public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
{
var user = context.HttpContext.User;
var appName = context.RouteData.Values["app"]?.ToString();
if (!string.IsNullOrWhiteSpace(appName))
{
var isFrontend = user.IsInClient(DefaultClients.Frontend);
var app = await appProvider.GetAppAsync(appName, !isFrontend);
if (app == null)
{
var log = context.HttpContext.RequestServices?.GetService <ISemanticLog>();
log?.LogWarning(w => w
.WriteProperty("message", "Cannot find app with the given name.")
.WriteProperty("appId", "404")
.WriteProperty("appName", appName));
context.Result = new NotFoundResult();
return;
}
string?clientId = null;
var(role, permissions) = FindByOpenIdSubject(app, user, isFrontend);
if (permissions == null)
{
(clientId, role, permissions) = FindByOpenIdClient(app, user, isFrontend);
}
if (permissions == null)
{
(clientId, role, permissions) = FindAnonymousClient(app, isFrontend);
}
if (permissions != null)
{
var identity = user.Identities.First();
if (!string.IsNullOrWhiteSpace(role))
{
identity.AddClaim(new Claim(ClaimTypes.Role, role));
}
foreach (var permission in permissions)
{
identity.AddClaim(new Claim(SquidexClaimTypes.Permissions, permission.Id));
}
if (user.Token() == null && clientId != null)
{
identity.AddClaim(new Claim(OpenIdClaims.ClientId, clientId));
}
}
var requestContext = SetContext(context.HttpContext, app);
if (!AllowAnonymous(context) && !HasPermission(appName, requestContext))
{
if (string.IsNullOrWhiteSpace(user.Identity?.AuthenticationType))
{
context.Result = new UnauthorizedResult();
}
else
{
var log = context.HttpContext.RequestServices?.GetService <ISemanticLog>();
log?.LogWarning(w => w
.WriteProperty("message", "Authenticated user has no permission to access the app.")
.WriteProperty("appId", app.Id.ToString())
.WriteProperty("appName", appName));
context.Result = new NotFoundResult();
}
return;
}
context.HttpContext.Features.Set <IAppFeature>(new AppFeature(app));
context.HttpContext.Response.Headers.Add("X-AppId", app.Id.ToString());
}
else
{
SetContext(context.HttpContext, null !);
}
await next();
}
public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
{
var user = context.HttpContext.User;
var appName = context.RouteData.Values["app"]?.ToString();
if (!string.IsNullOrWhiteSpace(appName))
{
var isFrontend = user.IsInClient(DefaultClients.Frontend);
var app = await appProvider.GetAppAsync(appName, !isFrontend);
if (app == null)
{
context.Result = new NotFoundResult();
return;
}
var(role, permissions) = FindByOpenIdSubject(app, user, isFrontend);
if (permissions == null)
{
(role, permissions) = FindByOpenIdClient(app, user, isFrontend);
}
if (permissions == null)
{
(role, permissions) = FindAnonymousClient(app, isFrontend);
}
if (permissions != null)
{
var identity = user.Identities.First();
if (!string.IsNullOrWhiteSpace(role))
{
identity.AddClaim(new Claim(ClaimTypes.Role, role));
}
foreach (var permission in permissions)
{
identity.AddClaim(new Claim(SquidexClaimTypes.Permissions, permission.Id));
}
}
var requestContext = SetContext(context.HttpContext, app);
if (!AllowAnonymous(context) && !HasPermission(appName, requestContext))
{
if (string.IsNullOrWhiteSpace(user.Identity.AuthenticationType))
{
context.Result = new UnauthorizedResult();
}
else
{
context.Result = new NotFoundResult();
}
return;
}
context.HttpContext.Features.Set <IAppFeature>(new AppFeature(app.NamedId()));
context.HttpContext.Response.Headers.Add("X-AppId", app.Id.ToString());
}
else
{
SetContext(context.HttpContext, null !);
}
await next();
}
public async Task Should_return_not_found_if_app_name_is_null(string?app)
{
SetupUser();
actionExecutingContext.RouteData.Values["app"] = app;
await sut.OnActionExecutionAsync(actionExecutingContext, next);
Assert.IsType <NotFoundResult>(actionExecutingContext.Result);
Assert.False(isNextCalled);
A.CallTo(() => appProvider.GetAppAsync(A <string> ._, false, httpContext.RequestAborted))
.MustNotHaveHappened();
}
public async Task Should_return_not_found_if_app_not_found()
{
SetupUser();
A.CallTo(() => appProvider.GetAppAsync(appName, false))
.Returns(Task.FromResult <IAppEntity?>(null));
await sut.OnActionExecutionAsync(actionExecutingContext, next);
Assert.IsType <NotFoundResult>(actionExecutingContext.Result);
Assert.False(isNextCalled);
}