feature(#22): this commit introduces secret rotation service integration to JWT token handling and tests

Author: https-richardy

Applications/Backend/Source/HttpsRichardy.Federation.Infrastructure/Security/JwtSecurityTokenService.cs

@@ -5,6 +5,7 @@ public sealed class JwtSecurityTokenService(
     ITokenCollection tokenCollection,
     IRealmProvider realmProvider,
     IGroupCollection groupCollection,
+    ISecretRotationService secretRotationService,
     IHostInformationProvider host
 ) : ISecurityTokenService
 {
@@ -223,7 +224,17 @@ private async Task<RsaSecurityKey> GetPrivateKeyAsync(CancellationToken cancella
         var secrets = await secretCollection.GetSecretsAsync(filters, cancellation);
         var secret = secrets
             .OrderByDescending(secret => secret.CreatedAt)
-            .First();
+            .FirstOrDefault();
+
+        if (secret is null)
+        {
+            await secretRotationService.EnsureSecretExistsAsync(realm, cancellation);
+
+            secrets = await secretCollection.GetSecretsAsync(filters, cancellation);
+            secret = secrets
+                .OrderByDescending(secret => secret.CreatedAt)
+                .FirstOrDefault() ?? throw new InvalidOperationException($"no signing key available for realm '{realm.Id}'.");
+        }
 
         var key = Common.Utilities.RsaHelper.CreateSecurityKeyFromPrivateKey(secret.PrivateKey);
 

Applications/Backend/Source/HttpsRichardy.Federation.Infrastructure/Security/SecretRotationService.cs

@@ -88,10 +88,11 @@ public async Task RotateSecretAsync(Realm realm, CancellationToken cancellation
             return;
         }
 
+        await CreateSecretAsync(realm, cancellation);
+
         current.ExpiresAt = now;
         current.GracePeriodEndsAt = now.Add(_gracePeriod);
 
         await secretCollection.UpdateAsync(current, cancellation: cancellation);
-        await CreateSecretAsync(realm, cancellation);
     }
 }

Applications/Backend/Tests/Integration/Security/AuthenticationServiceTests.cs

@@ -15,6 +15,7 @@ public sealed class AuthenticationServiceTests :
     private readonly Mock<IRealmProvider> _realmProvider = new();
     private readonly Mock<IHostInformationProvider> _hostProvider = new();
     private readonly Mock<ISecretCollection> _secretCollection = new();
+    private readonly Mock<ISecretRotationService> _secretRotationService = new();
     private readonly Mock<IGroupCollection> _groupCollection = new();
 
     public AuthenticationServiceTests(MongoDatabaseFixture mongoFixture)
@@ -56,6 +57,7 @@ public AuthenticationServiceTests(MongoDatabaseFixture mongoFixture)
             tokenCollection: tokenCollection,
             realmProvider: _realmProvider.Object,
             groupCollection: _groupCollection.Object,
+            secretRotationService: _secretRotationService.Object,
             host: _hostProvider.Object
         );
 

Applications/Backend/Tests/Integration/Security/JwtSecurityTokenServiceTests.cs

@@ -11,6 +11,7 @@ public sealed class JwtSecurityTokenServiceTests : IClassFixture<MongoDatabaseFi
 
     private readonly Mock<IRealmProvider> _realmProvider = new();
     private readonly Mock<ISecretCollection> _secretCollection = new();
+    private readonly Mock<ISecretRotationService> _secretRotationService = new();
     private readonly Mock<IHostInformationProvider> _hostProvider = new();
     private readonly Mock<IGroupCollection> _groupCollection = new();
 
@@ -50,6 +51,7 @@ public JwtSecurityTokenServiceTests(MongoDatabaseFixture fixture)
             realmProvider: _realmProvider.Object,
             secretCollection: _secretCollection.Object,
             groupCollection: _groupCollection.Object,
+            secretRotationService: _secretRotationService.Object,
             tokenCollection: _tokenCollection,
             host: _hostProvider.Object
         );