src/api/SIGCM2.Infrastructure/DependencyInjection.cs

using System.Security.Cryptography;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;
using SIGCM2.Application.Abstractions;
using SIGCM2.Application.Abstractions.Persistence;
using SIGCM2.Application.Abstractions.Security;
using SIGCM2.Application.Audit;
using SIGCM2.Application.Auth;
using SIGCM2.Infrastructure.Http;
using SIGCM2.Infrastructure.Messaging;
using SIGCM2.Infrastructure.Persistence;
using SIGCM2.Infrastructure.Security;

namespace SIGCM2.Infrastructure;

public static class DependencyInjection
{
    public static IServiceCollection AddInfrastructure(
        this IServiceCollection services,
        IConfiguration configuration)
    {
        // Database
        var connectionString = configuration.GetConnectionString("SqlServer")
            ?? throw new InvalidOperationException("Missing ConnectionStrings:SqlServer");
        services.AddSingleton(new SqlConnectionFactory(connectionString));
        services.AddScoped<IUsuarioRepository, UsuarioRepository>();
        services.AddScoped<IRefreshTokenRepository, RefreshTokenRepository>();
        services.AddScoped<IRolRepository, RolRepository>();
        services.AddScoped<IPermisoRepository, PermisoRepository>();
        services.AddScoped<IRolPermisoRepository, RolPermisoRepository>();

        // JWT Options — bound lazily via IOptions so tests can override via ConfigureWebHost
        services.Configure<JwtOptions>(configuration.GetSection("Jwt"));
        // Also expose as JwtOptions directly for convenience (resolves via IOptions<JwtOptions>)
        services.AddSingleton<JwtOptions>(sp => sp.GetRequiredService<IOptions<JwtOptions>>().Value);

        // AuthOptions (Application layer) — populated from the same Jwt config section
        services.AddSingleton<AuthOptions>(sp =>
        {
            var opts = sp.GetRequiredService<JwtOptions>();
            return new AuthOptions
            {
                AccessTokenMinutes = opts.AccessTokenMinutes,
                RefreshTokenDays = opts.RefreshTokenDays,
            };
        });

        // RSA key pair — loaded lazily as singletons from the fully-resolved JwtOptions
        services.AddSingleton<RSA>(sp =>
        {
            var opts = sp.GetRequiredService<JwtOptions>();
            return RsaKeyLoader.LoadPrivateKey(opts);
        });

        services.AddSingleton<RsaSecurityKey>(sp =>
        {
            var opts = sp.GetRequiredService<JwtOptions>();
            return new RsaSecurityKey(RsaKeyLoader.LoadPublicKey(opts));
        });

        services.AddScoped<IJwtService>(sp =>
            new JwtService(sp.GetRequiredService<RSA>(), sp.GetRequiredService<JwtOptions>()));
        services.AddScoped<IPasswordHasher, BcryptPasswordHasher>();
        services.AddSingleton<IRefreshTokenGenerator, RefreshTokenGenerator>();
        services.AddHttpContextAccessor();
        services.AddScoped<IClientContext, ClientContext>();

        // UDT-010: Audit options (SanitizedKeys blacklist) — overridable via appsettings "Audit".
        services.Configure<AuditOptions>(configuration.GetSection(AuditOptions.SectionName));

        // Dispatcher
        services.AddScoped<IDispatcher, Dispatcher>();

        // JWT Bearer authentication
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer();

        // Post-configure JWT Bearer — wire RSA public key + validation params from resolved options.
        // MapInboundClaims=false: preserve JWT claim names as-is ("sub", "rol", etc.).
        // Without this, the middleware maps "sub" → ClaimTypes.NameIdentifier and breaks User.FindFirst("sub").
        services.AddOptions<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme)
            .PostConfigure<RsaSecurityKey, JwtOptions>((jwtBearerOpts, rsaKey, jwtOpts) =>
            {
                jwtBearerOpts.MapInboundClaims = false;
                jwtBearerOpts.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = rsaKey,
                    ValidateIssuer = true,
                    ValidIssuer = jwtOpts.Issuer,
                    ValidateAudience = true,
                    ValidAudience = jwtOpts.Audience,
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.Zero,
                    RoleClaimType = "rol",
                    NameClaimType = "name"
                };
            });

        return services;
    }
}
feat(udt-001): infrastructure (Dapper, BCrypt, JWT RS256, dispatcher) 2026-04-13 21:36:02 -03:00			`using System.Security.Cryptography;`
			`using Microsoft.AspNetCore.Authentication.JwtBearer;`
feat(infra): register RefreshTokenRepository, RefreshTokenGenerator, ClientContext and handlers in DI 2026-04-14 13:28:36 -03:00			`using Microsoft.AspNetCore.Http;`
feat(udt-001): infrastructure (Dapper, BCrypt, JWT RS256, dispatcher) 2026-04-13 21:36:02 -03:00			`using Microsoft.Extensions.Configuration;`
			`using Microsoft.Extensions.DependencyInjection;`
			`using Microsoft.Extensions.Options;`
			`using Microsoft.IdentityModel.Tokens;`
			`using SIGCM2.Application.Abstractions;`
			`using SIGCM2.Application.Abstractions.Persistence;`
			`using SIGCM2.Application.Abstractions.Security;`
feat(infra): JsonSanitizer + AuditOptions binding (UDT-010 B3) Adds the metadata sanitization layer per #REQ-AUD-5: SIGCM2.Infrastructure/Audit/JsonSanitizer.cs (static class): - Sanitize(object?, IReadOnlyCollection<string>) -> string? - Serializes via System.Text.Json + JsonNode recursive traversal. - Strips blacklisted keys at every nesting level (objects + arrays). - Case-insensitive match (ToLowerInvariant on both sides). - Null input -> null output (never throws). - Output is always valid JSON (ISJSON=1 compatible — satisfies AuditEvent CHECK). SIGCM2.Application/Audit/AuditOptions.cs: - Documented the IConfiguration array-binding quirk: config is ADDITIVE (append at higher indices), not REPLACE. Intentional for security — defaults like 'password'/'token'/'cvv' must not be silently dropped. SIGCM2.Infrastructure/DependencyInjection.cs: - services.Configure<AuditOptions>(configuration.GetSection(AuditOptions.SectionName)) wired in AddInfrastructure(). Tests (Strict TDD, RED -> GREEN): - JsonSanitizerTests (10): null/empty-blacklist/flat/nested/arrays/case-insensitive/ primitives/round-trip-valid-json/string-as-value/default-keys-effective. - AuditOptionsBindingTests (2): defaults when section absent + additive override. One test needed adjustment during GREEN: 'AlreadySerializedJsonString' originally asserted against an encoding-specific literal; rewrote to use JsonDocument round-trip (validates behavior without coupling to encoder quirks). Suite: 348/348 Application.Tests + 130/130 Api.Tests = 478/478 passing. Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-AUD-5, design#D-5, tasks#B3} 2026-04-16 13:28:37 -03:00			`using SIGCM2.Application.Audit;`
feat(infra): register RefreshTokenRepository, RefreshTokenGenerator, ClientContext and handlers in DI 2026-04-14 13:28:36 -03:00			`using SIGCM2.Application.Auth;`
			`using SIGCM2.Infrastructure.Http;`
feat(udt-001): infrastructure (Dapper, BCrypt, JWT RS256, dispatcher) 2026-04-13 21:36:02 -03:00			`using SIGCM2.Infrastructure.Messaging;`
			`using SIGCM2.Infrastructure.Persistence;`
			`using SIGCM2.Infrastructure.Security;`

			`namespace SIGCM2.Infrastructure;`

			`public static class DependencyInjection`
			`{`
			`public static IServiceCollection AddInfrastructure(`
			`this IServiceCollection services,`
			`IConfiguration configuration)`
			`{`
			`// Database`
			`var connectionString = configuration.GetConnectionString("SqlServer")`
			`?? throw new InvalidOperationException("Missing ConnectionStrings:SqlServer");`
			`services.AddSingleton(new SqlConnectionFactory(connectionString));`
			`services.AddScoped<IUsuarioRepository, UsuarioRepository>();`
feat(infra): register RefreshTokenRepository, RefreshTokenGenerator, ClientContext and handlers in DI 2026-04-14 13:28:36 -03:00			`services.AddScoped<IRefreshTokenRepository, RefreshTokenRepository>();`
feat(api): UDT-004 controller de roles + refactor validator UDT-003 a lookup dinamico - RolesController /api/v1/roles CRUD admin-only: GET list, GET {codigo}, POST, PUT, DELETE (soft-delete con guard 409) - ExceptionFilter: mapea RolNotFound (404), RolAlreadyExists (409), RolInUse (409) - DI: registra 5 handlers de Roles (Application) y IRolRepository/RolRepository (Infrastructure) - CreateUsuarioCommandValidator: reemplaza whitelist hardcoded por IRolRepository.ExistsActiveByCodigoAsync via MustAsync; constructor recibe (AuthOptions, IRolRepository) - Tests: 202 verdes (173 application + 29 api). Nuevas: RolesEndpointTests (13 integration), CreateUsuarioCommandValidatorTests reescrito con NSubstitute mock, CreateUsuario_WithInactiveRol_Returns400 en Api.Tests - Fix: ApiIntegration pasa de IClassFixture (N factories) a ICollectionFixture (1 factory shared) — evitaba ObjectDisposedException sobre RSABCrypt al compartir coleccion con multiples test classes - tests/tests.runsettings: MaxCpuCount=1 para evitar race entre assemblies sobre SIGCM2_Test 2026-04-15 12:50:24 -03:00			`services.AddScoped<IRolRepository, RolRepository>();`
feat(infra): BATCH 4 - Permiso/RolPermiso repos Dapper + tests integracion [UDT-005] 2026-04-15 15:39:25 -03:00			`services.AddScoped<IPermisoRepository, PermisoRepository>();`
			`services.AddScoped<IRolPermisoRepository, RolPermisoRepository>();`
feat(udt-001): infrastructure (Dapper, BCrypt, JWT RS256, dispatcher) 2026-04-13 21:36:02 -03:00
			`// JWT Options — bound lazily via IOptions so tests can override via ConfigureWebHost`
			`services.Configure<JwtOptions>(configuration.GetSection("Jwt"));`
			`// Also expose as JwtOptions directly for convenience (resolves via IOptions<JwtOptions>)`
			`services.AddSingleton<JwtOptions>(sp => sp.GetRequiredService<IOptions<JwtOptions>>().Value);`

feat(infra): register RefreshTokenRepository, RefreshTokenGenerator, ClientContext and handlers in DI 2026-04-14 13:28:36 -03:00			`// AuthOptions (Application layer) — populated from the same Jwt config section`
			`services.AddSingleton<AuthOptions>(sp =>`
			`{`
			`var opts = sp.GetRequiredService<JwtOptions>();`
			`return new AuthOptions`
			`{`
			`AccessTokenMinutes = opts.AccessTokenMinutes,`
			`RefreshTokenDays = opts.RefreshTokenDays,`
			`};`
			`});`

feat(udt-001): infrastructure (Dapper, BCrypt, JWT RS256, dispatcher) 2026-04-13 21:36:02 -03:00			`// RSA key pair — loaded lazily as singletons from the fully-resolved JwtOptions`
			`services.AddSingleton<RSA>(sp =>`
			`{`
			`var opts = sp.GetRequiredService<JwtOptions>();`
			`return RsaKeyLoader.LoadPrivateKey(opts);`
			`});`

			`services.AddSingleton<RsaSecurityKey>(sp =>`
			`{`
			`var opts = sp.GetRequiredService<JwtOptions>();`
			`return new RsaSecurityKey(RsaKeyLoader.LoadPublicKey(opts));`
			`});`

			`services.AddScoped<IJwtService>(sp =>`
			`new JwtService(sp.GetRequiredService<RSA>(), sp.GetRequiredService<JwtOptions>()));`
			`services.AddScoped<IPasswordHasher, BcryptPasswordHasher>();`
feat(infra): register RefreshTokenRepository, RefreshTokenGenerator, ClientContext and handlers in DI 2026-04-14 13:28:36 -03:00			`services.AddSingleton<IRefreshTokenGenerator, RefreshTokenGenerator>();`
			`services.AddHttpContextAccessor();`
			`services.AddScoped<IClientContext, ClientContext>();`
feat(udt-001): infrastructure (Dapper, BCrypt, JWT RS256, dispatcher) 2026-04-13 21:36:02 -03:00
feat(infra): JsonSanitizer + AuditOptions binding (UDT-010 B3) Adds the metadata sanitization layer per #REQ-AUD-5: SIGCM2.Infrastructure/Audit/JsonSanitizer.cs (static class): - Sanitize(object?, IReadOnlyCollection<string>) -> string? - Serializes via System.Text.Json + JsonNode recursive traversal. - Strips blacklisted keys at every nesting level (objects + arrays). - Case-insensitive match (ToLowerInvariant on both sides). - Null input -> null output (never throws). - Output is always valid JSON (ISJSON=1 compatible — satisfies AuditEvent CHECK). SIGCM2.Application/Audit/AuditOptions.cs: - Documented the IConfiguration array-binding quirk: config is ADDITIVE (append at higher indices), not REPLACE. Intentional for security — defaults like 'password'/'token'/'cvv' must not be silently dropped. SIGCM2.Infrastructure/DependencyInjection.cs: - services.Configure<AuditOptions>(configuration.GetSection(AuditOptions.SectionName)) wired in AddInfrastructure(). Tests (Strict TDD, RED -> GREEN): - JsonSanitizerTests (10): null/empty-blacklist/flat/nested/arrays/case-insensitive/ primitives/round-trip-valid-json/string-as-value/default-keys-effective. - AuditOptionsBindingTests (2): defaults when section absent + additive override. One test needed adjustment during GREEN: 'AlreadySerializedJsonString' originally asserted against an encoding-specific literal; rewrote to use JsonDocument round-trip (validates behavior without coupling to encoder quirks). Suite: 348/348 Application.Tests + 130/130 Api.Tests = 478/478 passing. Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-AUD-5, design#D-5, tasks#B3} 2026-04-16 13:28:37 -03:00			`// UDT-010: Audit options (SanitizedKeys blacklist) — overridable via appsettings "Audit".`
			`services.Configure<AuditOptions>(configuration.GetSection(AuditOptions.SectionName));`

feat(udt-001): infrastructure (Dapper, BCrypt, JWT RS256, dispatcher) 2026-04-13 21:36:02 -03:00			`// Dispatcher`
			`services.AddScoped<IDispatcher, Dispatcher>();`

			`// JWT Bearer authentication`
			`services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)`
			`.AddJwtBearer();`

fix(auth): preserve JWT claim names in bearer middleware JwtBearerOptions.MapInboundClaims defaulted to true, which mapped the 'sub' claim to ClaimTypes.NameIdentifier in HttpContext.User. Logout endpoint read User.FindFirst("sub") and got null, returning 401 for any authenticated caller. Fix: set MapInboundClaims=false and pin NameClaimType="name" so the JWT claims land in the principal with their original names, aligning with how JwtService.GetPrincipalFromExpiredToken (used by refresh) already consumes them. Unblocks Login_Refresh_Logout_FullFlow integration test (15/15 green). 2026-04-15 11:03:15 -03:00			`// Post-configure JWT Bearer — wire RSA public key + validation params from resolved options.`
			`// MapInboundClaims=false: preserve JWT claim names as-is ("sub", "rol", etc.).`
			`// Without this, the middleware maps "sub" → ClaimTypes.NameIdentifier and breaks User.FindFirst("sub").`
feat(udt-001): infrastructure (Dapper, BCrypt, JWT RS256, dispatcher) 2026-04-13 21:36:02 -03:00			`services.AddOptions<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme)`
			`.PostConfigure<RsaSecurityKey, JwtOptions>((jwtBearerOpts, rsaKey, jwtOpts) =>`
			`{`
fix(auth): preserve JWT claim names in bearer middleware JwtBearerOptions.MapInboundClaims defaulted to true, which mapped the 'sub' claim to ClaimTypes.NameIdentifier in HttpContext.User. Logout endpoint read User.FindFirst("sub") and got null, returning 401 for any authenticated caller. Fix: set MapInboundClaims=false and pin NameClaimType="name" so the JWT claims land in the principal with their original names, aligning with how JwtService.GetPrincipalFromExpiredToken (used by refresh) already consumes them. Unblocks Login_Refresh_Logout_FullFlow integration test (15/15 green). 2026-04-15 11:03:15 -03:00			`jwtBearerOpts.MapInboundClaims = false;`
feat(udt-001): infrastructure (Dapper, BCrypt, JWT RS256, dispatcher) 2026-04-13 21:36:02 -03:00			`jwtBearerOpts.TokenValidationParameters = new TokenValidationParameters`
			`{`
			`ValidateIssuerSigningKey = true,`
			`IssuerSigningKey = rsaKey,`
			`ValidateIssuer = true,`
			`ValidIssuer = jwtOpts.Issuer,`
			`ValidateAudience = true,`
			`ValidAudience = jwtOpts.Audience,`
			`ValidateLifetime = true,`
feat(api): UDT-003 registro de usuarios — backend completo (Phases 1-6) - Domain: Usuario.ForCreation factory, UsernameAlreadyExistsException, IUsuarioRepository extendido - Application: CreateUsuarioCommand/Validator/Handler, UsuarioCreatedDto, AuthOptions password policy - Infrastructure: UsuarioRepository.ExistsByUsernameAsync + AddAsync (INSERT OUTPUT INSERTED.Id), RoleClaimType="rol" en TokenValidationParameters - Api: UsuariosController POST api/v1/users [Authorize(Roles="admin")], ExceptionFilter mapea UsernameAlreadyExistsException + SqlException 2627 → 409 - Tests (unit): 43 tests — 33 validator + 10 handler (107 total, green) - Tests (integration): 7 tests CreateUsuarioEndpoint — 401/403/400/201/409/race/e2e (green) - Fix: TestWebAppFactory.ConfigureTestServices reemplaza SqlConnectionFactory singleton con CS de test correcto 2026-04-15 10:47:48 -03:00			`ClockSkew = TimeSpan.Zero,`
fix(auth): preserve JWT claim names in bearer middleware JwtBearerOptions.MapInboundClaims defaulted to true, which mapped the 'sub' claim to ClaimTypes.NameIdentifier in HttpContext.User. Logout endpoint read User.FindFirst("sub") and got null, returning 401 for any authenticated caller. Fix: set MapInboundClaims=false and pin NameClaimType="name" so the JWT claims land in the principal with their original names, aligning with how JwtService.GetPrincipalFromExpiredToken (used by refresh) already consumes them. Unblocks Login_Refresh_Logout_FullFlow integration test (15/15 green). 2026-04-15 11:03:15 -03:00			`RoleClaimType = "rol",`
			`NameClaimType = "name"`
feat(udt-001): infrastructure (Dapper, BCrypt, JWT RS256, dispatcher) 2026-04-13 21:36:02 -03:00			`};`
			`});`

			`return services;`
			`}`
			`}`