feat(backend): allow suspended users to access some endpoints, add flag scopes

2024-12-11 16:54:06 +01:00 · 2024-12-11 16:54:06 +01:00 · 5cb3faa92b
commit 5cb3faa92b
parent 7f8e72e857
7 changed files with 57 additions and 25 deletions
--- a/Foxnouns.Backend/Middleware/AuthorizationMiddleware.cs
+++ b/Foxnouns.Backend/Middleware/AuthorizationMiddleware.cs
@ -14,6 +14,7 @@
 // along with this program.  If not, see <https://www.gnu.org/licenses/>.
 using Foxnouns.Backend.Database.Models;
 using Foxnouns.Backend.Utils;
+using Microsoft.AspNetCore.Mvc.ViewFeatures;

 namespace Foxnouns.Backend.Middleware;

@ -22,9 +23,11 @@ public class AuthorizationMiddleware : IMiddleware
    public async Task InvokeAsync(HttpContext ctx, RequestDelegate next)
    {
        Endpoint? endpoint = ctx.GetEndpoint();
-        AuthorizeAttribute? attribute = endpoint?.Metadata.GetMetadata<AuthorizeAttribute>();
+        AuthorizeAttribute? authorizeAttribute =
+            endpoint?.Metadata.GetMetadata<AuthorizeAttribute>();
+        LimitAttribute? limitAttribute = endpoint?.Metadata.GetMetadata<LimitAttribute>();

-        if (attribute == null)
+        if (authorizeAttribute == null || authorizeAttribute.Scopes.Length == 0)
        {
            await next(ctx);
            return;
@ -39,24 +42,35 @@ public class AuthorizationMiddleware : IMiddleware
            );
        }

+        // Users who got suspended by a moderator can still access *some* endpoints.
        if (
-            attribute.Scopes.Length > 0
-            && attribute.Scopes.Except(token.Scopes.ExpandScopes()).Any()
+            token.User.Deleted
+            && (limitAttribute?.UsableBySuspendedUsers != true || token.User.DeletedBy == null)
+        )
+        {
+            throw new ApiError.Forbidden("Deleted users cannot access this endpoint.");
+        }
+
+        if (
+            authorizeAttribute.Scopes.Length > 0
+            && authorizeAttribute.Scopes.Except(token.Scopes.ExpandScopes()).Any()
        )
        {
            throw new ApiError.Forbidden(
                "This endpoint requires ungranted scopes.",
-                attribute.Scopes.Except(token.Scopes.ExpandScopes()),
+                authorizeAttribute.Scopes.Except(token.Scopes.ExpandScopes()),
                ErrorCode.MissingScopes
            );
        }

-        if (attribute.RequireAdmin && token.User.Role != UserRole.Admin)
+        if (limitAttribute?.RequireAdmin == true && token.User.Role != UserRole.Admin)
+        {
            throw new ApiError.Forbidden("This endpoint can only be used by admins.");
+        }
+
        if (
-            attribute.RequireModerator
-            && token.User.Role != UserRole.Admin
-            && token.User.Role != UserRole.Moderator
+            limitAttribute?.RequireModerator == true
+            && token.User.Role is not (UserRole.Admin or UserRole.Moderator)
        )
        {
            throw new ApiError.Forbidden("This endpoint can only be used by moderators.");
@ -69,8 +83,13 @@ public class AuthorizationMiddleware : IMiddleware
 [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
 public class AuthorizeAttribute(params string[] scopes) : Attribute
 {
-    public readonly bool RequireAdmin = scopes.Contains(":admin");
-    public readonly bool RequireModerator = scopes.Contains(":moderator");
-
-    public readonly string[] Scopes = scopes.Except([":admin", ":moderator"]).ToArray();
+    public readonly string[] Scopes = scopes.Except([":admin", ":moderator", ":deleted"]).ToArray();
+}
+
+[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
+public class LimitAttribute : Attribute
+{
+    public bool UsableBySuspendedUsers { get; init; }
+    public bool RequireAdmin { get; init; }
+    public bool RequireModerator { get; init; }
 }