
- Update `FluentValidatorTests` to check password reset request validation for weak passwords.
- Modify `IdmtLinkGeneratorTests` to ensure email confirmation links are generated correctly with Base64 URL encoding.
- Update project dependencies in `Idmt.UnitTests.csproj` for SQLite and testing utilities.

* fix(tests): update RefreshTokenHandlerTests to handle null tenant context correctly

* feat: add TokenRevocationCleanupService and enhance authorization for tenant management endpoints

* feat(auth): Implement rate limiting for authentication endpoints

- Added a rate limiter policy to the authentication endpoints to prevent brute-force attacks and email flooding.
- Integrated the rate limiting feature based on configuration options.

refactor(manage): Change user role representation to a list

- Updated the GetUserInfo response to return a list of roles instead of a single role.
- Adjusted related tests to validate the new roles structure.

chore(project): Add Microsoft.AspNetCore.App framework reference

- Included a framework reference for Microsoft.AspNetCore.App in the project file.

fix(token): Handle concurrent token revocation gracefully

- Implemented a retry mechanism for concurrent token revocation to ensure correct expiration handling.
- Added tests to verify the behavior under race conditions.

test(tests): Enhance integration tests for user management and authentication

- Updated tests to reflect changes in user roles and authentication flow.
- Added new tests for pagination and role retrieval in user management.

test(tests): Add unit tests for IdmtOptions and RateLimitingOptions

- Created unit tests to validate the configuration options for IdmtOptions and RateLimitingOptions.
- Ensured default values and custom configurations are correctly handled.

test(tests): Improve LogoutHandler tests for tenant context handling

- Enhanced tests for LogoutHandler to verify behavior with tenant context and claims.
- Added assertions for logging warnings when tenant information is missing.

* feat(auth): Enhance login and refresh token handling with improved error responses and options integration

- Added handling for locked-out users during login attempts in Login.cs.
- Integrated IdmtOptions for cookie expiration in login authentication properties.
- Updated refresh token logic to utilize DateTimeOffset for issued and expiration times in RefreshToken.cs.
- Refactored middleware to return ProblemDetails for unauthorized and forbidden responses in ValidateBearerTokenTenantMiddleware.cs.
- Changed timestamp properties in IdmtAuditLog, IdmtUser, RevokedToken, and TenantAccess models to DateTimeOffset for better time zone handling.
- Updated database context to store DateTimeOffset as UTC ticks for compatibility across providers.
- Modified token revocation service to accept DateTimeOffset for issuedAt parameter.
- Introduced IdmtEmailSenderStartupCheck to warn about unconfigured email sender at startup.
- Enhanced unit tests to cover new locked-out scenarios and updated date handling.

* refactor(errors): Clean up error definitions and formatting in IdmtErrors class

* refactor(auth): Update authorization policies to require SysUserPolicy for tenant access operations

* refactor(ci): Update solution file references from .sln to .slnx in CI workflows

---------

Author: idotta

.github/workflows/ci.yml

@@ -20,19 +20,19 @@ jobs:
         dotnet-version: 9.0.x
 
     - name: Restore dependencies
-      run: dotnet restore src/Idmt.sln
+      run: dotnet restore src/Idmt.slnx
 
     - name: Format check
-      run: dotnet format src/Idmt.sln --verify-no-changes --verbosity diagnostic
+      run: dotnet format src/Idmt.slnx --verify-no-changes --verbosity diagnostic
 
     - name: Build
-      run: dotnet build src/Idmt.sln --no-restore --configuration Release /p:TreatWarningsAsErrors=true
+      run: dotnet build src/Idmt.slnx --no-restore --configuration Release /p:TreatWarningsAsErrors=true
 
     - name: Run analyzers
-      run: dotnet build src/Idmt.sln --no-restore --configuration Release /p:RunAnalyzers=true /p:EnforceCodeStyleInBuild=true
+      run: dotnet build src/Idmt.slnx --no-restore --configuration Release /p:RunAnalyzers=true /p:EnforceCodeStyleInBuild=true
 
     - name: Test
-      run: dotnet test src/Idmt.sln --no-build --configuration Release --verbosity normal
+      run: dotnet test src/Idmt.slnx --no-build --configuration Release --verbosity normal
 
     - name: Pack
       run: dotnet pack src/Idmt.Plugin/Idmt.Plugin.csproj --no-build --configuration Release --output .

.github/workflows/publish.yml

@@ -16,13 +16,13 @@ jobs:
           dotnet-version: 9.0.x
 
       - name: Restore dependencies
-        run: dotnet restore src/Idmt.sln
+        run: dotnet restore src/Idmt.slnx
 
       - name: Build
-        run: dotnet build src/Idmt.sln --no-restore --configuration Release
+        run: dotnet build src/Idmt.slnx --no-restore --configuration Release
 
       - name: Test
-        run: dotnet test src/Idmt.sln --no-build --configuration Release
+        run: dotnet test src/Idmt.slnx --no-build --configuration Release
 
       - name: Set Version
         id: get_version

.gitignore

@@ -58,3 +58,5 @@ nunit-*.xml
 *.db
 *.db-shm
 *.db-wal
+
+.claude/settings.local.json

src/Idmt.Plugin/Configuration/IdmtEndpointNames.cs

@@ -0,0 +1,8 @@
+namespace Idmt.Plugin.Configuration;
+
+internal static class IdmtEndpointNames
+{
+    public const string ConfirmEmail = "ConfirmEmail";
+    public const string ConfirmEmailDirect = "ConfirmEmail-direct";
+    public const string PasswordReset = "ResetPassword";
+}

src/Idmt.Plugin/Configuration/IdmtOptions.cs

@@ -24,7 +24,7 @@ public class IdmtOptions
     /// <summary>
     /// Identity configuration options
     /// </summary>
-    public AuthOptions Identity { get; set; } = new();
+    public IdmtAuthOptions Identity { get; set; } = new();
 
     /// <summary>
     /// Multi-tenant configuration options
@@ -35,15 +35,45 @@ public class IdmtOptions
     /// Database configuration options
     /// </summary>
     public DatabaseOptions Database { get; set; } = new();
+
+    /// <summary>
+    /// Rate limiting configuration options for auth endpoints
+    /// </summary>
+    public RateLimitingOptions RateLimiting { get; set; } = new();
+
+}
+
+/// <summary>
+/// Controls how email confirmation links behave.
+/// </summary>
+public enum EmailConfirmationMode
+{
+    /// <summary>
+    /// Email link points to GET /auth/confirm-email on the server, which confirms
+    /// the email directly (like Microsoft's reference implementation).
+    /// No client-side form needed for email confirmation.
+    /// </summary>
+    ServerConfirm,
+
+    /// <summary>
+    /// Email link points to ClientUrl/ConfirmEmailFormPath on the client app.
+    /// The client reads the token from the URL and calls POST /auth/confirm-email.
+    /// Default for SPA/mobile apps.
+    /// </summary>
+    ClientForm
 }
 
 /// <summary>
 /// Application configuration options
 /// </summary>
 public class ApplicationOptions
 {
-    public const string PasswordResetEndpointName = "ResetPassword";
-    public const string ConfirmEmailEndpointName = "ConfirmEmail";
+    /// <summary>
+    /// URI prefix applied to all IDMT endpoint groups (/auth, /manage, /admin, /health).
+    /// Defaults to "/api/v1". Set to "" to restore the legacy unprefixed behavior.
+    /// Examples: "/api/v1", "/v2", "/api/v2", ""
+    /// </summary>
+    public string ApiPrefix { get; set; } = "/api/v1";
 
     /// <summary>
     /// Base URL of the client application, if any (e.g. "https://myapp.com")
@@ -57,12 +87,19 @@ public class ApplicationOptions
 
     public string ResetPasswordFormPath { get; set; } = "/reset-password";
     public string ConfirmEmailFormPath { get; set; } = "/confirm-email";
+
+    /// <summary>
+    /// Controls how email confirmation links are generated.
+    /// ServerConfirm: link hits GET /auth/confirm-email which confirms directly.
+    /// ClientForm: link points to ClientUrl/ConfirmEmailFormPath for SPA handling.
+    /// </summary>
+    public EmailConfirmationMode EmailConfirmationMode { get; set; } = EmailConfirmationMode.ClientForm;
 }
 
 /// <summary>
 /// ASP.NET Core Identity configuration
 /// </summary>
-public class AuthOptions
+public class IdmtAuthOptions
 {
     public const string CookieOrBearerScheme = "CookieOrBearer";
 
@@ -75,7 +112,7 @@ public class AuthOptions
     /// <summary>
     /// Password requirements
     /// </summary>
-    public PasswordOptions Password { get; set; } = new();
+    public IdmtPasswordOptions Password { get; set; } = new();
 
     /// <summary>
     /// User requirements
@@ -90,7 +127,7 @@ public class AuthOptions
     /// <summary>
     /// Cookie configuration options
     /// </summary>
-    public CookieOptions Cookie { get; set; } = new();
+    public IdmtCookieOptions Cookie { get; set; } = new();
 
     /// <summary>
     /// Bearer token configuration options
@@ -106,13 +143,13 @@ public class AuthOptions
 /// <summary>
 /// Password configuration options
 /// </summary>
-public class PasswordOptions
+public class IdmtPasswordOptions
 {
     public bool RequireDigit { get; set; } = true;
     public bool RequireLowercase { get; set; } = true;
     public bool RequireUppercase { get; set; } = true;
     public bool RequireNonAlphanumeric { get; set; } = false;
-    public int RequiredLength { get; set; } = 6;
+    public int RequiredLength { get; set; } = 8;
     public int RequiredUniqueChars { get; set; } = 1;
 }
 
@@ -130,19 +167,34 @@ public class UserOptions
 /// </summary>
 public class SignInOptions
 {
-    public bool RequireConfirmedEmail { get; set; } = false;
+    public bool RequireConfirmedEmail { get; set; } = true;
     public bool RequireConfirmedPhoneNumber { get; set; } = false;
 }
 
 /// <summary>
 /// Cookie configuration options
 /// </summary>
-public class CookieOptions
+public class IdmtCookieOptions
 {
     public string Name { get; set; } = ".Idmt.Application";
     public bool HttpOnly { get; set; } = true;
-    public Microsoft.AspNetCore.Http.CookieSecurePolicy SecurePolicy { get; set; } = Microsoft.AspNetCore.Http.CookieSecurePolicy.SameAsRequest;
-    public Microsoft.AspNetCore.Http.SameSiteMode SameSite { get; set; } = Microsoft.AspNetCore.Http.SameSiteMode.Lax;
+    public Microsoft.AspNetCore.Http.CookieSecurePolicy SecurePolicy { get; set; } = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
+
+    /// <summary>
+    /// Controls the SameSite attribute of the authentication cookie.
+    /// Defaults to <see cref="Microsoft.AspNetCore.Http.SameSiteMode.Strict"/>, which means the
+    /// browser will never send the cookie on cross-site requests (neither top-level navigations
+    /// nor sub-resource loads). This is the strongest available CSRF protection at the cookie
+    /// layer and removes the need for anti-forgery tokens on state-mutating endpoints that rely
+    /// solely on cookie authentication.
+    ///
+    /// Change to <see cref="Microsoft.AspNetCore.Http.SameSiteMode.Lax"/> only if your
+    /// application requires cookie preservation on top-level cross-site GET navigations (e.g.
+    /// OAuth / OIDC redirect flows), and compensate with explicit anti-forgery validation on
+    /// every state-mutating endpoint.
+    /// </summary>
+    public Microsoft.AspNetCore.Http.SameSiteMode SameSite { get; set; } = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
+
     public TimeSpan ExpireTimeSpan { get; set; } = TimeSpan.FromDays(14);
     public bool SlidingExpiration { get; set; } = true;
     public bool IsRedirectEnabled { get; set; } = false;
@@ -191,7 +243,7 @@ public class MultiTenantOptions
     /// </summary>
     public const string DefaultTenantIdentifier = "system-tenant";
 
-    public string DefaultTenantDisplayName { get; set; } = "System Tenant";
+    public string DefaultTenantName { get; set; } = "System Tenant";
 
     /// <summary>
     /// Tenant resolution strategy (header, subdomain, etc.)
@@ -204,18 +256,65 @@ public class MultiTenantOptions
     public Dictionary<string, string> StrategyOptions { get; set; } = [];
 }
 
+/// <summary>
+/// Controls how the IDMT database schema is initialized on startup.
+/// </summary>
+public enum DatabaseInitializationMode
+{
+    /// <summary>
+    /// Use EF Core Migrations. Consumers must create and apply migrations themselves.
+    /// Recommended for production. Default.
+    /// </summary>
+    Migrate,
+
+    /// <summary>
+    /// Use EnsureCreated for quick setup. Not compatible with migrations.
+    /// Suitable for development, testing, and prototyping only.
+    /// </summary>
+    EnsureCreated,
+
+    /// <summary>
+    /// Skip automatic database initialization. Consumer manages the database schema externally.
+    /// </summary>
+    None
+}
+
 /// <summary>
 /// Database configuration options
 /// </summary>
 public class DatabaseOptions
 {
     /// <summary>
-    /// Connection string template with placeholder for tenant's properties
+    /// Controls how the database schema is initialized on startup.
+    /// <see cref="DatabaseInitializationMode.Migrate"/> runs EF Core migrations and is the
+    /// default for production use. <see cref="DatabaseInitializationMode.EnsureCreated"/> is
+    /// suitable for development, testing, and prototyping where migrations are not used.
+    /// <see cref="DatabaseInitializationMode.None"/> skips initialization entirely and leaves
+    /// schema management to the consumer.
+    /// </summary>
+    public DatabaseInitializationMode DatabaseInitialization { get; set; } = DatabaseInitializationMode.Migrate;
+}
+
+/// <summary>
+/// Rate limiting configuration for IDMT auth endpoints.
+/// When enabled, a fixed-window limiter named "idmt-auth" is registered and applied
+/// to all authentication endpoints (login, token, forgot-password, etc.) to protect
+/// against brute-force and email-flooding attacks.
+/// </summary>
+public class RateLimitingOptions
+{
+    /// <summary>
+    /// Enable built-in rate limiting for auth endpoints. Default: true.
+    /// </summary>
+    public bool Enabled { get; set; } = true;
+
+    /// <summary>
+    /// Maximum number of requests allowed per window for auth endpoints. Default: 10.
     /// </summary>
-    public string ConnectionStringTemplate { get; set; } = string.Empty;
+    public int PermitLimit { get; set; } = 10;
 
     /// <summary>
-    /// Auto-migrate database on startup
+    /// Duration of the sliding window in seconds. Default: 60.
     /// </summary>
-    public bool AutoMigrate { get; set; } = false;
+    public int WindowInSeconds { get; set; } = 60;
 }

src/Idmt.Plugin/Configuration/IdmtOptionsValidator.cs

@@ -0,0 +1,95 @@
+using Microsoft.Extensions.Options;
+
+namespace Idmt.Plugin.Configuration;
+
+/// <summary>
+/// Validates <see cref="IdmtOptions"/> at application startup so that
+/// misconfigured options are reported immediately rather than causing
+/// unexpected failures at runtime.
+/// </summary>
+public sealed class IdmtOptionsValidator : IValidateOptions<IdmtOptions>
+{
+    /// <inheritdoc />
+    public ValidateOptionsResult Validate(string? name, IdmtOptions options)
+    {
+        var failures = new List<string>();
+
+        ValidateApplicationOptions(options.Application, failures);
+        ValidateMultiTenantOptions(options.MultiTenant, failures);
+
+        return failures.Count > 0
+            ? ValidateOptionsResult.Fail(failures)
+            : ValidateOptionsResult.Success;
+    }
+
+    private static void ValidateApplicationOptions(ApplicationOptions application, List<string> failures)
+    {
+        // Rule 1: ApiPrefix must not be null or empty.
+        // An empty string is the documented opt-out for legacy unprefixed behavior,
+        // but null indicates the property was explicitly cleared and is misconfigured.
+        if (application.ApiPrefix is null)
+        {
+            failures.Add(
+                $"{nameof(IdmtOptions.Application)}.{nameof(ApplicationOptions.ApiPrefix)} must not be null. " +
+                "Use an empty string \"\" to disable the prefix or provide a value such as \"/api/v1\".");
+        }
+
+        // Rule 2: When EmailConfirmationMode is ClientForm, ClientUrl is required.
+        if (application.EmailConfirmationMode == EmailConfirmationMode.ClientForm &&
+            string.IsNullOrWhiteSpace(application.ClientUrl))
+        {
+            failures.Add(
+                $"{nameof(IdmtOptions.Application)}.{nameof(ApplicationOptions.ClientUrl)} must not be null or empty " +
+                $"when {nameof(ApplicationOptions.EmailConfirmationMode)} is {nameof(EmailConfirmationMode.ClientForm)}.");
+        }
+
+        // Rule 3: When ClientUrl is set, the client-side form paths must also be configured.
+        if (!string.IsNullOrWhiteSpace(application.ClientUrl))
+        {
+            if (string.IsNullOrWhiteSpace(application.ConfirmEmailFormPath))
+            {
+                failures.Add(
+                    $"{nameof(IdmtOptions.Application)}.{nameof(ApplicationOptions.ConfirmEmailFormPath)} must not be null or empty " +
+                    $"when {nameof(ApplicationOptions.ClientUrl)} is set.");
+            }
+
+            if (string.IsNullOrWhiteSpace(application.ResetPasswordFormPath))
+            {
+                failures.Add(
+                    $"{nameof(IdmtOptions.Application)}.{nameof(ApplicationOptions.ResetPasswordFormPath)} must not be null or empty " +
+                    $"when {nameof(ApplicationOptions.ClientUrl)} is set.");
+            }
+        }
+    }
+
+    private static void ValidateMultiTenantOptions(MultiTenantOptions multiTenant, List<string> failures)
+    {
+        // Rule 4: The constant DefaultTenantIdentifier is a compile-time value and cannot be
+        // null or empty. Validate it defensively so that any future refactor to an instance
+        // property is caught immediately.
+        if (string.IsNullOrWhiteSpace(MultiTenantOptions.DefaultTenantIdentifier))
+        {
+            failures.Add(
+                $"{nameof(IdmtOptions.MultiTenant)}.{nameof(MultiTenantOptions.DefaultTenantIdentifier)} must not be null or empty.");
+        }
+
+        // Rule 5: DefaultTenantName is configurable and must not be null or empty.
+        if (string.IsNullOrWhiteSpace(multiTenant.DefaultTenantName))
+        {
+            failures.Add(
+                $"{nameof(IdmtOptions.MultiTenant)}.{nameof(MultiTenantOptions.DefaultTenantName)} must not be null or empty.");
+        }
+
+        // Rule 6: At least one tenant resolution strategy must be configured.
+        // The Strategies array controls which strategies (header, claim, route, basepath) are
+        // active. An empty array means no tenant can ever be resolved, which is always a
+        // misconfiguration. StrategyOptions holds per-strategy overrides and may be empty.
+        if (multiTenant.Strategies.Length == 0)
+        {
+            failures.Add(
+                $"{nameof(IdmtOptions.MultiTenant)}.{nameof(MultiTenantOptions.Strategies)} must contain at least one entry. " +
+                $"Supported values: {IdmtMultiTenantStrategy.Header}, {IdmtMultiTenantStrategy.Claim}, " +
+                $"{IdmtMultiTenantStrategy.Route}, {IdmtMultiTenantStrategy.BasePath}.");
+        }
+    }
+}

src/Idmt.Plugin/Constants/AuditAction.cs

@@ -0,0 +1,8 @@
+namespace Idmt.Plugin.Constants;
+
+public enum AuditAction
+{
+    Created,
+    Modified,
+    Deleted
+}

src/Idmt.Plugin/Constants/IdmtClaimTypes.cs

@@ -0,0 +1,6 @@
+namespace Idmt.Plugin.Constants;
+
+public static class IdmtClaimTypes
+{
+    public const string IsActive = "is_active";
+}