public async Task <EmployeeRole> FindByIdAsync(string roleId, CancellationToken cancellationToken)
{
return((await roles.FetchEmployeeRole(int.Parse(roleId)).ConfigureAwait(false))
.Ensure(e => e.HasValue, "Role is available")
.OnBoth(e => e.IsFailure
? null
: e.Value.Value));
}
public async Task <IList <string> > GetRolesAsync(Employee user, CancellationToken cancellationToken)
{
var results = await roles.FetchEmployeeRole(user.RoleId)
.Ensure(e => e.HasValue, "Role is available")
.OnSuccess(e => e.Value)
.ConfigureAwait(false);
if (results.IsFailure)
{
return(new List <string>());
}
return(new List <string> {
results.Value.RoleName
});
}
public async Task <IActionResult> SubmitToken([FromQuery] string code, [FromQuery] string response_type, [FromQuery] string state)
{
if (string.IsNullOrWhiteSpace(code) || string.IsNullOrWhiteSpace(response_type) || string.IsNullOrWhiteSpace(state) || !string.Equals(response_type, "code", StringComparison.OrdinalIgnoreCase))
{
return(RedirectToPage("/Index"));
}
var employeeId = await cache.GetStringAsync($"company-square-verify-{state}").ConfigureAwait(false);
if (string.IsNullOrWhiteSpace(employeeId))
{
return(RedirectToPage("/Index"));
}
int rawEmployeeId = -1;
if (!int.TryParse(employeeId, out rawEmployeeId))
{
return(RedirectToPage("/Index"));
}
if (rawEmployeeId == -1)
{
return(RedirectToPage("/Index"));
}
var employee = await employees.FetchEmployee(rawEmployeeId)
.Ensure(e => e.HasValue, "Employee found")
.OnSuccess(e => e.Value)
.ConfigureAwait(false);
if (employee.IsFailure)
{
return(RedirectToPage("/Index"));
}
var role = await roles.FetchEmployeeRole(employee.Value.RoleId)
.Ensure(r => r.HasValue, "Role found")
.OnSuccess(r => r.Value)
.ConfigureAwait(false);
if (role.IsFailure || !role.Value.CanAdministerCompany)
{
return(RedirectToPage("/Index"));
}
var company = await companies.FetchCompany(employee.Value.CompanyId)
.Ensure(c => c.HasValue, "Company found")
.OnSuccess(c => c.Value)
.ConfigureAwait(false);
if (company.IsFailure)
{
return(RedirectToPage("/Index"));
}
var client = new SquareClient.Builder()
.Environment(settings.Connection.SquarePaymentsSandbox ? Square.Environment.Sandbox : Square.Environment.Production)
.Build();
var body = new ObtainTokenRequest(settings.Connection.SquareAppId, settings.Connection.SquareAccessToken, "authorization_code", code);
ObtainTokenResponse response = null;
try
{
response = await client.OAuthApi.ObtainTokenAsync(body).ConfigureAwait(false);
}
catch (Exception)
{
return(RedirectToPage("/Index"));
}
if (response == null)
{
return(RedirectToPage("/Index"));
}
var accessToken = response.AccessToken;
var refreshToken = response.RefreshToken;
var expiresAt = response.ExpiresAt;
var merchantId = response.MerchantId;
DateTime tokenExpiry;
if (!DateTime.TryParse(response.ExpiresAt, out tokenExpiry))
{
return(RedirectToPage("/Index"));
}
var companyId = company.Value.CompanyId;
SynchVenuesWithExternalPaymentProvider(accessToken, company.Value);
accessToken = await EncryptString(accessToken).ConfigureAwait(false);
refreshToken = await EncryptString(refreshToken).ConfigureAwait(false);
return(await companies.UpdateCompany(new CompanyPatch
{
ResourceId = companyId,
ExternalAccessToken = new PatchOperation <string> {
Operation = OperationKind.Update, Value = accessToken
},
ExternalRefreshToken = new PatchOperation <string> {
Operation = OperationKind.Update, Value = refreshToken
},
ExternalAccountId = new PatchOperation <string> {
Operation = OperationKind.Update, Value = merchantId
},
ExternalTokenExpiry = new PatchOperation <DateTime> {
Operation = OperationKind.Update, Value = tokenExpiry
}
}).OnBoth(u => RedirectToPage("/Index")).ConfigureAwait(false));
}
private async Task<AuthorisationResult> EnforceRBACRequirements(AuthContext authContext, Microsoft.AspNetCore.Routing.RouteData routeData)
{
var userType = authContext.UserType;
// Grab the route name via the [ActionName(...)] annotation on a controller method.
// If you don't annotate your methods, or have not configured this route as authenticated, we won't apply any auth restrictions.
var routeName = (string)routeData.Values["action"];
if (routeName == null || !settings.Meta.AuthRequirements.ContainsKey(routeName))
{
return AuthorisationResult.InjectAndContinue;
}
var requirements = settings.Meta.AuthRequirements[routeName];
Maybe<Employee> employee = null;
Maybe<EmployeeRole> employeeRole = null;
Maybe<User> user = null;
if (userType != settings.Meta.AuthRequirements[routeName].UserType && UserType.Any != settings.Meta.AuthRequirements[routeName].UserType)
{
return AuthorisationResult.AbortUnauthorised;
}
if (authContext.AuthToken.HasNoValue)
{
return AuthorisationResult.AbortUnauthorised;
}
var authToken = authContext.AuthToken.Value;
// Depending on the session type, attempt to fetch the equivalent model (User or Employee).
if (userType == UserType.Employee)
{
employee = (await employeeSessions.FetchEmployeeSessionAndEmployeeFromToken(authToken).ConfigureAwait(false))
.OnBoth(x => x.IsSuccess
? x.Value
: Maybe<Employee>.None
);
if (employee.HasNoValue)
{
return AuthorisationResult.AbortUnauthorised;
}
// For employees, their permissions are scoped to an employee role. First we fetch the role.
employeeRole = (await employeeRoles.FetchEmployeeRole(employee.Value.RoleId).ConfigureAwait(false))
.OnBoth(x => x.IsSuccess
? x.Value
: Maybe<EmployeeRole>.None
);
// If the employee role wasn't found but the route didn't require any permissions, we let them through.
if (employeeRole.HasNoValue && RouteRequiresAtLeastOnePermission(requirements))
{
return AuthorisationResult.AbortUnauthorised;
}
// Verify each of the role permissions in turn, if one is missing and the route requires it, deny access.
if (!RoleHasCorrectPermissions(employeeRole.Value, requirements))
{
return AuthorisationResult.AbortUnauthorised;
}
}
else if (userType == UserType.User)
{
user = (await userSessions.FetchUserSessionAndUserFromToken(authToken, (int)authContext.AuthType).ConfigureAwait(false))
.OnBoth(x => x.IsSuccess
? x.Value
: Maybe<User>.None
);
if (user.HasNoValue)
{
return AuthorisationResult.AbortUnauthorised;
}
}
// After verifying the user's permissions, update the context with relevant user data and continue.
authContext.Employee = employee;
authContext.EmployeeRole = employeeRole;
authContext.User = user;
return AuthorisationResult.Continue;
}
