From 5d1c104cae1275cf72be3a6553e8288406e6ea4f Mon Sep 17 00:00:00 2001
From: Jonas Hendrickx
Date: Thu, 15 Aug 2024 15:59:05 +0200
Subject: [PATCH] PAS-554 | Fix Access Denied creating application in different session/window.
---
 .../Authorization/CustomClaimTypes.cs | 1 -
 .../Authorization/HasAppHandler.cs | 25 +++++++++++++++----
 .../CustomUserClaimsPrincipalFactory.cs | 21 +++------------
 3 files changed, 23 insertions(+), 24 deletions(-)
diff --git a/src/AdminConsole/Authorization/CustomClaimTypes.cs b/src/AdminConsole/Authorization/CustomClaimTypes.cs
index c13541a66..c7b73d33b 100644
--- a/src/AdminConsole/Authorization/CustomClaimTypes.cs
+++ b/src/AdminConsole/Authorization/CustomClaimTypes.cs
@@ -3,5 +3,4 @@ namespace Passwordless.AdminConsole.Authorization;
 public static class CustomClaimTypes
 {
 public const string OrgId = "OrgId";
- public const string AppId = "AppId";
 }
\ No newline at end of file
diff --git a/src/AdminConsole/Authorization/HasAppHandler.cs b/src/AdminConsole/Authorization/HasAppHandler.cs
index 8c67005b6..304f7aa4a 100644
--- a/src/AdminConsole/Authorization/HasAppHandler.cs
+++ b/src/AdminConsole/Authorization/HasAppHandler.cs
@@ -1,10 +1,19 @@
 using Microsoft.AspNetCore.Authorization;
+using Passwordless.AdminConsole.Db;
+using Passwordless.AdminConsole.Helpers;
 using Passwordless.AdminConsole.Middleware;
 namespace Passwordless.AdminConsole.Authorization;
 public class HasAppHandler : AuthorizationHandler
 {
+ private readonly ConsoleDbContext _dbContext;
+ public HasAppHandler(ConsoleDbContext dbContext)
+ {
+ _dbContext = dbContext;
+ }
+
 protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, HasAppRoleRequirement requirement)
 {
 if (HasAppInTenant(context))
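Review bot: HasAppHandler now takes ConsoleDbContext through its constructor, but the DI registration is not part of this patch; if the handler is registered as a singleton (the usual lifetime for IAuthorizationHandler in ASP.NET Core samples), a scoped DbContext injected here is either rejected by scope validation at startup or captured for the lifetime of the process and shared across concurrent requests, which DbContext does not support. Either register the handler as scoped alongside this change, or inject `IDbContextFactory<ConsoleDbContext>` and create a short-lived context per evaluation. A one-line comment on the new field would make the intended lifetime explicit: `// Scoped: the handler must be registered with the same lifetime as ConsoleDbContext.`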
@@ -22,15 +31,21 @@ private bool HasAppInTenant(AuthorizationHandlerContext context)
 return false;
 }
- // get app
- var gotApp = httpContext.GetRouteData().Values.TryGetValue(RouteParameters.AppId, out var app);
- if (!gotApp)
+ var organizationId = httpContext.User.GetOrgId();
+
+ if (!organizationId.HasValue)
+ {
+ return false;
+ }
+
+ var hasAppId = httpContext.GetRouteData().Values.TryGetValue(RouteParameters.AppId, out var appIdObj);
+ if (!hasAppId)
 {
 return false;
 }
- string appId = app.ToString();
+ var appId = appIdObj!.ToString();
- return context.User.HasClaim(c => c.Type == CustomClaimTypes.AppId && c.Value == appId);
+ return _dbContext.Applications.Any(x => x.OrganizationId == organizationId.Value && x.Id == appId);
 }
 }
\ No newline at end of file
diff --git a/src/AdminConsole/Services/CustomUserClaimsPrincipalFactory.cs b/src/AdminConsole/Services/CustomUserClaimsPrincipalFactory.cs
index 2fd51228e..8f0bb9529 100644
--- a/src/AdminConsole/Services/CustomUserClaimsPrincipalFactory.cs
+++ b/src/AdminConsole/Services/CustomUserClaimsPrincipalFactory.cs
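Review bot: The new authorization check on the last added line runs a synchronous EF query (`_dbContext.Applications.Any(...)`) from inside a handler whose HandleRequirementAsync already returns a Task, so every request to an app route blocks a thread-pool thread on the database when it could simply be awaited. That would be `private async Task<bool> HasAppInTenantAsync(AuthorizationHandlerContext context)`, `return await _dbContext.Applications.AnyAsync(x => x.OrganizationId == organizationId.Value && x.Id == appId, httpContext.RequestAborted);` (plus `using Microsoft.EntityFrameworkCore;`), and `if (await HasAppInTenantAsync(context))` in HandleRequirementAsync, whose body lies outside this hunk; HasAppInTenant itself starts above the hunk. Checking the database per request instead of trusting claims issued at sign-in is what makes an app created in another session visible here, and it also means a deleted app is denied immediately rather than at the next sign-in, which is worth recording in a comment above the query: `// Authoritative check against the database so app membership is current across sessions instead of frozen into the sign-in cookie.`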
@@ -1,40 +1,25 @@
 using System.Security.Claims;
 using Microsoft.AspNetCore.Identity;
-using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Options;
-using Passwordless.AdminConsole.Db;
+using Passwordless.AdminConsole.Authorization;
 using Passwordless.AdminConsole.Identity;
 namespace Passwordless.AdminConsole.Services;
 public class CustomUserClaimsPrincipalFactory : UserClaimsPrincipalFactory
 {
- private readonly ConsoleDbContext _db;
-
 public CustomUserClaimsPrincipalFactory(
 UserManager userManager,
- IOptions optionsAccessor,
- ConsoleDbContext db
+ IOptions optionsAccessor
 ) : base(userManager, optionsAccessor)
 {
- _db = db;
 }
 protected override async Task GenerateClaimsAsync(ConsoleAdmin user)
 {
 ClaimsIdentity identity = await base.GenerateClaimsAsync(user);
- identity.AddClaim(new Claim("OrgId", user.OrganizationId.ToString()));
-
- // add apps
- List apps = await _db.Applications.Where(a => a.OrganizationId == user.OrganizationId)
- .Select(a => a.Id).ToListAsync();
-
- foreach (var appId in apps)
- {
- identity.AddClaim(new Claim("AppId", appId));
- }
-
+ identity.AddClaim(new Claim(CustomClaimTypes.OrgId, user.OrganizationId.ToString()));
 return identity;
 }
 }
\ No newline at end of file
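Review bot: GenerateClaimsAsync no longer emits AppId claims, but nothing in the code records that this is deliberate, so a later change could reintroduce them and silently bring back the stale-session behaviour this patch removes. A short comment above the remaining AddClaim would preserve the reasoning: `// Only the organization is carried as a claim; app membership is resolved against the database per request by HasAppHandler, so it stays current across sessions.` The OrgId claim itself is presumably still fixed when the principal is created, so a user moved to another organization would keep the old value until they re-authenticate; if that is acceptable it deserves the same note.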