Resolve merge conflicts with main after SSO/OIDC/MFA merge

Take main's versions for all non-cache files now that #813 provides
OIDC/MFA infrastructure. Keep MfaCredentialTests fix with both
empty-string and null clearing test cases.

Author: Chris0Jeky

backend/src/Taskdeck.Api/Controllers/AuthController.cs

@@ -17,7 +17,7 @@
 
 namespace Taskdeck.Api.Controllers;
 
-public record ChangePasswordRequest(string CurrentPassword, string NewPassword);
+public record ChangePasswordRequest(string CurrentPassword, string NewPassword, string? MfaCode = null);
 public record ExchangeCodeRequest(string Code);
 public record LinkExchangeRequest(string Code);
 
@@ -32,13 +32,23 @@ public class AuthController : AuthenticatedControllerBase
 {
     private readonly AuthenticationService _authService;
     private readonly GitHubOAuthSettings _gitHubOAuthSettings;
+    private readonly OidcSettings _oidcSettings;
+    private readonly MfaService _mfaService;
     private readonly IUnitOfWork _unitOfWork;
 
-    public AuthController(AuthenticationService authService, GitHubOAuthSettings gitHubOAuthSettings, IUserContext userContext, IUnitOfWork unitOfWork)
+    public AuthController(
+        AuthenticationService authService,
+        GitHubOAuthSettings gitHubOAuthSettings,
+        OidcSettings oidcSettings,
+        MfaService mfaService,
+        IUserContext userContext,
+        IUnitOfWork unitOfWork)
         : base(userContext)
     {
         _authService = authService;
         _gitHubOAuthSettings = gitHubOAuthSettings;
+        _oidcSettings = oidcSettings;
+        _mfaService = mfaService;
         _unitOfWork = unitOfWork;
     }
 
@@ -93,24 +103,40 @@ public async Task<IActionResult> Register([FromBody] CreateUserDto dto)
     /// <summary>
     /// Change the password for the authenticated caller.
     /// The target user is always derived from the JWT — client-supplied user IDs are not accepted.
+    /// When MFA is enabled and RequireMfaForSensitiveActions is true, a valid MFA code is required.
     /// </summary>
-    /// <param name="request">Current and new password.</param>
+    /// <param name="request">Current password, new password, and optional MFA code.</param>
     /// <response code="204">Password changed successfully.</response>
     /// <response code="400">Validation error.</response>
     /// <response code="401">Not authenticated or current password is incorrect.</response>
+    /// <response code="403">MFA verification required but not provided or invalid.</response>
     /// <response code="429">Rate limit exceeded.</response>
     [HttpPost("change-password")]
     [Authorize]
     [EnableRateLimiting(RateLimitingPolicyNames.AuthPerIp)]
     [ProducesResponseType(StatusCodes.Status204NoContent)]
     [ProducesResponseType(typeof(ApiErrorResponse), StatusCodes.Status400BadRequest)]
     [ProducesResponseType(typeof(ApiErrorResponse), StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(typeof(ApiErrorResponse), StatusCodes.Status403Forbidden)]
     [ProducesResponseType(typeof(ApiErrorResponse), StatusCodes.Status429TooManyRequests)]
     public async Task<IActionResult> ChangePassword([FromBody] ChangePasswordRequest request)
     {
         if (!TryGetCurrentUserId(out var callerUserId, out var errorResult))
             return errorResult!;
 
+        // Enforce MFA for sensitive actions when policy requires it
+        if (await _mfaService.IsMfaRequiredForSensitiveActionAsync(callerUserId))
+        {
+            if (string.IsNullOrWhiteSpace(request.MfaCode))
+                return StatusCode(StatusCodes.Status403Forbidden, new ApiErrorResponse(
+                    ErrorCodes.Forbidden, "MFA verification is required for this action"));
+
+            var mfaResult = await _mfaService.VerifyCodeAsync(callerUserId, request.MfaCode);
+            if (!mfaResult.IsSuccess)
+                return StatusCode(StatusCodes.Status403Forbidden, new ApiErrorResponse(
+                    ErrorCodes.AuthenticationFailed, "Invalid MFA verification code"));
+        }
+
         var result = await _authService.ChangePasswordAsync(callerUserId, request.CurrentPassword, request.NewPassword);
         return result.IsSuccess ? NoContent() : result.ToErrorActionResult();
     }
@@ -447,17 +473,166 @@ public async Task<IActionResult> GetLinkedAccounts()
     }
 
     /// <summary>
-    /// Returns whether GitHub OAuth login is available on this instance.
+    /// Returns available authentication providers on this instance.
     /// </summary>
     [HttpGet("providers")]
     public IActionResult GetProviders()
     {
+        var oidcProviders = _oidcSettings.ConfiguredProviders
+            .Select(p => new OidcProviderInfoDto(p.Name, p.DisplayName))
+            .ToList();
+
         return Ok(new
         {
-            GitHub = _gitHubOAuthSettings.IsConfigured
+            GitHub = _gitHubOAuthSettings.IsConfigured,
+            Oidc = oidcProviders
         });
     }
 
+    /// <summary>
+    /// Initiates OIDC login flow for a named provider. Only available when the provider is configured.
+    /// </summary>
+    [HttpGet("oidc/{providerName}/login")]
+    [EnableRateLimiting(RateLimitingPolicyNames.AuthPerIp)]
+    public IActionResult OidcLogin(string providerName, [FromQuery] string? returnUrl = null)
+    {
+        var provider = _oidcSettings.ConfiguredProviders
+            .FirstOrDefault(p => string.Equals(p.Name, providerName, StringComparison.OrdinalIgnoreCase));
+
+        if (provider == null)
+            return NotFound(new ApiErrorResponse(ErrorCodes.NotFound, $"OIDC provider '{providerName}' is not configured"));
+
+        if (!string.IsNullOrWhiteSpace(returnUrl) && !Url.IsLocalUrl(returnUrl))
+            return BadRequest(new ApiErrorResponse(ErrorCodes.ValidationError, "Invalid return URL"));
+
+        var schemeName = $"Oidc_{provider.Name}";
+        var properties = new AuthenticationProperties
+        {
+            RedirectUri = Url.Action(nameof(OidcCallback), new { providerName = provider.Name, returnUrl }),
+            Items = { { "LoginProvider", provider.Name } }
+        };
+
+        return Challenge(properties, schemeName);
+    }
+
+    /// <summary>
+    /// Handles the OIDC callback, creates/links the user, and redirects with a short-lived code.
+    /// </summary>
+    [HttpGet("oidc/{providerName}/callback")]
+    [EnableRateLimiting(RateLimitingPolicyNames.AuthPerIp)]
+    public async Task<IActionResult> OidcCallback(string providerName, [FromQuery] string? returnUrl = null)
+    {
+        var provider = _oidcSettings.ConfiguredProviders
+            .FirstOrDefault(p => string.Equals(p.Name, providerName, StringComparison.OrdinalIgnoreCase));
+
+        if (provider == null)
+            return NotFound(new ApiErrorResponse(ErrorCodes.NotFound, $"OIDC provider '{providerName}' is not configured"));
+
+        var schemeName = $"Oidc_{provider.Name}";
+        var authenticateResult = await HttpContext.AuthenticateAsync(schemeName);
+        if (!authenticateResult.Succeeded || authenticateResult.Principal == null)
+        {
+            return Unauthorized(new ApiErrorResponse(
+                ErrorCodes.AuthenticationFailed,
+                $"OIDC authentication with '{provider.DisplayName}' failed"));
+        }
+
+        var claims = authenticateResult.Principal.Claims.ToList();
+        var providerUserId = claims.FirstOrDefault(c => c.Type == System.Security.Claims.ClaimTypes.NameIdentifier)?.Value;
+        var username = claims.FirstOrDefault(c => c.Type == System.Security.Claims.ClaimTypes.Name)?.Value
+                       ?? claims.FirstOrDefault(c => c.Type == "preferred_username")?.Value;
+        var email = claims.FirstOrDefault(c => c.Type == System.Security.Claims.ClaimTypes.Email)?.Value;
+        var displayName = claims.FirstOrDefault(c => c.Type == "name")?.Value;
+
+        if (string.IsNullOrWhiteSpace(providerUserId))
+        {
+            return Unauthorized(new ApiErrorResponse(
+                ErrorCodes.AuthenticationFailed,
+                $"OIDC provider '{provider.DisplayName}' did not return a user identifier"));
+        }
+
+        if (string.IsNullOrWhiteSpace(email))
+            email = $"{provider.Name.ToLowerInvariant()}-{providerUserId}@external.taskdeck.local";
+
+        if (string.IsNullOrWhiteSpace(username))
+            username = $"{provider.Name.ToLowerInvariant()}-user-{providerUserId}";
+
+        var dto = new ExternalLoginDto(
+            Provider: $"oidc_{provider.Name}",
+            ProviderUserId: providerUserId,
+            Username: username,
+            Email: email,
+            DisplayName: displayName,
+            AvatarUrl: null);
+
+        var result = await _authService.ExternalLoginAsync(dto);
+
+        if (!result.IsSuccess)
+            return result.ToErrorActionResult();
+
+        // Sign out the temporary cookie used during the OIDC handshake
+        await HttpContext.SignOutAsync(AuthenticationRegistration.ExternalAuthenticationScheme);
+
+        // Store only the user ID in the auth code -- JWT is re-issued at exchange time.
+        var code = GenerateAuthCode();
+        var authCode = new OAuthAuthCode(
+            code: code,
+            userId: result.Value.User.Id,
+            token: "placeholder", // Not stored; JWT re-issued at exchange
+            expiresAt: DateTimeOffset.UtcNow.AddSeconds(60));
+
+        await _unitOfWork.OAuthAuthCodes.AddAsync(authCode);
+        await _unitOfWork.SaveChangesAsync();
+
+        // Best-effort cleanup of expired/consumed codes
+        await CleanupExpiredCodesAsync();
+
+        var safeReturnUrl = !string.IsNullOrWhiteSpace(returnUrl) && Url.IsLocalUrl(returnUrl)
+            ? returnUrl
+            : "/";
+
+        var separator = safeReturnUrl.Contains('?') ? "&" : "?";
+        return Redirect($"{safeReturnUrl}{separator}oauth_code={Uri.EscapeDataString(code)}&oauth_provider=oidc");
+    }
+
+    /// <summary>
+    /// Exchanges a short-lived OIDC authorization code for a JWT token.
+    /// Reuses the same database-backed code store as GitHub OAuth.
+    /// </summary>
+    [HttpPost("oidc/exchange")]
+    [EnableRateLimiting(RateLimitingPolicyNames.AuthPerIp)]
+    public async Task<IActionResult> OidcExchangeCode([FromBody] ExchangeCodeRequest request)
+    {
+        const string genericError = "Invalid or expired code";
+
+        if (string.IsNullOrWhiteSpace(request.Code))
+            return BadRequest(new ApiErrorResponse(ErrorCodes.ValidationError, "Code is required"));
+
+        var authCode = await _unitOfWork.OAuthAuthCodes.GetByCodeAsync(request.Code);
+        if (authCode == null || authCode.IsLinkingCode || authCode.IsExpired || authCode.IsConsumed)
+            return Unauthorized(new ApiErrorResponse(ErrorCodes.AuthenticationFailed, genericError));
+
+        var consumed = await _unitOfWork.OAuthAuthCodes.TryConsumeAtomicAsync(request.Code);
+        if (!consumed)
+            return Unauthorized(new ApiErrorResponse(ErrorCodes.AuthenticationFailed, genericError));
+
+        var user = await _unitOfWork.Users.GetByIdAsync(authCode.UserId);
+        if (user == null)
+            return Unauthorized(new ApiErrorResponse(ErrorCodes.AuthenticationFailed, genericError));
+
+        var userDto = new UserDto(
+            user.Id,
+            user.Username,
+            user.Email,
+            user.DefaultRole,
+            user.IsActive,
+            user.CreatedAt,
+            user.UpdatedAt);
+
+        var freshToken = _authService.GenerateJwtToken(user);
+        return Ok(new AuthResultDto(freshToken, userDto));
+    }
+
     private static string GenerateAuthCode()
     {
         var bytes = RandomNumberGenerator.GetBytes(32);

backend/src/Taskdeck.Api/Extensions/AuthenticationRegistration.cs

@@ -1,8 +1,11 @@
 using System.Security.Claims;
 using System.Text;
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authentication.OAuth.Claims;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.Http;
 using Microsoft.IdentityModel.Tokens;
 using Taskdeck.Api.Contracts;
 using Taskdeck.Application.Services;
@@ -13,10 +16,16 @@ namespace Taskdeck.Api.Extensions;
 
 public static class AuthenticationRegistration
 {
+    /// <summary>
+    /// Cookie scheme used for temporary external auth state (OAuth/OIDC handshake).
+    /// </summary>
+    public const string ExternalAuthenticationScheme = "External";
+
     public static IServiceCollection AddTaskdeckAuthentication(
         this IServiceCollection services,
         JwtSettings jwtSettings,
-        GitHubOAuthSettings? gitHubOAuthSettings = null)
+        GitHubOAuthSettings? gitHubOAuthSettings = null,
+        OidcSettings? oidcSettings = null)
     {
         if (string.IsNullOrWhiteSpace(jwtSettings.SecretKey) ||
             jwtSettings.SecretKey.Length < 32 ||
@@ -26,7 +35,21 @@ public static IServiceCollection AddTaskdeckAuthentication(
             return services;
         }
 
-        var authBuilder = services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+        var authBuilder = services.AddAuthentication(options =>
+            {
+                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
+                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
+                options.DefaultSignInScheme = ExternalAuthenticationScheme;
+            })
+            .AddCookie(ExternalAuthenticationScheme, options =>
+            {
+                options.Cookie.Name = ".Taskdeck.ExternalAuth";
+                options.Cookie.HttpOnly = true;
+                options.Cookie.SameSite = SameSiteMode.Lax;
+                options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
+                options.ExpireTimeSpan = TimeSpan.FromMinutes(5);
+                options.SlidingExpiration = false;
+            })
             .AddJwtBearer(options =>
             {
                 options.TokenValidationParameters = new TokenValidationParameters
@@ -90,6 +113,7 @@ await context.Response.WriteAsJsonAsync(new ApiErrorResponse(
         {
             authBuilder.AddOAuth("GitHub", options =>
             {
+                options.SignInScheme = ExternalAuthenticationScheme;
                 options.ClientId = gitHubOAuthSettings.ClientId;
                 options.ClientSecret = gitHubOAuthSettings.ClientSecret;
                 options.AuthorizationEndpoint = "https://github.com/login/oauth/authorize";
@@ -118,6 +142,42 @@ await context.Response.WriteAsJsonAsync(new ApiErrorResponse(
             });
         }
 
+        // Environment-gated: add OIDC providers when configured
+        if (oidcSettings != null)
+        {
+            foreach (var provider in oidcSettings.ConfiguredProviders)
+            {
+                var schemeName = $"Oidc_{provider.Name}";
+                var callbackPath = !string.IsNullOrWhiteSpace(provider.CallbackPath)
+                    ? provider.CallbackPath
+                    : $"/api/auth/oidc/{provider.Name.ToLowerInvariant()}/oauth-redirect";
+
+                authBuilder.AddOpenIdConnect(schemeName, provider.DisplayName, options =>
+                {
+                    options.SignInScheme = ExternalAuthenticationScheme;
+                    options.Authority = provider.Authority;
+                    options.ClientId = provider.ClientId;
+                    options.ClientSecret = provider.ClientSecret;
+                    options.CallbackPath = callbackPath;
+                    options.ResponseType = "code";
+                    options.SaveTokens = false;
+                    options.GetClaimsFromUserInfoEndpoint = true;
+
+                    options.Scope.Clear();
+                    foreach (var scope in provider.Scopes)
+                    {
+                        options.Scope.Add(scope);
+                    }
+
+                    // Map standard OIDC claims to ClaimTypes
+                    options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "sub");
+                    options.ClaimActions.MapJsonKey(ClaimTypes.Name, "preferred_username");
+                    options.ClaimActions.MapJsonKey(ClaimTypes.Email, "email");
+                    options.ClaimActions.MapJsonKey("name", "name");
+                });
+            }
+        }
+
         return services;
     }
 

backend/src/Taskdeck.Api/Extensions/RateLimitingRegistration.cs

@@ -6,6 +6,7 @@
 using Taskdeck.Api.RateLimiting;
 using Taskdeck.Application.Services;
 using Taskdeck.Domain.Exceptions;
+using Taskdeck.Infrastructure.Mcp;
 
 namespace Taskdeck.Api.Extensions;
 
@@ -106,11 +107,21 @@ private static RateLimitPartition<string> BuildFixedWindowPartition(string parti
 
     private static string ResolveUserOrClientIdentifier(HttpContext context)
     {
+        // Check JWT claims first (REST API path).
         var userId = context.User.FindFirstValue(ClaimTypes.NameIdentifier)
             ?? context.User.FindFirstValue("sub");
-        return !string.IsNullOrWhiteSpace(userId)
-            ? userId
-            : ResolveClientAddress(context);
+        if (!string.IsNullOrWhiteSpace(userId))
+            return userId;
+
+        // Check API key user ID from HttpContext.Items (MCP HTTP path).
+        // ApiKeyMiddleware sets this after validating the Bearer token.
+        if (context.Items.TryGetValue(HttpUserContextProvider.UserIdItemKey, out var apiKeyUserId)
+            && apiKeyUserId is Guid apiKeyGuid)
+        {
+            return apiKeyGuid.ToString();
+        }
+
+        return ResolveClientAddress(context);
     }
 
     private static string ResolveClientAddress(HttpContext context)