Authorization Behaviour #994

sechabamot · 2023-09-21T06:55:14Z

sechabamot
Sep 21, 2023

Came across an issue (sort off) with the authorization during development.
I was using a valid token for authentication but the token was for a user that was no longer in my database so I could not retrieve the username.

This affected the logging behavior and any other services that required retrieving the username.

Was suggesting an edit to the current code in the current 'AuthorizationBehaviour' class.
I can't be the only one who reuses tokens while testing my applications, this might help I think.

public AuthorizationBehaviour(
    ICurrentUserService currentUserService,
    IIdentityService identityService)
{
    _currentUserService = currentUserService;
    _identityService = identityService;
}

public async Task<TResponse> Handle(TRequest request, RequestHandlerDelegate<TResponse> next, CancellationToken cancellationToken)
{
    var authorizeAttributes = request.GetType().GetCustomAttributes<AuthorizeRequestAttribute>();

    if (authorizeAttributes.Any())
    {
        string userId = _currentUserService.UserId;

        //Must be a currently existing user
        if (!await _identityService.DoesUserExistAsync(userId))
        {
            throw new UnauthorizedAccessException("We are not quite sure who you are, try logging in again or signing-up");
        }

        // Must be an authenticated user
        if (string.IsNullOrEmpty(userId))
        {
            throw new UnauthorizedAccessException();
        }

        // Role-based authorization
        var authorizeAttributesWithRoles = authorizeAttributes.Where(a => !string.IsNullOrWhiteSpace(a.Roles));

        if (authorizeAttributesWithRoles.Any())
        {
            var authorized = false;

            foreach (var roles in authorizeAttributesWithRoles.Select(a => a.Roles.Split(',')))
            {
                foreach (var role in roles)
                {
                    var isInRole = await _identityService.IsInRoleAsync(_currentUserService.UserId, role.Trim());
                    if (isInRole)
                    {
                        authorized = true;
                        break;
                    }
                }
            }

            // Must be a member of at least one role in roles
            if (!authorized)
            {
                throw new ForbiddenAccessException();
            }
        }

        // Policy-based authorization
        var authorizeAttributesWithPolicies = authorizeAttributes.Where(a => !string.IsNullOrWhiteSpace(a.Policy));
       
        if (authorizeAttributesWithPolicies.Any())
        {
            foreach (var policy in authorizeAttributesWithPolicies.Select(a => a.Policy))
            {
                var authorized = await _identityService.AuthorizeAsync(_currentUserService.UserId, policy);

                if (!authorized)
                {
                    throw new ForbiddenAccessException();
                }
            }
        }
    
    }

    // User is authorized / authorization not required
    return await next();
}

`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Authorization Behaviour #994

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 0 comments

Select a reply

Authorization Behaviour #994

sechabamot Sep 21, 2023

Replies: 0 comments

sechabamot
Sep 21, 2023