
Fix Auth0 Role Extraction#110

Merged
mpaulosky merged 3 commits into main from feature/auth0-role-improvements
Mar 12, 2026

Conversation

@mpaulosky
Owner

Summary

Fixes admin users not seeing admin-only menu items despite having the Admin role in Auth0.

Changes

  • Enhanced Auth0AuthenticationStateProvider to handle multiple role formats:
    • Comma-separated strings
    • JSON arrays
    • Single role values
  • Added debug logging for authentication and role extraction
  • Updated auth0-setup.md with:
    • Post-Login Action configuration
    • Role creation and assignment steps
    • Troubleshooting guide
  • Added 13 unit tests for Auth0AuthenticationStateProvider

Testing

  • All 82 Web.Tests.Unit tests pass
  • All 206 Web.Tests.Bunit tests pass
  • All 11 Architecture.Tests pass

Closes #107

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
mpaulosky added the labels squad (Squad triage inbox — Lead will assign to a member) and squad:gandalf (Assigned to Gandalf (Security Officer)) on Mar 12, 2026
Copilot AI review requested due to automatic review settings March 12, 2026 05:22
Contributor

Copilot AI left a comment


Pull request overview

Fixes role extraction in the Web UI’s Auth0 authentication state provider so admin users reliably receive ClaimTypes.Role claims (and therefore see admin-only navigation) when Auth0 emits roles in different formats.

Changes:

  • Updated Auth0AuthenticationStateProvider to extract roles from a custom namespaced claim (comma-separated, JSON array, or single value) and from standard "roles" claims.
  • Added unit tests covering multiple role formats, whitespace/duplicates, and error scenarios.
  • Expanded docs/auth0-setup.md with role setup, Post-Login Action configuration, and troubleshooting steps.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
src/Web/Services/Auth0AuthenticationStateProvider.cs Adds multi-format role extraction + additional logging around claims/roles.
tests/Web.Tests.Unit/Services/Auth0AuthenticationStateProviderTests.cs New unit test coverage for role parsing and edge cases.
tests/Web.Tests.Unit/GlobalUsings.cs Adds Microsoft.Extensions.Logging for the new tests.
docs/auth0-setup.md Documents Auth0 roles + Post-Login Action setup and troubleshooting.


Comment on lines +156 to +162
private static void AddRoleIfNotExists(ClaimsIdentity identity, string role)
{
string trimmedRole = role.Trim();
if (!string.IsNullOrEmpty(trimmedRole) && !identity.HasClaim(ClaimTypes.Role, trimmedRole))
{
identity.AddClaim(new Claim(ClaimTypes.Role, trimmedRole));
}
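Review bot: HasClaim(ClaimTypes.Role, trimmedRole) compares the claim value ordinally, so roles that differ only in case ("Admin" and "admin") are both added as separate role claims, and ClaimsPrincipal.IsInRole is equally case-sensitive. If the Auth0 tenant does not guarantee consistent casing of role names, either normalise trimmedRole before the HasClaim check or compare with StringComparison.OrdinalIgnoreCase, and make sure the Roles values used in [Authorize] and AuthorizeView match the casing that Auth0 emits.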

Copilot AI Mar 12, 2026


AddRoleIfNotExists assumes role is non-null and calls Trim(). When roles are sourced from JsonSerializer.Deserialize<string[]>(...), the array can contain null elements (e.g., ["Admin", null]), which would cause a NullReferenceException during role extraction. Consider treating roles as string? and skipping null/whitespace entries before trimming/adding.

Comment on lines +68 to +72
_logger.LogInformation("User roles extracted: {Roles}", string.Join(", ", finalRoles));
}
else
{
_logger.LogWarning("No roles found for authenticated user. Check Auth0 Post-Login Action configuration.");

Copilot AI Mar 12, 2026


GetAuthenticationStateAsync is called frequently in a Blazor app; logging at Information/Warning on every call (especially the "No roles found" warning) can create significant log noise and may page on normal scenarios (users without roles, misconfigured dev environments). Consider downgrading these to Debug/Trace, or only warning when a roles claim is present but cannot be parsed / is unexpectedly empty.

Suggested change
Current:
_logger.LogInformation("User roles extracted: {Roles}", string.Join(", ", finalRoles));
}
else
{
_logger.LogWarning("No roles found for authenticated user. Check Auth0 Post-Login Action configuration.");
Suggested:
_logger.LogDebug("User roles extracted: {Roles}", string.Join(", ", finalRoles));
}
else
{
_logger.LogDebug("No roles found for authenticated user. Check Auth0 Post-Login Action configuration.");

var result = await _sut.GetAuthenticationStateAsync();

// Assert
result.User.Identity!.IsAuthenticated.Should().BeTrue();

Copilot AI Mar 12, 2026


This test claims invalid JSON is handled gracefully, but it doesn't assert the expected outcome (e.g., that no role claims were added). Adding an assertion that ClaimTypes.Role claims are empty would better lock in the behavior and catch regressions.

Suggested change
Current:
result.User.Identity!.IsAuthenticated.Should().BeTrue();
Suggested:
result.User.Identity!.IsAuthenticated.Should().BeTrue();
result.User.Claims.Where(c => c.Type == ClaimTypes.Role).Should().BeEmpty();

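The role-extraction behaviour the PR description lists (comma-separated string, JSON array, single value) and the edge cases the review raises (null array elements, whitespace and duplicates, invalid JSON producing no role claims) can be shown in one small helper. The following is an added example, not the project's Auth0AuthenticationStateProvider or its tests. The custom claim name "https://example.com/roles" is a placeholder assumption; Auth0 requires custom claims set from an Action to use a namespaced, URL-style name, and the name the Post-Login Action writes must be the one the provider reads. The helper runs on claims the OIDC middleware has already signature-validated; it does not itself establish trust in the token.

```csharp
// Added example (not the project's code): role extraction over Auth0 claims.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;

public static class RoleClaimExtractor
{
    // Assumption: the Post-Login Action writes roles to this namespaced claim.
    public const string CustomRolesClaim = "https://example.com/roles";

    // Parse one raw claim value into zero or more role names. Accepts a JSON
    // array (["Admin","Editor"]), a comma-separated string ("Admin, Editor"),
    // or a single value ("Admin"). Malformed JSON yields no roles instead of
    // throwing; null and whitespace-only entries are skipped; duplicates collapse.
    public static IReadOnlyList<string> ParseRoles(string? rawValue)
    {
        if (string.IsNullOrWhiteSpace(rawValue))
        {
            return Array.Empty<string>();
        }

        string value = rawValue.Trim();
        IEnumerable<string?> candidates;

        if (value.StartsWith('['))
        {
            try
            {
                // Deserialize as string?[] so a null element is handled, not thrown on.
                candidates = JsonSerializer.Deserialize<string?[]>(value) ?? Array.Empty<string?>();
            }
            catch (JsonException)
            {
                // Looks like JSON but is malformed: fail closed with no roles.
                return Array.Empty<string>();
            }
        }
        else
        {
            candidates = value.Split(',', StringSplitOptions.RemoveEmptyEntries);
        }

        return candidates
            .Where(r => !string.IsNullOrWhiteSpace(r))
            .Select(r => r!.Trim())
            .Distinct(StringComparer.Ordinal)
            .ToList();
    }

    // Add a ClaimTypes.Role claim for every role found on the custom namespaced
    // claim and on standard "roles" claims, skipping roles already present.
    // Returns the number of role claims added.
    public static int AddRoleClaims(ClaimsIdentity identity)
    {
        var roles = identity.Claims
            .Where(c => c.Type == CustomRolesClaim || c.Type == "roles")
            .SelectMany(c => ParseRoles(c.Value));

        int added = 0;
        foreach (string role in roles)
        {
            // HasClaim compares the value ordinally, so casing must match what Auth0 emits.
            if (!identity.HasClaim(ClaimTypes.Role, role))
            {
                identity.AddClaim(new Claim(ClaimTypes.Role, role));
                added++;
            }
        }
        return added;
    }

    public static void Main()
    {
        // Constructed inputs: a JSON array with a null element and padded whitespace,
        // a comma-separated list with an empty entry and a duplicate, and malformed JSON.
        var identity = new ClaimsIdentity("Auth0");
        identity.AddClaim(new Claim(CustomRolesClaim, "[\"Admin\", null, \" Editor \"]"));
        identity.AddClaim(new Claim("roles", "Admin, Viewer,,Viewer"));
        identity.AddClaim(new Claim(CustomRolesClaim, "[not valid json"));

        int added = AddRoleClaims(identity);
        var roleClaims = identity.FindAll(ClaimTypes.Role).Select(c => c.Value);

        Console.WriteLine($"Added {added} role claims: {string.Join(", ", roleClaims)}");
        Console.WriteLine($"IsInRole(\"Admin\"): {new ClaimsPrincipal(identity).IsInRole("Admin")}");
    }
}
```

Hiding a menu item in NavMenu is a usability measure, not authorization: the admin pages and any server-side endpoints still need their own role check (AuthorizeView Roles or [Authorize(Roles = "Admin")]), which is satisfied only when a ClaimTypes.Role claim with exactly that value is present on the principal.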
@github-actions

github-actions bot commented Mar 12, 2026

Test Results Summary

  7 files  ± 0   38 suites  ±0   14s ⏱️ -1s
853 tests +13  853 ✅ +13  0 💤 ±0  0 ❌ ±0 
864 runs  +13  864 ✅ +13  0 💤 ±0  0 ❌ ±0 

Results for commit c95a0f1. ± Comparison against base commit dfcc460.

♻️ This comment has been updated with latest results.

@codecov

codecov bot commented Mar 12, 2026

Codecov Report

❌ Patch coverage is 70.24793% with 36 lines in your changes missing coverage. Please review.
✅ Project coverage is 55.52%. Comparing base (dfcc460) to head (c95a0f1).
⚠️ Report is 1 commit behind head on main.

Files with missing lines Patch % Lines
src/Web/Extensions/AuthExtensions.cs 59.49% 12 Missing and 20 partials ⚠️
...c/Web/Services/Auth0AuthenticationStateProvider.cs 95.00% 1 Missing and 1 partial ⚠️
src/Web/Components/Layout/NavMenu.razor 0.00% 0 Missing and 1 partial ⚠️
src/Web/Program.cs 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #110      +/-   ##
==========================================
+ Coverage   54.10%   55.52%   +1.41%     
==========================================
  Files         124      124              
  Lines        2717     2826     +109     
  Branches      287      313      +26     
==========================================
+ Hits         1470     1569      +99     
+ Misses       1032     1027       -5     
- Partials      215      230      +15     
Files with missing lines Coverage Δ
src/Web/Components/User/Profile.razor 0.00% <ø> (ø)
src/Web/Components/Layout/NavMenu.razor 0.00% <0.00%> (ø)
src/Web/Program.cs 0.00% <0.00%> (ø)
...c/Web/Services/Auth0AuthenticationStateProvider.cs 94.54% <95.00%> (+94.54%) ⬆️
src/Web/Extensions/AuthExtensions.cs 65.59% <59.49%> (-34.41%) ⬇️

Scribe and others added 2 commits March 11, 2026 22:32
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Address reviewer feedback from PR #110:
  - Handle null elements in deserialized role arrays (null safety)
  - Downgrade role logging from Info/Warning to Debug (reduce log noise)
  - Add assertion for empty roles on invalid JSON in test
- Fix OnTokenValidated event to extract roles from custom namespace claim
- Update NavMenu to link profile page from greeting
- Clean up Profile page layout and move to /user/profile

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@mpaulosky mpaulosky merged commit 6dcdcbf into main Mar 12, 2026
25 checks passed
@mpaulosky mpaulosky deleted the feature/auth0-role-improvements branch March 12, 2026 06:31

Labels

squad:gandalf Assigned to Gandalf (Security Officer) squad Squad triage inbox — Lead will assign to a member


Development

Successfully merging this pull request may close these issues.

[Sprint 1] Fix Auth0 Role Extraction

2 participants