Remove RequireHost from account API endpoints so back-office host serves them post-split

tjementum · tjementum · commit d275e3263aec · 2026-04-29T18:25:05.000+02:00
diff --git a/application/account/Api/Endpoints/AuthenticationEndpoints.cs b/application/account/Api/Endpoints/AuthenticationEndpoints.cs
@@ -13,9 +13,7 @@ public sealed class AuthenticationEndpoints : IEndpoints
 
     public void MapEndpoints(IEndpointRouteBuilder routes)
     {
-        var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;
-
-        var group = routes.MapGroup(RoutesPrefix).WithTags("Authentication").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();
+        var group = routes.MapGroup(RoutesPrefix).WithTags("Authentication").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();
 
         group.MapPost("/logout", async Task<ApiResult> (IMediator mediator)
             => await mediator.Send(new LogoutCommand())
@@ -34,8 +32,8 @@ public void MapEndpoints(IEndpointRouteBuilder routes)
         );
 
         // Note: This endpoint must be called with the refresh token as Bearer token in the Authorization header.
-        // Internal-only endpoint (BlockInternalApiTransform rejects external callers); skips RequireHost so
-        // backend-to-backend callers using the cluster's localhost address still reach it.
+        // Internal-only endpoint reachable backend-to-backend via the cluster's localhost address.
+        // BlockInternalApiTransform in AppGateway rejects external callers.
         routes.MapPost("/internal-api/account/authentication/refresh-authentication-tokens", async Task<ApiResult> (IMediator mediator)
             => await mediator.Send(new RefreshAuthenticationTokensCommand())
         ).WithGroupName(OpenApiDocumentNames.Account).DisableAntiforgery();
diff --git a/application/account/Api/Endpoints/BillingEndpoints.cs b/application/account/Api/Endpoints/BillingEndpoints.cs
@@ -12,9 +12,7 @@ public sealed class BillingEndpoints : IEndpoints
 
     public void MapEndpoints(IEndpointRouteBuilder routes)
     {
-        var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;
-
-        var group = routes.MapGroup(RoutesPrefix).WithTags("Billing").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();
+        var group = routes.MapGroup(RoutesPrefix).WithTags("Billing").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();
 
         group.MapGet("/payment-history", async Task<ApiResult<PaymentHistoryResponse>> ([AsParameters] GetPaymentHistoryQuery query, IMediator mediator)
             => await mediator.Send(query)
diff --git a/application/account/Api/Endpoints/EmailAuthenticationEndpoints.cs b/application/account/Api/Endpoints/EmailAuthenticationEndpoints.cs
@@ -12,9 +12,7 @@ public sealed class EmailAuthenticationEndpoints : IEndpoints
 
     public void MapEndpoints(IEndpointRouteBuilder routes)
     {
-        var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;
-
-        var group = routes.MapGroup(RoutesPrefix).WithTags("EmailAuthentication").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();
+        var group = routes.MapGroup(RoutesPrefix).WithTags("EmailAuthentication").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();
 
         group.MapPost("/login/start", async Task<ApiResult<StartEmailLoginResponse>> (StartEmailLoginCommand command, IMediator mediator)
             => await mediator.Send(command)
diff --git a/application/account/Api/Endpoints/ExternalAuthenticationEndpoints.cs b/application/account/Api/Endpoints/ExternalAuthenticationEndpoints.cs
@@ -13,9 +13,7 @@ public sealed class ExternalAuthenticationEndpoints : IEndpoints
 
     public void MapEndpoints(IEndpointRouteBuilder routes)
     {
-        var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;
-
-        var group = routes.MapGroup(RoutesPrefix).WithTags("ExternalAuthentication").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();
+        var group = routes.MapGroup(RoutesPrefix).WithTags("ExternalAuthentication").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();
 
         group.MapGet("/{provider}/login/start", async Task<ApiResult<string>> (ExternalProviderType provider, [AsParameters] StartExternalLoginCommand command, IMediator mediator)
             => await mediator.Send(command with { ProviderType = provider })
diff --git a/application/account/Api/Endpoints/StripeWebhookEndpoints.cs b/application/account/Api/Endpoints/StripeWebhookEndpoints.cs
@@ -13,9 +13,7 @@ public sealed class StripeWebhookEndpoints : IEndpoints
 
     public void MapEndpoints(IEndpointRouteBuilder routes)
     {
-        var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;
-
-        var group = routes.MapGroup(RoutesPrefix).WithTags("StripeWebhook").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();
+        var group = routes.MapGroup(RoutesPrefix).WithTags("StripeWebhook").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();
 
         // Two-phase webhook processing with pessimistic locking requires inline logic beyond 3-line convention
         group.MapPost("/", async Task<ApiResult> (HttpRequest request, IMediator mediator, ProcessPendingStripeEvents processPendingStripeEvents) =>
diff --git a/application/account/Api/Endpoints/SubscriptionEndpoints.cs b/application/account/Api/Endpoints/SubscriptionEndpoints.cs
@@ -12,9 +12,7 @@ public sealed class SubscriptionEndpoints : IEndpoints
 
     public void MapEndpoints(IEndpointRouteBuilder routes)
     {
-        var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;
-
-        var group = routes.MapGroup(RoutesPrefix).WithTags("Subscriptions").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();
+        var group = routes.MapGroup(RoutesPrefix).WithTags("Subscriptions").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();
 
         group.MapGet("/pricing-catalog", async Task<ApiResult<PricingCatalogResponse>> ([AsParameters] GetPricingCatalogQuery query, IMediator mediator)
             => await mediator.Send(query)
diff --git a/application/account/Api/Endpoints/TenantEndpoints.cs b/application/account/Api/Endpoints/TenantEndpoints.cs
@@ -13,9 +13,7 @@ public sealed class TenantEndpoints : IEndpoints
 
     public void MapEndpoints(IEndpointRouteBuilder routes)
     {
-        var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;
-
-        var group = routes.MapGroup(RoutesPrefix).WithTags("Tenants").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();
+        var group = routes.MapGroup(RoutesPrefix).WithTags("Tenants").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();
 
         group.MapGet("/current", async Task<ApiResult<TenantResponse>> (IMediator mediator)
             => await mediator.Send(new GetCurrentTenantQuery())
@@ -37,8 +35,8 @@ public void MapEndpoints(IEndpointRouteBuilder routes)
             => await mediator.Send(new RemoveTenantLogoCommand())
         );
 
-        // Internal-only endpoint (BlockInternalApiTransform rejects external callers); skips RequireHost so
-        // backend-to-backend callers using the cluster's localhost address still reach it.
+        // Internal-only endpoint reachable backend-to-backend via the cluster's localhost address.
+        // BlockInternalApiTransform in AppGateway rejects external callers.
         routes.MapDelete("/internal-api/account/tenants/{id}", async Task<ApiResult> (TenantId id, IMediator mediator)
             => await mediator.Send(new DeleteTenantCommand(id))
         ).WithGroupName(OpenApiDocumentNames.Account);
diff --git a/application/account/Api/Endpoints/UserEndpoints.cs b/application/account/Api/Endpoints/UserEndpoints.cs
@@ -13,9 +13,7 @@ public sealed class UserEndpoints : IEndpoints
 
     public void MapEndpoints(IEndpointRouteBuilder routes)
     {
-        var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;
-
-        var group = routes.MapGroup(RoutesPrefix).WithTags("Users").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();
+        var group = routes.MapGroup(RoutesPrefix).WithTags("Users").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();
 
         group.MapGet("/", async Task<ApiResult<UsersResponse>> ([AsParameters] GetUsersQuery query, IMediator mediator)
             => await mediator.Send(query)
diff --git a/application/account/Tests/ArchitectureTests/EndpointMetadataTests.cs b/application/account/Tests/ArchitectureTests/EndpointMetadataTests.cs
@@ -11,8 +11,11 @@ namespace Account.Tests.ArchitectureTests;
 
 // Walks the actual registered endpoints in Account.Api and enforces:
 // - Every endpoint under /api/back-office/* must declare RequireHost on the back-office host.
-// - Every public endpoint under /api/account/* must declare RequireHost on the user-facing host.
-//   (/internal-api/* is only callable backend-to-backend, so it skips RequireHost; BlockInternalApiTransform in AppGateway rejects external callers.)
+//   Account-api hosts both the user-facing and back-office SPAs in one process; back-office endpoints
+//   stay host-scoped so they cannot be reached via the user-facing host.
+// - Public /api/account/* endpoints intentionally do NOT declare RequireHost. Internal-only ACA apps
+//   sit behind AppGateway and ACA's internal ingress; the host header from upstream proxies cannot
+//   be trusted as a security boundary, and AppGateway is the public trust boundary.
 // - Every endpoint under /api/account/* and /internal-api/account/* must declare WithGroupName("account").
 // - Every endpoint under /api/back-office/* must declare WithGroupName("back-office").
 public sealed class EndpointMetadataTests : IDisposable
@@ -65,7 +68,7 @@ public void BackOfficeEndpoints_ShouldAllRequireHost()
     }
 
     [Fact]
-    public void PublicAccountEndpoints_ShouldAllRequireHost()
+    public void PublicAccountEndpoints_ShouldNotDeclareRequireHost()
     {
         // Arrange
         var routeEndpoints = GetRouteEndpoints();
@@ -75,11 +78,11 @@ public void PublicAccountEndpoints_ShouldAllRequireHost()
         publicAccountEndpoints.Should().NotBeEmpty();
 
         // Assert
-        var endpointsMissingHost = publicAccountEndpoints
-            .Where(endpoint => endpoint.Metadata.GetMetadata<IHostMetadata>() is null || !endpoint.Metadata.GetMetadata<IHostMetadata>()!.Hosts.Contains(AppHost))
+        var endpointsWithHost = publicAccountEndpoints
+            .Where(endpoint => endpoint.Metadata.GetMetadata<IHostMetadata>() is not null)
             .Select(endpoint => endpoint.RoutePattern.RawText)
             .ToList();
-        endpointsMissingHost.Should().BeEmpty($"public account endpoints must declare RequireHost('{AppHost}') so they cannot be reached via the back-office host");
+        endpointsWithHost.Should().BeEmpty("public account endpoints must NOT declare RequireHost. AppGateway and ACA internal ingress are the trust boundaries; X-Forwarded-Host from upstream proxies is not a reliable security signal.");
     }
 
     [Fact]
diff --git a/application/account/Tests/BackOffice/BackOfficeEndpointBaseTest.cs b/application/account/Tests/BackOffice/BackOfficeEndpointBaseTest.cs
@@ -62,8 +62,8 @@ protected BackOfficeEndpointBaseTest()
                             // configuring it here lets BackOfficeAdminAuthorizationHandler and GetMe.IsAdmin
                             // resolve admin status the same way they do in dev.
                             ["BackOffice:AdminsGroupId"] = MockEasyAuthIdentities.MockAdminsGroupId,
-                            // Account endpoints declare RequireHost(Hostnames:App). Tests that target the
-                            // user-facing host use app.test.localhost.
+                            // The user-facing SPA shell is scoped to Hostnames:App via UseHostScopedSinglePageAppFallback.
+                            // Tests that target the user-facing host use app.test.localhost.
                             ["Hostnames:App"] = "app.test.localhost"
                         };
 
diff --git a/application/account/Tests/EndpointBaseTest.cs b/application/account/Tests/EndpointBaseTest.cs
@@ -111,8 +111,9 @@ protected EndpointBaseTest()
 
                 builder.ConfigureAppConfiguration((_, configuration) =>
                     {
-                        // Account endpoints declare RequireHost(Hostnames:App). The TestServer sends requests
-                        // to "localhost" by default, so configure the option to match.
+                        // Account-api hosts both the user-facing and back-office SPAs scoped via RequireHost
+                        // on each MapFallback. The TestServer sends requests to "localhost" by default, so
+                        // configure Hostnames:App to match for the user-facing SPA shell.
                         configuration.AddInMemoryCollection(new Dictionary<string, string?>
                             {
                                 ["Hostnames:App"] = "localhost"
diff --git a/application/shared-kernel/SharedKernel/Configuration/ApiDependencyConfiguration.cs b/application/shared-kernel/SharedKernel/Configuration/ApiDependencyConfiguration.cs
@@ -139,7 +139,7 @@ public WebApplication UseApiServices()
 
             app
                 .UseForwardedHeaders()
-                .UseRouting() // Explicit so it runs AFTER UseForwardedHeaders. Without this, ASP.NET Core inserts UseRouting at the start of the pipeline and endpoint matching (RequireHost) sees the unrewritten Host header forwarded by YARP (the destination address), not the public host promoted from X-Forwarded-Host.
+                .UseRouting() // Explicit so it runs AFTER UseForwardedHeaders. Without this, ASP.NET Core inserts UseRouting at the start of the pipeline and the SPA-host fallback (UseHostScopedSinglePageAppFallback's RequireHost) sees the unrewritten Host header forwarded by YARP (the destination address), not the public host promoted from X-Forwarded-Host.
                 .UseMockEasyAuthInDevelopment() // Dev-only: serve /.auth/login/aad and inject X-MS-CLIENT-PRINCIPAL-* headers from a dev cookie. Must run before authentication.
                 .UseAuthentication() // Must be above TelemetryContextMiddleware to ensure authentication happens first
                 .UseAuthorization()
@@ -286,11 +286,13 @@ public IServiceCollection AddHttpForwardHeaders()
             // This is required when running behind a reverse proxy like YARP or Azure Container Apps
             return services.Configure<ForwardedHeadersOptions>(options =>
                 {
-                    // X-Forwarded-For for client-IP logging; X-Forwarded-Proto for scheme awareness;
-                    // X-Forwarded-Host is no longer load-bearing for RequireHost matching because
-                    // AppGateway's RequestHeaderOriginalHost transform preserves the public Host at
-                    // the YARP layer; X-Forwarded-Host stays enabled as a defense-in-depth fallback
-                    // that the trust list below gates so untrusted callers cannot rewrite Request.Host.
+                    // X-Forwarded-For surfaces client IPs in logs; X-Forwarded-Proto sets the request
+                    // scheme so generated URLs use https. X-Forwarded-Host remains enabled because the
+                    // SPA-host fallback (UseHostScopedSinglePageAppFallback) RequireHost's against
+                    // Request.Host to pick the right SPA bundle; that one needs the public host to be
+                    // promoted on dev where AppGateway forwards across hostnames. API endpoints no
+                    // longer rely on X-Forwarded-Host -- AppGateway and ACA's internal ingress are the
+                    // trust boundary, so endpoints that previously declared RequireHost have dropped it.
                     options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost;
                     options.ForwardLimit = 1;
                     // Honor forwarded headers only from trusted proxies. Loopback covers the Aspire

Original file line number	Diff line number	Diff line change
`@@ -12,9 +12,7 @@ public sealed class BillingEndpoints : IEndpoints`
`12`	`12`
`13`	`13`	`public void MapEndpoints(IEndpointRouteBuilder routes)`
`14`	`14`	`{`
`15`		`- var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;`
`16`		`-`
`17`		`- var group = routes.MapGroup(RoutesPrefix).WithTags("Billing").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();`
	`15`	`+ var group = routes.MapGroup(RoutesPrefix).WithTags("Billing").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();`
`18`	`16`
`19`	`17`	`group.MapGet("/payment-history", async Task<ApiResult<PaymentHistoryResponse>> ([AsParameters] GetPaymentHistoryQuery query, IMediator mediator)`
`20`	`18`	`=> await mediator.Send(query)`
Original file line number	Diff line number	Diff line change
`@@ -12,9 +12,7 @@ public sealed class EmailAuthenticationEndpoints : IEndpoints`
`12`	`12`
`13`	`13`	`public void MapEndpoints(IEndpointRouteBuilder routes)`
`14`	`14`	`{`
`15`		`- var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;`
`16`		`-`
`17`		`- var group = routes.MapGroup(RoutesPrefix).WithTags("EmailAuthentication").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();`
	`15`	`+ var group = routes.MapGroup(RoutesPrefix).WithTags("EmailAuthentication").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();`
`18`	`16`
`19`	`17`	`group.MapPost("/login/start", async Task<ApiResult<StartEmailLoginResponse>> (StartEmailLoginCommand command, IMediator mediator)`
`20`	`18`	`=> await mediator.Send(command)`
Original file line number	Diff line number	Diff line change
`@@ -13,9 +13,7 @@ public sealed class ExternalAuthenticationEndpoints : IEndpoints`
`13`	`13`
`14`	`14`	`public void MapEndpoints(IEndpointRouteBuilder routes)`
`15`	`15`	`{`
`16`		`- var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;`
`17`		`-`
`18`		`- var group = routes.MapGroup(RoutesPrefix).WithTags("ExternalAuthentication").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();`
	`16`	`+ var group = routes.MapGroup(RoutesPrefix).WithTags("ExternalAuthentication").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();`
`19`	`17`
`20`	`18`	`group.MapGet("/{provider}/login/start", async Task<ApiResult<string>> (ExternalProviderType provider, [AsParameters] StartExternalLoginCommand command, IMediator mediator)`
`21`	`19`	`=> await mediator.Send(command with { ProviderType = provider })`
Original file line number	Diff line number	Diff line change
`@@ -13,9 +13,7 @@ public sealed class StripeWebhookEndpoints : IEndpoints`
`13`	`13`
`14`	`14`	`public void MapEndpoints(IEndpointRouteBuilder routes)`
`15`	`15`	`{`
`16`		`- var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;`
`17`		`-`
`18`		`- var group = routes.MapGroup(RoutesPrefix).WithTags("StripeWebhook").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();`
	`16`	`+ var group = routes.MapGroup(RoutesPrefix).WithTags("StripeWebhook").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();`
`19`	`17`
`20`	`18`	`// Two-phase webhook processing with pessimistic locking requires inline logic beyond 3-line convention`
`21`	`19`	`group.MapPost("/", async Task<ApiResult> (HttpRequest request, IMediator mediator, ProcessPendingStripeEvents processPendingStripeEvents) =>`
Original file line number	Diff line number	Diff line change
`@@ -12,9 +12,7 @@ public sealed class SubscriptionEndpoints : IEndpoints`
`12`	`12`
`13`	`13`	`public void MapEndpoints(IEndpointRouteBuilder routes)`
`14`	`14`	`{`
`15`		`- var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;`
`16`		`-`
`17`		`- var group = routes.MapGroup(RoutesPrefix).WithTags("Subscriptions").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();`
	`15`	`+ var group = routes.MapGroup(RoutesPrefix).WithTags("Subscriptions").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();`
`18`	`16`
`19`	`17`	`group.MapGet("/pricing-catalog", async Task<ApiResult<PricingCatalogResponse>> ([AsParameters] GetPricingCatalogQuery query, IMediator mediator)`
`20`	`18`	`=> await mediator.Send(query)`
Original file line number	Diff line number	Diff line change
`@@ -13,9 +13,7 @@ public sealed class UserEndpoints : IEndpoints`
`13`	`13`
`14`	`14`	`public void MapEndpoints(IEndpointRouteBuilder routes)`
`15`	`15`	`{`
`16`		`- var appHost = routes.ServiceProvider.GetRequiredService<IConfiguration>()["Hostnames:App"]!;`
`17`		`-`
`18`		`- var group = routes.MapGroup(RoutesPrefix).WithTags("Users").WithGroupName(OpenApiDocumentNames.Account).RequireHost(appHost).RequireAuthorization().ProducesValidationProblem();`
	`16`	`+ var group = routes.MapGroup(RoutesPrefix).WithTags("Users").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();`
`19`	`17`
`20`	`18`	`group.MapGet("/", async Task<ApiResult<UsersResponse>> ([AsParameters] GetUsersQuery query, IMediator mediator)`
`21`	`19`	`=> await mediator.Send(query)`