autentizace - prepinani Internal a Windows

RIIT/RIIT/Components/App.razor

@@ -15,8 +15,11 @@
 </head>
 
 <body>
+    @* <CascadingAuthenticationState> *@
     <Routes @rendermode="PageRenderMode" />
+   @*  </CascadingAuthenticationState> *@
     <ReconnectModal />
+
     <script src="@Assets["_framework/blazor.web.js"]"></script>
     <script src="@Assets["Components/Account/Shared/PasskeySubmit.razor.js"]" type="module"></script>
 </body>

RIIT/RIIT/Components/Pages/Home.razor

@@ -5,3 +5,5 @@
 <h1>Hello, world!</h1>
 
 Welcome to your new app.
+
+

RIIT/RIIT/Components/Routes.razor

@@ -1,8 +1,9 @@
 @using RIIT.Components.Account.Shared
-<Router AppAssembly="typeof(Program).Assembly" NotFoundPage="typeof(Pages.NotFound)">
+<Router AppAssembly="@typeof(Program).Assembly" NotFoundPage="typeof(Pages.NotFound)">
     <Found Context="routeData">
         <AuthorizeRouteView RouteData="routeData" DefaultLayout="typeof(Layout.MainLayout)">
             <NotAuthorized>
+                @* <p>Windows vás nepoznal (401 Unauthorized).</p> *@
                 <RedirectToLogin />
             </NotAuthorized>
         </AuthorizeRouteView>

RIIT/RIIT/Program.cs

@@ -1,6 +1,5 @@
-using System.Security.Claims;
-using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Negotiate;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Components.Authorization;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.EntityFrameworkCore;
@@ -10,164 +9,111 @@ using RIIT.Data;
 
 var builder = WebApplication.CreateBuilder(args);
 
-// ===== Auth mode switches (configurable via appsettings.json) =====
+// ===== Pøepínaè režimu (appsettings.json: "Auth:Mode": "Windows" | "Internal") =====
 var authMode = builder.Configuration["Auth:Mode"]?.Trim() ?? "Internal";
 var windowsEnabled = string.Equals(authMode, "Windows", StringComparison.OrdinalIgnoreCase);
 
-// Detect IIS / IIS Express hosting (intranet scenario)
-var runningUnderIis = !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("ASPNETCORE_IIS_PHYSICAL_PATH"));
-
-// Add services to the container.
-builder.Services.AddRazorComponents()
-    .AddInteractiveServerComponents();
-
-builder.Services.AddCascadingAuthenticationState();
-builder.Services.AddScoped<IdentityRedirectManager>();
-builder.Services.AddScoped<AuthenticationStateProvider, IdentityRevalidatingAuthenticationStateProvider>();
-
-// Authentication: primary = Identity cookie
-builder.Services.AddAuthentication(options =>
+if (windowsEnabled)
 {
-    options.DefaultScheme = IdentityConstants.ApplicationScheme;
-    options.DefaultSignInScheme = IdentityConstants.ExternalScheme;
-
-    // Keep challenge on cookie/login page; Windows is performed explicitly via /auth/windows.
-    options.DefaultChallengeScheme = IdentityConstants.ApplicationScheme;
-})
-    .AddIdentityCookies();
-
-// Windows Integrated (Kerberos/NTLM):
-// - On IIS / IIS Express: do NOT register AddNegotiate(); IIS handles Windows auth and populates HttpContext.User.
-// - Outside IIS: you may register AddNegotiate() (optional), but typical intranet hosting uses IIS anyway.
-if (windowsEnabled && !runningUnderIis)
-{
-    builder.Services.AddAuthentication()
+    // ? Negotiate v aplikaci (Kestrel) – POZOR: nepoužívej za IIS s Windows Auth!
+    builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
                     .AddNegotiate();
-}
 
-builder.Services.AddAuthorization();
-
-var connectionString = builder.Configuration.GetConnectionString("DefaultConnection")
-    ?? throw new InvalidOperationException("Connection string 'DefaultConnection' not found.");
-
-builder.Services.AddDbContext<ApplicationDbContext>(options =>
-    options.UseSqlServer(connectionString));
-
-builder.Services.AddDatabaseDeveloperPageExceptionFilter();
-
-builder.Services.AddIdentityCore<ApplicationUser>(options =>
-{
-    // Email confirmation disabled for now (can be enabled later)
-    options.SignIn.RequireConfirmedAccount = false;
-    options.Stores.SchemaVersion = IdentitySchemaVersions.Version3;
-})
-    .AddEntityFrameworkStores<ApplicationDbContext>()
-    .AddSignInManager()
-    .AddDefaultTokenProviders();
-
-builder.Services.AddSingleton<IEmailSender<ApplicationUser>, IdentityNoOpEmailSender>();
-
-var app = builder.Build();
-
-// Optionally guard against misconfiguration
-// (Windows mode is intended for IIS/IIS Express intranet hosting)
-if (windowsEnabled && !runningUnderIis)
-{
-    app.Logger.LogWarning("Auth:Mode=Windows but the app is not running under IIS/IIS Express. Windows Integrated auth may not work as expected.");
-}
-
-// Configure the HTTP request pipeline.
-if (app.Environment.IsDevelopment())
-{
-    app.UseMigrationsEndPoint();
+    // Vyžaduj pøihlášení všude (Fallback = Default)
+    builder.Services.AddAuthorization(options =>
+    {
+        options.FallbackPolicy = options.DefaultPolicy;
+    });
 }
 else
 {
-    app.UseExceptionHandler("/Error", createScopeForErrors: true);
+    // ? Interní Identity úèty (cookies)
+    builder.Services.AddScoped<IdentityRedirectManager>();
+    builder.Services.AddScoped<AuthenticationStateProvider, IdentityRevalidatingAuthenticationStateProvider>();
+    builder.Services.AddAuthentication(options =>
+    {
+        options.DefaultScheme = IdentityConstants.ApplicationScheme;
+        options.DefaultSignInScheme = IdentityConstants.ExternalScheme;
+    })
+    .AddIdentityCookies();
+
+    builder.Services.AddAuthorization();
+
+    builder.Services.AddIdentityCore<ApplicationUser>(options =>
+    {
+        options.SignIn.RequireConfirmedAccount = true;
+        options.Stores.SchemaVersion = IdentitySchemaVersions.Version3;
+    })
+        .AddEntityFrameworkStores<ApplicationDbContext>()
+        .AddSignInManager()
+        .AddDefaultTokenProviders();
+}
+
+// DB
+var connectionString = builder.Configuration.GetConnectionString("DefaultConnection")
+    ?? throw new InvalidOperationException("Connection string 'DefaultConnection' not found.");
+builder.Services.AddDbContext<ApplicationDbContext>(o => o.UseSqlServer(connectionString));
+builder.Services.AddDatabaseDeveloperPageExceptionFilter();
+
+// Email (no-op)
+builder.Services.AddSingleton<IEmailSender<ApplicationUser>, IdentityNoOpEmailSender>();
+
+// Blazor (server interaktivnì) + cascading auth state (AuthorizeView apod.)
+builder.Services.AddRazorComponents()
+                .AddInteractiveServerComponents();
+builder.Services.AddCascadingAuthenticationState(); 
+
+var app = builder.Build();
+
+// ------ Pipeline ------
+if (!app.Environment.IsDevelopment())
+{
+    app.UseExceptionHandler("/Error");
     app.UseHsts();
 }
 
-app.UseStatusCodePagesWithReExecute("/not-found");
 app.UseHttpsRedirection();
-
 app.UseStaticFiles();
-app.UseRouting();
-
-
 
 app.UseAuthentication();
-
-if (windowsEnabled)
-{
-    app.Use(async (context, next) =>
-    {
-        // Pokud už je pøihlášený (cookie), nech vše projít.
-        if (context.User?.Identity?.IsAuthenticated == true)
-        {
-            await next();
-            return;
-        }
-
-        var path = context.Request.Path;
-
-        // Nikdy neredirectovat:
-        // - bootstrap endpoint
-        // - identity stránky/endpoints
-        // - chybové stránky
-        // - blazor framework a static web assets
-        if (path.StartsWithSegments("/auth/windows") ||
-            path.StartsWithSegments("/Account") ||
-            path.StartsWithSegments("/not-found") ||
-            path.StartsWithSegments("/Error") ||
-            path.StartsWithSegments("/_framework") ||
-            path.StartsWithSegments("/_content"))
-        {
-            await next();
-            return;
-        }
-
-        // Nezasahovat do statických souborù podle pøípony (CSS/JS/fonts/images/maps)
-        var ext = System.IO.Path.GetExtension(path);
-        if (!string.IsNullOrEmpty(ext))
-        {
-            await next();
-            return;
-        }
-
-        // Redirect jen pro "navigaèní" requesty (typicky HTML stránky)
-        if (!HttpMethods.IsGet(context.Request.Method))
-        {
-            await next();
-            return;
-        }
-
-        // Pokud klient nechce HTML (napø. fetch pro JSON), neredirectuj
-        var accept = context.Request.Headers.Accept.ToString();
-        if (!string.IsNullOrEmpty(accept) && !accept.Contains("text/html", StringComparison.OrdinalIgnoreCase))
-        {
-            await next();
-            return;
-        }
-
-        var returnUrl = context.Request.PathBase + context.Request.Path + context.Request.QueryString;
-        var target = "/auth/windows?returnUrl=" + Uri.EscapeDataString(returnUrl);
-        
-
-        context.Response.Redirect(target);
-    });
-}
-
 app.UseAuthorization();
-
 app.UseAntiforgery();
 
-
-
 app.MapStaticAssets();
 app.MapRazorComponents<App>()
     .AddInteractiveServerRenderMode();
 
 // Add additional endpoints required by the Identity /Account Razor components.
-app.MapAdditionalIdentityEndpoints();
 
+if (!windowsEnabled)
+{
+    app.MapAdditionalIdentityEndpoints();
+}
+/*
+// ? StatusCodePages: nikdy nesahat do 401/403 (kvùli Negotiate handshaku)
+app.UseStatusCodePages(async context =>
+{
+    var code = context.HttpContext.Response.StatusCode;
+
+    // Negotiate/Identity challenge – nesahej na to
+    if (code == 401 || code == 403) return;
+
+    // 404 apod. klidnì pøesmìruj
+    context.HttpContext.Response.Redirect("/not-found");
+});
+
+if (windowsEnabled)
+{
+    // FallbackPolicy už vyžaduje auth – tady .RequireAuthorization() není nutné
+    app.MapRazorComponents<App>()
+       .AddInteractiveServerRenderMode();
+}
+else
+{
+    // Interní úèty: výslovnì zamknout UI
+    app.MapRazorComponents<App>()
+       .AddInteractiveServerRenderMode()
+       .RequireAuthorization();
+}
+*/
 app.Run();

RIIT/RIIT/appsettings.json

@@ -9,10 +9,8 @@
     }
   },
   "Auth": {
-    "Mode": "Windows",
-    "Windows": {
-      "RequireAuthenticatedUser": true
-    }
+    "Mode": "Windows"
+    // možnosti pro Mode: "Windows", "Internal"
   },
   "AllowedHosts": "*"
 }