Store Data Protection keys in SQL Server (non-production)

Replaces the local filesystem path (which required IIS app pool write
access to inetpub\wwwroot\DataProtection-Keys) with SQL Server storage
via IDataProtectionKeyContext. Keys now survive deploys and IIS recycles
without any server-side folder permission setup.

Production continues to use Azure Blob Storage unchanged.

- Add Microsoft.AspNetCore.DataProtection.EntityFrameworkCore 8.0.11 to
  Web and Infrastructure projects
- ApplicationDbContext implements IDataProtectionKeyContext
- Migration AddDataProtectionKeys creates DataProtectionKeys table
- Program.cs: non-production path uses PersistKeysToDbContext

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/PowderCoating.Infrastructure/Data/ApplicationDbContext.cs

@@ -1,3 +1,4 @@
+using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore;
@@ -25,7 +26,7 @@ namespace PowderCoating.Infrastructure.Data;
 /// to repository methods) — reserved for SuperAdmin operations and document-number generation.
 /// </para>
 /// </summary>
-public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
+public class ApplicationDbContext : IdentityDbContext<ApplicationUser>, IDataProtectionKeyContext
 {
     private readonly IHttpContextAccessor? _httpContextAccessor;
     private readonly IServiceProvider? _serviceProvider;
@@ -371,6 +372,12 @@ public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
     /// </summary>
     public DbSet<PlatformSetting> PlatformSettings { get; set; }
 
+    /// <summary>
+    /// ASP.NET Core Data Protection key ring — required by <see cref="IDataProtectionKeyContext"/>.
+    /// Keys stored here survive deploys and IIS app pool recycles.
+    /// </summary>
+    public DbSet<DataProtectionKey> DataProtectionKeys { get; set; }
+
     /// <summary>
     /// IP address ban list. Login attempts from a matching active entry are rejected
     /// before Identity even checks credentials. No tenant filter; SuperAdmin-managed only.

src/PowderCoating.Infrastructure/Migrations/20260506020726_AddDataProtectionKeys.cs

@@ -0,0 +1,78 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace PowderCoating.Infrastructure.Migrations
+{
+    /// <inheritdoc />
+    public partial class AddDataProtectionKeys : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.CreateTable(
+                name: "DataProtectionKeys",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "int", nullable: false)
+                        .Annotation("SqlServer:Identity", "1, 1"),
+                    FriendlyName = table.Column<string>(type: "nvarchar(max)", nullable: true),
+                    Xml = table.Column<string>(type: "nvarchar(max)", nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_DataProtectionKeys", x => x.Id);
+                });
+
+            migrationBuilder.UpdateData(
+                table: "PricingTiers",
+                keyColumn: "Id",
+                keyValue: 1,
+                column: "CreatedAt",
+                value: new DateTime(2026, 5, 6, 2, 7, 22, 625, DateTimeKind.Utc).AddTicks(2199));
+
+            migrationBuilder.UpdateData(
+                table: "PricingTiers",
+                keyColumn: "Id",
+                keyValue: 2,
+                column: "CreatedAt",
+                value: new DateTime(2026, 5, 6, 2, 7, 22, 625, DateTimeKind.Utc).AddTicks(2206));
+
+            migrationBuilder.UpdateData(
+                table: "PricingTiers",
+                keyColumn: "Id",
+                keyValue: 3,
+                column: "CreatedAt",
+                value: new DateTime(2026, 5, 6, 2, 7, 22, 625, DateTimeKind.Utc).AddTicks(2208));
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropTable(
+                name: "DataProtectionKeys");
+
+            migrationBuilder.UpdateData(
+                table: "PricingTiers",
+                keyColumn: "Id",
+                keyValue: 1,
+                column: "CreatedAt",
+                value: new DateTime(2026, 5, 5, 23, 10, 14, 763, DateTimeKind.Utc).AddTicks(8603));
+
+            migrationBuilder.UpdateData(
+                table: "PricingTiers",
+                keyColumn: "Id",
+                keyValue: 2,
+                column: "CreatedAt",
+                value: new DateTime(2026, 5, 5, 23, 10, 14, 763, DateTimeKind.Utc).AddTicks(8610));
+
+            migrationBuilder.UpdateData(
+                table: "PricingTiers",
+                keyColumn: "Id",
+                keyValue: 3,
+                column: "CreatedAt",
+                value: new DateTime(2026, 5, 5, 23, 10, 14, 763, DateTimeKind.Utc).AddTicks(8612));
+        }
+    }
+}

src/PowderCoating.Infrastructure/Migrations/ApplicationDbContextModelSnapshot.cs

@@ -22,6 +22,25 @@ namespace PowderCoating.Infrastructure.Migrations
 
             SqlServerModelBuilderExtensions.UseIdentityColumns(modelBuilder);
 
+            modelBuilder.Entity("Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.DataProtectionKey", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("int");
+
+                    SqlServerPropertyBuilderExtensions.UseIdentityColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("FriendlyName")
+                        .HasColumnType("nvarchar(max)");
+
+                    b.Property<string>("Xml")
+                        .HasColumnType("nvarchar(max)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("DataProtectionKeys");
+                });
+
             modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRole", b =>
                 {
                     b.Property<string>("Id")
@@ -6034,7 +6053,7 @@ namespace PowderCoating.Infrastructure.Migrations
                         {
                             Id = 1,
                             CompanyId = 0,
-                            CreatedAt = new DateTime(2026, 5, 5, 23, 10, 14, 763, DateTimeKind.Utc).AddTicks(8603),
+                            CreatedAt = new DateTime(2026, 5, 6, 2, 7, 22, 625, DateTimeKind.Utc).AddTicks(2199),
                             Description = "Standard pricing for regular customers",
                             DiscountPercent = 0m,
                             IsActive = true,
@@ -6045,7 +6064,7 @@ namespace PowderCoating.Infrastructure.Migrations
                         {
                             Id = 2,
                             CompanyId = 0,
-                            CreatedAt = new DateTime(2026, 5, 5, 23, 10, 14, 763, DateTimeKind.Utc).AddTicks(8610),
+                            CreatedAt = new DateTime(2026, 5, 6, 2, 7, 22, 625, DateTimeKind.Utc).AddTicks(2206),
                             Description = "5% discount for preferred customers",
                             DiscountPercent = 5m,
                             IsActive = true,
@@ -6056,7 +6075,7 @@ namespace PowderCoating.Infrastructure.Migrations
                         {
                             Id = 3,
                             CompanyId = 0,
-                            CreatedAt = new DateTime(2026, 5, 5, 23, 10, 14, 763, DateTimeKind.Utc).AddTicks(8612),
+                            CreatedAt = new DateTime(2026, 5, 6, 2, 7, 22, 625, DateTimeKind.Utc).AddTicks(2208),
                             Description = "10% discount for premium customers",
                             DiscountPercent = 10m,
                             IsActive = true,

src/PowderCoating.Infrastructure/PowderCoating.Infrastructure.csproj

@@ -9,6 +9,7 @@
   <ItemGroup>
     <PackageReference Include="Anthropic.SDK" Version="4.0.0" />
     <PackageReference Include="CsvHelper" Version="33.1.0" />
+    <PackageReference Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="8.0.11" />
     <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.11" />
     <PackageReference Include="Microsoft.EntityFrameworkCore" Version="8.0.11" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.11" />

src/PowderCoating.Web/PowderCoating.Web.csproj

@@ -21,6 +21,7 @@
     <PackageReference Include="Fido2" Version="4.0.1" />
     <PackageReference Include="Fido2.AspNet" Version="4.0.1" />
     <PackageReference Include="Markdig" Version="0.40.0" />
+    <PackageReference Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="8.0.11" />
     <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="8.0.11" />
     <PackageReference Include="Microsoft.AspNetCore.Identity.UI" Version="8.0.11" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="8.0.11">

src/PowderCoating.Web/Program.cs

@@ -1,5 +1,6 @@
 using System.Threading.RateLimiting;
 using Microsoft.AspNetCore.DataProtection;
+using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore;
 using Microsoft.AspNetCore.RateLimiting;
 using Microsoft.AspNetCore.HttpOverrides;
 using Microsoft.AspNetCore.Identity;
@@ -147,23 +148,12 @@ if (builder.Environment.IsProduction())
 }
 else
 {
-    // Use Azure Blob Storage when the connection string is available (dev/staging servers).
+    // Non-production: store keys in SQL Server so they survive deploys and IIS app pool recycles
-    // Fall back to local filesystem for developer workstations where storage isn't configured.
+    // without needing filesystem write permissions on the web root.
-    var devStorageConnStr = builder.Configuration["Storage:ConnectionString"];
-    if (!string.IsNullOrEmpty(devStorageConnStr))
-    {
     builder.Services.AddDataProtection()
-            .PersistKeysToAzureBlobStorage(devStorageConnStr, "dataprotection-dev", "keys.xml")
+        .PersistKeysToDbContext<ApplicationDbContext>()
         .SetApplicationName("PowderCoatingApp");
 }
-    else
-    {
-        var keysPath = Path.Combine(builder.Environment.ContentRootPath, "DataProtection-Keys");
-        builder.Services.AddDataProtection()
-            .PersistKeysToFileSystem(new DirectoryInfo(keysPath))
-            .SetApplicationName("PowderCoatingApp");
-    }
-}
 
 // Configure Identity
 builder.Services.AddIdentity<ApplicationUser, IdentityRole>(options =>