src/Meezi.API/Services/JwtTokenService.cs

using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Meezi.Core.Authorization;
using Meezi.Core.Constants;
using Meezi.Core.Entities;
using Meezi.Core.Enums;
using ConsumerAccount = Meezi.Core.Entities.ConsumerAccount;
using Microsoft.IdentityModel.Tokens;

namespace Meezi.API.Services;

public class JwtTokenService : IJwtTokenService
{
    private readonly IConfiguration _configuration;

    public JwtTokenService(IConfiguration configuration)
    {
        _configuration = configuration;
    }

    public string CreateAccessToken(Employee employee, Cafe cafe) =>
        CreateAccessToken(employee, cafe, employee.Role, employee.BranchId);

    public string CreateAccessToken(
        Employee employee,
        Cafe cafe,
        EmployeeRole effectiveRole,
        string? activeBranchId,
        IEnumerable<Permission>? customPermissions = null)
    {
        var key = _configuration["Jwt:Key"] ?? throw new InvalidOperationException("Jwt:Key is not configured.");
        var issuer = _configuration["Jwt:Issuer"] ?? "meezi";
        var audience = _configuration["Jwt:Audience"] ?? "meezi";
        var expiryDays = _configuration.GetValue("Jwt:AccessTokenExpiryDays", 7);

        var claims = new List<Claim>
        {
            new(JwtRegisteredClaimNames.Sub, employee.Id),
            new(MeeziClaimTypes.CafeId, cafe.Id),
            new(MeeziClaimTypes.Role, effectiveRole.ToString()),
            new(MeeziClaimTypes.PlanTier, cafe.PlanTier.ToString()),
            new(MeeziClaimTypes.Language, cafe.PreferredLanguage),
            new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N"))
        };

        if (!string.IsNullOrEmpty(activeBranchId))
            claims.Add(new Claim(MeeziClaimTypes.BranchId, activeBranchId));

        if (customPermissions != null)
        {
            var encoded = string.Join(",", customPermissions.Select(p => p.ToString()));
            if (!string.IsNullOrEmpty(encoded))
                claims.Add(new Claim(MeeziClaimTypes.CustomPermissions, encoded));
        }

        var credentials = new SigningCredentials(
            new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key)),
            SecurityAlgorithms.HmacSha256);

        var token = new JwtSecurityToken(
            issuer,
            audience,
            claims,
            expires: DateTime.UtcNow.AddDays(expiryDays),
            signingCredentials: credentials);

        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    public string CreateConsumerAccessToken(ConsumerAccount account, string language = "fa")
    {
        var key = _configuration["Jwt:Key"] ?? throw new InvalidOperationException("Jwt:Key is not configured.");
        var issuer = _configuration["Jwt:Issuer"] ?? "meezi";
        var audience = _configuration["Jwt:Audience"] ?? "meezi";
        var expiryDays = _configuration.GetValue("Jwt:AccessTokenExpiryDays", 7);

        var claims = new List<Claim>
        {
            new(JwtRegisteredClaimNames.Sub, account.Id),
            new(MeeziClaimTypes.Role, MeeziRoles.Customer),
            new(MeeziClaimTypes.Actor, MeeziActorKinds.Consumer),
            new(MeeziClaimTypes.Phone, account.Phone),
            new(MeeziClaimTypes.Language, language),
            new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N"))
        };

        var credentials = new SigningCredentials(
            new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key)),
            SecurityAlgorithms.HmacSha256);

        var token = new JwtSecurityToken(
            issuer,
            audience,
            claims,
            expires: DateTime.UtcNow.AddDays(expiryDays),
            signingCredentials: credentials);

        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    public string CreateRefreshToken() => Guid.NewGuid().ToString("N") + Guid.NewGuid().ToString("N");

    public DateTime GetAccessTokenExpiry()
    {
        var expiryDays = _configuration.GetValue("Jwt:AccessTokenExpiryDays", 7);
        return DateTime.UtcNow.AddDays(expiryDays);
    }
}
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`using System.IdentityModel.Tokens.Jwt;`
			`using System.Security.Claims;`
			`using System.Text;`
feat: custom roles with per-permission matrix for café owners 2026-06-21 03:12:43 +03:30			`using Meezi.Core.Authorization;`
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`using Meezi.Core.Constants;`
			`using Meezi.Core.Entities;`
first commit 2026-05-31 11:06:24 +03:30			`using Meezi.Core.Enums;`
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`using ConsumerAccount = Meezi.Core.Entities.ConsumerAccount;`
			`using Microsoft.IdentityModel.Tokens;`

			`namespace Meezi.API.Services;`

			`public class JwtTokenService : IJwtTokenService`
			`{`
			`private readonly IConfiguration _configuration;`

			`public JwtTokenService(IConfiguration configuration)`
			`{`
			`_configuration = configuration;`
			`}`

first commit 2026-05-31 11:06:24 +03:30			`public string CreateAccessToken(Employee employee, Cafe cafe) =>`
			`CreateAccessToken(employee, cafe, employee.Role, employee.BranchId);`

feat: custom roles with per-permission matrix for café owners 2026-06-21 03:12:43 +03:30			`public string CreateAccessToken(`
			`Employee employee,`
			`Cafe cafe,`
			`EmployeeRole effectiveRole,`
			`string? activeBranchId,`
			`IEnumerable<Permission>? customPermissions = null)`
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`{`
			`var key = _configuration["Jwt:Key"] ?? throw new InvalidOperationException("Jwt:Key is not configured.");`
			`var issuer = _configuration["Jwt:Issuer"] ?? "meezi";`
			`var audience = _configuration["Jwt:Audience"] ?? "meezi";`
			`var expiryDays = _configuration.GetValue("Jwt:AccessTokenExpiryDays", 7);`

			`var claims = new List<Claim>`
			`{`
			`new(JwtRegisteredClaimNames.Sub, employee.Id),`
			`new(MeeziClaimTypes.CafeId, cafe.Id),`
first commit 2026-05-31 11:06:24 +03:30			`new(MeeziClaimTypes.Role, effectiveRole.ToString()),`
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`new(MeeziClaimTypes.PlanTier, cafe.PlanTier.ToString()),`
			`new(MeeziClaimTypes.Language, cafe.PreferredLanguage),`
			`new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N"))`
			`};`

first commit 2026-05-31 11:06:24 +03:30			`if (!string.IsNullOrEmpty(activeBranchId))`
			`claims.Add(new Claim(MeeziClaimTypes.BranchId, activeBranchId));`
feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30
feat: custom roles with per-permission matrix for café owners 2026-06-21 03:12:43 +03:30			`if (customPermissions != null)`
			`{`
			`var encoded = string.Join(",", customPermissions.Select(p => p.ToString()));`
			`if (!string.IsNullOrEmpty(encoded))`
			`claims.Add(new Claim(MeeziClaimTypes.CustomPermissions, encoded));`
			`}`

feat(api): .NET 10 multi-tenant REST API 2026-05-27 21:33:48 +03:30			`var credentials = new SigningCredentials(`
			`new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key)),`
			`SecurityAlgorithms.HmacSha256);`

			`var token = new JwtSecurityToken(`
			`issuer,`
			`audience,`
			`claims,`
			`expires: DateTime.UtcNow.AddDays(expiryDays),`
			`signingCredentials: credentials);`

			`return new JwtSecurityTokenHandler().WriteToken(token);`
			`}`

			`public string CreateConsumerAccessToken(ConsumerAccount account, string language = "fa")`
			`{`
			`var key = _configuration["Jwt:Key"] ?? throw new InvalidOperationException("Jwt:Key is not configured.");`
			`var issuer = _configuration["Jwt:Issuer"] ?? "meezi";`
			`var audience = _configuration["Jwt:Audience"] ?? "meezi";`
			`var expiryDays = _configuration.GetValue("Jwt:AccessTokenExpiryDays", 7);`

			`var claims = new List<Claim>`
			`{`
			`new(JwtRegisteredClaimNames.Sub, account.Id),`
			`new(MeeziClaimTypes.Role, MeeziRoles.Customer),`
			`new(MeeziClaimTypes.Actor, MeeziActorKinds.Consumer),`
			`new(MeeziClaimTypes.Phone, account.Phone),`
			`new(MeeziClaimTypes.Language, language),`
			`new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N"))`
			`};`

			`var credentials = new SigningCredentials(`
			`new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key)),`
			`SecurityAlgorithms.HmacSha256);`

			`var token = new JwtSecurityToken(`
			`issuer,`
			`audience,`
			`claims,`
			`expires: DateTime.UtcNow.AddDays(expiryDays),`
			`signingCredentials: credentials);`

			`return new JwtSecurityTokenHandler().WriteToken(token);`
			`}`

			`public string CreateRefreshToken() => Guid.NewGuid().ToString("N") + Guid.NewGuid().ToString("N");`

			`public DateTime GetAccessTokenExpiry()`
			`{`
			`var expiryDays = _configuration.GetValue("Jwt:AccessTokenExpiryDays", 7);`
			`return DateTime.UtcNow.AddDays(expiryDays);`
			`}`
			`}`