Refactor Bewit token extraction; unify extraction options, update middleware integration, and enhance configuration support in appsettings.json

glucaci · Copilot · glucaci · commit 009f162def99 · 2026-05-04T18:13:24.000+02:00
Co-authored-by: Copilot &lt;copilot@github.com&gt;
diff --git a/README.md b/README.md
@@ -298,9 +298,64 @@ public static async Task<NominationDto> AssignNomineeAsync(
 ### Setup
 
 ```csharp
-app.UseBewitTokenHeaderExtraction();
+app.UseBewitTokenExtraction();
 ```
 
+## HTTP Endpoint Integration
+
+```bash
+dotnet add package Bewit.Http
+```
+
+Protect minimal API or middleware-based endpoints:
+```csharp
+app.UseBewitEndpointAuthorization<MyPayload>();
+```
+
+The middleware validates the token from the configured header or query parameter and makes the payload available via `GetBewitPayload<T>()`.
+
+## Token Extraction
+
+All extensions (HotChocolate, Http, Mvc) read the bewit token from the same configurable sources: an HTTP **header** and/or a **query parameter**. Header takes precedence when both are present.
+
+Defaults match the v6.x behavior:
+- Header: `bewitToken`
+- Query parameter: `bewit`
+
+### Code configuration
+```csharp
+services.AddBewit(bewit =>
+{
+    bewit.ConfigureTokenExtraction(o =>
+    {
+        o.HeaderName = "X-Custom-Token";
+        o.QueryParamName = "token";
+    });
+
+    bewit.AddPayload<string>();
+});
+```
+
+### appsettings.json
+```json
+{
+  "Bewit:TokenExtraction": {
+    "HeaderName": "X-Custom-Token",
+    "QueryParamName": "token"
+  }
+}
+```
+
+```csharp
+services.AddBewit(bewit =>
+{
+    bewit.BindTokenExtractionConfiguration("Bewit:TokenExtraction");
+    bewit.AddPayload<string>();
+});
+```
+
+Both can be combined — `BindTokenExtractionConfiguration` loads from appsettings first, then `ConfigureTokenExtraction` overrides specific values (standard .NET options layering).
+
 ## MVC Integration
 
 ```bash
@@ -325,9 +380,9 @@ public IActionResult Download(string id) { ... }
 | `Bewit.Extensions.Mvc` | MVC filters and parameter binding |
 | `Bewit.Http` | Minimal API endpoint authorization |
 
-## Migration from v1.x
+## Migration
 
-See [Migration Guide](docs/migration-guide.md).
+See [Migration Guide v7](docs/migration-guide-v7.md).
 
 ## Community
 
diff --git a/docs/migration-guide-v7.md b/docs/migration-guide-v7.md
@@ -16,6 +16,8 @@
 | MongoDB Driver | 2.x | 3.0+ |
 | HttpContextAccessor | Manual `services.AddHttpContextAccessor()` | Auto-registered by `AddBewit()` |
 | Startup validation | None | `ServerControlled` without nonce repo fails at startup |
+| Token extraction | Hardcoded header/query per extension | Unified `BewitTokenExtractionOptions` with header + query fallback |
+| HotChocolate setup | `UseBewitTokenHeaderExtraction()` | `UseBewitTokenExtraction()` |
 
 ## DI Registration Migration
 
@@ -245,3 +247,55 @@ services.AddBewit(bewit =>
 | `PayloadBuilder.UseSlidingWindow(TimeSpan)` | `ConfigureOptions(o => o.SlidingWindow = ...)` |
 | `PayloadBuilder.WithTokenDuration(TimeSpan)` | `ConfigureOptions(o => o.TokenDuration = ...)` |
 | `UseMongoPersistence(config, ...)` | `UseMongoDb(...)` on `BewitBuilder` or `PayloadBuilder<T>` |
+| `BewitTokenConstants` | `BewitTokenExtractionOptions` (configurable via options pattern) |
+| `UseBewitTokenHeaderExtraction()` | `UseBewitTokenExtraction()` |
+
+## Token Extraction Migration
+
+In v6.x, the HotChocolate extension used a hardcoded `bewitToken` header and the Http extension used a hardcoded `bewit` query parameter. These were not configurable.
+
+In v7.0, all extensions (HotChocolate, Http, Mvc) use `BewitTokenExtractionOptions` — a shared, configurable options class that follows the standard .NET options pattern.
+
+### Before (v6.x)
+```csharp
+// HotChocolate — header only, hardcoded name
+app.UseBewitTokenHeaderExtraction();
+
+// Http — query param only, hardcoded name
+app.UseBewitEndpointAuthorization<T>();
+
+// Mvc — query param only, hardcoded name
+[BewitUrlAuthorization]
+```
+
+### After (v7.0)
+```csharp
+// HotChocolate — reads header first, then query param
+app.UseBewitTokenExtraction();
+
+// Http — reads header first, then query param
+app.UseBewitEndpointAuthorization<T>();
+
+// Mvc — reads header first, then query param
+[BewitUrlAuthorization]
+```
+
+All three now check **header first, then fall back to query parameter**. Default names are unchanged (`bewitToken` header, `bewit` query param), so existing consumers work without config changes.
+
+### Custom token extraction
+```csharp
+services.AddBewit(bewit =>
+{
+    bewit.ConfigureTokenExtraction(o =>
+    {
+        o.HeaderName = "X-Custom-Token";
+        o.QueryParamName = "token";
+    });
+    // or from appsettings.json:
+    bewit.BindTokenExtractionConfiguration("Bewit:TokenExtraction");
+
+    bewit.AddPayload<string>();
+});
+```
+
+`BewitTokenExtractionOptions` supports full .NET options layering: `Bind` → `Configure` → `PostConfigure`, with `ValidateDataAnnotations` and `ValidateOnStart`.
diff --git a/src/Core/BewitBuilder.cs b/src/Core/BewitBuilder.cs
@@ -14,6 +14,8 @@ public sealed class BewitBuilder
 
     internal Action<BewitTokenExtractionOptions>? TokenExtractionAction { get; private set; }
 
+    internal string? TokenExtractionConfigSection { get; private set; }
+
     internal List<Action<IServiceCollection>> PayloadRegistrations { get; } = [];
 
     internal BewitBuilder(IServiceCollection services)
@@ -65,4 +67,11 @@ public BewitBuilder ConfigureTokenExtraction(
 
         return this;
     }
+
+    public BewitBuilder BindTokenExtractionConfiguration(string sectionPath)
+    {
+        TokenExtractionConfigSection = sectionPath;
+
+        return this;
+    }
 }
diff --git a/src/Core/BewitServiceCollectionExtensions.cs b/src/Core/BewitServiceCollectionExtensions.cs
@@ -15,17 +15,24 @@ public static IServiceCollection AddBewit(
         services.TryAddSingleton<IVariablesProvider, VariablesProvider>();
         services.AddHttpContextAccessor();
 
-        if (builder.TokenExtractionAction is not null)
+        var optionsBuilder = services
+            .AddOptions<BewitTokenExtractionOptions>();
+
+        if (builder.TokenExtractionConfigSection is not null)
         {
-            services.Configure(builder.TokenExtractionAction);
+            optionsBuilder.BindConfiguration(
+                builder.TokenExtractionConfigSection);
         }
-        else
+
+        if (builder.TokenExtractionAction is not null)
         {
-            services.TryAddSingleton(
-                Microsoft.Extensions.Options.Options.Create(
-                    new BewitTokenExtractionOptions()));
+            optionsBuilder.Configure(builder.TokenExtractionAction);
         }
 
+        optionsBuilder
+            .ValidateDataAnnotations()
+            .ValidateOnStart();
+
         foreach (Action<IServiceCollection> registration in builder.PayloadRegistrations)
         {
             registration(services);
diff --git a/src/Core/BewitTokenExtractionOptions.cs b/src/Core/BewitTokenExtractionOptions.cs
@@ -1,10 +1,14 @@
+using System.ComponentModel.DataAnnotations;
+
 namespace Bewit;
 
 public sealed class BewitTokenExtractionOptions
 {
+    [Required]
     public string HeaderName { get; set; } = "bewitToken";
 
+    [Required]
     public string QueryParamName { get; set; } = "bewit";
 
-    internal string ContextKey { get; set; } = "bewitToken";
+    internal string ContextKey => HeaderName;
 }
diff --git a/src/Extensions.HotChocolate/BewitHotChocolateServiceCollectionExtensions.cs b/src/Extensions.HotChocolate/BewitHotChocolateServiceCollectionExtensions.cs
@@ -10,11 +10,4 @@ public static IApplicationBuilder UseBewitTokenExtraction(
     {
         return app.UseMiddleware<BewitTokenExtractionMiddleware>();
     }
-
-    [Obsolete("Use UseBewitTokenExtraction instead.")]
-    public static IApplicationBuilder UseBewitTokenHeaderExtraction(
-        this IApplicationBuilder app)
-    {
-        return app.UseBewitTokenExtraction();
-    }
 }
diff --git a/src/Extensions.HotChocolate/BewitTokenConstants.cs b/src/Extensions.HotChocolate/BewitTokenConstants.cs
diff --git a/test/Extensions.HotChocolate.Tests/BewitTokenExtractionMiddlewareTests.cs b/test/Extensions.HotChocolate.Tests/BewitTokenExtractionMiddlewareTests.cs
@@ -113,7 +113,7 @@ public async Task InvokeAsync_WithCustomHeaderName_ShouldReadFromCustomHeader()
 
         await middleware.InvokeAsync(context);
 
-        context.Items["bewitToken"].Should().Be("custom-header-token");
+        context.Items["X-My-Token"].Should().Be("custom-header-token");
     }
 
     [Fact]

Original file line number	Diff line number	Diff line change
`@@ -15,17 +15,24 @@ public static IServiceCollection AddBewit(`
`15`	`15`	`services.TryAddSingleton<IVariablesProvider, VariablesProvider>();`
`16`	`16`	`services.AddHttpContextAccessor();`
`17`	`17`
`18`		`- if (builder.TokenExtractionAction is not null)`
	`18`	`+ var optionsBuilder = services`
	`19`	`+ .AddOptions<BewitTokenExtractionOptions>();`
	`20`	`+`
	`21`	`+ if (builder.TokenExtractionConfigSection is not null)`
`19`	`22`	`{`
`20`		`- services.Configure(builder.TokenExtractionAction);`
	`23`	`+ optionsBuilder.BindConfiguration(`
	`24`	`+ builder.TokenExtractionConfigSection);`
`21`	`25`	`}`
`22`		`- else`
	`26`	`+`
	`27`	`+ if (builder.TokenExtractionAction is not null)`
`23`	`28`	`{`
`24`		`- services.TryAddSingleton(`
`25`		`- Microsoft.Extensions.Options.Options.Create(`
`26`		`- new BewitTokenExtractionOptions()));`
	`29`	`+ optionsBuilder.Configure(builder.TokenExtractionAction);`
`27`	`30`	`}`
`28`	`31`
	`32`	`+ optionsBuilder`
	`33`	`+ .ValidateDataAnnotations()`
	`34`	`+ .ValidateOnStart();`
	`35`	`+`
`29`	`36`	`foreach (Action<IServiceCollection> registration in builder.PayloadRegistrations)`
`30`	`37`	`{`
`31`	`38`	`registration(services);`
Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,14 @@`
	`1`	`+using System.ComponentModel.DataAnnotations;`
	`2`	`+`
`1`	`3`	`namespace Bewit;`
`2`	`4`
`3`	`5`	`public sealed class BewitTokenExtractionOptions`
`4`	`6`	`{`
	`7`	`+ [Required]`
`5`	`8`	`public string HeaderName { get; set; } = "bewitToken";`
`6`	`9`
	`10`	`+ [Required]`
`7`	`11`	`public string QueryParamName { get; set; } = "bewit";`
`8`	`12`
`9`		`- internal string ContextKey { get; set; } = "bewitToken";`
	`13`	`+ internal string ContextKey => HeaderName;`
`10`	`14`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,11 +10,4 @@ public static IApplicationBuilder UseBewitTokenExtraction(`
`10`	`10`	`{`
`11`	`11`	`return app.UseMiddleware<BewitTokenExtractionMiddleware>();`
`12`	`12`	`}`
`13`		`-`
`14`		`- [Obsolete("Use UseBewitTokenExtraction instead.")]`
`15`		`- public static IApplicationBuilder UseBewitTokenHeaderExtraction(`
`16`		`- this IApplicationBuilder app)`
`17`		`- {`
`18`		`- return app.UseBewitTokenExtraction();`
`19`		`- }`
`20`	`13`	`}`
Original file line number	Diff line number	Diff line change
`@@ -113,7 +113,7 @@ public async Task InvokeAsync_WithCustomHeaderName_ShouldReadFromCustomHeader()`
`113`	`113`
`114`	`114`	`await middleware.InvokeAsync(context);`
`115`	`115`
`116`		`- context.Items["bewitToken"].Should().Be("custom-header-token");`
	`116`	`+ context.Items["X-My-Token"].Should().Be("custom-header-token");`
`117`	`117`	`}`
`118`	`118`
`119`	`119`	`[Fact]`