Fix back-office runtime consolidation bugs

tjementum · tjementum · commit b60875c0d89f · 2026-04-28T16:41:49.000+02:00
diff --git a/application/AppGateway/appsettings.json b/application/AppGateway/appsettings.json
@@ -155,7 +155,10 @@
         },
         "Metadata": {
           "HostnameKey": "App"
-        }
+        },
+        "Transforms": [
+          { "RequestHeaderOriginalHost": true }
+        ]
       },
       "account-federation": {
         "ClusterId": "account-static",
diff --git a/application/account/Api/Endpoints/AuthenticationEndpoints.cs b/application/account/Api/Endpoints/AuthenticationEndpoints.cs
@@ -13,7 +13,9 @@ public sealed class AuthenticationEndpoints : IEndpoints
 
     public void MapEndpoints(IEndpointRouteBuilder routes)
     {
-        var group = routes.MapGroup(RoutesPrefix).WithTags("Authentication").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();
+        var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;
+
+        var group = routes.MapGroup(RoutesPrefix).WithTags("Authentication").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();
 
         group.MapPost("/logout", async Task<ApiResult> (IMediator mediator)
             => await mediator.Send(new LogoutCommand())
@@ -31,7 +33,9 @@ public void MapEndpoints(IEndpointRouteBuilder routes)
             => await mediator.Send(new RevokeSessionCommand { Id = id })
         );
 
-        // Note: This endpoint must be called with the refresh token as Bearer token in the Authorization header
+        // Note: This endpoint must be called with the refresh token as Bearer token in the Authorization header.
+        // Internal-only endpoint (BlockInternalApiTransform rejects external callers); skips RequireHost so
+        // backend-to-backend callers using the cluster's localhost address still reach it.
         routes.MapPost("/internal-api/account/authentication/refresh-authentication-tokens", async Task<ApiResult> (IMediator mediator)
             => await mediator.Send(new RefreshAuthenticationTokensCommand())
         ).WithGroupName(OpenApiDocumentNames.Account).DisableAntiforgery();
diff --git a/application/account/Api/Endpoints/BillingEndpoints.cs b/application/account/Api/Endpoints/BillingEndpoints.cs
@@ -12,7 +12,9 @@ public sealed class BillingEndpoints : IEndpoints
 
     public void MapEndpoints(IEndpointRouteBuilder routes)
     {
-        var group = routes.MapGroup(RoutesPrefix).WithTags("Billing").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();
+        var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;
+
+        var group = routes.MapGroup(RoutesPrefix).WithTags("Billing").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();
 
         group.MapGet("/payment-history", async Task<ApiResult<PaymentHistoryResponse>> ([AsParameters] GetPaymentHistoryQuery query, IMediator mediator)
             => await mediator.Send(query)
diff --git a/application/account/Api/Endpoints/EmailAuthenticationEndpoints.cs b/application/account/Api/Endpoints/EmailAuthenticationEndpoints.cs
@@ -12,7 +12,9 @@ public sealed class EmailAuthenticationEndpoints : IEndpoints
 
     public void MapEndpoints(IEndpointRouteBuilder routes)
     {
-        var group = routes.MapGroup(RoutesPrefix).WithTags("EmailAuthentication").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();
+        var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;
+
+        var group = routes.MapGroup(RoutesPrefix).WithTags("EmailAuthentication").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();
 
         group.MapPost("/login/start", async Task<ApiResult<StartEmailLoginResponse>> (StartEmailLoginCommand command, IMediator mediator)
             => await mediator.Send(command)
diff --git a/application/account/Api/Endpoints/ExternalAuthenticationEndpoints.cs b/application/account/Api/Endpoints/ExternalAuthenticationEndpoints.cs
@@ -13,7 +13,9 @@ public sealed class ExternalAuthenticationEndpoints : IEndpoints
 
     public void MapEndpoints(IEndpointRouteBuilder routes)
     {
-        var group = routes.MapGroup(RoutesPrefix).WithTags("ExternalAuthentication").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();
+        var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;
+
+        var group = routes.MapGroup(RoutesPrefix).WithTags("ExternalAuthentication").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();
 
         group.MapGet("/{provider}/login/start", async Task<ApiResult<string>> (ExternalProviderType provider, [AsParameters] StartExternalLoginCommand command, IMediator mediator)
             => await mediator.Send(command with { ProviderType = provider })
diff --git a/application/account/Api/Endpoints/StripeWebhookEndpoints.cs b/application/account/Api/Endpoints/StripeWebhookEndpoints.cs
@@ -13,7 +13,9 @@ public sealed class StripeWebhookEndpoints : IEndpoints
 
     public void MapEndpoints(IEndpointRouteBuilder routes)
     {
-        var group = routes.MapGroup(RoutesPrefix).WithTags("StripeWebhook").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();
+        var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;
+
+        var group = routes.MapGroup(RoutesPrefix).WithTags("StripeWebhook").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();
 
         // Two-phase webhook processing with pessimistic locking requires inline logic beyond 3-line convention
         group.MapPost("/", async Task<ApiResult> (HttpRequest request, IMediator mediator, ProcessPendingStripeEvents processPendingStripeEvents) =>
diff --git a/application/account/Api/Endpoints/SubscriptionEndpoints.cs b/application/account/Api/Endpoints/SubscriptionEndpoints.cs
@@ -12,7 +12,9 @@ public sealed class SubscriptionEndpoints : IEndpoints
 
     public void MapEndpoints(IEndpointRouteBuilder routes)
     {
-        var group = routes.MapGroup(RoutesPrefix).WithTags("Subscriptions").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();
+        var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;
+
+        var group = routes.MapGroup(RoutesPrefix).WithTags("Subscriptions").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();
 
         group.MapGet("/pricing-catalog", async Task<ApiResult<PricingCatalogResponse>> ([AsParameters] GetPricingCatalogQuery query, IMediator mediator)
             => await mediator.Send(query)
diff --git a/application/account/Api/Endpoints/TenantEndpoints.cs b/application/account/Api/Endpoints/TenantEndpoints.cs
@@ -13,7 +13,9 @@ public sealed class TenantEndpoints : IEndpoints
 
     public void MapEndpoints(IEndpointRouteBuilder routes)
     {
-        var group = routes.MapGroup(RoutesPrefix).WithTags("Tenants").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();
+        var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;
+
+        var group = routes.MapGroup(RoutesPrefix).WithTags("Tenants").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();
 
         group.MapGet("/current", async Task<ApiResult<TenantResponse>> (IMediator mediator)
             => await mediator.Send(new GetCurrentTenantQuery())
@@ -35,6 +37,8 @@ public void MapEndpoints(IEndpointRouteBuilder routes)
             => await mediator.Send(new RemoveTenantLogoCommand())
         );
 
+        // Internal-only endpoint (BlockInternalApiTransform rejects external callers); skips RequireHost so
+        // backend-to-backend callers using the cluster's localhost address still reach it.
         routes.MapDelete("/internal-api/account/tenants/{id}", async Task<ApiResult> (TenantId id, IMediator mediator)
             => await mediator.Send(new DeleteTenantCommand(id))
         ).WithGroupName(OpenApiDocumentNames.Account);
diff --git a/application/account/Api/Endpoints/UserEndpoints.cs b/application/account/Api/Endpoints/UserEndpoints.cs
@@ -13,7 +13,9 @@ public sealed class UserEndpoints : IEndpoints
 
     public void MapEndpoints(IEndpointRouteBuilder routes)
     {
-        var group = routes.MapGroup(RoutesPrefix).WithTags("Users").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();
+        var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;
+
+        var group = routes.MapGroup(RoutesPrefix).WithTags("Users").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();
 
         group.MapGet("/", async Task<ApiResult<UsersResponse>> ([AsParameters] GetUsersQuery query, IMediator mediator)
             => await mediator.Send(query)
diff --git a/application/account/Api/Program.cs b/application/account/Api/Program.cs
@@ -29,24 +29,44 @@
 var appHostname = app.Configuration["Hostnames:App"] ?? "app.unconfigured.invalid";
 var backOfficeHostname = app.Services.GetRequiredService<IOptions<BackOfficeHostOptions>>().Value.Host;
 
+// Per-host bundle URLs. The process-wide PUBLIC_URL/CDN_URL env vars are set by AppHost for the
+// user-facing host only, so the back-office host must inject its own to avoid embedding the account
+// SPA's bundle URLs into back-office HTML.
+var appPublicUrl = Environment.GetEnvironmentVariable(SinglePageAppConfiguration.PublicUrlKey);
+var appCdnUrl = Environment.GetEnvironmentVariable(SinglePageAppConfiguration.CdnUrlKey);
+var backOfficePublicUrl = appPublicUrl is null ? null : ReplaceHost(appPublicUrl, appHostname, backOfficeHostname);
+var backOfficeCdnUrl = backOfficePublicUrl;
+
 app
     .UseApiServices() // Add common configuration for all APIs like Swagger, HSTS, and DeveloperExceptionPage.
     .UseHostScopedSinglePageAppFallback(
         new HostScopedSinglePageApp(
             appHostname,
             "WebApp",
-            context => context.RequestServices.GetRequiredService<IExecutionContext>().UserInfo
+            context => context.RequestServices.GetRequiredService<IExecutionContext>().UserInfo,
+            appPublicUrl,
+            appCdnUrl
         ),
         new HostScopedSinglePageApp(
             backOfficeHostname,
             "BackOfficeWebApp",
-            BuildBackOfficeUserInfo
+            BuildBackOfficeUserInfo,
+            backOfficePublicUrl,
+            backOfficeCdnUrl,
+            BackOfficeIdentityDefaults.PolicyName
         )
     );
 
 await app.RunAsync();
 return;
 
+static string ReplaceHost(string url, string oldHost, string newHost)
+{
+    var uri = new Uri(url);
+    var builder = new UriBuilder(uri) { Host = uri.Host.Equals(oldHost, StringComparison.OrdinalIgnoreCase) ? newHost : uri.Host };
+    return builder.Uri.ToString().TrimEnd('/');
+}
+
 static UserInfo BuildBackOfficeUserInfo(HttpContext context)
 {
     var principal = context.User;
diff --git a/application/account/Tests/ArchitectureTests/EndpointMetadataTests.cs b/application/account/Tests/ArchitectureTests/EndpointMetadataTests.cs
@@ -2,23 +2,41 @@
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Mvc.Testing;
 using Microsoft.AspNetCore.Routing;
+using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using SharedKernel.OpenApi;
 using Xunit;
 
 namespace Account.Tests.ArchitectureTests;
 
 // Walks the actual registered endpoints in Account.Api and enforces:
-// - Every endpoint under /api/back-office/* must declare RequireHost.
+// - Every endpoint under /api/back-office/* must declare RequireHost on the back-office host.
+// - Every public endpoint under /api/account/* must declare RequireHost on the user-facing host.
+//   (/internal-api/* is only callable backend-to-backend, so it skips RequireHost; BlockInternalApiTransform in AppGateway rejects external callers.)
 // - Every endpoint under /api/account/* and /internal-api/account/* must declare WithGroupName("account").
 // - Every endpoint under /api/back-office/* must declare WithGroupName("back-office").
 public sealed class EndpointMetadataTests : IDisposable
 {
+    private const string AppHost = "app.test.localhost";
+    private const string BackOfficeHost = "back-office.test.localhost";
+
     private readonly WebApplicationFactory<Program> _webApplicationFactory;
 
     public EndpointMetadataTests()
     {
-        _webApplicationFactory = new WebApplicationFactory<Program>().WithWebHostBuilder(builder => builder.ConfigureLogging(logging => logging.AddFilter(_ => false)));
+        _webApplicationFactory = new WebApplicationFactory<Program>().WithWebHostBuilder(builder =>
+            {
+                builder.ConfigureLogging(logging => logging.AddFilter(_ => false));
+                builder.ConfigureAppConfiguration((_, configuration) =>
+                    configuration.AddInMemoryCollection(new Dictionary<string, string?>
+                        {
+                            ["Hostnames:App"] = AppHost,
+                            ["BackOffice:Host"] = BackOfficeHost
+                        }
+                    )
+                );
+            }
+        );
         // Force the host to start so the endpoint data source is populated.
         _ = _webApplicationFactory.Server;
     }
@@ -40,10 +58,28 @@ public void BackOfficeEndpoints_ShouldAllRequireHost()
 
         // Assert
         var endpointsMissingHost = backOfficeEndpoints
-            .Where(endpoint => endpoint.Metadata.GetMetadata<IHostMetadata>() is null)
+            .Where(endpoint => endpoint.Metadata.GetMetadata<IHostMetadata>() is null || !endpoint.Metadata.GetMetadata<IHostMetadata>()!.Hosts.Contains(BackOfficeHost))
+            .Select(endpoint => endpoint.RoutePattern.RawText)
+            .ToList();
+        endpointsMissingHost.Should().BeEmpty($"back-office endpoints must declare RequireHost('{BackOfficeHost}') so they cannot be reached via the user-facing host");
+    }
+
+    [Fact]
+    public void PublicAccountEndpoints_ShouldAllRequireHost()
+    {
+        // Arrange
+        var routeEndpoints = GetRouteEndpoints();
+        var publicAccountEndpoints = routeEndpoints
+            .Where(endpoint => endpoint.RoutePattern.RawText is { } pattern && pattern.StartsWith("/api/account", StringComparison.OrdinalIgnoreCase))
+            .ToList();
+        publicAccountEndpoints.Should().NotBeEmpty();
+
+        // Assert
+        var endpointsMissingHost = publicAccountEndpoints
+            .Where(endpoint => endpoint.Metadata.GetMetadata<IHostMetadata>() is null || !endpoint.Metadata.GetMetadata<IHostMetadata>()!.Hosts.Contains(AppHost))
             .Select(endpoint => endpoint.RoutePattern.RawText)
             .ToList();
-        endpointsMissingHost.Should().BeEmpty("back-office endpoints must declare RequireHost so they cannot be reached via the user-facing host");
+        endpointsMissingHost.Should().BeEmpty($"public account endpoints must declare RequireHost('{AppHost}') so they cannot be reached via the back-office host");
     }
 
     [Fact]
diff --git a/application/account/Tests/BackOffice/BackOfficeEndpointBaseTest.cs b/application/account/Tests/BackOffice/BackOfficeEndpointBaseTest.cs
@@ -55,7 +55,10 @@ protected BackOfficeEndpointBaseTest(string? configuredGroupId = null)
                     {
                         var backOfficeSettings = new Dictionary<string, string?>
                         {
-                            ["BackOffice:Host"] = BackOfficeHost
+                            ["BackOffice:Host"] = BackOfficeHost,
+                            // Account endpoints declare RequireHost(Hostnames:App). Tests that target the
+                            // user-facing host use app.test.localhost.
+                            ["Hostnames:App"] = "app.test.localhost"
                         };
                         if (configuredGroupId is not null)
                         {
diff --git a/application/account/Tests/EndpointBaseTest.cs b/application/account/Tests/EndpointBaseTest.cs
@@ -12,6 +12,7 @@
 using Microsoft.Data.Sqlite;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using NSubstitute;
 using SharedKernel.Authentication;
@@ -108,6 +109,18 @@ protected EndpointBaseTest()
                     }
                 );
 
+                builder.ConfigureAppConfiguration((_, configuration) =>
+                    {
+                        // Account endpoints declare RequireHost(Hostnames:App). The TestServer sends requests
+                        // to "localhost" by default, so configure the option to match.
+                        configuration.AddInMemoryCollection(new Dictionary<string, string?>
+                            {
+                                ["Hostnames:App"] = "localhost"
+                            }
+                        );
+                    }
+                );
+
                 builder.ConfigureTestServices(services =>
                     {
                         // Replace the default DbContext in the WebApplication to use an in-memory SQLite database
diff --git a/application/account/WebApp/tests/e2e/back-office-flows.spec.ts b/application/account/WebApp/tests/e2e/back-office-flows.spec.ts
@@ -25,6 +25,16 @@ test.describe("@smoke", () => {
     const page = await browserContext.newPage();
     createTestContext(page);
 
+    await step("Navigate to back-office root unauthenticated & verify redirect to mock easy auth login")(async () => {
+      const response = await page.request.get(`${BACK_OFFICE_BASE_URL}/`, {
+        headers: { Accept: "text/html" },
+        maxRedirects: 0
+      });
+
+      expect(response.status()).toBe(302);
+      expect(response.headers().location).toBe("/.auth/login/aad?post_login_redirect_uri=%2F");
+    })();
+
     await step("Navigate to authenticated back-office endpoint & verify redirect to mock easy auth login")(async () => {
       await page.goto("/api/back-office/me");
 
@@ -52,7 +62,9 @@ test.describe("@smoke", () => {
       expect(payload.groups).toContain("BackOfficeAdmins");
     })();
 
-    await step("Visit back-office root & verify the BackOfficeWebApp SPA shell is served")(async () => {
+    await step(
+      "Visit back-office root authenticated & verify SPA shell embeds back-office bundle URL and authenticated userInfo"
+    )(async () => {
       const response = await page.request.get(`${BACK_OFFICE_BASE_URL}/`, {
         headers: { Accept: "text/html" }
       });
@@ -61,6 +73,9 @@ test.describe("@smoke", () => {
       const body = await response.text();
       expect(body).toContain('id="back-office"');
       expect(body).toContain("<title>Back Office</title>");
+      expect(body).toContain("back-office.dev.localhost");
+      expect(body).not.toContain("/account/static/");
+      expect(body).toContain("&quot;isAuthenticated&quot;:true");
     })();
 
     await browserContext.close();
@@ -131,6 +146,17 @@ test.describe("@smoke", () => {
       expect(response.status()).toBe(401);
     })();
 
+    await step("GET /api/account/users/me on back-office host with account session & verify 404 from RequireHost")(
+      async () => {
+        const response = await accountAuthenticatedContext.get(`${BACK_OFFICE_BASE_URL}/api/account/users/me`, {
+          headers: { Accept: "application/json" },
+          maxRedirects: 0
+        });
+
+        expect(response.status()).toBe(404);
+      }
+    )();
+
     await accountAuthenticatedContext.dispose();
     await anonymousApiContext.dispose();
   });
diff --git a/application/shared-kernel/SharedKernel/SinglePageApp/HostScopedSinglePageApp.cs b/application/shared-kernel/SharedKernel/SinglePageApp/HostScopedSinglePageApp.cs
@@ -14,6 +14,9 @@ public sealed class HostScopedSinglePageApp(
     string host,
     string webAppProjectName,
     Func<HttpContext, UserInfo> userInfoFactory,
+    string? publicUrl = null,
+    string? cdnUrl = null,
+    string? authorizationPolicy = null,
     Dictionary<string, string>? environmentVariables = null
 )
 {
@@ -30,6 +33,27 @@ public sealed class HostScopedSinglePageApp(
     /// </summary>
     public Func<HttpContext, UserInfo> UserInfoFactory { get; } = userInfoFactory;
 
+    /// <summary>
+    ///     Per-host <c>PUBLIC_URL</c> override embedded into <c>StaticRuntimeEnvironment</c>. Required when a
+    ///     single process hosts multiple SPAs on different hostnames so each renders bundle URLs scoped to its
+    ///     own host. Falls back to the process-wide <c>PUBLIC_URL</c> environment variable when null.
+    /// </summary>
+    public string? PublicUrl { get; } = publicUrl;
+
+    /// <summary>
+    ///     Per-host <c>CDN_URL</c> override (paired with <see cref="PublicUrl" />). Falls back to the
+    ///     process-wide <c>CDN_URL</c> environment variable when null.
+    /// </summary>
+    public string? CdnUrl { get; } = cdnUrl;
+
+    /// <summary>
+    ///     Authorization policy applied to this host's <c>MapFallback</c>. Required for hosts whose SPA shell
+    ///     must authenticate the principal before <see cref="UserInfoFactory" /> runs (e.g. back-office).
+    ///     Null leaves the fallback anonymous, which is the correct setting for hosts whose API endpoints
+    ///     are gated separately and whose SPA shell should render unauthenticated.
+    /// </summary>
+    public string? AuthorizationPolicy { get; } = authorizationPolicy;
+
     /// <summary>Per-SPA runtime environment variables embedded into the HTML alongside <c>userInfo</c>.</summary>
     public Dictionary<string, string>? EnvironmentVariables { get; } = environmentVariables;
 }
diff --git a/application/shared-kernel/SharedKernel/SinglePageApp/SinglePageAppConfiguration.cs b/application/shared-kernel/SharedKernel/SinglePageApp/SinglePageAppConfiguration.cs
diff --git a/application/shared-kernel/SharedKernel/SinglePageApp/SinglePageAppFallbackExtensions.cs b/application/shared-kernel/SharedKernel/SinglePageApp/SinglePageAppFallbackExtensions.cs

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,9 @@ public sealed class BillingEndpoints : IEndpoints`
`12`	`12`
`13`	`13`	`public void MapEndpoints(IEndpointRouteBuilder routes)`
`14`	`14`	`{`
`15`		`- var group = routes.MapGroup(RoutesPrefix).WithTags("Billing").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();`
	`15`	`+ var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;`
	`16`	`+`
	`17`	`+ var group = routes.MapGroup(RoutesPrefix).WithTags("Billing").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();`
`16`	`18`
`17`	`19`	`group.MapGet("/payment-history", async Task<ApiResult<PaymentHistoryResponse>> ([AsParameters] GetPaymentHistoryQuery query, IMediator mediator)`
`18`	`20`	`=> await mediator.Send(query)`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,9 @@ public sealed class EmailAuthenticationEndpoints : IEndpoints`
`12`	`12`
`13`	`13`	`public void MapEndpoints(IEndpointRouteBuilder routes)`
`14`	`14`	`{`
`15`		`- var group = routes.MapGroup(RoutesPrefix).WithTags("EmailAuthentication").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();`
	`15`	`+ var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;`
	`16`	`+`
	`17`	`+ var group = routes.MapGroup(RoutesPrefix).WithTags("EmailAuthentication").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();`
`16`	`18`
`17`	`19`	`group.MapPost("/login/start", async Task<ApiResult<StartEmailLoginResponse>> (StartEmailLoginCommand command, IMediator mediator)`
`18`	`20`	`=> await mediator.Send(command)`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,9 @@ public sealed class ExternalAuthenticationEndpoints : IEndpoints`
`13`	`13`
`14`	`14`	`public void MapEndpoints(IEndpointRouteBuilder routes)`
`15`	`15`	`{`
`16`		`- var group = routes.MapGroup(RoutesPrefix).WithTags("ExternalAuthentication").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();`
	`16`	`+ var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;`
	`17`	`+`
	`18`	`+ var group = routes.MapGroup(RoutesPrefix).WithTags("ExternalAuthentication").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();`
`17`	`19`
`18`	`20`	`group.MapGet("/{provider}/login/start", async Task<ApiResult<string>> (ExternalProviderType provider, [AsParameters] StartExternalLoginCommand command, IMediator mediator)`
`19`	`21`	`=> await mediator.Send(command with { ProviderType = provider })`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,9 @@ public sealed class StripeWebhookEndpoints : IEndpoints`
`13`	`13`
`14`	`14`	`public void MapEndpoints(IEndpointRouteBuilder routes)`
`15`	`15`	`{`
`16`		`- var group = routes.MapGroup(RoutesPrefix).WithTags("StripeWebhook").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();`
	`16`	`+ var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;`
	`17`	`+`
	`18`	`+ var group = routes.MapGroup(RoutesPrefix).WithTags("StripeWebhook").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();`
`17`	`19`
`18`	`20`	`// Two-phase webhook processing with pessimistic locking requires inline logic beyond 3-line convention`
`19`	`21`	`group.MapPost("/", async Task<ApiResult> (HttpRequest request, IMediator mediator, ProcessPendingStripeEvents processPendingStripeEvents) =>`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,9 @@ public sealed class SubscriptionEndpoints : IEndpoints`
`12`	`12`
`13`	`13`	`public void MapEndpoints(IEndpointRouteBuilder routes)`
`14`	`14`	`{`
`15`		`- var group = routes.MapGroup(RoutesPrefix).WithTags("Subscriptions").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();`
	`15`	`+ var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;`
	`16`	`+`
	`17`	`+ var group = routes.MapGroup(RoutesPrefix).WithTags("Subscriptions").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();`
`16`	`18`
`17`	`19`	`group.MapGet("/pricing-catalog", async Task<ApiResult<PricingCatalogResponse>> ([AsParameters] GetPricingCatalogQuery query, IMediator mediator)`
`18`	`20`	`=> await mediator.Send(query)`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,9 @@ public sealed class UserEndpoints : IEndpoints`
`13`	`13`
`14`	`14`	`public void MapEndpoints(IEndpointRouteBuilder routes)`
`15`	`15`	`{`
`16`		`- var group = routes.MapGroup(RoutesPrefix).WithTags("Users").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();`
	`16`	`+ var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;`
	`17`	`+`
	`18`	`+ var group = routes.MapGroup(RoutesPrefix).WithTags("Users").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();`
`17`	`19`
`18`	`20`	`group.MapGet("/", async Task<ApiResult<UsersResponse>> ([AsParameters] GetUsersQuery query, IMediator mediator)`
`19`	`21`	`=> await mediator.Send(query)`