Allow overriding forbid handler

src/GatewayAuth/Abstractions.cs

@@ -1,7 +1,14 @@
 using System.Security.Claims;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
 
 namespace DIT.Authentication.GatewayAuth.Abstractions;
 
+public interface IForbidResponseHandler
+{
+    Task HandleForbiddenAsync(HttpContext context, AuthenticationProperties properties);
+}
+
 public interface ISignatureValidator
 {
 

src/GatewayAuth/Defaults.cs

@@ -1,13 +1,10 @@
-using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Http;
-
 namespace DIT.Authentication.GatewayAuth;
 
 public static class GatewayAuthDefaults
 {
     public const string AuthenticationScheme = "Gateway";
 
-    public const string ConfigurationSection = "Authentication:Gateway";
+    public const string ConfigurationSection = "Gateway";
 
     public const string UserHeader = "x-auth-user";
 

src/GatewayAuth/Handler.cs

@@ -4,6 +4,7 @@ using System.Security.Claims;
 using System.Text.Encodings.Web;
 using DIT.Authentication.GatewayAuth.Abstractions;
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 
@@ -14,9 +15,11 @@ public class GatewayAuthHandler : AuthenticationHandler<GatewayAuthOptions>
 
     private readonly IClaimsProvider _claimsProvider;
     private readonly ISignatureValidator _signatureValidator;
+    private readonly IForbidResponseHandler? _forbidResponseHandler;
 
     public GatewayAuthHandler(
         IClaimsProvider claimsProvider,
+        IServiceProvider serviceProvider,
         UrlEncoder encoder,
         IOptionsMonitor<GatewayAuthOptions> options,
         ILoggerFactory logger,
@@ -25,6 +28,8 @@ public class GatewayAuthHandler : AuthenticationHandler<GatewayAuthOptions>
     {
         _claimsProvider = claimsProvider;
         _signatureValidator = signatureValidator;
+
+        _forbidResponseHandler = serviceProvider.GetService<IForbidResponseHandler>();
     }
 
     protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
@@ -59,6 +64,14 @@ public class GatewayAuthHandler : AuthenticationHandler<GatewayAuthOptions>
         }
     }
 
+    protected override Task HandleForbiddenAsync(AuthenticationProperties properties)
+    {
+        if (_forbidResponseHandler != null)
+            return _forbidResponseHandler.HandleForbiddenAsync(Context, properties);
+
+        return base.HandleForbiddenAsync(properties);
+    }
+
     private static bool ExtractSignatureValue(string signatureHeader, [NotNullWhen(true)] out string? signature)
     {
         const string signaturePrefix = "signature=";

src/GatewayAuth/Implementations/CertificateSignatureValidator.cs

@@ -15,6 +15,9 @@ internal sealed class CertificateSignatureValidator : ISignatureValidator
     {
         if (_rsa is not null) return;
 
+        if (string.IsNullOrWhiteSpace(options.Certificate))
+            throw new InvalidOperationException("Certificate is null or whitespace");
+
         var certificate = new X509Certificate2(Encoding.ASCII.GetBytes(options.Certificate));
         _rsa = certificate.GetRSAPublicKey() ?? throw new InvalidOperationException("Could not get RSA public key from certificate");
     }

src/GatewayAuth/Options/PostConfigureOptions.cs

@@ -14,9 +14,6 @@ public sealed class PostConfigureOptions : IPostConfigureOptions<GatewayAuthOpti
 
     public void PostConfigure(string? name, GatewayAuthOptions options)
     {
-        if (options.Certificate == null)
-            throw new InvalidOperationException("Certificate is null");
-
         _signatureValidator.Initialize(options);
     }
 }