95dd48018a
10.3.36 fixes JWT refresh for idle sessions and registers EditModalSaveContextHolder via AddBlazorBlocksWeb() — making the manual stopgap in DeepDrftManager/Program.cs redundant. BlazorBlocks direct refs (10.3.30) resolved without conflict; left unchanged.
135 lines
6.1 KiB
C#
135 lines
6.1 KiB
C#
using DeepDrftManager.Components;
|
|
using DeepDrftManager.Services;
|
|
using Microsoft.AspNetCore.HttpOverrides;
|
|
using MudBlazor.Services;
|
|
using NetBlocks.Utilities.Environment;
|
|
|
|
var builder = WebApplication.CreateBuilder(args);
|
|
|
|
// Required credential files — must exist before the app will start.
|
|
// Production secrets stay gitignored; the *.example.json templates at the project root show the shape.
|
|
// - environment/api.json: { "Api": { "ContentApiUrl": "...", "ContentApiKey": "..." } }
|
|
// The Manager hosts only web-side auth (AuthBlocksWeb), which talks to the AuthBlocks API on
|
|
// DeepDrftAPI. It holds no JWT signing secret, email creds, admin creds, or Auth connection string —
|
|
// those moved to DeepDrftAPI's environment/authblocks.json + environment/connections.json.
|
|
// Content API key — consumed by CmsTrackService for the upload proxy and the vault-delete client.
|
|
var apiPath = CredentialTools.ResolvePathOrThrow("api", "environment/api.json");
|
|
builder.Configuration.AddJsonFile(apiPath, optional: false, reloadOnChange: false);
|
|
|
|
// MudBlazor.
|
|
builder.Services.AddMudServices();
|
|
|
|
// CMS track operations (read + mutate). Every track read and write goes over HTTP to the
|
|
// DeepDrftAPI API via the named clients below — the Manager holds no in-process data layer.
|
|
builder.Services.AddScoped<ICmsTrackService, CmsTrackService>();
|
|
|
|
// CMS release operations (medium-filtered browse + Session/Mix media ops) over HTTP to the
|
|
// DeepDrftAPI api/release family. Same no-in-process-data-layer posture as ICmsTrackService.
|
|
builder.Services.AddScoped<ICmsReleaseService, CmsReleaseService>();
|
|
|
|
// AuthBlocksWeb: server-side cascading auth state plus the JWT client services used by the
|
|
// /account/login + /account/logout Razor pages that ship in the AuthBlocksWeb RCL.
|
|
// The auth API lives on DeepDrftAPI, so pass its URL — not Manager's own Kestrel URL.
|
|
var contentApiUrl = builder.Configuration["Api:ContentApiUrl"]
|
|
?? throw new InvalidOperationException("Api:ContentApiUrl is required");
|
|
AuthBlocksWeb.Startup.ConfigureAuthServices(builder.Services, contentApiUrl);
|
|
|
|
// Named HttpClient for unauthenticated Content API calls (CmsTrackService proxying WAV data
|
|
// to DeepDrftAPI's POST api/track/upload). API key added per-request by the service.
|
|
builder.Services.AddHttpClient("DeepDrft.Content", client =>
|
|
{
|
|
client.BaseAddress = new Uri(contentApiUrl);
|
|
});
|
|
|
|
// Named HttpClient for ApiKey-protected Content API calls (CmsTrackService's non-upload operations:
|
|
// delete, paged list, metadata read/write, waveform jobs, releases, genres).
|
|
// Timeout left at the default 100s — these are short request/response pairs and an infinite timeout
|
|
// would hang an InteractiveServer circuit forever on a dead connection.
|
|
var contentApiKey = builder.Configuration["Api:ContentApiKey"]
|
|
?? throw new InvalidOperationException("Api:ContentApiKey is required");
|
|
builder.Services.AddHttpClient("DeepDrft.Content.Cms", client =>
|
|
{
|
|
client.BaseAddress = new Uri(contentApiUrl);
|
|
client.DefaultRequestHeaders.Add("ApiKey", contentApiKey);
|
|
});
|
|
|
|
// Dedicated upload client — inherits the API key but removes the whole-request timeout.
|
|
// Large WAV uploads (several hundred MB) outrun the 100s default. The upload path enforces an
|
|
// idle/heartbeat deadline instead (body-streaming phase via ProgressStreamContent) plus a separate
|
|
// response-wait budget (CmsTrackService), so the client itself must not impose a total cap.
|
|
builder.Services.AddHttpClient("DeepDrft.Content.Cms.Upload", client =>
|
|
{
|
|
client.BaseAddress = new Uri(contentApiUrl);
|
|
client.DefaultRequestHeaders.Add("ApiKey", contentApiKey);
|
|
client.Timeout = Timeout.InfiniteTimeSpan;
|
|
});
|
|
|
|
// Reverse-proxy support (nginx in production).
|
|
builder.Services.Configure<ForwardedHeadersOptions>(options =>
|
|
{
|
|
options.ForwardedHeaders =
|
|
ForwardedHeaders.XForwardedFor |
|
|
ForwardedHeaders.XForwardedProto |
|
|
ForwardedHeaders.XForwardedHost;
|
|
options.KnownNetworks.Clear();
|
|
options.KnownProxies.Clear();
|
|
});
|
|
|
|
// MVC controllers — required for the ImageProxyController that forwards browser image requests
|
|
// to DeepDrftAPI so rendered URLs resolve against the Manager's own origin, not the internal
|
|
// API address.
|
|
builder.Services.AddControllers();
|
|
|
|
// InteractiveServer only — no WASM render mode on the CMS host.
|
|
builder.Services.AddRazorComponents()
|
|
.AddInteractiveServerComponents();
|
|
|
|
// SignalR tuning for InteractiveServer circuits. Long-running CMS operations (upload progress,
|
|
// large table loads) benefit from tighter keepalive and detailed errors in dev.
|
|
builder.Services.AddSignalR(options =>
|
|
{
|
|
if (builder.Environment.IsDevelopment())
|
|
{
|
|
options.EnableDetailedErrors = true;
|
|
options.KeepAliveInterval = TimeSpan.FromSeconds(10);
|
|
options.ClientTimeoutInterval = TimeSpan.FromSeconds(30);
|
|
}
|
|
});
|
|
|
|
var app = builder.Build();
|
|
|
|
app.UseForwardedHeaders();
|
|
|
|
if (!app.Environment.IsDevelopment())
|
|
{
|
|
app.UseExceptionHandler("/Error", createScopeForErrors: true);
|
|
app.UseHsts();
|
|
|
|
var disableHttpsRedirection = app.Configuration.GetValue<bool>("ForwardedHeaders:DisableHttpsRedirection");
|
|
if (!disableHttpsRedirection)
|
|
{
|
|
app.UseHttpsRedirection();
|
|
}
|
|
}
|
|
|
|
app.UseAuthentication();
|
|
app.UseAntiforgery();
|
|
app.UseAuthorization();
|
|
|
|
app.MapStaticAssets();
|
|
app.MapControllers();
|
|
|
|
// The AuthBlocks API surface (/api/auth/*, /api/users/*, etc.) now lives on DeepDrftAPI; this host
|
|
// only renders the AuthBlocksWeb Razor pages (/account/login, /account/logout), which call that API.
|
|
// Blazor page authorization is owned by AuthorizeRouteView in Routes.razor, not ASP.NET Core
|
|
// endpoint authorization. AuthBlocks tokens live in browser localStorage (read via JS interop by
|
|
// JwtAuthenticationStateProvider), so the JWT never reaches the server on a navigation request.
|
|
// Without AllowAnonymous here, the cookie/JwtBearer challenge for an unauthenticated nav returns 401
|
|
// before the Blazor router runs, short-circuiting the NotAuthorized -> RedirectToLogin path.
|
|
app.MapRazorComponents<App>()
|
|
.AddInteractiveServerRenderMode()
|
|
.AddAdditionalAssemblies(typeof(AuthBlocksWeb._Imports).Assembly)
|
|
.AllowAnonymous();
|
|
|
|
app.Run();
|