From c7a60a1fad626ba8c1783a4c3b3b49d379b10737 Mon Sep 17 00:00:00 2001
From: Scott Pouliot
Date: Tue, 5 May 2026 21:54:37 -0400
Subject: [PATCH] Use Azure Blob Storage for Data Protection keys on non-local deployments

When Storage:ConnectionString is configured (dev/staging servers), store Data Protection keys in Azure Blob Storage (dataprotection-dev/keys.xml) instead of the local filesystem. Local developer workstations without a storage connection string continue to use the filesystem fallback.

Fixes UnauthorizedAccessException on the dev IIS server caused by the app pool identity not having permission to create the DataProtection-Keys directory after it was wiped during a deploy.

Co-Authored-By: Claude Sonnet 4.6
---
 src/PowderCoating.Web/Program.cs | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/src/PowderCoating.Web/Program.cs b/src/PowderCoating.Web/Program.cs
index e1d07b5..e22e310 100644
--- a/src/PowderCoating.Web/Program.cs
+++ b/src/PowderCoating.Web/Program.cs
@@ -147,10 +147,22 @@ if (builder.Environment.IsProduction())
 }
 else
 {
-    var keysPath = Path.Combine(builder.Environment.ContentRootPath, "DataProtection-Keys");
-    builder.Services.AddDataProtection()
-        .PersistKeysToFileSystem(new DirectoryInfo(keysPath))
-        .SetApplicationName("PowderCoatingApp");
+    // Use Azure Blob Storage when the connection string is available (dev/staging servers).
+    // Fall back to local filesystem for developer workstations where storage isn't configured.
+    var devStorageConnStr = builder.Configuration["Storage:ConnectionString"];
+    if (!string.IsNullOrEmpty(devStorageConnStr))
+    {
+        builder.Services.AddDataProtection()
+            .PersistKeysToAzureBlobStorage(devStorageConnStr, "dataprotection-dev", "keys.xml")
+            .SetApplicationName("PowderCoatingApp");
+    }
+    else
+    {
+        var keysPath = Path.Combine(builder.Environment.ContentRootPath, "DataProtection-Keys");
+        builder.Services.AddDataProtection()
+            .PersistKeysToFileSystem(new DirectoryInfo(keysPath))
+            .SetApplicationName("PowderCoatingApp");
+    }
 }
 
 // Configure Identity
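Review bot: The key ring written to `dataprotection-dev/keys.xml` by the new `PersistKeysToAzureBlobStorage` call has no XML encryptor chained after it, so the Data Protection master keys are stored in the blob in plaintext and anyone with read access to that container — including anyone holding `Storage:ConnectionString`, which carries the account key — can unprotect or forge the cookies and antiforgery tokens of every site using this ring; the framework logs "No XML encryptor configured" at startup in exactly this situation (the removed filesystem branch had the same gap, but blob storage widens who can reach the file). Add `.ProtectKeysWithAzureKeyVault(new Uri(builder.Configuration["<key-vault-key-id setting>"]!), credential)` (or `.ProtectKeysWithCertificate(...)`) to the chain, and prefer the `Uri` + `TokenCredential` overload of `PersistKeysToAzureBlobStorage` with a managed identity over embedding the account key in configuration. As far as I know the blob provider does not create the container, so `dataprotection-dev` must exist before first start or the deploy will fail at key creation much like the directory-permission error this patch fixes. Because dev and staging both fall into this `else` branch with the same container, blob name and application name, they will share a single key ring whenever they share the storage account, so a token issued by one environment is valid on the other; the production branch of the enclosing `if` is outside the hunk.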