Add Bewit endpoint authorization filter; implement route handler and group builder methods, enhance README with usage examples, and introduce unit tests for validation scenarios

glucaci · Copilot · glucaci · commit d7038233e9dc · 2026-05-04T21:23:16.000+02:00
Co-authored-by: Copilot &lt;copilot@github.com&gt;
diff --git a/README.md b/README.md
@@ -307,12 +307,26 @@ app.UseBewitTokenExtraction();
 dotnet add package Bewit.Http
 ```
 
-Protect minimal API or middleware-based endpoints:
+### Minimal API — Endpoint Filter (recommended)
+
+Apply authorization to individual routes or route groups:
 ```csharp
-app.UseBewitEndpointAuthorization<MyPayload>();
+app.MapGet("/files/{id}", (string id) => ...)
+    .AddBewitAuthorization<MyPayload>();
+
+// or protect a group of endpoints:
+app.MapGroup("/api/files")
+    .AddBewitAuthorization<MyPayload>();
 ```
 
-The middleware validates the token from the configured header or query parameter and makes the payload available via `GetBewitPayload<T>()`.
+The filter validates the token from the configured header, query parameter, or pre-extracted `HttpContext.Items` entry, and makes the payload available via `GetBewitPayload<T>()`.
+
+### Middleware (global)
+
+Protect all endpoints via middleware:
+```csharp
+app.UseBewitEndpointAuthorization<MyPayload>();
+```
 
 ## Token Extraction
 
diff --git a/src/Extensions.Http/BewitEndpointExtensions.cs b/src/Extensions.Http/BewitEndpointExtensions.cs
@@ -1,5 +1,7 @@
 using Bewit.Http;
 using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Routing;
 
 namespace Microsoft.Extensions.DependencyInjection;
 
@@ -11,4 +13,18 @@ public static IApplicationBuilder UseBewitEndpointAuthorization<T>(
     {
         return app.UseMiddleware<BewitEndpointMiddleware<T>>();
     }
+
+    public static RouteHandlerBuilder AddBewitAuthorization<T>(this RouteHandlerBuilder builder)
+        where T : notnull
+    {
+        return builder.AddEndpointFilter<BewitEndpointFilter<T>>();
+    }
+
+    public static RouteGroupBuilder AddBewitAuthorization<T>(this RouteGroupBuilder builder)
+        where T : notnull
+    {
+        builder.AddEndpointFilter<BewitEndpointFilter<T>>();
+
+        return builder;
+    }
 }
diff --git a/src/Extensions.Http/BewitEndpointFilter.cs b/src/Extensions.Http/BewitEndpointFilter.cs
@@ -0,0 +1,68 @@
+using Bewit.Exceptions;
+using Bewit.Validation;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+
+namespace Bewit.Http;
+
+public sealed class BewitEndpointFilter<T> : IEndpointFilter
+    where T : notnull
+{
+    public async ValueTask<object?> InvokeAsync(
+        EndpointFilterInvocationContext context,
+        EndpointFilterDelegate next)
+    {
+        var httpContext = context.HttpContext;
+        var options = httpContext.RequestServices
+            .GetRequiredService<IOptions<BewitTokenExtractionOptions>>();
+
+        BewitTokenExtractionOptions config = options.Value;
+
+        string? tokenString = null;
+
+        if (httpContext.Items.TryGetValue(config.ContextKey, out var tokenObj))
+        {
+            tokenString = tokenObj as string;
+        }
+
+        if (string.IsNullOrWhiteSpace(tokenString)
+            && httpContext.Request.Headers.TryGetValue(
+                config.HeaderName, out var headerValues)
+            && headerValues.Count > 0)
+        {
+            tokenString = headerValues[0];
+        }
+
+        if (string.IsNullOrWhiteSpace(tokenString))
+        {
+            tokenString = httpContext.Request.Query[config.QueryParamName];
+        }
+
+        if (string.IsNullOrWhiteSpace(tokenString))
+        {
+            return Results.Unauthorized();
+        }
+
+        try
+        {
+            var validator = httpContext.RequestServices
+                .GetRequiredService<IBewitTokenValidator<T>>();
+
+            var payload = await validator.ValidateBewitTokenAsync(
+                new BewitToken<T>(tokenString),
+                httpContext.RequestAborted);
+
+            var httpContextAccessor = httpContext.RequestServices
+                .GetRequiredService<IHttpContextAccessor>();
+
+            httpContextAccessor.SetBewitPayload(payload);
+        }
+        catch (BewitException)
+        {
+            return Results.Forbid();
+        }
+
+        return await next(context);
+    }
+}
diff --git a/test/Extensions.Http.Tests/BewitEndpointFilterTests.cs b/test/Extensions.Http.Tests/BewitEndpointFilterTests.cs
@@ -0,0 +1,242 @@
+using Bewit.Exceptions;
+using Bewit.Validation;
+using FluentAssertions;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.HttpResults;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+using Moq;
+using Xunit;
+
+namespace Bewit.Extensions.Http.Tests;
+
+public class BewitEndpointFilterTests
+{
+    private static IOptions<BewitTokenExtractionOptions> CreateOptions(
+        Action<BewitTokenExtractionOptions>? configure = null)
+    {
+        var options = new BewitTokenExtractionOptions();
+        configure?.Invoke(options);
+
+        return Options.Create(options);
+    }
+
+    private static (DefaultHttpContext Context, ServiceProvider Services) CreateContext(
+        IBewitTokenValidator<string>? validator = null,
+        string? headerName = null,
+        string? headerValue = null,
+        string? queryString = null,
+        Action<BewitTokenExtractionOptions>? configureOptions = null)
+    {
+        var serviceCollection = new ServiceCollection()
+            .AddHttpContextAccessor()
+            .AddSingleton(CreateOptions(configureOptions));
+
+        if (validator is not null)
+        {
+            serviceCollection.AddSingleton(validator);
+        }
+
+        var services = serviceCollection.BuildServiceProvider();
+        var context = new DefaultHttpContext { RequestServices = services };
+
+        if (headerName is not null && headerValue is not null)
+        {
+            context.Request.Headers[headerName] = headerValue;
+        }
+
+        if (queryString is not null)
+        {
+            context.Request.QueryString = new QueryString(queryString);
+        }
+
+        var httpContextAccessor = services.GetRequiredService<IHttpContextAccessor>();
+        httpContextAccessor.HttpContext = context;
+
+        return (context, services);
+    }
+
+    [Fact]
+    public async Task InvokeAsync_WithNoToken_ShouldReturnUnauthorized()
+    {
+        var (context, _) = CreateContext();
+
+        var filter = new Bewit.Http.BewitEndpointFilter<string>();
+        var invocationContext = new DefaultEndpointFilterInvocationContext(context);
+
+        var result = await filter.InvokeAsync(
+            invocationContext, _ => ValueTask.FromResult<object?>(Results.Ok()));
+
+        result.Should().BeOfType<UnauthorizedHttpResult>();
+    }
+
+    [Fact]
+    public async Task InvokeAsync_WithHeaderToken_ShouldValidateAndCallNext()
+    {
+        var validatorMock = new Mock<IBewitTokenValidator<string>>();
+
+        validatorMock
+            .Setup(v => v.ValidateBewitTokenAsync(
+                It.IsAny<BewitToken<string>>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync("payload-value");
+
+        var (context, _) = CreateContext(
+            validator: validatorMock.Object,
+            headerName: "bewitToken",
+            headerValue: "valid-token");
+
+        var filter = new Bewit.Http.BewitEndpointFilter<string>();
+        var invocationContext = new DefaultEndpointFilterInvocationContext(context);
+        var nextCalled = false;
+
+        var result = await filter.InvokeAsync(
+            invocationContext,
+            _ =>
+            {
+                nextCalled = true;
+
+                return ValueTask.FromResult<object?>(Results.Ok());
+            });
+
+        nextCalled.Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task InvokeAsync_WithQueryToken_ShouldValidateAndCallNext()
+    {
+        var validatorMock = new Mock<IBewitTokenValidator<string>>();
+
+        validatorMock
+            .Setup(v => v.ValidateBewitTokenAsync(
+                It.IsAny<BewitToken<string>>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync("payload-value");
+
+        var (context, _) = CreateContext(
+            validator: validatorMock.Object,
+            queryString: "?bewit=valid-token");
+
+        var filter = new Bewit.Http.BewitEndpointFilter<string>();
+        var invocationContext = new DefaultEndpointFilterInvocationContext(context);
+        var nextCalled = false;
+
+        var result = await filter.InvokeAsync(
+            invocationContext,
+            _ =>
+            {
+                nextCalled = true;
+
+                return ValueTask.FromResult<object?>(Results.Ok());
+            });
+
+        nextCalled.Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task InvokeAsync_WithPreExtractedToken_ShouldValidateAndCallNext()
+    {
+        var validatorMock = new Mock<IBewitTokenValidator<string>>();
+
+        validatorMock
+            .Setup(v => v.ValidateBewitTokenAsync(
+                It.IsAny<BewitToken<string>>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync("payload-value");
+
+        var (context, _) = CreateContext(validator: validatorMock.Object);
+        context.Items["bewitToken"] = "pre-extracted-token";
+
+        var filter = new Bewit.Http.BewitEndpointFilter<string>();
+        var invocationContext = new DefaultEndpointFilterInvocationContext(context);
+        var nextCalled = false;
+
+        var result = await filter.InvokeAsync(
+            invocationContext,
+            _ =>
+            {
+                nextCalled = true;
+
+                return ValueTask.FromResult<object?>(Results.Ok());
+            });
+
+        nextCalled.Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task InvokeAsync_WithInvalidToken_ShouldReturnForbid()
+    {
+        var validatorMock = new Mock<IBewitTokenValidator<string>>();
+
+        validatorMock
+            .Setup(v => v.ValidateBewitTokenAsync(
+                It.IsAny<BewitToken<string>>(), It.IsAny<CancellationToken>()))
+            .ThrowsAsync(new BewitNotFoundException());
+
+        var (context, _) = CreateContext(
+            validator: validatorMock.Object,
+            queryString: "?bewit=invalid-token");
+
+        var filter = new Bewit.Http.BewitEndpointFilter<string>();
+        var invocationContext = new DefaultEndpointFilterInvocationContext(context);
+
+        var result = await filter.InvokeAsync(
+            invocationContext, _ => ValueTask.FromResult<object?>(Results.Ok()));
+
+        result.Should().BeOfType<ForbidHttpResult>();
+    }
+
+    [Fact]
+    public async Task InvokeAsync_WithCustomQueryParam_ShouldReadFromCustomParam()
+    {
+        var validatorMock = new Mock<IBewitTokenValidator<string>>();
+
+        validatorMock
+            .Setup(v => v.ValidateBewitTokenAsync(
+                It.IsAny<BewitToken<string>>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync("payload-value");
+
+        var (context, _) = CreateContext(
+            validator: validatorMock.Object,
+            queryString: "?token=custom-token",
+            configureOptions: o => o.QueryParamName = "token");
+
+        var filter = new Bewit.Http.BewitEndpointFilter<string>();
+        var invocationContext = new DefaultEndpointFilterInvocationContext(context);
+        var nextCalled = false;
+
+        var result = await filter.InvokeAsync(
+            invocationContext,
+            _ =>
+            {
+                nextCalled = true;
+
+                return ValueTask.FromResult<object?>(Results.Ok());
+            });
+
+        nextCalled.Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task InvokeAsync_WithValidToken_ShouldSetPayloadOnAccessor()
+    {
+        var validatorMock = new Mock<IBewitTokenValidator<string>>();
+
+        validatorMock
+            .Setup(v => v.ValidateBewitTokenAsync(
+                It.IsAny<BewitToken<string>>(), It.IsAny<CancellationToken>()))
+            .ReturnsAsync("expected-payload");
+
+        var (context, services) = CreateContext(
+            validator: validatorMock.Object,
+            headerName: "bewitToken",
+            headerValue: "valid-token");
+
+        var filter = new Bewit.Http.BewitEndpointFilter<string>();
+        var invocationContext = new DefaultEndpointFilterInvocationContext(context);
+
+        await filter.InvokeAsync(
+            invocationContext, _ => ValueTask.FromResult<object?>(Results.Ok()));
+
+        var accessor = services.GetRequiredService<IHttpContextAccessor>();
+        var payload = accessor.GetBewitPayload<string>();
+        payload.Should().Be("expected-payload");
+    }
+}
