Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/CodexaCP/DG_BACK/llms.txt

Use this file to discover all available pages before exploring further.

Dragon Guard follows the standard ASP.NET Core configuration model. All settings are read from appsettings.json, with environment-specific overrides layered on top from appsettings.{Environment}.json (e.g. appsettings.Development.json). Any key can also be supplied as an environment variable using the double-underscore separator convention (ConnectionStrings__WmsDb, Jwt__Key, etc.), which makes the API straightforward to configure in Docker, Kubernetes, or any CI/CD pipeline without touching files on disk.

Connection Strings

ConnectionStrings:WmsDb
string
required
The ADO.NET / EF Core connection string for the SQL Server database that backs all WMS data. This value is passed directly to UseSqlServer(...) and also used by IDbConnectionFactory (Dapper). The API will fail to start if the database cannot be reached, because EF Core migrations are applied synchronously before the HTTP server opens.
"ConnectionStrings": {
  "WmsDb": "Server=.\\SQLEXPRESS;Database=Handheld_Core_Dev;Trusted_Connection=True;TrustServerCertificate=True;Encrypt=False;Connect Timeout=10"
}

JWT Authentication

All four JWT keys are required. The startup code reads Jwt:Key first and throws an InvalidOperationException immediately if it is absent, so misconfiguration surfaces as a clear startup error rather than a silent runtime failure.
Jwt:Key
string
required
The HMAC SHA-256 signing key used to issue and validate all JWT Bearer tokens. Must be kept secret — treat it like a password. A minimum of 32 characters is recommended to satisfy HMAC-SHA256 key-length requirements.
"Jwt": {
  "Key": "YOUR_SECRET_KEY_AT_LEAST_32_CHARACTERS_LONG"
}
Never commit a real Jwt:Key value to source control. Rotate it immediately if it is ever exposed. Use environment variables, a secrets manager (e.g. Azure Key Vault, AWS Secrets Manager), or the .NET user-secrets store (dotnet user-secrets set "Jwt:Key" "...") for local development.
Jwt:Issuer
string
required
The iss claim written into every token and validated on every authenticated request. Must match exactly between the issuing server and any consumer that validates tokens directly. Defaults to "wms-api" in the shipped configuration.
"Jwt": {
  "Issuer": "wms-api"
}
Jwt:Audience
string
required
The aud claim written into every token. Identifies the intended recipient of the token — typically the web or handheld client. Defaults to "wms-client" in the shipped configuration.
"Jwt": {
  "Audience": "wms-client"
}
Jwt:ExpiresInMinutes
integer
required
Token lifetime in minutes from the moment of issuance. After this period the token is rejected by the ValidateLifetime check in the JWT middleware and the client must re-authenticate. The shipped default is 60 minutes.
"Jwt": {
  "ExpiresInMinutes": 60
}

ERP Integration

GrupoMasLegacy:WebConfigPath
string
Absolute path to the legacy Grupo MAS web.config file on the host machine. The GrupoMasNativeHttpClient reads ERP connection parameters from this file when native Grupo MAS integration is enabled and no database-stored configuration is found. This is a fallback path intended for migration scenarios where the ERP configuration has not yet been moved into the WMS database.
"GrupoMasLegacy": {
  "WebConfigPath": "C:\\path\\to\\legacy\\Interfaz\\web.config"
}
If you are not using the Grupo MAS native integration, this key can be omitted. The legacy reader is only invoked when a Grupo MAS tenant resolver falls back to file-based config.

Environment-Specific Overrides

appsettings.Development.json is layered on top of appsettings.json when ASPNETCORE_ENVIRONMENT=Development (the default for dotnet run). It follows the same key structure and overrides only the values it explicitly declares — all other keys fall back to appsettings.json. The shipped appsettings.Development.json overrides the log levels and restores the GrupoMasLegacy:WebConfigPath to a developer-local path:
appsettings.Development.json
{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "GrupoMasLegacy": {
    "WebConfigPath": "C:\\Users\\Tony\\Documents\\GitHub\\MASACCOUNT\\Interfaz\\web.config"
  }
}
Environment-specific files are the right place to put developer-local database connection strings and JWT keys without touching the shared appsettings.json. Add appsettings.Development.json to .gitignore if it contains real secrets.

Data Protection Keys

Dragon Guard uses ASP.NET Core Data Protection for internal cryptographic operations (such as protecting cookies or sensitive payloads). Keys are persisted to the file system so they survive application restarts:
builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(
        new DirectoryInfo(Path.Combine(builder.Environment.ContentRootPath, "DataProtectionKeys"))
    );
The key ring is written to the DataProtectionKeys/ directory inside the application content root (the project folder when running with dotnet run). Ensure this directory is not deployed to source control — add it to .gitignore — and that the process has write permission to it at runtime.
In containerised or ephemeral deployments, mount DataProtectionKeys/ as a persistent volume or switch to a shared key store (e.g. PersistKeysToAzureBlobStorage or PersistKeysToDbContext) so that keys are not lost on container restart.

CORS

The AllowAngular CORS policy registered in Program.cs currently permits any origin, any header, and any method:
policy.AllowAnyOrigin()
      .AllowAnyHeader()
      .AllowAnyMethod();
This permissive policy is intentional for local development and handheld device testing, where the requesting origin changes frequently. The policy is applied before UseAuthentication and UseAuthorization in the middleware pipeline.
AllowAnyOrigin must not be used in production. Replace it with an explicit allow-list of trusted origins (your Angular front-end domain, handheld device management portal, etc.) before deploying to a shared or customer-facing environment.

Build docs developers (and LLMs) love