PAS-554 | Fix Access Denied creating application in different session…

…/window. (#672)
bitwarden · Aug 15, 2024 · 4d08754 · 4d08754
1 parent dda0071
commit 4d08754
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 24 deletions.
diff --git a/src/AdminConsole/Authorization/CustomClaimTypes.cs b/src/AdminConsole/Authorization/CustomClaimTypes.cs
@@ -3,5 +3,4 @@ namespace Passwordless.AdminConsole.Authorization;
 public static class CustomClaimTypes
 {
     public const string OrgId = "OrgId";
-    public const string AppId = "AppId";
 }
diff --git a/src/AdminConsole/Authorization/HasAppHandler.cs b/src/AdminConsole/Authorization/HasAppHandler.cs
@@ -1,10 +1,19 @@
 using Microsoft.AspNetCore.Authorization;
+using Passwordless.AdminConsole.Db;
+using Passwordless.AdminConsole.Helpers;
 using Passwordless.AdminConsole.Middleware;
 
 namespace Passwordless.AdminConsole.Authorization;
 
 public class HasAppHandler : AuthorizationHandler<HasAppRoleRequirement>
 {
+    private readonly ConsoleDbContext _dbContext;
+
+    public HasAppHandler(ConsoleDbContext dbContext)
+    {
+        _dbContext = dbContext;
+    }
+
     protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, HasAppRoleRequirement requirement)
     {
         if (HasAppInTenant(context))
@@ -22,15 +31,21 @@ private bool HasAppInTenant(AuthorizationHandlerContext context)
             return false;
         }
 
-        // get app
-        var gotApp = httpContext.GetRouteData().Values.TryGetValue(RouteParameters.AppId, out var app);
-        if (!gotApp)
+        var organizationId = httpContext.User.GetOrgId();
+
+        if (!organizationId.HasValue)
+        {
+            return false;
+        }
+
+        var hasAppId = httpContext.GetRouteData().Values.TryGetValue(RouteParameters.AppId, out var appIdObj);
+        if (!hasAppId)
         {
             return false;
         }
 
-        string appId = app.ToString();
+        var appId = appIdObj!.ToString();
 
-        return context.User.HasClaim(c => c.Type == CustomClaimTypes.AppId && c.Value == appId);
+        return _dbContext.Applications.Any(x => x.OrganizationId == organizationId.Value && x.Id == appId);
     }
 }
diff --git a/src/AdminConsole/Services/CustomUserClaimsPrincipalFactory.cs b/src/AdminConsole/Services/CustomUserClaimsPrincipalFactory.cs
@@ -1,40 +1,25 @@
 using System.Security.Claims;
 using Microsoft.AspNetCore.Identity;
-using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Options;
-using Passwordless.AdminConsole.Db;
+using Passwordless.AdminConsole.Authorization;
 using Passwordless.AdminConsole.Identity;
 
 namespace Passwordless.AdminConsole.Services;
 
 public class CustomUserClaimsPrincipalFactory : UserClaimsPrincipalFactory<ConsoleAdmin>
 {
-    private readonly ConsoleDbContext _db;
-
     public CustomUserClaimsPrincipalFactory(
         UserManager<ConsoleAdmin> userManager,
-        IOptions<IdentityOptions> optionsAccessor,
-        ConsoleDbContext db
+        IOptions<IdentityOptions> optionsAccessor
     )
         : base(userManager, optionsAccessor)
     {
-        _db = db;
     }
 
     protected override async Task<ClaimsIdentity> GenerateClaimsAsync(ConsoleAdmin user)
     {
         ClaimsIdentity identity = await base.GenerateClaimsAsync(user);
-        identity.AddClaim(new Claim("OrgId", user.OrganizationId.ToString()));
-
-        // add apps
-        List<string> apps = await _db.Applications.Where(a => a.OrganizationId == user.OrganizationId)
-            .Select(a => a.Id).ToListAsync();
-
-        foreach (var appId in apps)
-        {
-            identity.AddClaim(new Claim("AppId", appId));
-        }
-
+        identity.AddClaim(new Claim(CustomClaimTypes.OrgId, user.OrganizationId.ToString()));
         return identity;
     }
 }