Merge branch 'develop' into feat/services-evaluation

Author: ahmed12348

backend/permissions.yaml

@@ -187,3 +187,7 @@ groups:
     CountryProfiles:
       description: Generate country profiles report
       roles: [cce-super-admin, cce-admin]
+  Lookup:
+    Manage:
+      description: Manage lookup tables (nationalities, country phone codes)
+      roles: [cce-super-admin]

backend/src/CCE.Api.Common/Auth/AuthEndpoints.cs

@@ -29,7 +29,8 @@ public static IEndpointRouteBuilder MapAuthEndpoints(this IEndpointRouteBuilder
                 body.OrganizationName,
                 body.PhoneNumber,
                 body.Password,
-                body.ConfirmPassword), ct).ConfigureAwait(false);
+                body.ConfirmPassword,
+                body.CountryCodeId), ct).ConfigureAwait(false);
             return result.ToCreatedHttpResult();
         })
         .AllowAnonymous()

backend/src/CCE.Api.Common/Auth/DevAuthHandler.cs

@@ -71,7 +71,15 @@ public DevAuthHandler(
 
     protected override Task<AuthenticateResult> HandleAuthenticateAsync()
     {
-        var roles = ReadRoles();
+        // PRIORITY 1: If the request carries a real JWT (e.g. from /api/auth/login),
+        // authenticate as the real user and skip dev-mode entirely.
+        var realJwtResult = TryAuthenticateRealJwt();
+        if (realJwtResult is not null)
+            return Task.FromResult(realJwtResult);
+
+        // PRIORITY 2: Dev-mode auth — cookie or dev-prefixed bearer header.
+        // Only reached when no valid real JWT is present.
+        var roles = ReadDevRoles();
         if (roles is null || roles.Count == 0)
         {
             return Task.FromResult(AuthenticateResult.NoResult());
@@ -101,38 +109,29 @@ protected override Task<AuthenticateResult> HandleAuthenticateAsync()
         return Task.FromResult(AuthenticateResult.Success(ticket));
     }
 
-    private List<string>? ReadRoles()
+    /// <summary>
+    /// Attempts to validate the Authorization header as a real JWT issued by
+    /// <c>/api/auth/login</c>. Returns <c>null</c> when no header is present,
+    /// the token is invalid, or it is a dev-mode token.
+    /// </summary>
+    private AuthenticateResult? TryAuthenticateRealJwt()
     {
-        // Prefer cookie (browser path); fall back to bearer header (curl / Postman).
-        if (Request.Cookies.TryGetValue(DevCookieName, out var cookieValue) && !string.IsNullOrEmpty(cookieValue))
-        {
-            return new List<string> { cookieValue.Trim() };
-        }
+        if (!Request.Headers.TryGetValue("Authorization", out var auth))
+            return null;
 
-        if (Request.Headers.TryGetValue("Authorization", out var auth))
-        {
-            var raw = auth.ToString();
+        var raw = auth.ToString();
 
-            const string devPrefix = "Bearer dev:";
-            if (raw.StartsWith(devPrefix, StringComparison.OrdinalIgnoreCase))
-            {
-                return new List<string> { raw.Substring(devPrefix.Length).Trim() };
-            }
+        // Skip dev-prefixed tokens — they are handled by the dev-mode path.
+        const string devPrefix = "Bearer dev:";
+        if (raw.StartsWith(devPrefix, StringComparison.OrdinalIgnoreCase))
+            return null;
 
-            // Fallback: try to decode as a real JWT (e.g. issued by /api/auth/login)
-            const string bearerPrefix = "Bearer ";
-            if (raw.StartsWith(bearerPrefix, StringComparison.OrdinalIgnoreCase))
-            {
-                var token = raw.Substring(bearerPrefix.Length).Trim();
-                return TryReadRolesFromJwt(token);
-            }
-        }
+        const string bearerPrefix = "Bearer ";
+        if (!raw.StartsWith(bearerPrefix, StringComparison.OrdinalIgnoreCase))
+            return null;
 
-        return null;
-    }
+        var token = raw.Substring(bearerPrefix.Length).Trim();
 
-    private List<string>? TryReadRolesFromJwt(string token)
-    {
         var opts = _localAuthOptions.Value;
         var profiles = new[] { opts.External, opts.Internal };
         var handler = new JwtSecurityTokenHandler { MapInboundClaims = false };
@@ -155,7 +154,7 @@ protected override Task<AuthenticateResult> HandleAuthenticateAsync()
                 ClockSkew = TimeSpan.FromMinutes(2),
             };
 
-            ClaimsPrincipal? principal;
+            ClaimsPrincipal principal;
             try
             {
                 principal = handler.ValidateToken(token, parameters, out _);
@@ -166,12 +165,61 @@ protected override Task<AuthenticateResult> HandleAuthenticateAsync()
                 continue;
             }
 
-            var roles = principal.FindAll("roles").Select(c => c.Value).ToList();
-            if (roles.Count > 0)
-                return roles;
+            // Extract claims directly from the validated JWT — do NOT remap to dev users.
+            var sub = principal.FindFirstValue("sub")
+                      ?? principal.FindFirstValue(ClaimTypes.NameIdentifier);
+            if (string.IsNullOrEmpty(sub))
+                continue;
+
+            var email = principal.FindFirstValue("email") ?? string.Empty;
+            var preferredUsername = principal.FindFirstValue("preferred_username") ?? email;
+            var name = principal.FindFirstValue("name")
+                       ?? principal.FindFirstValue(ClaimTypes.Name)
+                       ?? preferredUsername;
+
+            var claims = new List<Claim>
+            {
+                new("sub", sub),
+                new("oid", sub),
+                new("preferred_username", preferredUsername),
+                new("name", name),
+                new("email", email),
+            };
+            claims.AddRange(principal.FindAll("roles").Select(c => new Claim("roles", c.Value)));
+
+            var identity = new ClaimsIdentity(claims, SchemeName, "preferred_username", "roles");
+            var realPrincipal = new ClaimsPrincipal(identity);
+            var ticket = new AuthenticationTicket(realPrincipal, SchemeName);
+            return AuthenticateResult.Success(ticket);
+        }
+
+        Logger.LogDebug("No valid real JWT found in DevAuthHandler; falling back to dev-mode auth");
+        return null;
+    }
+
+    /// <summary>
+    /// Reads dev-mode credentials from cookie or the <c>Bearer dev:&lt;role&gt;</c> header.
+    /// Returns <c>null</c> when neither is present.
+    /// </summary>
+    private List<string>? ReadDevRoles()
+    {
+        // Prefer bearer header (curl / Postman) over cookie.
+        if (Request.Headers.TryGetValue("Authorization", out var auth))
+        {
+            var raw = auth.ToString();
+            const string devPrefix = "Bearer dev:";
+            if (raw.StartsWith(devPrefix, StringComparison.OrdinalIgnoreCase))
+            {
+                return new List<string> { raw.Substring(devPrefix.Length).Trim() };
+            }
+        }
+
+        // Fall back to cookie (browser path).
+        if (Request.Cookies.TryGetValue(DevCookieName, out var cookieValue) && !string.IsNullOrEmpty(cookieValue))
+        {
+            return new List<string> { cookieValue.Trim() };
         }
 
-        Logger.LogWarning("JWT validation failed for all profiles in DevAuthHandler");
         return null;
     }
 }

backend/src/CCE.Api.Common/Localization/Resources.yaml

@@ -51,16 +51,8 @@ IDENTITY_USERNAME_EXISTS:
   en: "Username already taken"
 
 IDENTITY_INVALID_CREDENTIALS:
-  ar: "عذرًا، حدثت مشكلة أثناء تسجيل الدخول"
-  en: "Sorry, a problem occurred during login"
-
-IDENTITY_INVALID_TOKEN:
-  ar: "رمز الوصول غير صالح"
-  en: "Invalid access token"
-
-IDENTITY_ACCOUNT_DEACTIVATED:
-  ar: "عذرًا، حدثت مشكلة أثناء تسجيل الدخول"
-  en: "Sorry, a problem occurred during login"
+  ar: "البريد الإلكتروني أو كلمة المرور غير صحيحة"
+  en: "Invalid email or password"
 
 IDENTITY_NOT_AUTHENTICATED:
   ar: "المستخدم غير مصادق"
@@ -78,6 +70,14 @@ IDENTITY_STATE_REP_ASSIGNMENT_EXISTS:
   ar: "التعيين موجود بالفعل"
   en: "Assignment already exists"
 
+IDENTITY_INVALID_TOKEN:
+  ar: "رمز الوصول غير صالح"
+  en: "Invalid access token"
+
+IDENTITY_ACCOUNT_DEACTIVATED:
+  ar: "الحساب غير نشط"
+  en: "Account is deactivated"
+
 CONTENT_RESOURCE_NOT_FOUND:
   ar: "المورد غير موجود"
   en: "Resource not found"
@@ -201,12 +201,12 @@ USER_NOT_FOUND:
   en: "Sorry, user not found"
 
 EMAIL_EXISTS:
-  ar: "عذرًا، حدثت مشكلة أثناء إنشاء الحساب"
-  en: "Sorry, a problem occurred while creating the account"
+  ar: "البريد الإلكتروني مستخدم بالفعل"
+  en: "An account with this email already exists"
 
 INVALID_CREDENTIALS:
-  ar: "عذرًا، حدثت مشكلة أثناء تسجيل الدخول"
-  en: "Sorry, a problem occurred during login"
+  ar: "البريد الإلكتروني أو كلمة المرور غير صحيحة"
+  en: "Invalid email or password"
 
 NOT_AUTHENTICATED:
   ar: "المستخدم غير مصادق"

backend/src/CCE.Api.External/Endpoints/AssetEndpoints.cs

@@ -0,0 +1,76 @@
+using CCE.Api.Common.Auth;
+using CCE.Api.Common.Extensions;
+using CCE.Application.Common.Interfaces;
+using CCE.Application.Content.Commands.UploadAsset;
+using CCE.Application.Content.Queries.GetAssetById;
+using CCE.Infrastructure;
+using MediatR;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Routing;
+using Microsoft.Extensions.Options;
+
+namespace CCE.Api.External.Endpoints;
+
+public static class AssetEndpoints
+{
+    public static IEndpointRouteBuilder MapAssetEndpoints(this IEndpointRouteBuilder app)
+    {
+        var assets = app.MapGroup("/api/assets").WithTags("Assets").RequireAuthorization();
+
+        assets.MapPost("", async (
+            IFormFile file,
+            ICurrentUserAccessor currentUser,
+            IMediator mediator,
+            IOptions<CceInfrastructureOptions> infraOpts,
+            CancellationToken ct) =>
+        {
+            if (currentUser.GetUserId() is null) return Results.Unauthorized();
+
+            if (file is null || file.Length == 0)
+                return Results.BadRequest(new { error = "Upload requires a non-empty file." });
+
+            var allowed = infraOpts.Value.AllowedAssetMimeTypes;
+            if (!allowed.Contains(file.ContentType, System.StringComparer.OrdinalIgnoreCase))
+                return Results.StatusCode(StatusCodes.Status415UnsupportedMediaType);
+
+            await using var stream = file.OpenReadStream();
+            var result = await mediator.Send(
+                new UploadAssetCommand(stream, file.FileName, file.ContentType, file.Length),
+                ct).ConfigureAwait(false);
+
+            return result.Success
+                ? Results.Created($"/api/assets/{result.Data!.Id}", result)
+                : result.ToHttpResult();
+        })
+        .WithName("UploadAsset")
+        .DisableAntiforgery()
+        .WithMetadata(new RequestSizeLimitMetadataImpl(20L * 1024L * 1024L));
+
+        assets.MapGet("{id:guid}", async (
+            System.Guid id,
+            ICurrentUserAccessor currentUser,
+            IMediator mediator,
+            CancellationToken ct) =>
+        {
+            var userId = currentUser.GetUserId() ?? System.Guid.Empty;
+            if (userId == System.Guid.Empty) return Results.Unauthorized();
+
+            var result = await mediator.Send(new GetAssetByIdQuery(id), ct).ConfigureAwait(false);
+
+            if (!result.Success || result.Data!.UploadedById != userId)
+                return Results.NotFound();
+
+            return result.ToHttpResult();
+        })
+        .WithName("GetAssetById");
+
+        return app;
+    }
+
+    private sealed class RequestSizeLimitMetadataImpl : Microsoft.AspNetCore.Http.Metadata.IRequestSizeLimitMetadata
+    {
+        public RequestSizeLimitMetadataImpl(long? max) { MaxRequestBodySize = max; }
+        public long? MaxRequestBodySize { get; }
+    }
+}

backend/src/CCE.Api.External/Endpoints/CountryCodesPublicEndpoints.cs

@@ -0,0 +1,39 @@
+using CCE.Application.Lookups.Queries.GetCountryCodeById;
+using CCE.Application.Lookups.Queries.ListCountryCodes;
+using MediatR;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Routing;
+
+namespace CCE.Api.External.Endpoints;
+
+public static class CountryCodesPublicEndpoints
+{
+    public static IEndpointRouteBuilder MapCountryCodesPublicEndpoints(this IEndpointRouteBuilder app)
+    {
+        var group = app.MapGroup("/api/country-codes").WithTags("CountryCodes");
+
+        group.MapGet("", async (
+            string? search, bool? isActive,
+            IMediator mediator, CancellationToken ct) =>
+        {
+            var query = new ListCountryCodesQuery(Search: search, IsActive: isActive);
+            var result = await mediator.Send(query, ct).ConfigureAwait(false);
+            return Results.Ok(result);
+        })
+        .AllowAnonymous()
+        .WithName("ListPublicCountryCodes");
+
+        group.MapGet("/{id:guid}", async (
+            System.Guid id,
+            IMediator mediator, CancellationToken ct) =>
+        {
+            var result = await mediator.Send(new GetCountryCodeByIdQuery(id), ct).ConfigureAwait(false);
+            return result.Success ? Results.Ok(result) : Results.NotFound(result);
+        })
+        .AllowAnonymous()
+        .WithName("GetPublicCountryCodeById");
+
+        return app;
+    }
+}