todo: fix google and local login problems

Author: Khumeren

Rgt.Space.API/Endpoints/Auth/Login/Endpoint.cs

@@ -0,0 +1,66 @@
+using FastEndpoints;
+using MediatR;
+using Rgt.Space.API.ProblemDetails;
+using LoginCommand = Rgt.Space.Infrastructure.Commands.Auth.Login;
+
+namespace Rgt.Space.API.Endpoints.Auth.Login;
+
+public class LoginRequest
+{
+    public string Email { get; set; } = default!;
+    public string Password { get; set; } = default!;
+}
+
+public class LoginResponse
+{
+    public string AccessToken { get; set; } = default!;
+    public string RefreshToken { get; set; } = default!;
+    public DateTime ExpiresAt { get; set; }
+    public string UserId { get; set; } = default!;
+    public string DisplayName { get; set; } = default!;
+    public string Email { get; set; } = default!;
+}
+
+public sealed class Endpoint(IMediator mediator) : Endpoint<LoginRequest, LoginResponse>
+{
+    public override void Configure()
+    {
+        Post("/api/v1/auth/login");
+        AllowAnonymous(); // Login doesn't require authentication
+        Summary(s =>
+        {
+            s.Summary = "Local login with email and password";
+            s.Description = "Authenticates a user with email/password and returns JWT tokens";
+            s.Response<LoginResponse>(200, "Login successful");
+            s.Response(400, "Validation failure");
+            s.Response(401, "Invalid credentials");
+            s.Response(403, "Account disabled or local login not enabled");
+        });
+        Tags("Authentication");
+    }
+
+    public override async Task HandleAsync(LoginRequest req, CancellationToken ct)
+    {
+        var command = new LoginCommand.Command(req.Email, req.Password);
+        var result = await mediator.Send(command, ct);
+
+        if (result.IsFailed)
+        {
+            var problemDetails = result.ToProblemDetails(HttpContext);
+            await HttpContext.Response.SendAsync(problemDetails, problemDetails.Status ?? 500, cancellation: ct);
+            return;
+        }
+
+        var response = new LoginResponse
+        {
+            AccessToken = result.Value.AccessToken,
+            RefreshToken = result.Value.RefreshToken,
+            ExpiresAt = result.Value.ExpiresAt,
+            UserId = result.Value.UserId.ToString(),
+            DisplayName = result.Value.DisplayName,
+            Email = result.Value.Email
+        };
+
+        await HttpContext.Response.SendAsync(response, 200, cancellation: ct);
+    }
+}

Rgt.Space.API/ProblemDetails/ProblemDetailsFactory.cs

@@ -7,7 +7,6 @@ namespace Rgt.Space.API.ProblemDetails
     /// <summary>
     /// Factory for creating RFC 7807 ProblemDetails responses enriched with:
     /// - Correlation ID (for request tracing)
-    /// - Tenant ID (for multi-tenant context)
     /// - Error code (for client-side handling)
     /// - Trace ID (for distributed tracing)
     /// </summary>

Rgt.Space.API/Program.cs

@@ -83,139 +83,209 @@
         });
     });
 
-    // Add Authentication with JWT Bearer (RSA-SHA256 via OIDC Discovery)
-    builder.Services.AddAuthentication(Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerDefaults.AuthenticationScheme)
-        .AddJwtBearer(options =>
+    // Add Authentication with DUAL JWT Bearer support:
+    // 1. SSO Broker tokens (RSA-SHA256 via OIDC Discovery)
+    // 2. Local Login tokens (HMAC-SHA256 symmetric)
+    builder.Services.AddAuthentication(options =>
+        {
+            options.DefaultAuthenticateScheme = "MultiScheme";
+            options.DefaultChallengeScheme = "MultiScheme";
+        })
+        .AddJwtBearer("SsoBearer", options =>
         {
             var authConfig = builder.Configuration.GetSection("Auth");
 
-            // Disable claim type mapping to keep claims as-is (e.g. "sub" -> "sub")
+            // Disable claim type mapping to keep claims as-is
             options.MapInboundClaims = false;
 
             // Point to SSO Broker for OIDC Discovery
             options.Authority = authConfig["Authority"];
             options.Audience = authConfig["Audience"];
 
-            // Enable HTTPS metadata discovery (set to false ONLY for localhost dev with self-signed certs)
+            // Enable HTTPS metadata discovery (set to false ONLY for localhost dev)
             options.RequireHttpsMetadata = false; // TODO: Set to true in production
 
             // Token validation parameters
             options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
             {
                 ValidateIssuer = true,
                 ValidIssuer = authConfig["Authority"],
-
                 ValidateAudience = true,
                 ValidAudience = authConfig["Audience"],
-
                 ValidateLifetime = true,
                 ClockSkew = TimeSpan.FromMinutes(5),
             };
 
-            // DEV ONLY: DIAGNOSTIC - Hardcode the key to bypass Discovery issues
+            // DEV ONLY: Hardcode RSA key to bypass Discovery issues
             if (builder.Environment.IsDevelopment())
             {
                 try 
                 {
                     var rsa = System.Security.Cryptography.RSA.Create();
                     rsa.ImportParameters(new System.Security.Cryptography.RSAParameters
                     {
-                        // Values from https://localhost:7012/.well-known/jwks.json
                         Modulus = Microsoft.IdentityModel.Tokens.Base64UrlEncoder.DecodeBytes("rNH-ckvzkKRcqAKmb8CDdABZ-4_fUgI-vjSRoDfz-kCDtFdxTD69XvqUGP4NRyPXiSwI3ODh1_iBv-eg1RCBB8iA8eNLHuD5VbeMq4J5_ktCUjAUBQ783cs9R_7RKyLRrlW-Cq0EiZ-Z0I5vyWE9yzCN7Mf1MU2cn4GnAxMsJFlMwNEstbupqZWIgZXqLxrHcXcUpS-zpPkJULI4tDsUTjXMih8hU2ikrb_EltNYi0tcIBV6TfoBEc3OGiz8ao4mZ8UiKLBMwUi00qvQRtGl3xm0idh3sF2sGunIkTlRFtsBzjNpTqcAotyRXTNuQOTExX_dRL8C74eHUwd2J9quQQ"),
                         Exponent = Microsoft.IdentityModel.Tokens.Base64UrlEncoder.DecodeBytes("AQAB")
                     });
 
                     var key = new Microsoft.IdentityModel.Tokens.RsaSecurityKey(rsa) { KeyId = "rsa-2025-11-27" };
 
-                    // FORCE THE KEY and DISABLE DISCOVERY
                     options.TokenValidationParameters.IssuerSigningKey = key;
                     options.Configuration = new Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfiguration
                     {
                         Issuer = authConfig["Authority"],
                     };
                     options.Configuration.SigningKeys.Add(key);
 
-                    Log.Warning("DEV MODE: Using Hardcoded RSA Key for Token Validation to bypass OIDC Discovery.");
+                    Log.Warning("DEV MODE: SsoBearer using Hardcoded RSA Key.");
                 }
                 catch (Exception ex)
                 {
-                    Log.Error(ex, "Failed to configure hardcoded key.");
+                    Log.Error(ex, "Failed to configure SSO hardcoded key.");
                 }
             }
-            else 
-            {
-                // Production or other envs: Use standard discovery
-                // (The previous explicit config manager code was removed for this test, 
-                // but in prod we would just rely on default behavior)
-            }
 
-            // JIT User Provisioning: Sync user from SSO on every token validation
+            // JIT User Provisioning for SSO tokens
             options.Events = new Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerEvents
             {
                 OnTokenValidated = async context =>
                 {
-                    // DEBUG: Log all claims to see what we are actually getting
                     var claims = context.Principal?.Claims.Select(c => $"{c.Type}: {c.Value}").ToList();
                     var logger = context.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>();
                     logger.LogInformation("SSO Token Validated. Claims: {Claims}", string.Join(", ", claims ?? new List<string>()));
 
-                    // Extract claims from the validated token
-                    // Try standard short names first, then fallback to SOAP/XML names if needed
                     var subject = context.Principal?.FindFirst("sub")?.Value 
                                   ?? context.Principal?.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier)?.Value;
-                                  
                     var email = context.Principal?.FindFirst("email")?.Value 
                                 ?? context.Principal?.FindFirst(System.Security.Claims.ClaimTypes.Email)?.Value;
-                                
                     var name = context.Principal?.FindFirst("name")?.Value 
-                               ?? context.Principal?.FindFirst(System.Security.Claims.ClaimTypes.Name)?.Value 
-                               ?? email;
-                               
+                               ?? context.Principal?.FindFirst(System.Security.Claims.ClaimTypes.Name)?.Value ?? email;
                     var issuer = context.Principal?.FindFirst("iss")?.Value;
 
                     if (string.IsNullOrEmpty(subject) || string.IsNullOrEmpty(email))
                     {
-                        logger.LogError("Token is missing required claims. Sub: {Sub}, Email: {Email}", subject, email);
+                        logger.LogError("SSO Token missing required claims. Sub: {Sub}, Email: {Email}", subject, email);
                         context.Fail("Token is missing required claims (sub, email)");
                         return;
                     }
 
-                    // Determine provider from issuer (e.g., "https://localhost:7012" -> "sso_broker")
                     var provider = issuer?.Contains("localhost") == true ? "sso_broker" : "azuread";
 
                     try
                     {
-                        // Resolve Identity Sync Service and sync the user
                         var syncService = context.HttpContext.RequestServices
                             .GetRequiredService<Rgt.Space.Core.Abstractions.Identity.IIdentitySyncService>();
-
-                        // Sync user and get Local ID
                         var localUserId = await syncService.SyncOrGetUserAsync(provider, subject, email, name!, context.HttpContext.RequestAborted);
 
-                        // Attach Local ID to Principal
                         var claimsIdentity = context.Principal?.Identity as System.Security.Claims.ClaimsIdentity;
                         claimsIdentity?.AddClaim(new System.Security.Claims.Claim("x-local-user-id", localUserId.ToString()));
                     }
                     catch (Exception ex)
                     {
-                        // Log the error but don't fail authentication (user might already exist)
                         logger.LogError(ex, "Failed to sync user from SSO. Subject: {Subject}, Email: {Email}", subject, email);
-
-                        // Don't fail auth - user might already be provisioned
-                        // context.Fail() would reject valid tokens which is worse than missing a sync
                     }
                 },
+                OnAuthenticationFailed = context =>
+                {
+                    var logger = context.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>();
+                    logger.LogDebug("SSO Authentication failed: {Exception}", context.Exception.Message);
+                    return Task.CompletedTask;
+                }
+            };
+        })
+        .AddJwtBearer("LocalBearer", options =>
+        {
+            var localAuthConfig = builder.Configuration.GetSection("LocalAuth");
+
+            // Disable claim type mapping
+            options.MapInboundClaims = false;
 
+            // Local token validation parameters (HMAC-SHA256)
+            options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
+            {
+                ValidateIssuer = true,
+                ValidIssuer = localAuthConfig["Issuer"] ?? "rgt-space-portal",
+                
+                ValidateAudience = true,
+                ValidAudience = localAuthConfig["Audience"] ?? "rgt-space-portal-api",
+                
+                ValidateLifetime = true,
+                ClockSkew = TimeSpan.FromMinutes(5),
+                
+                ValidateIssuerSigningKey = true,
+                IssuerSigningKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(
+                    System.Text.Encoding.UTF8.GetBytes(
+                        localAuthConfig["SigningKey"] ?? "YourSuperSecretLocalSigningKey_ChangeThisInProduction_MustBe32CharactersLong!")),
+            };
+
+            options.Events = new Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerEvents
+            {
+                OnTokenValidated = context =>
+                {
+                    var logger = context.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>();
+                    var claims = context.Principal?.Claims.Select(c => $"{c.Type}: {c.Value}").ToList();
+                    logger.LogInformation("Local Token Validated. Claims: {Claims}", string.Join(", ", claims ?? new List<string>()));
+                    
+                    // For local tokens, the "sub" claim IS the local user ID
+                    var userId = context.Principal?.FindFirst("sub")?.Value;
+                    if (!string.IsNullOrEmpty(userId))
+                    {
+                        var claimsIdentity = context.Principal?.Identity as System.Security.Claims.ClaimsIdentity;
+                        claimsIdentity?.AddClaim(new System.Security.Claims.Claim("x-local-user-id", userId));
+                    }
+                    
+                    return Task.CompletedTask;
+                },
                 OnAuthenticationFailed = context =>
                 {
-                    var logger = context.HttpContext.RequestServices
-                        .GetRequiredService<ILogger<Program>>();
-                    logger.LogWarning("JWT Authentication failed: {Exception}", context.Exception.Message);
+                    var logger = context.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>();
+                    logger.LogDebug("Local Authentication failed: {Exception}", context.Exception.Message);
                     return Task.CompletedTask;
                 }
             };
+        })
+        .AddPolicyScheme("MultiScheme", "SSO or Local", options =>
+        {
+            // Smart scheme selection: Try SSO first, then Local
+            options.ForwardDefaultSelector = context =>
+            {
+                // Check if there's a Bearer token
+                var authHeader = context.Request.Headers["Authorization"].FirstOrDefault();
+                if (string.IsNullOrEmpty(authHeader) || !authHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
+                {
+                    return "LocalBearer"; // Default to local if no token
+                }
+
+                // Extract the token
+                var token = authHeader.Substring("Bearer ".Length).Trim();
+                
+                try
+                {
+                    // Peek at the token header to determine type
+                    var handler = new System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler();
+                    if (handler.CanReadToken(token))
+                    {
+                        var jwt = handler.ReadJwtToken(token);
+                        
+                        // If token has "kid" header, it's from SSO (RSA)
+                        // If issuer is "rgt-space-portal", it's local
+                        var issuer = jwt.Issuer;
+                        if (issuer == "rgt-space-portal")
+                        {
+                            return "LocalBearer";
+                        }
+                    }
+                }
+                catch
+                {
+                    // If we can't parse it, try SSO first
+                }
+
+                return "SsoBearer";
+            };
         });
 
+
     builder.Services.AddAuthorization();
 
     // Add API versioning

Rgt.Space.API/appsettings.json

@@ -10,6 +10,13 @@
     "Authority": "https://localhost:7012",
     "Audience": "rgt-space-portal-api"
   },
+  "LocalAuth": {
+    "Issuer": "rgt-space-portal",
+    "Audience": "rgt-space-portal-api",
+    "SigningKey": "YourSuperSecretLocalSigningKey_ChangeThisInProduction_MustBe32CharactersLong!",
+    "AccessTokenExpiryMinutes": 60,
+    "RefreshTokenExpiryDays": 7
+  },
   "CacheSettings": {
     "TenantConnectionStringTTL": 600,
     "InstanceName": "MicroservicesBase:"

Rgt.Space.Core/Abstractions/Identity/IUserReadDac.cs

@@ -11,4 +11,11 @@ public interface IUserReadDac
     Task<IReadOnlyList<UserReadModel>> GetAllAsync(CancellationToken ct);
     Task<IReadOnlyList<UserReadModel>> SearchAsync(string searchTerm, CancellationToken ct);
     Task<IReadOnlyList<UserPermissionReadModel>> GetPermissionsAsync(Guid userId, CancellationToken ct);
+    
+    /// <summary>
+    /// Retrieves user credentials for login verification.
+    /// Only returns active, non-deleted users with local login enabled.
+    /// </summary>
+    Task<UserCredentialsReadModel?> GetCredentialsByEmailAsync(string email, CancellationToken ct);
 }
+

Rgt.Space.Core/Domain/Contracts/Dashboard/DashboardStatsResponse.cs

@@ -31,13 +31,15 @@ public AssignmentDistribution(string positionCode, int count)
 
 public sealed record VacantPosition
 {
+    public Guid ProjectId { get; init; }
     public string ProjectName { get; init; } = string.Empty;
     public string MissingPosition { get; init; } = string.Empty;
 
     public VacantPosition() { }
 
-    public VacantPosition(string projectName, string missingPosition)
+    public VacantPosition(Guid projectId, string projectName, string missingPosition)
     {
+        ProjectId = projectId;
         ProjectName = projectName;
         MissingPosition = missingPosition;
     }

Rgt.Space.Core/Errors/ErrorCatalog.cs

@@ -57,6 +57,12 @@ public static class ErrorCatalog
         public const string ROLE_HAS_USERS = "ROLE_HAS_USERS";
         public const string ROLE_IS_SYSTEM = "ROLE_IS_SYSTEM";
 
+        // ===== Authentication Errors =====
+        public const string INVALID_CREDENTIALS = "INVALID_CREDENTIALS";
+        public const string ACCOUNT_DISABLED = "ACCOUNT_DISABLED";
+        public const string LOCAL_LOGIN_DISABLED = "LOCAL_LOGIN_DISABLED";
+        public const string PASSWORD_EXPIRED = "PASSWORD_EXPIRED";
+        
         /// <summary>
         /// Determines if an error code represents a validation error.
         /// Validation errors return 400 Bad Request.
@@ -155,6 +161,12 @@ public static int GetStatusCode(string errorCode)
                 ROLE_CODE_EXISTS => 409,
                 ROLE_HAS_USERS => 409,
                 ROLE_IS_SYSTEM => 403,
+                
+                // Authentication
+                INVALID_CREDENTIALS => 401,
+                ACCOUNT_DISABLED => 403,
+                LOCAL_LOGIN_DISABLED => 403,
+                PASSWORD_EXPIRED => 403,
 
                 // 500 Internal Server Error (default)
                 _ => 500