fix: data protection

src/BCards.Web/BCards.Web.csproj

@@ -29,6 +29,7 @@
     <PackageReference Include="Serilog.Sinks.Async" Version="1.5.0" />
     <PackageReference Include="Microsoft.Extensions.Diagnostics.HealthChecks" Version="8.0.0" />
     <PackageReference Include="AspNetCore.HealthChecks.MongoDb" Version="7.0.0" />
+    <PackageReference Include="AspNetCore.DataProtection.MongoDB" Version="8.0.0" />
   </ItemGroup>
 
   <ItemGroup>

src/BCards.Web/Program.cs

@@ -2,6 +2,7 @@ using BCards.Web.Configuration;
 using BCards.Web.Services;
 using BCards.Web.Repositories;
 using BCards.Web.HealthChecks;
+using AspNetCore.DataProtection.MongoDb;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.Google;
 using Microsoft.AspNetCore.Localization;
@@ -19,6 +20,7 @@ using Microsoft.Extensions.Diagnostics.HealthChecks;
 using Serilog.Sinks.OpenSearch;
 using BCards.Web.TestSupport;
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.DataProtection;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -233,6 +235,30 @@ builder.Services.AddScoped(serviceProvider =>
     return client.GetDatabase(settings.DatabaseName);
 });
 
+var dataProtectionSection = builder.Configuration.GetSection("DataProtection:Mongo");
+var dataProtectionConnectionString = dataProtectionSection.GetValue<string>("ConnectionString")
+    ?? builder.Configuration.GetSection("MongoDb").GetValue<string>("ConnectionString");
+var dataProtectionDatabase = dataProtectionSection.GetValue<string>("DatabaseName")
+    ?? builder.Configuration.GetSection("MongoDb").GetValue<string>("DatabaseName")
+    ?? "BCardsDB";
+var dataProtectionCollection = dataProtectionSection.GetValue<string>("CollectionName") ?? "DataProtectionKeys";
+
+if (!string.IsNullOrWhiteSpace(dataProtectionConnectionString))
+{
+    Log.Information("Configuring DataProtection to persist keys in MongoDB database {Database} / collection {Collection}",
+        dataProtectionDatabase, dataProtectionCollection);
+
+    builder.Services.AddDataProtection()
+        .SetApplicationName("BCards")
+        .PersistKeysToMongoDb(
+            () => new MongoClient(dataProtectionConnectionString).GetDatabase(dataProtectionDatabase),
+            dataProtectionCollection);
+}
+else
+{
+    Log.Warning("DataProtection MongoDB configuration missing; encryption keys will be ephemeral per container.");
+}
+
 // Stripe Configuration with validation
 builder.Services.Configure<StripeSettings>(
     builder.Configuration.GetSection("Stripe"));