Initial import into Gitea

Gateway/Controllers/AuthController.cs

@@ -44,10 +44,18 @@ public sealed class AuthController : ControllerBase
         _log.LogWarning("[Session] Authenticated: ClientId={ClientId}, Email={Email}",
             _client.ClientId, _client.Email);
 
+        // Gateway handles CIAM client sessions only.
+        // Staff apps authenticate directly to Management API via JWT Bearer — never via Gateway.
+        if (_client.IsStaff)
+        {
+            _log.LogWarning("[Session] Staff token rejected — use JWT Bearer directly to Management API");
+            return StatusCode(403, new { ok = false, error = "Staff authentication does not use Gateway sessions" });
+        }
+
         var rqst = JsonSerializer.Serialize(new
         {
             provider = _client.AuthProvider ?? "EntraExternalId",
-            subject = _client.ClientId,
+            subject  = _client.ClientId,
             email = _client.Email,
             displayName = _client.ClientName,
             clientId = request?.PreferredClientId,
@@ -56,13 +64,15 @@ public sealed class AuthController : ControllerBase
             sessionDurationHours = request?.SessionDurationHours ?? 24
         });
 
-        _log.LogWarning("[Session] Calling spSession with: {Rqst}", rqst);
+        _log.LogWarning("[Session] Calling proc with: {Rqst}", rqst);
+
+        _log.LogWarning("[Session] Using proc=dbo.spClientSession");
 
         try
         {
-            var resp = await _sql.ExecProcAsync("dbo.spSession", "createFromIdentity", rqst, ct: ct);
+            var resp = await _sql.ExecProcAsync("dbo.spClientSession", "createFromIdentity", rqst, ct: ct);
 
-            _log.LogWarning("[Session] spSession response: {Resp}", resp ?? "(null)");
+            _log.LogWarning("[Session] Proc response: {Resp}", resp ?? "(null)");
 
             if (string.IsNullOrWhiteSpace(resp))
             {
@@ -118,7 +128,7 @@ public sealed class AuthController : ControllerBase
         var rqst = JsonSerializer.Serialize(new
         {
             provider = _client.AuthProvider ?? "EntraExternalId",
-            subject = _client.ClientId,
+            subject  = _client.ClientId,
             email = _client.Email,
             displayName = _client.ClientName,
             companyName = request.CompanyName,
@@ -173,10 +183,11 @@ public sealed class AuthController : ControllerBase
         }
 
         var rqst = JsonSerializer.Serialize(new { sessionToken = token });
+        var signoffProc = "dbo.spClientSession"; // Gateway handles client sessions only
 
         try
         {
-            await _sql.ExecProcAsync("dbo.spSession", "signoff", rqst, ct: ct);
+            await _sql.ExecProcAsync(signoffProc, "signoff", rqst, ct: ct);
             return Ok(new { ok = true, message = "Signed out successfully" });
         }
         catch (Exception ex)
@@ -204,10 +215,11 @@ public sealed class AuthController : ControllerBase
             sessionToken = token,
             sessionDurationHours = request?.SessionDurationHours ?? 24
         });
+        var refreshProc = "dbo.spClientSession"; // Gateway handles client sessions only
 
         try
         {
-            var resp = await _sql.ExecProcAsync("dbo.spSession", "refresh", rqst, ct: ct);
+            var resp = await _sql.ExecProcAsync(refreshProc, "refresh", rqst, ct: ct);
 
             if (string.IsNullOrWhiteSpace(resp))
             {
@@ -251,7 +263,7 @@ public sealed class AuthController : ControllerBase
 
         try
         {
-            var resp = await _sql.ExecProcAsync("dbo.spSession", "validate", rqst, ct: ct);
+            var resp = await _sql.ExecProcAsync("dbo.spClientSession", "validate", rqst, ct: ct);
 
             if (string.IsNullOrWhiteSpace(resp))
             {
@@ -304,7 +316,7 @@ public sealed class AuthController : ControllerBase
 
         try
         {
-            var resp = await _sql.ExecProcAsync("dbo.spSession", "switchClient", rqst, ct: ct);
+            var resp = await _sql.ExecProcAsync("dbo.spClientSession", "switchClient", rqst, ct: ct);
 
             if (string.IsNullOrWhiteSpace(resp))
             {
@@ -338,11 +350,18 @@ public sealed class AuthController : ControllerBase
         if (!string.IsNullOrWhiteSpace(token))
             return token;
 
-        // Check Authorization header (for session tokens, not JWTs)
+        // Check Authorization header — accept both "Session <token>" and "Bearer <token>".
+        // NOTE: Bearer here is a session token (not an Entra JWT) because the middleware
+        // only routes to these controller actions after session validation succeeds.
+        // The JWT-only endpoint (/api/auth/session) never calls ExtractSessionToken().
         var auth = Request.Headers.Authorization.FirstOrDefault();
-        if (!string.IsNullOrWhiteSpace(auth) && auth.StartsWith("Session ", StringComparison.OrdinalIgnoreCase))
+        if (!string.IsNullOrWhiteSpace(auth))
         {
-            return auth.Substring(8).Trim();
+            if (auth.StartsWith("Session ", StringComparison.OrdinalIgnoreCase))
+                return auth.Substring(8).Trim();
+
+            if (auth.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
+                return auth.Substring(7).Trim();
         }
 
         return null;