soroushdes/Teamup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

M1: Identity & access — members, RBAC, JWT auth, invitations

Browse Source 
Adds the access foundation everything else enforces against.

SharedKernel (shared access contracts, no Identity dependency for consumers):
- ScopeRef/ScopeType, RoleType, Capability, AccessPolicy (role x capability matrix),
  ICurrentUser, IPermissionService (scope-chain evaluation).

Identity module:
- Member, Membership, Invitation entities; internal IdentityDbContext (schema
  "identity") + InitialIdentity migration; design-time factory.
- JWT auth (HS256) issuing membership claims; PasswordHasher<Member>; CurrentUser
  (claims -> ICurrentUser) and PermissionService implementations.
- Public IMemberDirectory contract for other modules to resolve member display info.
- Endpoints: POST /bootstrap (first owner), /auth/login, GET /me, POST /invitations,
  POST /invitations/accept. Owner-only actions enforced via IPermissionService.
- Web host wires UseAuthentication/UseAuthorization and string-enum JSON.

Verified: build green; ArchitectureTests 8/8 (Identity references only SharedKernel);
IntegrationTests 11/11 incl. a new end-to-end flow — bootstrap -> login -> /me ->
invite -> accept -> login as invitee, and a Member is 403'd from inviting.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
soroush.asadi
2026-06-09 07:59:57 +03:30
parent 265861b89b
commit 61991bf6cd
29 changed files with 1333 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/Hosts/TeamUp.Web/Program.cs
+8
View File
@@ -1,3 +1,4 @@
using System.Text.Json.Serialization;
using OpenTelemetry.Trace;
using Serilog;
using TeamUp.Bootstrap;
@@ -12,6 +13,10 @@ builder.Host.UseSerilog((context, services, configuration) => configuration
builder.Services.AddOpenApi();
// Bind/serialize enums as strings across the API (e.g. ScopeType "Organization", RoleType "Member").
builder.Services.ConfigureHttpJsonOptions(options =>
options.SerializerOptions.Converters.Add(new JsonStringEnumConverter()));
builder.Services.AddTeamUpObservability(
builder.Configuration,
serviceName: "teamup-web",
@@ -42,6 +47,9 @@ app.UseSerilogRequestLogging();
app.UseDefaultFiles();
app.UseStaticFiles();
app.UseAuthentication();
app.UseAuthorization();
app.MapHealthChecks("/health");
app.MapTeamUpModules();
src/Hosts/TeamUp.Web/appsettings.json
+6
View File
@@ -5,6 +5,12 @@
"Database": {
"ApplyMigrationsOnStartup": false
},
"Jwt": {
"Secret": "dev-only-teamup-jwt-signing-secret-change-in-production-0123456789",
"Issuer": "teamup",
"Audience": "teamup",
"ExpiryMinutes": 480
},
"OpenTelemetry": {
"OtlpEndpoint": ""
},
src/Hosts/TeamUp.Worker/appsettings.json
+6
View File
@@ -5,6 +5,12 @@
"Database": {
"ApplyMigrationsOnStartup": false
},
"Jwt": {
"Secret": "dev-only-teamup-jwt-signing-secret-change-in-production-0123456789",
"Issuer": "teamup",
"Audience": "teamup",
"ExpiryMinutes": 480
},
"OpenTelemetry": {
"OtlpEndpoint": ""
},
src/Modules/TeamUp.Modules.Identity/Access/CurrentUser.cs
+52
View File
@@ -0,0 +1,52 @@
using System.Security.Claims;
using Microsoft.AspNetCore.Http;
using Microsoft.IdentityModel.JsonWebTokens;
using TeamUp.Modules.Identity.Auth;
using TeamUp.SharedKernel.Access;
namespace TeamUp.Modules.Identity.Access;
/// <summary>
/// Resolves <see cref="ICurrentUser"/> from the request's JWT claims. JWT bearer is configured with
/// MapInboundClaims=false, so claim names stay raw ("sub", "email", "membership"). In the worker
/// (no HttpContext) this reports unauthenticated.
/// </summary>
internal sealed class CurrentUser(IHttpContextAccessor accessor) : ICurrentUser
{
private ClaimsPrincipal? Principal => accessor.HttpContext?.User;
public bool IsAuthenticated => Principal?.Identity?.IsAuthenticated == true;
public Guid MemberId =>
Guid.TryParse(Principal?.FindFirstValue(JwtRegisteredClaimNames.Sub), out var id)
? id
: throw new InvalidOperationException("No authenticated member on the current request.");
public string Email => Principal?.FindFirstValue(JwtRegisteredClaimNames.Email) ?? string.Empty;
public IReadOnlyList<ScopedRole> Memberships
{
get
{
if (Principal is null)
{
return [];
}
var memberships = new List<ScopedRole>();
foreach (var claim in Principal.FindAll(JwtTokenService.MembershipClaim))
{
var parts = claim.Value.Split(':');
if (parts.Length == 3
&& Enum.TryParse<ScopeType>(parts[0], out var scopeType)
&& Guid.TryParse(parts[1], out var scopeId)
&& Enum.TryParse<RoleType>(parts[2], out var role))
{
memberships.Add(new ScopedRole(new ScopeRef(scopeType, scopeId), role));
}
}
return memberships;
}
}
}
src/Modules/TeamUp.Modules.Identity/Access/PermissionService.cs
+29
View File
@@ -0,0 +1,29 @@
using TeamUp.SharedKernel.Access;
namespace TeamUp.Modules.Identity.Access;
/// <summary>
/// Default <see cref="IPermissionService"/>: the current user has a capability if any of their
/// memberships sits on a scope in the supplied chain and that role permits the capability.
/// </summary>
internal sealed class PermissionService(ICurrentUser currentUser) : IPermissionService
{
public bool Has(Capability capability, params ScopeRef[] scopeChain)
{
if (!currentUser.IsAuthenticated || scopeChain.Length == 0)
{
return false;
}
foreach (var membership in currentUser.Memberships)
{
if (Array.IndexOf(scopeChain, membership.Scope) >= 0
&& AccessPolicy.Permits(membership.Role, capability))
{
return true;
}
}
return false;
}
}
src/Modules/TeamUp.Modules.Identity/Auth/JwtOptions.cs
+11
View File
@@ -0,0 +1,11 @@
namespace TeamUp.Modules.Identity.Auth;
internal sealed class JwtOptions
{
public const string SectionName = "Jwt";
public string Secret { get; set; } = string.Empty;
public string Issuer { get; set; } = "teamup";
public string Audience { get; set; } = "teamup";
public int ExpiryMinutes { get; set; } = 480;
}
src/Modules/TeamUp.Modules.Identity/Auth/JwtTokenService.cs
+47
View File
@@ -0,0 +1,47 @@
using System.Security.Claims;
using System.Text;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;
using TeamUp.Modules.Identity.Domain;
namespace TeamUp.Modules.Identity.Auth;
/// <summary>Issues signed JWTs carrying the member id, email, and one claim per membership.</summary>
internal sealed class JwtTokenService(IOptions<JwtOptions> options, TimeProvider timeProvider)
{
public const string MembershipClaim = "membership";
private readonly JwtOptions _options = options.Value;
public string Issue(Member member, IReadOnlyList<Membership> memberships)
{
var now = timeProvider.GetUtcNow();
var claims = new List<Claim>
{
new(JwtRegisteredClaimNames.Sub, member.Id.ToString()),
new(JwtRegisteredClaimNames.Email, member.Email),
new("name", member.DisplayName),
};
foreach (var membership in memberships)
{
claims.Add(new Claim(MembershipClaim, $"{membership.ScopeType}:{membership.ScopeId}:{membership.Role}"));
}
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_options.Secret));
var descriptor = new SecurityTokenDescriptor
{
Issuer = _options.Issuer,
Audience = _options.Audience,
Subject = new ClaimsIdentity(claims),
IssuedAt = now.UtcDateTime,
NotBefore = now.UtcDateTime,
Expires = now.AddMinutes(_options.ExpiryMinutes).UtcDateTime,
SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256),
};
return new JsonWebTokenHandler().CreateToken(descriptor);
}
}
src/Modules/TeamUp.Modules.Identity/Contracts/IMemberDirectory.cs
+17
View File
@@ -0,0 +1,17 @@
namespace TeamUp.Modules.Identity.Contracts;
/// <summary>Public, non-sensitive member info other modules may display (e.g. board assignees).</summary>
public sealed record MemberSummary(Guid Id, string Email, string DisplayName);
/// <summary>
/// The Identity module's public surface for resolving member display info by id. Other modules
/// depend on this interface — never on Identity's entities or DbContext.
/// </summary>
public interface IMemberDirectory
{
Task<MemberSummary?> FindByIdAsync(Guid memberId, CancellationToken cancellationToken = default);
Task<IReadOnlyDictionary<Guid, MemberSummary>> GetByIdsAsync(
IReadOnlyCollection<Guid> memberIds,
CancellationToken cancellationToken = default);
}
src/Modules/TeamUp.Modules.Identity/Domain/Invitation.cs
+55
View File
@@ -0,0 +1,55 @@
using TeamUp.SharedKernel.Access;
using TeamUp.SharedKernel.Domain;
namespace TeamUp.Modules.Identity.Domain;
internal enum InvitationStatus
{
Pending,
Accepted,
Revoked,
}
/// <summary>An invitation to join at a scope+role. Accepting it creates the member + membership.</summary>
internal sealed class Invitation : Entity
{
public string Email { get; private set; } = null!;
public ScopeType ScopeType { get; private set; }
public Guid ScopeId { get; private set; }
public RoleType Role { get; private set; }
public string Token { get; private set; } = null!;
public InvitationStatus Status { get; private set; }
public Guid InvitedByMemberId { get; private set; }
public DateTimeOffset CreatedAtUtc { get; private set; }
public DateTimeOffset? AcceptedAtUtc { get; private set; }
private Invitation()
{
}
public Invitation(
string email,
ScopeRef scope,
RoleType role,
string token,
Guid invitedByMemberId,
DateTimeOffset createdAtUtc)
{
Email = email;
ScopeType = scope.Type;
ScopeId = scope.Id;
Role = role;
Token = token;
InvitedByMemberId = invitedByMemberId;
Status = InvitationStatus.Pending;
CreatedAtUtc = createdAtUtc;
}
public ScopeRef Scope => new(ScopeType, ScopeId);
public void Accept(DateTimeOffset whenUtc)
{
Status = InvitationStatus.Accepted;
AcceptedAtUtc = whenUtc;
}
}
src/Modules/TeamUp.Modules.Identity/Domain/Member.cs
+43
View File
@@ -0,0 +1,43 @@
using TeamUp.SharedKernel.Domain;
namespace TeamUp.Modules.Identity.Domain;
internal enum MemberStatus
{
Invited,
Active,
Disabled,
}
/// <summary>An invited/active human in the system. Identity owns the credential; other modules
/// reference a member only by id (via the public member directory).</summary>
internal sealed class Member : Entity
{
public string Email { get; private set; } = null!;
public string DisplayName { get; private set; } = null!;
public string PasswordHash { get; private set; } = null!;
public MemberStatus Status { get; private set; }
public DateTimeOffset CreatedAtUtc { get; private set; }
private Member()
{
}
public Member(
string email,
string displayName,
string passwordHash,
DateTimeOffset createdAtUtc,
MemberStatus status = MemberStatus.Active)
{
Email = email;
DisplayName = displayName;
PasswordHash = passwordHash;
CreatedAtUtc = createdAtUtc;
Status = status;
}
public void SetPasswordHash(string passwordHash) => PasswordHash = passwordHash;
public void Activate() => Status = MemberStatus.Active;
}
src/Modules/TeamUp.Modules.Identity/Domain/Membership.cs
+29
View File
@@ -0,0 +1,29 @@
using TeamUp.SharedKernel.Access;
using TeamUp.SharedKernel.Domain;
namespace TeamUp.Modules.Identity.Domain;
/// <summary>A member's role at a scope. Additive — a member may hold several.</summary>
internal sealed class Membership : Entity
{
public Guid MemberId { get; private set; }
public ScopeType ScopeType { get; private set; }
public Guid ScopeId { get; private set; }
public RoleType Role { get; private set; }
public DateTimeOffset CreatedAtUtc { get; private set; }
private Membership()
{
}
public Membership(Guid memberId, ScopeRef scope, RoleType role, DateTimeOffset createdAtUtc)
{
MemberId = memberId;
ScopeType = scope.Type;
ScopeId = scope.Id;
Role = role;
CreatedAtUtc = createdAtUtc;
}
public ScopeRef Scope => new(ScopeType, ScopeId);
}
src/Modules/TeamUp.Modules.Identity/Endpoints/IdentityDtos.cs
+34
View File
@@ -0,0 +1,34 @@
using TeamUp.SharedKernel.Access;
namespace TeamUp.Modules.Identity.Endpoints;
internal sealed record BootstrapRequest(
string OrganizationName,
string OwnerEmail,
string OwnerDisplayName,
string OwnerPassword);
internal sealed record BootstrapResponse(string Token, Guid MemberId, Guid OrganizationId);
internal sealed record LoginRequest(string Email, string Password);
internal sealed record AuthResponse(string Token, Guid MemberId);
internal sealed record MembershipDto(string ScopeType, Guid ScopeId, string Role);
internal sealed record MeResponse(
Guid MemberId,
string Email,
string DisplayName,
IReadOnlyList<MembershipDto> Memberships);
internal sealed record InviteRequest(
string Email,
ScopeType ScopeType,
Guid ScopeId,
RoleType Role,
Guid OrganizationId);
internal sealed record InviteResponse(Guid InvitationId, string Token);
internal sealed record AcceptInviteRequest(string Token, string DisplayName, string Password);
src/Modules/TeamUp.Modules.Identity/Endpoints/IdentityEndpoints.cs
+165
View File
@@ -0,0 +1,165 @@
using System.Security.Cryptography;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Routing;
using Microsoft.EntityFrameworkCore;
using TeamUp.Modules.Identity.Auth;
using TeamUp.Modules.Identity.Domain;
using TeamUp.Modules.Identity.Persistence;
using TeamUp.SharedKernel.Access;
using TeamUp.SharedKernel.Modularity;
namespace TeamUp.Modules.Identity.Endpoints;
internal static class IdentityEndpoints
{
public static void Map(IEndpointRouteBuilder endpoints)
{
var group = endpoints.MapGroup("/api/identity").WithTags("Identity");
group.MapGet("/ping", () => TypedResults.Ok(new ModulePing("identity")));
group.MapPost("/bootstrap", Bootstrap).AllowAnonymous();
group.MapPost("/auth/login", Login).AllowAnonymous();
group.MapGet("/me", Me).RequireAuthorization();
group.MapPost("/invitations", CreateInvitation).RequireAuthorization();
group.MapPost("/invitations/accept", AcceptInvitation).AllowAnonymous();
}
private static async Task<IResult> Bootstrap(
BootstrapRequest request,
IdentityDbContext db,
IPasswordHasher<Member> hasher,
JwtTokenService tokens,
TimeProvider clock,
CancellationToken ct)
{
if (string.IsNullOrWhiteSpace(request.OwnerEmail) || string.IsNullOrWhiteSpace(request.OwnerPassword))
{
return Results.BadRequest("Owner email and password are required.");
}
if (await db.Members.AnyAsync(ct))
{
return Results.Conflict("The system is already bootstrapped.");
}
var now = clock.GetUtcNow();
var organizationId = Guid.CreateVersion7();
var owner = new Member(request.OwnerEmail.Trim(), request.OwnerDisplayName.Trim(), string.Empty, now);
owner.SetPasswordHash(hasher.HashPassword(owner, request.OwnerPassword));
var membership = new Membership(owner.Id, ScopeRef.Org(organizationId), RoleType.Owner, now);
db.Members.Add(owner);
db.Memberships.Add(membership);
await db.SaveChangesAsync(ct);
var token = tokens.Issue(owner, [membership]);
return Results.Ok(new BootstrapResponse(token, owner.Id, organizationId));
}
private static async Task<IResult> Login(
LoginRequest request,
IdentityDbContext db,
IPasswordHasher<Member> hasher,
JwtTokenService tokens,
CancellationToken ct)
{
var member = await db.Members.FirstOrDefaultAsync(m => m.Email == request.Email, ct);
if (member is null || member.Status == MemberStatus.Disabled)
{
return Results.Unauthorized();
}
var result = hasher.VerifyHashedPassword(member, member.PasswordHash, request.Password);
if (result == PasswordVerificationResult.Failed)
{
return Results.Unauthorized();
}
var memberships = await db.Memberships.Where(m => m.MemberId == member.Id).ToListAsync(ct);
return Results.Ok(new AuthResponse(tokens.Issue(member, memberships), member.Id));
}
private static async Task<IResult> Me(ICurrentUser currentUser, IdentityDbContext db, CancellationToken ct)
{
var member = await db.Members.FirstOrDefaultAsync(m => m.Id == currentUser.MemberId, ct);
if (member is null)
{
return Results.NotFound();
}
var memberships = currentUser.Memberships
.Select(m => new MembershipDto(m.Scope.Type.ToString(), m.Scope.Id, m.Role.ToString()))
.ToList();
return Results.Ok(new MeResponse(member.Id, member.Email, member.DisplayName, memberships));
}
private static async Task<IResult> CreateInvitation(
InviteRequest request,
ICurrentUser currentUser,
IPermissionService permissions,
IdentityDbContext db,
TimeProvider clock,
CancellationToken ct)
{
var targetScope = new ScopeRef(request.ScopeType, request.ScopeId);
var orgScope = ScopeRef.Org(request.OrganizationId);
var chain = targetScope == orgScope
? new[] { targetScope }
: new[] { targetScope, orgScope };
if (!permissions.Has(Capability.InvitePeople, chain))
{
return Results.Forbid();
}
if (string.IsNullOrWhiteSpace(request.Email))
{
return Results.BadRequest("Email is required.");
}
var token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
var invitation = new Invitation(
request.Email.Trim(), targetScope, request.Role, token, currentUser.MemberId, clock.GetUtcNow());
db.Invitations.Add(invitation);
await db.SaveChangesAsync(ct);
return Results.Ok(new InviteResponse(invitation.Id, token));
}
private static async Task<IResult> AcceptInvitation(
AcceptInviteRequest request,
IdentityDbContext db,
IPasswordHasher<Member> hasher,
JwtTokenService tokens,
TimeProvider clock,
CancellationToken ct)
{
var invitation = await db.Invitations.FirstOrDefaultAsync(i => i.Token == request.Token, ct);
if (invitation is null || invitation.Status != InvitationStatus.Pending)
{
return Results.BadRequest("Invitation not found or already used.");
}
if (string.IsNullOrWhiteSpace(request.Password) || string.IsNullOrWhiteSpace(request.DisplayName))
{
return Results.BadRequest("Display name and password are required.");
}
var now = clock.GetUtcNow();
var member = new Member(invitation.Email, request.DisplayName.Trim(), string.Empty, now);
member.SetPasswordHash(hasher.HashPassword(member, request.Password));
var membership = new Membership(member.Id, invitation.Scope, invitation.Role, now);
invitation.Accept(now);
db.Members.Add(member);
db.Memberships.Add(membership);
await db.SaveChangesAsync(ct);
return Results.Ok(new AuthResponse(tokens.Issue(member, [membership]), member.Id));
}
}
src/Modules/TeamUp.Modules.Identity/IdentityModule.cs
+49 -11
View File
@@ -1,27 +1,65 @@
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Routing;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
using Microsoft.IdentityModel.Tokens;
using TeamUp.Modules.Identity.Access;
using TeamUp.Modules.Identity.Auth;
using TeamUp.Modules.Identity.Contracts;
using TeamUp.Modules.Identity.Domain;
using TeamUp.Modules.Identity.Endpoints;
using TeamUp.Modules.Identity.Persistence;
using TeamUp.SharedKernel.Access;
using TeamUp.SharedKernel.Modularity;
using TeamUp.SharedKernel.Persistence;
namespace TeamUp.Modules.Identity;
/// <summary>Identity &amp; access: members, memberships, roles, permission enforcement (M1).</summary>
/// <summary>Identity &amp; access: members, memberships, invitations, JWT auth, permission enforcement (M1).</summary>
public sealed class IdentityModule : IModule
{
public string Name => "identity";
public void Register(IServiceCollection services, IConfiguration configuration)
{
// Skeleton: no services yet. M1 introduces this module's (internal) DbContext,
// FluentValidation validators, and domain services here.
var connectionString = configuration.GetConnectionString("Postgres")
?? throw new InvalidOperationException("Missing connection string 'ConnectionStrings:Postgres'.");
services.AddDbContext<IdentityDbContext>(options => options.UseNpgsql(connectionString));
services.AddScoped<IModuleDbContext>(sp => sp.GetRequiredService<IdentityDbContext>());
services.TryAddSingleton(TimeProvider.System);
services.AddHttpContextAccessor();
services.AddScoped<ICurrentUser, CurrentUser>();
services.AddScoped<IPermissionService, PermissionService>();
services.AddScoped<IMemberDirectory, MemberDirectory>();
services.AddScoped<JwtTokenService>();
services.AddSingleton<IPasswordHasher<Member>, PasswordHasher<Member>>();
services.Configure<JwtOptions>(configuration.GetSection(JwtOptions.SectionName));
var jwt = configuration.GetSection(JwtOptions.SectionName).Get<JwtOptions>() ?? new JwtOptions();
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.MapInboundClaims = false;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = jwt.Issuer,
ValidateAudience = true,
ValidAudience = jwt.Audience,
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwt.Secret)),
ValidateLifetime = true,
};
});
services.AddAuthorization();
}
public void MapEndpoints(IEndpointRouteBuilder endpoints)
{
endpoints.MapGroup($"/api/{Name}")
.WithTags("Identity")
.MapGet("/ping", () => TypedResults.Ok(new ModulePing(Name)));
}
public void MapEndpoints(IEndpointRouteBuilder endpoints) => IdentityEndpoints.Map(endpoints);
}
src/Modules/TeamUp.Modules.Identity/Persistence/IdentityDbContext.cs
+54
View File
@@ -0,0 +1,54 @@
using Microsoft.EntityFrameworkCore;
using TeamUp.Modules.Identity.Domain;
using TeamUp.SharedKernel.Persistence;
namespace TeamUp.Modules.Identity.Persistence;
internal sealed class IdentityDbContext(DbContextOptions<IdentityDbContext> options)
: DbContext(options), IModuleDbContext
{
public DbSet<Member> Members => Set<Member>();
public DbSet<Membership> Memberships => Set<Membership>();
public DbSet<Invitation> Invitations => Set<Invitation>();
protected override void OnModelCreating(ModelBuilder modelBuilder)
{
modelBuilder.HasDefaultSchema("identity");
modelBuilder.Entity<Member>(member =>
{
member.ToTable("members");
member.HasKey(m => m.Id);
member.Property(m => m.Email).HasMaxLength(256).IsRequired();
member.HasIndex(m => m.Email).IsUnique();
member.Property(m => m.DisplayName).HasMaxLength(128).IsRequired();
member.Property(m => m.PasswordHash).HasMaxLength(512).IsRequired();
member.Property(m => m.Status).HasConversion<string>().HasMaxLength(32);
});
modelBuilder.Entity<Membership>(membership =>
{
membership.ToTable("memberships");
membership.HasKey(m => m.Id);
membership.Property(m => m.ScopeType).HasConversion<string>().HasMaxLength(32);
membership.Property(m => m.Role).HasConversion<string>().HasMaxLength(32);
membership.Ignore(m => m.Scope);
membership.HasIndex(m => m.MemberId);
membership.HasIndex(m => new { m.MemberId, m.ScopeType, m.ScopeId, m.Role }).IsUnique();
});
modelBuilder.Entity<Invitation>(invitation =>
{
invitation.ToTable("invitations");
invitation.HasKey(i => i.Id);
invitation.Property(i => i.Email).HasMaxLength(256).IsRequired();
invitation.Property(i => i.Token).HasMaxLength(128).IsRequired();
invitation.HasIndex(i => i.Token).IsUnique();
invitation.HasIndex(i => i.Email);
invitation.Property(i => i.ScopeType).HasConversion<string>().HasMaxLength(32);
invitation.Property(i => i.Role).HasConversion<string>().HasMaxLength(32);
invitation.Property(i => i.Status).HasConversion<string>().HasMaxLength(32);
invitation.Ignore(i => i.Scope);
});
}
}
src/Modules/TeamUp.Modules.Identity/Persistence/IdentityDbContextFactory.cs
+21
View File
@@ -0,0 +1,21 @@
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Design;
namespace TeamUp.Modules.Identity.Persistence;
/// <summary>Design-time factory so `dotnet ef` can build the internal context without a host.</summary>
internal sealed class IdentityDbContextFactory : IDesignTimeDbContextFactory<IdentityDbContext>
{
public IdentityDbContext CreateDbContext(string[] args)
{
var connectionString =
Environment.GetEnvironmentVariable("ConnectionStrings__Postgres")
?? "Host=localhost;Port=5432;Database=teamup;Username=teamup;Password=teamup";
var options = new DbContextOptionsBuilder<IdentityDbContext>()
.UseNpgsql(connectionString)
.Options;
return new IdentityDbContext(options);
}
}
src/Modules/TeamUp.Modules.Identity/Persistence/MemberDirectory.cs
+24
View File
@@ -0,0 +1,24 @@
using Microsoft.EntityFrameworkCore;
using TeamUp.Modules.Identity.Contracts;
namespace TeamUp.Modules.Identity.Persistence;
internal sealed class MemberDirectory(IdentityDbContext db) : IMemberDirectory
{
public async Task<MemberSummary?> FindByIdAsync(Guid memberId, CancellationToken cancellationToken = default) =>
await db.Members
.Where(m => m.Id == memberId)
.Select(m => new MemberSummary(m.Id, m.Email, m.DisplayName))
.FirstOrDefaultAsync(cancellationToken);
public async Task<IReadOnlyDictionary<Guid, MemberSummary>> GetByIdsAsync(
IReadOnlyCollection<Guid> memberIds,
CancellationToken cancellationToken = default)
{
var ids = memberIds.ToHashSet();
return await db.Members
.Where(m => ids.Contains(m.Id))
.Select(m => new MemberSummary(m.Id, m.Email, m.DisplayName))
.ToDictionaryAsync(m => m.Id, cancellationToken);
}
}
src/Modules/TeamUp.Modules.Identity/Persistence/Migrations/20260609042521_InitialIdentity.Designer.cs
Generated
+156
View File
@@ -0,0 +1,156 @@
// <auto-generated />
using System;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Infrastructure;
using Microsoft.EntityFrameworkCore.Migrations;
using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
using TeamUp.Modules.Identity.Persistence;
#nullable disable
namespace TeamUp.Modules.Identity.Persistence.Migrations
{
[DbContext(typeof(IdentityDbContext))]
[Migration("20260609042521_InitialIdentity")]
partial class InitialIdentity
{
/// <inheritdoc />
protected override void BuildTargetModel(ModelBuilder modelBuilder)
{
#pragma warning disable 612, 618
modelBuilder
.HasDefaultSchema("identity")
.HasAnnotation("ProductVersion", "10.0.8")
.HasAnnotation("Relational:MaxIdentifierLength", 63);
NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
modelBuilder.Entity("TeamUp.Modules.Identity.Domain.Invitation", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<DateTimeOffset?>("AcceptedAtUtc")
.HasColumnType("timestamp with time zone");
b.Property<DateTimeOffset>("CreatedAtUtc")
.HasColumnType("timestamp with time zone");
b.Property<string>("Email")
.IsRequired()
.HasMaxLength(256)
.HasColumnType("character varying(256)");
b.Property<Guid>("InvitedByMemberId")
.HasColumnType("uuid");
b.Property<string>("Role")
.IsRequired()
.HasMaxLength(32)
.HasColumnType("character varying(32)");
b.Property<Guid>("ScopeId")
.HasColumnType("uuid");
b.Property<string>("ScopeType")
.IsRequired()
.HasMaxLength(32)
.HasColumnType("character varying(32)");
b.Property<string>("Status")
.IsRequired()
.HasMaxLength(32)
.HasColumnType("character varying(32)");
b.Property<string>("Token")
.IsRequired()
.HasMaxLength(128)
.HasColumnType("character varying(128)");
b.HasKey("Id");
b.HasIndex("Email");
b.HasIndex("Token")
.IsUnique();
b.ToTable("invitations", "identity");
});
modelBuilder.Entity("TeamUp.Modules.Identity.Domain.Member", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<DateTimeOffset>("CreatedAtUtc")
.HasColumnType("timestamp with time zone");
b.Property<string>("DisplayName")
.IsRequired()
.HasMaxLength(128)
.HasColumnType("character varying(128)");
b.Property<string>("Email")
.IsRequired()
.HasMaxLength(256)
.HasColumnType("character varying(256)");
b.Property<string>("PasswordHash")
.IsRequired()
.HasMaxLength(512)
.HasColumnType("character varying(512)");
b.Property<string>("Status")
.IsRequired()
.HasMaxLength(32)
.HasColumnType("character varying(32)");
b.HasKey("Id");
b.HasIndex("Email")
.IsUnique();
b.ToTable("members", "identity");
});
modelBuilder.Entity("TeamUp.Modules.Identity.Domain.Membership", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<DateTimeOffset>("CreatedAtUtc")
.HasColumnType("timestamp with time zone");
b.Property<Guid>("MemberId")
.HasColumnType("uuid");
b.Property<string>("Role")
.IsRequired()
.HasMaxLength(32)
.HasColumnType("character varying(32)");
b.Property<Guid>("ScopeId")
.HasColumnType("uuid");
b.Property<string>("ScopeType")
.IsRequired()
.HasMaxLength(32)
.HasColumnType("character varying(32)");
b.HasKey("Id");
b.HasIndex("MemberId");
b.HasIndex("MemberId", "ScopeType", "ScopeId", "Role")
.IsUnique();
b.ToTable("memberships", "identity");
});
#pragma warning restore 612, 618
}
}
}
src/Modules/TeamUp.Modules.Identity/Persistence/Migrations/20260609042521_InitialIdentity.cs
+122
View File
@@ -0,0 +1,122 @@
using System;
using Microsoft.EntityFrameworkCore.Migrations;
#nullable disable
namespace TeamUp.Modules.Identity.Persistence.Migrations
{
/// <inheritdoc />
public partial class InitialIdentity : Migration
{
/// <inheritdoc />
protected override void Up(MigrationBuilder migrationBuilder)
{
migrationBuilder.EnsureSchema(
name: "identity");
migrationBuilder.CreateTable(
name: "invitations",
schema: "identity",
columns: table => new
{
Id = table.Column<Guid>(type: "uuid", nullable: false),
Email = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: false),
ScopeType = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: false),
ScopeId = table.Column<Guid>(type: "uuid", nullable: false),
Role = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: false),
Token = table.Column<string>(type: "character varying(128)", maxLength: 128, nullable: false),
Status = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: false),
InvitedByMemberId = table.Column<Guid>(type: "uuid", nullable: false),
CreatedAtUtc = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false),
AcceptedAtUtc = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: true)
},
constraints: table =>
{
table.PrimaryKey("PK_invitations", x => x.Id);
});
migrationBuilder.CreateTable(
name: "members",
schema: "identity",
columns: table => new
{
Id = table.Column<Guid>(type: "uuid", nullable: false),
Email = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: false),
DisplayName = table.Column<string>(type: "character varying(128)", maxLength: 128, nullable: false),
PasswordHash = table.Column<string>(type: "character varying(512)", maxLength: 512, nullable: false),
Status = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: false),
CreatedAtUtc = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false)
},
constraints: table =>
{
table.PrimaryKey("PK_members", x => x.Id);
});
migrationBuilder.CreateTable(
name: "memberships",
schema: "identity",
columns: table => new
{
Id = table.Column<Guid>(type: "uuid", nullable: false),
MemberId = table.Column<Guid>(type: "uuid", nullable: false),
ScopeType = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: false),
ScopeId = table.Column<Guid>(type: "uuid", nullable: false),
Role = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: false),
CreatedAtUtc = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false)
},
constraints: table =>
{
table.PrimaryKey("PK_memberships", x => x.Id);
});
migrationBuilder.CreateIndex(
name: "IX_invitations_Email",
schema: "identity",
table: "invitations",
column: "Email");
migrationBuilder.CreateIndex(
name: "IX_invitations_Token",
schema: "identity",
table: "invitations",
column: "Token",
unique: true);
migrationBuilder.CreateIndex(
name: "IX_members_Email",
schema: "identity",
table: "members",
column: "Email",
unique: true);
migrationBuilder.CreateIndex(
name: "IX_memberships_MemberId",
schema: "identity",
table: "memberships",
column: "MemberId");
migrationBuilder.CreateIndex(
name: "IX_memberships_MemberId_ScopeType_ScopeId_Role",
schema: "identity",
table: "memberships",
columns: new[] { "MemberId", "ScopeType", "ScopeId", "Role" },
unique: true);
}
/// <inheritdoc />
protected override void Down(MigrationBuilder migrationBuilder)
{
migrationBuilder.DropTable(
name: "invitations",
schema: "identity");
migrationBuilder.DropTable(
name: "members",
schema: "identity");
migrationBuilder.DropTable(
name: "memberships",
schema: "identity");
}
}
}
src/Modules/TeamUp.Modules.Identity/Persistence/Migrations/IdentityDbContextModelSnapshot.cs
+153
View File
@@ -0,0 +1,153 @@
// <auto-generated />
using System;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Infrastructure;
using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
using TeamUp.Modules.Identity.Persistence;
#nullable disable
namespace TeamUp.Modules.Identity.Persistence.Migrations
{
[DbContext(typeof(IdentityDbContext))]
partial class IdentityDbContextModelSnapshot : ModelSnapshot
{
protected override void BuildModel(ModelBuilder modelBuilder)
{
#pragma warning disable 612, 618
modelBuilder
.HasDefaultSchema("identity")
.HasAnnotation("ProductVersion", "10.0.8")
.HasAnnotation("Relational:MaxIdentifierLength", 63);
NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
modelBuilder.Entity("TeamUp.Modules.Identity.Domain.Invitation", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<DateTimeOffset?>("AcceptedAtUtc")
.HasColumnType("timestamp with time zone");
b.Property<DateTimeOffset>("CreatedAtUtc")
.HasColumnType("timestamp with time zone");
b.Property<string>("Email")
.IsRequired()
.HasMaxLength(256)
.HasColumnType("character varying(256)");
b.Property<Guid>("InvitedByMemberId")
.HasColumnType("uuid");
b.Property<string>("Role")
.IsRequired()
.HasMaxLength(32)
.HasColumnType("character varying(32)");
b.Property<Guid>("ScopeId")
.HasColumnType("uuid");
b.Property<string>("ScopeType")
.IsRequired()
.HasMaxLength(32)
.HasColumnType("character varying(32)");
b.Property<string>("Status")
.IsRequired()
.HasMaxLength(32)
.HasColumnType("character varying(32)");
b.Property<string>("Token")
.IsRequired()
.HasMaxLength(128)
.HasColumnType("character varying(128)");
b.HasKey("Id");
b.HasIndex("Email");
b.HasIndex("Token")
.IsUnique();
b.ToTable("invitations", "identity");
});
modelBuilder.Entity("TeamUp.Modules.Identity.Domain.Member", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<DateTimeOffset>("CreatedAtUtc")
.HasColumnType("timestamp with time zone");
b.Property<string>("DisplayName")
.IsRequired()
.HasMaxLength(128)
.HasColumnType("character varying(128)");
b.Property<string>("Email")
.IsRequired()
.HasMaxLength(256)
.HasColumnType("character varying(256)");
b.Property<string>("PasswordHash")
.IsRequired()
.HasMaxLength(512)
.HasColumnType("character varying(512)");
b.Property<string>("Status")
.IsRequired()
.HasMaxLength(32)
.HasColumnType("character varying(32)");
b.HasKey("Id");
b.HasIndex("Email")
.IsUnique();
b.ToTable("members", "identity");
});
modelBuilder.Entity("TeamUp.Modules.Identity.Domain.Membership", b =>
{
b.Property<Guid>("Id")
.ValueGeneratedOnAdd()
.HasColumnType("uuid");
b.Property<DateTimeOffset>("CreatedAtUtc")
.HasColumnType("timestamp with time zone");
b.Property<Guid>("MemberId")
.HasColumnType("uuid");
b.Property<string>("Role")
.IsRequired()
.HasMaxLength(32)
.HasColumnType("character varying(32)");
b.Property<Guid>("ScopeId")
.HasColumnType("uuid");
b.Property<string>("ScopeType")
.IsRequired()
.HasMaxLength(32)
.HasColumnType("character varying(32)");
b.HasKey("Id");
b.HasIndex("MemberId");
b.HasIndex("MemberId", "ScopeType", "ScopeId", "Role")
.IsUnique();
b.ToTable("memberships", "identity");
});
#pragma warning restore 612, 618
}
}
}
src/Modules/TeamUp.Modules.Identity/TeamUp.Modules.Identity.csproj
+13 -3
View File
@@ -1,10 +1,20 @@
<Project Sdk="Microsoft.NET.Sdk">
<!-- A self-contained module. References SharedKernel ONLY (ASP.NET flows transitively for the
IModule seam). M1 adds this module's EF/Npgsql/FluentValidation/Mapperly packages when it
gains an (internal) DbContext and validators. It must never reference another module. -->
<!-- Identity & access: members, memberships, invitations, JWT auth, permission enforcement.
References SharedKernel only; never another module. -->
<ItemGroup>
<ProjectReference Include="..\..\Shared\TeamUp.SharedKernel\TeamUp.SharedKernel.csproj" />
</ItemGroup>
<ItemGroup>
<PackageReference Include="Microsoft.EntityFrameworkCore" />
<PackageReference Include="Microsoft.EntityFrameworkCore.Design" PrivateAssets="all" />
<PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" />
<PackageReference Include="FluentValidation" />
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
<PackageReference Include="Microsoft.Extensions.Identity.Core" />
<PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" />
<PackageReference Include="Microsoft.IdentityModel.Tokens" />
</ItemGroup>
</Project>
src/Shared/TeamUp.SharedKernel/Access/AccessPolicy.cs
+26
View File
@@ -0,0 +1,26 @@
namespace TeamUp.SharedKernel.Access;
/// <summary>
/// The role × capability matrix (docs/PRODUCT.md "Access / RBAC"). Pure policy — no scope logic
/// here; scope coverage is applied by <see cref="IPermissionService"/>. Owner is org-wide and can
/// do everything; TeamOwner is scoped to its own team; Member works tasks; Viewer reads only.
/// </summary>
public static class AccessPolicy
{
public static bool Permits(RoleType role, Capability capability) => role switch
{
RoleType.Owner => true,
RoleType.TeamOwner => capability is
Capability.InvitePeople
or Capability.CreateProductsAndTeams
or Capability.ConfigureAgents
or Capability.SetAutonomy
or Capability.ApproveHeldActions
or Capability.WorkTasks
or Capability.ViewBoard
or Capability.ViewAuditLog,
RoleType.Member => capability is Capability.WorkTasks or Capability.ViewBoard,
RoleType.Viewer => capability is Capability.ViewBoard,
_ => false,
};
}
src/Shared/TeamUp.SharedKernel/Access/Capability.cs
+19
View File
@@ -0,0 +1,19 @@
namespace TeamUp.SharedKernel.Access;
/// <summary>
/// A permission-checked action, evaluated against a scope. Mirrors the capability rows of the
/// access matrix in docs/PRODUCT.md ("Access / RBAC").
/// </summary>
public enum Capability
{
ManageBilling,
ManageApiKeys,
InvitePeople,
CreateProductsAndTeams,
ConfigureAgents,
SetAutonomy,
ApproveHeldActions,
WorkTasks,
ViewBoard,
ViewAuditLog,
}
src/Shared/TeamUp.SharedKernel/Access/ICurrentUser.cs
+20
View File
@@ -0,0 +1,20 @@
namespace TeamUp.SharedKernel.Access;
/// <summary>A role held at a scope.</summary>
public readonly record struct ScopedRole(ScopeRef Scope, RoleType Role);
/// <summary>
/// The authenticated principal for the current request — or unauthenticated. Resolved from the
/// JWT by the Identity module; available to every module via DI.
/// </summary>
public interface ICurrentUser
{
bool IsAuthenticated { get; }
/// <summary>The member id. Throws if not authenticated — guard with <see cref="IsAuthenticated"/>.</summary>
Guid MemberId { get; }
string Email { get; }
IReadOnlyList<ScopedRole> Memberships { get; }
}
src/Shared/TeamUp.SharedKernel/Access/IPermissionService.cs
+12
View File
@@ -0,0 +1,12 @@
namespace TeamUp.SharedKernel.Access;
/// <summary>
/// Evaluates whether the current user may perform a capability at a scope. The caller passes the
/// scope chain from most-specific to broadest (e.g. a team, then its org); a covering role at any
/// link grants the capability. This keeps Identity free of OrgBoard's scope hierarchy — the module
/// performing the action supplies the chain it already knows.
/// </summary>
public interface IPermissionService
{
bool Has(Capability capability, params ScopeRef[] scopeChain);
}
src/Shared/TeamUp.SharedKernel/Access/RoleType.cs
+10
View File
@@ -0,0 +1,10 @@
namespace TeamUp.SharedKernel.Access;
/// <summary>A role granted to a member at a scope. Memberships are additive.</summary>
public enum RoleType
{
Owner,
TeamOwner,
Member,
Viewer,
}
src/Shared/TeamUp.SharedKernel/Access/Scope.cs
+18
View File
@@ -0,0 +1,18 @@
namespace TeamUp.SharedKernel.Access;
/// <summary>The kind of scope a role is granted at. V1 uses Organization and Team.</summary>
public enum ScopeType
{
Organization,
Division,
Product,
Team,
}
/// <summary>A reference to the scope a role applies to (additive across memberships).</summary>
public readonly record struct ScopeRef(ScopeType Type, Guid Id)
{
public static ScopeRef Org(Guid id) => new(ScopeType.Organization, id);
public static ScopeRef Team(Guid id) => new(ScopeType.Team, id);
}