This repository was archived by the owner on Feb 26, 2026. It is now read-only.

Add JWT ****** to secure API endpoints #23

Draft
Copilot wants to merge 4 commits into main from copilot/add-authentication-to-api-endpoints

Conversation


Copilot AI commented Feb 26, 2026

All API endpoints were publicly accessible without authentication, including data mutation operations like POST /api/v1/gods.

Changes

Authentication & Authorization

  • Added JWT ****** with HS256 signing
  • Configured AdminOnly policy (requires Admin role) and ReadOnly policy (any authenticated user)
  • Applied RequireAuthorization("AdminOnly") to POST endpoints
  • GET endpoints remain public for read-only access

Configuration

  • Created AuthConstants with shared JWT config (key, issuer, audience)
  • Added startup validation: throws InvalidOperationException if production uses development key
  • JWT settings configurable via Jwt:Key, Jwt:Issuer, Jwt:Audience (env vars or Key Vault)
  • Clock skew set to zero for strict token expiration

Testing

  • Added TestJwtTokenGenerator helper for integration tests
  • 8 new integration tests covering: unauthorized access (401), forbidden access (403), admin access, invalid/expired tokens

Example usage:

# Public read access
curl http://localhost:5000/api/v1/gods

# Mutation requires Admin token
curl -X POST http://localhost:5000/api/v1/gods \
  -H "Authorization: ******" \
  -H "Content-Type: application/json" \
  -d '[{"name":"NewGod","mythologyId":1}]'

See AUTHENTICATION.md for token generation and configuration details.

Original prompt

This section details the original issue you should resolve.

<issue_title>[CRITICAL] No authentication or authorization on any API endpoint</issue_title>
<issue_description>
Summary

None of the API endpoints in the application require authentication or authorization, leaving all operations — including data mutation and deletion — fully open to anonymous access.

Description

Both src/Endpoints/v1/Gods.cs and src/Endpoints/v1/Mythologies.cs register endpoints without any .RequireAuthorization() calls. The src/Program.cs file does not configure any authentication scheme (e.g., JWT Bearer, API Key) or authorization policies.

This means:

  • POST /api/v1/gods — anyone can create or modify god records.
  • DELETE /api/v1/gods — anyone can delete all records.
  • All GET endpoints expose data without access control.

The project security policy requires: "Validate and authenticate all incoming requests" and "Limit permissions and access to only what is necessary."

Implementation

  1. Choose an authentication scheme (JWT Bearer is recommended for APIs).
  2. Add builder.Services.AddAuthentication() and builder.Services.AddAuthorization() in src/Program.cs.
  3. Add app.UseAuthentication() and app.UseAuthorization() to the middleware pipeline.
  4. Define authorization policies (e.g., AdminOnly, ReadOnly) as appropriate.
  5. Apply .RequireAuthorization() to all mutating endpoints (POST, DELETE) in src/Endpoints/v1/Gods.cs.
  6. Consider applying read-level authorization to GET endpoints or leaving them public based on requirements.
  7. Update integration tests to account for authentication requirements.

References

Comments on the Issue (you are @copilot in this section)
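A Program.cs that wires up steps 2 to 5 of the issue together with the settings the PR description lists (HS256 signing, AdminOnly and ReadOnly policies, the dev-key startup check, zero clock skew). This is an added example, not the PR's own diff, which this page does not show. The DevelopmentKey constant, the fallback issuer and audience strings, and the endpoint bodies are constructed stand-ins for the repository's AuthConstants and real handlers; the configuration keys and policy names are the ones the PR names.

```csharp
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
// Hypothetical stand-in for the PR's AuthConstants: a key that is only acceptable in
// Development. Real deployments supply Jwt:Key via environment variables or Key Vault.
const string DevelopmentKey = "dev-only-key-change-me-0123456789abcdef";
var jwtKey = builder.Configuration["Jwt:Key"] ?? DevelopmentKey;
var issuer = builder.Configuration["Jwt:Issuer"] ?? "gods-api";           // constructed default
var audience = builder.Configuration["Jwt:Audience"] ?? "gods-api-clients"; // constructed default

// Startup validation: refuse to boot outside Development with the shared dev key.
if (!builder.Environment.IsDevelopment() && jwtKey == DevelopmentKey)
    throw new InvalidOperationException(
        "Jwt:Key is the development key; configure a production signing key.");

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = issuer,
            ValidateAudience = true,
            ValidAudience = audience,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtKey)),
            // Pin the algorithm so a token whose header declares anything but HS256 is rejected.
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
            ValidateLifetime = true,
            ClockSkew = TimeSpan.Zero   // strict expiry: drop the default five-minute grace
        };
    });

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("AdminOnly", p => p.RequireRole("Admin"));
    options.AddPolicy("ReadOnly", p => p.RequireAuthenticatedUser());
});

var app = builder.Build();
app.UseAuthentication();   // must precede UseAuthorization in the pipeline
app.UseAuthorization();

// GET stays public; POST (and any DELETE) is gated by the AdminOnly policy.
app.MapGet("/api/v1/gods", () => Results.Ok(Array.Empty<object>()));
app.MapPost("/api/v1/gods", () => Results.Created("/api/v1/gods", null))
   .RequireAuthorization("AdminOnly");
app.Run();
```

With this wiring an unauthenticated POST returns 401, a valid non-Admin token returns 403, and an expired token is rejected at the exact expiry instant because no skew is tolerated, matching the three failure cases the PR's integration tests cover.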



Copilot AI and others added 3 commits February 26, 2026 13:30
Co-authored-by: aatmmr <15815012+aatmmr@users.noreply.github.com>
Co-authored-by: aatmmr <15815012+aatmmr@users.noreply.github.com>
…n validation, fix typo

Co-authored-by: aatmmr <15815012+aatmmr@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add authentication and authorization to API endpoints" to "Add JWT ****** to secure API endpoints" on Feb 26, 2026

Development

Successfully merging this pull request may close these issues.

[CRITICAL] No authentication or authorization on any API endpoint