User roles

This commit is contained in:
2026-03-10 23:29:13 +02:00
parent b361f46afa
commit e89d971f41
16 changed files with 325 additions and 197 deletions

View File

@@ -53,10 +53,13 @@ public static class AuthEndpoints
new(ClaimTypes.Name, authenticatedUser.Username),
new("username", authenticatedUser.Username),
new("display_name", authenticatedUser.DisplayName),
new("is_admin", authenticatedUser.IsAdmin ? "true" : "false"),
new("scope", "openhours:write")
};
foreach (var role in authenticatedUser.Roles)
{
claims.Add(new Claim(ClaimTypes.Role, role));
}
var token = new JwtSecurityToken(
issuer: options.Issuer,
audience: options.Audience,
@@ -71,7 +74,7 @@ public static class AuthEndpoints
AccessToken = tokenValue,
Username = authenticatedUser.Username,
DisplayName = authenticatedUser.DisplayName,
IsAdmin = authenticatedUser.IsAdmin,
Roles = authenticatedUser.Roles,
TokenType = "Bearer",
ExpiresIn = 43200
});

View File

@@ -2,7 +2,7 @@ public static class LokEndpoints
{
public static void MapLokEndpoints(WebApplication app)
{
var createLokOpenHoursEndpoint = app.MapPost("/lok/open-hours", async (HttpContext httpContext) =>
app.MapPost("/lok/open-hours", async (HttpContext httpContext) =>
{
var lokService = httpContext.RequestServices.GetRequiredService<LokService>();
var openHours = await httpContext.Request.ReadFromJsonAsync<LokOpenHours>();
@@ -33,13 +33,9 @@ public static class LokEndpoints
await httpContext.Response.WriteAsJsonAsync(createdOpenHours);
})
.RequireCors("FrontendWriteCors")
.RequireAuthorization("HasLokRole")
.WithName("CreateLokOpenHours");
if (!app.Environment.IsDevelopment())
{
createLokOpenHoursEndpoint.RequireAuthorization("OpenHoursWrite");
}
app.MapGet("/lok/open-hours", async (HttpContext httpContext) =>
{
var lokService = httpContext.RequestServices.GetRequiredService<LokService>();
@@ -60,7 +56,7 @@ public static class LokEndpoints
.RequireCors("PublicReadCors")
.WithName("GetLokOpenHours");
var deleteLokOpenHoursEndpoint = app.MapDelete("/lok/open-hours/{id:long}", async (HttpContext httpContext, long id) =>
app.MapDelete("/lok/open-hours/{id:long}", async (HttpContext httpContext, long id) =>
{
var lokService = httpContext.RequestServices.GetRequiredService<LokService>();
var deleted = await lokService.DeleteOpenHours(id);
@@ -78,14 +74,10 @@ public static class LokEndpoints
httpContext.Response.StatusCode = StatusCodes.Status204NoContent;
})
.RequireCors("FrontendWriteCors")
.RequireAuthorization("HasLokRole")
.WithName("DeleteLokOpenHours");
if (!app.Environment.IsDevelopment())
{
deleteLokOpenHoursEndpoint.RequireAuthorization("OpenHoursWrite");
}
var updateLokOpenHoursEndpoint = app.MapPut("/lok/open-hours/{id:long}", async (HttpContext httpContext, long id) =>
app.MapPut("/lok/open-hours/{id:long}", async (HttpContext httpContext, long id) =>
{
var lokService = httpContext.RequestServices.GetRequiredService<LokService>();
var openHours = await httpContext.Request.ReadFromJsonAsync<LokOpenHours>();
@@ -125,14 +117,10 @@ public static class LokEndpoints
await httpContext.Response.WriteAsJsonAsync(updatedOpenHours);
})
.RequireCors("FrontendWriteCors")
.RequireAuthorization("HasLokRole")
.WithName("UpdateLokOpenHours");
if (!app.Environment.IsDevelopment())
{
updateLokOpenHoursEndpoint.RequireAuthorization("OpenHoursWrite");
}
var setActiveLokOpenHoursEndpoint = app.MapPut("/lok/open-hours/{id:long}/active", async (HttpContext httpContext, long id) =>
app.MapPut("/lok/open-hours/{id:long}/active", async (HttpContext httpContext, long id) =>
{
var lokService = httpContext.RequestServices.GetRequiredService<LokService>();
var activated = await lokService.SetActiveOpenHours(id);
@@ -154,11 +142,7 @@ public static class LokEndpoints
});
})
.RequireCors("FrontendWriteCors")
.RequireAuthorization("HasLokRole")
.WithName("SetActiveLokOpenHours");
if (!app.Environment.IsDevelopment())
{
setActiveLokOpenHoursEndpoint.RequireAuthorization("OpenHoursWrite");
}
}
}

View File

@@ -11,7 +11,7 @@ public static class UserEndpoints
await httpContext.Response.WriteAsJsonAsync(users);
})
.RequireCors("FrontendWriteCors")
.RequireAuthorization("AdminOnly")
.RequireAuthorization("HasAdminRole")
.WithName("GetUsers");
app.MapPost("/users", async (HttpContext httpContext) =>
@@ -56,7 +56,7 @@ public static class UserEndpoints
}
})
.RequireCors("FrontendWriteCors")
.RequireAuthorization("AdminOnly")
.RequireAuthorization("HasAdminRole")
.WithName("CreateUser");
app.MapPut("/users/{username}", async (HttpContext httpContext, string username) =>
@@ -97,9 +97,9 @@ public static class UserEndpoints
return;
}
var adminCount = await userService.GetAdminCount();
var adminCount = await userService.GetUsersWithRoleCount(AppRoles.Admin);
if (existingUser.IsAdmin && !request.IsAdmin && adminCount <= 1)
if (existingUser.Roles.Contains(AppRoles.Admin) && !request.Roles.Contains(AppRoles.Admin) && adminCount <= 1)
{
httpContext.Response.StatusCode = StatusCodes.Status400BadRequest;
await httpContext.Response.WriteAsJsonAsync(new
@@ -124,7 +124,7 @@ public static class UserEndpoints
await httpContext.Response.WriteAsJsonAsync(updatedUser);
})
.RequireCors("FrontendWriteCors")
.RequireAuthorization("AdminOnly")
.RequireAuthorization("HasAdminRole")
.WithName("UpdateUser");
app.MapDelete("/users/{username}", async (HttpContext httpContext, string username) =>
@@ -154,8 +154,8 @@ public static class UserEndpoints
return;
}
var adminCount = await userService.GetAdminCount();
if (existingUser.IsAdmin && adminCount <= 1)
var adminCount = await userService.GetUsersWithRoleCount(AppRoles.Admin);
if (existingUser.Roles.Contains(AppRoles.Admin) && adminCount <= 1)
{
httpContext.Response.StatusCode = StatusCodes.Status400BadRequest;
await httpContext.Response.WriteAsJsonAsync(new
@@ -180,7 +180,7 @@ public static class UserEndpoints
httpContext.Response.StatusCode = StatusCodes.Status204NoContent;
})
.RequireCors("FrontendWriteCors")
.RequireAuthorization("AdminOnly")
.RequireAuthorization("HasAdminRole")
.WithName("DeleteUser");
}
}