add test verifying that we can login users with a jwt from query para…

…ms, fix bug where forgot password would not authenticate because of duplicate jti claims

backend/LexBoxApi/Auth/JwtTicketDataFormat.cs

@@ -50,7 +50,7 @@ public static string ConvertAuthTicketToJwt(AuthenticationTicket data,
     {
         var jwtDate = DateTime.UtcNow;
         _jwtSecurityTokenHandler.MapInboundClaims = jwtBearerOptions.MapInboundClaims;
-        var claimsIdentity = new ClaimsIdentity(data.Principal.Claims, data.Principal.Identity?.AuthenticationType);
+        var claimsIdentity = new ClaimsIdentity(data.Principal.Claims.Where(c => c.Type != JwtRegisteredClaimNames.Jti), data.Principal.Identity?.AuthenticationType);
         var keyId = Guid.NewGuid().ToString().GetHashCode().ToString("x", CultureInfo.InvariantCulture);
         claimsIdentity.AddClaim(new Claim(JwtRegisteredClaimNames.Jti, keyId));
         //there may already be an audience claim, we want to reuse that if it exists, if not fallback to the default audience

backend/Testing/LexCore/LexAuthUserTests.cs

@@ -8,13 +8,18 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Logging;
 using Microsoft.IdentityModel.Tokens;
 using Shouldly;
 
 namespace Testing.LexCore;
 
 public class LexAuthUserTests
 {
+    static LexAuthUserTests()
+    {
+        IdentityModelEventSource.ShowPII = true;
+    }
     private readonly LexAuthService _lexAuthService = new LexAuthService(
         new OptionsWrapper<JwtOptions>(JwtOptions.TestingOptions),
         null,
@@ -30,6 +35,12 @@ public class LexAuthUserTests
         Projects = new[] { new AuthUserProject("test-flex", ProjectRole.Manager, Guid.NewGuid()) }
     };
 
+    private static readonly JwtBearerOptions JwtBearerOptions = new()
+    {
+        TokenValidationParameters = LexAuthService.TokenValidationParameters(JwtOptions.TestingOptions),
+        MapInboundClaims = false
+    };
+
     [Fact]
     public void CanGetClaimsFromUser()
     {
@@ -73,11 +84,7 @@ public void CanRoundTripClaimsWhenUsingSecurityTokenDescriptor()
         var jwt = JwtTicketDataFormat.ConvertAuthTicketToJwt(
             new AuthenticationTicket(_user.GetPrincipal("test"), "test"),
             "testing",
-            new JwtBearerOptions
-            {
-                TokenValidationParameters = LexAuthService.TokenValidationParameters(jwtUserOptions),
-                MapInboundClaims = false
-            },
+            JwtBearerOptions,
             jwtUserOptions
         );
         var tokenHandler = new JwtSecurityTokenHandler();
@@ -97,4 +104,25 @@ public void CanRoundTripJwtFromUserThroughLexAuthService()
         var newUser = LexAuthUser.FromClaimsPrincipal(principal);
         _user.ShouldBeEquivalentTo(newUser);
     }
+
+    [Fact]
+    public void CanRoundTripThroughRefresh()
+    {
+        var (forgotJwt, _) = _lexAuthService.GenerateJwt(_user, audience:LexboxAudience.ForgotPassword);
+        //simulate parsing the token into a claims principal
+        var tokenHandler = new JwtSecurityTokenHandler();
+        var forgotPrincipal = new ClaimsPrincipal(new ClaimsIdentity(tokenHandler.ReadJwtToken(forgotJwt).Claims, "Testing"));
+
+        //simulate redirect refreshing the token
+        var redirectJwt = JwtTicketDataFormat.ConvertAuthTicketToJwt(
+            new AuthenticationTicket(forgotPrincipal, "test"),
+            "testing",
+            JwtBearerOptions,
+            JwtOptions.TestingOptions
+        );
+
+        var loggedInPrincipal = new ClaimsPrincipal(new ClaimsIdentity(tokenHandler.ReadJwtToken(redirectJwt).Claims, "Testing"));
+        var newUser = LexAuthUser.FromClaimsPrincipal(loggedInPrincipal);
+        (_user with { Audience = LexboxAudience.ForgotPassword }).ShouldBeEquivalentTo(newUser);
+    }
 }