feat: ensure the security feature is initialized before the app is used

Author: lsipii

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/ApplicationSecurity.cs

@@ -9,6 +9,8 @@ public class ApplicationSecurity : IApplicationSecurity
 {
     private readonly ITermsOfServiceRepository _termsOfServiceRepository;
     private readonly SecuritySetup _setup;
+    private readonly int _initializationTimeoutInMilliseconds = 10000;
+
     public ApplicationSecurity(ITermsOfServiceRepository termsOfServiceRepository, SecuritySetup securitySetup)
     {
         _termsOfServiceRepository = termsOfServiceRepository;
@@ -27,7 +29,8 @@ public async Task<RequestAuthenticationCandinate> ParseJwtToken(string token)
         if (!tokenHandler.CanReadToken(token)) throw new NotAuthorizedException("The given token is not valid");
         var parsedToken = tokenHandler.ReadJwtToken(token);
 
-        // Resolve the security feature by token issuer (must be enabled) // @TODO: ensure the security feature is loaded before this
+        // Resolve the security feature by token issuer (must be enabled)
+        await EnsureSecurityInitializationCompleted();
         var tokenIssuer = parsedToken.Issuer;
         var securityFeature = _setup.Features.Find(o => o.Issuer == tokenIssuer) ?? throw new NotAuthorizedException("The given token issuer is not valid");
 
@@ -49,4 +52,17 @@ public async Task VerifyPersonTermsOfServiceAgreement(Guid personId)
         // Fetch person terms of service agreement
         _ = await _termsOfServiceRepository.GetTermsOfServiceAgreementOfTheLatestTermsByPersonId(personId) ?? throw new NotAuthorizedException("User has not accepted the latest terms of service.");
     }
+
+    /// <summary>
+    /// All the enabled security features must be initialized before the application can be used, verify that the initializations are completed
+    /// </summary>
+    private async Task EnsureSecurityInitializationCompleted()
+    {
+        var initializationTimeout = DateTime.Now.AddMilliseconds(_initializationTimeoutInMilliseconds);
+        while (_setup.Features.Any(o => !o.IsInitialized))
+        {
+            if (DateTime.Now > initializationTimeout) throw new NotAuthorizedException("Security initialization timeout");
+            await Task.Delay(100);
+        }
+    }
 }

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Features/ISecurityFeature.cs

@@ -13,4 +13,5 @@ public interface ISecurityFeature
     Task ValidateSecurityTokenAudience(string audience);
 
     public string Issuer { get; }
+    public bool IsInitialized { get; set; }
 }

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Features/SecurityFeature.cs

@@ -12,14 +12,19 @@
 
 namespace VirtualFinland.UserAPI.Security.Features;
 
-public class SecurityFeature : ISecurityFeature
+public abstract class SecurityFeature : ISecurityFeature
 {
     ///
     /// The issuer of the JWT token
     ///
     public string Issuer => _issuer ?? throw new ArgumentNullException("Issuer is not set");
     protected string? _issuer;
 
+    /// <summary>
+    /// Is the security feature initialized
+    /// </summary>
+    public bool IsInitialized { get; set; } = false;
+
     /// <summary>
     /// Security feature options
     /// </summary>
@@ -171,13 +176,18 @@ protected virtual void ConfigureOpenIdConnect(AuthenticationBuilder authenticati
     /// </summary>
     protected virtual async void LoadOpenIdConfigUrl()
     {
-        if (_openIDConfigurationURL == null) return;
+        if (_openIDConfigurationURL == null)
+        {
+            IsInitialized = true;
+            return;
+        }
 
         if (Options.IsOidcMetadataCachingEnabled && await CacheRepository.Exists(Constants.Cache.OpenIdConfigPrefix))
         {
             var cachedResult = await CacheRepository.Get<OpenIdConfiguration>(Constants.Cache.OpenIdConfigPrefix);
             _issuer = cachedResult.Issuer;
             _jwksOptionsUrl = cachedResult.JwksUri;
+            IsInitialized = true;
             return;
         }
 
@@ -205,6 +215,8 @@ protected virtual async void LoadOpenIdConfigUrl()
                             Issuer = _issuer,
                             JwksUri = _jwksOptionsUrl
                         }, cacheDuration);
+
+                        IsInitialized = true;
                     }
 
                     break;

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Features/TestbedSecurityFeature.cs

@@ -1,4 +1,3 @@
-using VirtualFinland.UserAPI.Data.Repositories;
 using VirtualFinland.UserAPI.Security.Models;
 
 namespace VirtualFinland.UserAPI.Security.Features;

VirtualFinland.UsersAPI.UnitTests/Helpers/APITestBase.cs

@@ -66,7 +66,7 @@ private UsersDbContext GetMemoryContext()
             new SecuritySetup()
             {
                 Features = new List<ISecurityFeature>() {
-                    new SecurityFeature(
+                    new TestSecurityFeature(
                         new SecurityFeatureOptions {
                             Issuer = requestAuthenticationCandinate.Issuer,
                             OpenIdConfigurationUrl = "test-openid-config-url",

VirtualFinland.UsersAPI.UnitTests/Helpers/TestSecurityFeature.cs

@@ -8,6 +8,7 @@ public class TestSecurityFeature : SecurityFeature
 {
     public TestSecurityFeature(SecurityFeatureOptions options, SecurityClientProviders securityClientProviders) : base(options, securityClientProviders)
     {
+        IsInitialized = true;
     }
 
     /// <summary>