M1: Identity & access — members, RBAC, JWT auth, invitations · 61991bf6cd - Teamup

M1: Identity & access — members, RBAC, JWT auth, invitations

Adds the access foundation everything else enforces against.

SharedKernel (shared access contracts, no Identity dependency for consumers):
- ScopeRef/ScopeType, RoleType, Capability, AccessPolicy (role x capability matrix),
  ICurrentUser, IPermissionService (scope-chain evaluation).

Identity module:
- Member, Membership, Invitation entities; internal IdentityDbContext (schema
  "identity") + InitialIdentity migration; design-time factory.
- JWT auth (HS256) issuing membership claims; PasswordHasher<Member>; CurrentUser
  (claims -> ICurrentUser) and PermissionService implementations.
- Public IMemberDirectory contract for other modules to resolve member display info.
- Endpoints: POST /bootstrap (first owner), /auth/login, GET /me, POST /invitations,
  POST /invitations/accept. Owner-only actions enforced via IPermissionService.
- Web host wires UseAuthentication/UseAuthorization and string-enum JSON.

Verified: build green; ArchitectureTests 8/8 (Identity references only SharedKernel);
IntegrationTests 11/11 incl. a new end-to-end flow — bootstrap -> login -> /me ->
invite -> accept -> login as invitee, and a Member is 403'd from inviting.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

This commit is contained in:

soroush.asadi

2026-06-09 07:59:57 +03:30

parent 265861b89b

commit 61991bf6cd

29 changed files with 1333 additions and 14 deletions

									
										src/Hosts/TeamUp.Worker/appsettings.json
									
		+6
		
												View File
												
				@@ -5,6 +5,12 @@

				  "Database": {

				    "ApplyMigrationsOnStartup": false

				  },

				  "Jwt": {

				    "Secret": "dev-only-teamup-jwt-signing-secret-change-in-production-0123456789",

				    "Issuer": "teamup",

				    "Audience": "teamup",

				    "ExpiryMinutes": 480

				  },

				  "OpenTelemetry": {

				    "OtlpEndpoint": ""

				  },