94 lines
3.3 KiB
C#
94 lines
3.3 KiB
C#
// Copyright (C) 2023-present sam/u1f320 (vulpine.solutions)
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published
|
|
// by the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
using Foxnouns.Backend.Database.Models;
|
|
using Foxnouns.Backend.Utils;
|
|
|
|
namespace Foxnouns.Backend.Middleware;
|
|
|
|
public class AuthorizationMiddleware : IMiddleware
|
|
{
|
|
public async Task InvokeAsync(HttpContext ctx, RequestDelegate next)
|
|
{
|
|
Endpoint? endpoint = ctx.GetEndpoint();
|
|
AuthorizeAttribute? authorizeAttribute =
|
|
endpoint?.Metadata.GetMetadata<AuthorizeAttribute>();
|
|
LimitAttribute? limitAttribute = endpoint?.Metadata.GetMetadata<LimitAttribute>();
|
|
|
|
if (authorizeAttribute == null || authorizeAttribute.Scopes.Length == 0)
|
|
{
|
|
await next(ctx);
|
|
return;
|
|
}
|
|
|
|
Token? token = ctx.GetToken();
|
|
if (token == null)
|
|
{
|
|
throw new ApiError.Unauthorized(
|
|
"This endpoint requires an authenticated user.",
|
|
ErrorCode.AuthenticationRequired
|
|
);
|
|
}
|
|
|
|
// Users who got suspended by a moderator can still access *some* endpoints.
|
|
if (
|
|
token.User.Deleted
|
|
&& (limitAttribute?.UsableBySuspendedUsers != true || token.User.DeletedBy == null)
|
|
)
|
|
{
|
|
throw new ApiError.Forbidden("Deleted users cannot access this endpoint.");
|
|
}
|
|
|
|
if (
|
|
authorizeAttribute.Scopes.Length > 0
|
|
&& authorizeAttribute.Scopes.Except(token.Scopes.ExpandScopes()).Any()
|
|
)
|
|
{
|
|
throw new ApiError.Forbidden(
|
|
"This endpoint requires ungranted scopes.",
|
|
authorizeAttribute.Scopes.Except(token.Scopes.ExpandScopes()),
|
|
ErrorCode.MissingScopes
|
|
);
|
|
}
|
|
|
|
if (limitAttribute?.RequireAdmin == true && token.User.Role != UserRole.Admin)
|
|
{
|
|
throw new ApiError.Forbidden("This endpoint can only be used by admins.");
|
|
}
|
|
|
|
if (
|
|
limitAttribute?.RequireModerator == true
|
|
&& token.User.Role is not (UserRole.Admin or UserRole.Moderator)
|
|
)
|
|
{
|
|
throw new ApiError.Forbidden("This endpoint can only be used by moderators.");
|
|
}
|
|
|
|
await next(ctx);
|
|
}
|
|
}
|
|
|
|
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
|
|
public class AuthorizeAttribute(params string[] scopes) : Attribute
|
|
{
|
|
public readonly string[] Scopes = scopes.Except([":admin", ":moderator", ":deleted"]).ToArray();
|
|
}
|
|
|
|
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
|
|
public class LimitAttribute : Attribute
|
|
{
|
|
public bool UsableBySuspendedUsers { get; init; }
|
|
public bool RequireAdmin { get; init; }
|
|
public bool RequireModerator { get; init; }
|
|
}
|