Добавил получение guid пользователя по фио через токен

SfeduSchedule/Auth/ApiKeyAuthenticationDefaults.cs

@@ -0,0 +1,7 @@
+namespace SfeduSchedule.Auth;
+
+public static class ApiKeyAuthenticationDefaults
+{
+    public const string Scheme = "ApiKey";
+    public const string HeaderName = "X-Api-Key";
+}

SfeduSchedule/Auth/ApiKeyAuthenticationHandler.cs

@@ -0,0 +1,72 @@
+using System.Security.Claims;
+using System.Text;
+using System.Text.Encodings.Web;
+using System.Security.Cryptography;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.Options;
+
+namespace SfeduSchedule.Auth;
+
+public class ApiKeyAuthenticationHandler(
+    IOptionsMonitor<AuthenticationSchemeOptions> options,
+    ILoggerFactory logger,
+    UrlEncoder encoder,
+    IConfiguration configuration)
+    : AuthenticationHandler<AuthenticationSchemeOptions>(options, logger, encoder)
+{
+    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
+    {
+        // Ожидаем ключ из ENV
+        var expectedKey = configuration["API_KEY"];
+        if (string.IsNullOrEmpty(expectedKey))
+            return Task.FromResult(AuthenticateResult.Fail("API key is not configured."));
+
+        // Ищем ключ в заголовке X-Api-Key (и опционально в query ?api_key=)
+        string? providedKey = null;
+
+        if (Request.Headers.TryGetValue(ApiKeyAuthenticationDefaults.HeaderName, out var values))
+            providedKey = values.FirstOrDefault();
+
+        if (string.IsNullOrEmpty(providedKey) &&
+            Request.Query.TryGetValue("api_key", out var qv))
+            providedKey = qv.FirstOrDefault();
+
+        if (string.IsNullOrEmpty(providedKey))
+            // Нет ключа — позволь другим схемам (если есть) продолжить; при [Authorize] будет 401
+            return Task.FromResult(AuthenticateResult.NoResult());
+
+        if (!ConstantTimeEquals(providedKey!, expectedKey))
+            return Task.FromResult(AuthenticateResult.Fail("Invalid API key."));
+
+        var claims = new[]
+        {
+            new Claim(ClaimTypes.NameIdentifier, "api-key"),
+            new Claim(ClaimTypes.Name, "api-key-user"),
+        };
+
+        var identity = new ClaimsIdentity(claims, ApiKeyAuthenticationDefaults.Scheme);
+        var principal = new ClaimsPrincipal(identity);
+        var ticket = new AuthenticationTicket(principal, ApiKeyAuthenticationDefaults.Scheme);
+
+        return Task.FromResult(AuthenticateResult.Success(ticket));
+    }
+
+    protected override Task HandleChallengeAsync(AuthenticationProperties properties)
+    {
+        Response.Headers["WWW-Authenticate"] =
+            $"{ApiKeyAuthenticationDefaults.Scheme} realm=\"api\", header=\"{ApiKeyAuthenticationDefaults.HeaderName}\"";
+        Response.StatusCode = 401;
+        return Task.CompletedTask;
+    }
+
+    private static bool ConstantTimeEquals(string a, string b)
+    {
+        var aBytes = Encoding.UTF8.GetBytes(a);
+        var bBytes = Encoding.UTF8.GetBytes(b);
+
+        if (aBytes.Length != bBytes.Length)
+            return false;
+
+        return CryptographicOperations.FixedTimeEquals(aBytes, bBytes);
+    }
+}

SfeduSchedule/Auth/SwaggerAuthorizeOperationFilter.cs

@@ -0,0 +1,33 @@
+using Microsoft.OpenApi.Models;
+using Swashbuckle.AspNetCore.SwaggerGen;
+using Microsoft.AspNetCore.Authorization;
+
+namespace SfeduSchedule.Auth
+{
+    public class SwaggerAuthorizeOperationFilter : IOperationFilter
+    {
+        public void Apply(OpenApiOperation operation, OperationFilterContext context)
+        {
+            var hasAuthorize = context.MethodInfo.GetCustomAttributes(true).OfType<AuthorizeAttribute>().Any() ||
+                               context.MethodInfo.DeclaringType?.GetCustomAttributes(true).OfType<AuthorizeAttribute>().Any() == true;
+            if (hasAuthorize)
+            {
+                operation.Security ??= new List<OpenApiSecurityRequirement>();
+                operation.Security.Add(new OpenApiSecurityRequirement
+                {
+                    {
+                        new OpenApiSecurityScheme
+                        {
+                            Reference = new OpenApiReference
+                            {
+                                Type = ReferenceType.SecurityScheme,
+                                Id = ApiKeyAuthenticationDefaults.Scheme
+                            }
+                        },
+                        new List<string>()
+                    }
+                });
+            }
+        }
+    }
+}

SfeduSchedule/Controllers/ScheduleController.cs

@@ -1,3 +1,4 @@
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.RateLimiting;
 using SfeduSchedule.Services;
@@ -41,5 +42,25 @@ namespace SfeduSchedule.Controllers
             var schedule = await modeusService.GetScheduleAsync(request);
             return Ok(schedule);
         }
+
+        /// <summary>
+        /// Получить GUID пользователя по полному имени. (требуется авторизация)
+        /// </summary>
+        /// <param name="fullname">Полное имя пользователя.</param>
+        /// <returns>GUID пользователя.</returns>
+        /// <response code="200">Возвращает GUID пользователя</response>
+        /// <response code="404">Пользователь не найден</response>
+        /// <response code="401">Неавторизованный</response>
+        [HttpGet]
+        [Authorize(AuthenticationSchemes = "ApiKey")]
+        [Route("GetGuid")]
+        public async Task<IActionResult> GetGuid(string fullname)
+        {
+            var guid = await modeusService.GetGuidAsync(fullname);
+            if (string.IsNullOrEmpty(guid))
+                return NotFound();
+
+            return Ok(guid);
+        }
     }
 }

SfeduSchedule/Controllers/SfeduController.cs

@@ -6,7 +6,7 @@ namespace SfeduSchedule.Controllers
 {
     [ApiController]
     [Route("api/[controller]")]
-    [Authorize]
+    [Authorize(AuthenticationSchemes = "OpenIdConnect")]
     public class SfeduController : ControllerBase
     {
         private readonly ModeusService _modeusService;
@@ -20,7 +20,8 @@ namespace SfeduSchedule.Controllers
         /// <returns>Строка GUID пользователя или редирект на указанный URI.</returns>
         /// <response code="200">Возвращает GUID пользователя</response>
         /// <response code="302">Редирект на указанный URI</response>
-        /// <response code="500">Ошибка при получении имени пользователя или GUID</response>
+        /// <response code="404">Пользователь не найден</response>
+        /// <response code="401">Неавторизованный</response>
         [HttpGet]
         [Route("guid")]
         public async Task<IActionResult> Get([FromQuery] string? redirectUri)
@@ -31,7 +32,7 @@ namespace SfeduSchedule.Controllers
 
             var guid = await _modeusService.GetGuidAsync(name);
             if (string.IsNullOrEmpty(guid))
-                return StatusCode(StatusCodes.Status500InternalServerError);
+                return NotFound();
 
             if (!string.IsNullOrEmpty(redirectUri))
             {

SfeduSchedule/PluginLoader.cs

@@ -2,6 +2,8 @@ using System.Reflection;
 using System.Runtime.Loader;
 using SfeduSchedule.Plugin.Abstractions;
 
+namespace SfeduSchedule;
+
 public sealed record LoadedPlugin(IPlugin Instance, Assembly Assembly, PluginLoadContext Context);
 
 public static class PluginLoader
@@ -48,7 +50,7 @@ public sealed class PluginLoadContext : AssemblyLoadContext
     }
 
     // Разрешаем управляемые зависимости плагина из его папки.
-    // Возвращаем null, чтобы отдать решение в Default ALC для общих сборок (например, Plugin.Abstractions).
+    // Возвращаем null, чтобы отдать решение в Default ALC для общих сборок (например, SfeduSchedule.Plugin.Abstractions).
     protected override Assembly? Load(AssemblyName assemblyName)
     {
         var path = _resolver.ResolveAssemblyToPath(assemblyName);

SfeduSchedule/Program.cs

@@ -1,4 +1,6 @@
 using System.Threading.RateLimiting;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.Identity.Web;
 using Quartz;
 using SfeduSchedule;
@@ -7,6 +9,7 @@ using SfeduSchedule.Services;
 using X.Extensions.Logging.Telegram.Extensions;
 using Microsoft.AspNetCore.HttpOverrides;
 using Microsoft.AspNetCore.Mvc.ApplicationParts;
+using SfeduSchedule.Auth;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -50,6 +53,12 @@ if (!string.IsNullOrEmpty(tgChatId) && !string.IsNullOrEmpty(tgToken))
 var mvcBuilder = builder.Services.AddControllers();
 builder.Services.AddHttpClient<ModeusService>();
 
+builder.Services.AddAuthentication()
+    .AddScheme<AuthenticationSchemeOptions, ApiKeyAuthenticationHandler>(
+        ApiKeyAuthenticationDefaults.Scheme, _ => { });
+
+builder.Services.AddAuthorization();
+
 builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration);
 
 // Загружаем плагины (изолированно), даём им зарегистрировать DI и подключаем контроллеры
@@ -63,7 +72,6 @@ foreach (var p in loaded)
     mvcBuilder.PartManager.ApplicationParts.Add(new AssemblyPart(p.Assembly));
 }
 
-
 var jobKey = new JobKey("UpdateJWTJob");
 
 if (string.IsNullOrEmpty(preinstalledJwtToken))
@@ -88,6 +96,17 @@ builder.Services.AddSwaggerGen(options =>
     var xmlFile = $"{System.Reflection.Assembly.GetExecutingAssembly().GetName().Name}.xml";
     var xmlPath = Path.Combine(AppContext.BaseDirectory, xmlFile);
     options.IncludeXmlComments(xmlPath);
+
+    // Добавляем только схему авторизации по ApiKey
+    options.AddSecurityDefinition(ApiKeyAuthenticationDefaults.Scheme, new Microsoft.OpenApi.Models.OpenApiSecurityScheme
+    {
+        Description = $"Api Key needed to access the endpoints. {ApiKeyAuthenticationDefaults.HeaderName}: Your_API_Key",
+        Name = ApiKeyAuthenticationDefaults.HeaderName,
+        In = Microsoft.OpenApi.Models.ParameterLocation.Header,
+        Type = Microsoft.OpenApi.Models.SecuritySchemeType.ApiKey,
+        Scheme = ApiKeyAuthenticationDefaults.Scheme
+    });
+    options.OperationFilter<SwaggerAuthorizeOperationFilter>();
 });
 
 builder.Services.AddRateLimiter(options =>
@@ -169,14 +188,10 @@ if (string.IsNullOrEmpty(preinstalledJwtToken))
         await scheduler.TriggerJob(jobKey);
 }
 
-
-if (app.Environment.IsDevelopment())
-{
-    app.MapOpenApi();
-}
-
 app.UseSwagger();
 app.UseSwaggerUI();
+
+app.UseAuthentication();
 app.UseAuthorization();
 
 app.UseStaticFiles();

SfeduSchedule/SfeduSchedule.csproj

@@ -10,7 +10,6 @@
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="9.0.8"/>
         <PackageReference Include="Microsoft.Identity.Web" Version="3.14.0" />
         <PackageReference Include="Microsoft.Playwright" Version="1.55.0" />
         <PackageReference Include="Quartz.AspNetCore" Version="3.15.0" />

docker-compose-prod.yml

@@ -15,6 +15,7 @@ services:
             - MS_PASSWORD=${MS_PASSWORD}
             - TG_CHAT_ID=${TG_CHAT_ID}
             - TG_TOKEN=${TG_TOKEN}
+            - API_KEY=${API_KEY}
             # - TOKEN=${TOKEN}
         volumes:
             - data:/app/data

docker-compose-test.yml

@@ -15,6 +15,7 @@ services:
             - MS_PASSWORD=${MS_PASSWORD}
             - TG_CHAT_ID=${TG_CHAT_ID}
             - TG_TOKEN=${TG_TOKEN}
+            - API_KEY=${API_KEY}
             # - TOKEN=${TOKEN}
         volumes:
             - ./data:/app/data