Hellmade.HubAuth.ServiceClients

Typed HTTP clients for Hub coarse authorization and directory/profile integration.

Includes

• IPermissionCheckClient
• IDirectoryClient
• AddHubAuthServiceClients(...) DI wiring

Behavior

• Calls Hub endpoints:
  • GET /api/v1/permissions/check
  • GET /api/v1/directory/users/{userId}
  • POST /api/v1/directory/users/batch
• Uses short-lived in-memory caching for resilience.
• Uses structured warning logs when falling back to cached values.
• Uses stable cache keys for directory batch lookups (order-independent user id sets).

Directory payload additions

Directory responses now expose two additional nullable fields on DirectoryUserProfileResponse:

• Position
• AccountUrl

AccountUrl is the full absolute Hub profile link for the exact user (for example https://hub.hellmadegames.com/users/{userId}), so downstream services should use it directly for "Hub Account" links and not build URL templates.

Example usage:

var profile = await directoryClient.GetUserAsync("my-service", userId, bearerToken, cancellationToken);
var hubAccountLink = profile?.AccountUrl;
var profileSubtitle = string.IsNullOrWhiteSpace(profile?.Position)
	? profile?.Email
	: profile.Position;

Configuration

AddHubAuthServiceClients accepts HubAuthServiceClientOptions:

• HubApiBaseUrl
• ServiceSharedSecret (optional service-to-service fallback for directory endpoints when no user bearer token is available)
• PermissionCacheSeconds (default: 120)
• DirectoryCacheSeconds (default: 600)
• MaxBatchSize (default: 200)
• FailOpenWithCachedValue (default: true)

When ServiceSharedSecret is configured and bearerToken is null, the directory client sends:

• X-Service-Key: <serviceKey>
• X-Service-Secret: <ServiceSharedSecret>

This enables service-authenticated directory lookups for anonymous/public service routes without requiring an end-user access token.

Scope

• Coarse service access checks and Hub directory lookups only.
• No service-local role models or business policy logic.