Added a check that verifies that a id is in the database on authorized API calls

Author: Oyvind Timian Dokk Husveg

exercise.wwwapi/Authorization/Attributes/UserExistsAttribute.cs

@@ -0,0 +1,14 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace exercise.wwwapi.Authorization.Attributes
+{
+    /// <summary>
+    /// Requires authentication and validates that the user exists in the database
+    /// </summary>
+    public class AuthorizeUserExistsAttribute : AuthorizeAttribute
+    {
+        public AuthorizeUserExistsAttribute() : base("UserExists")
+        {
+        }
+    }
+}

exercise.wwwapi/Authorization/CustomAuthorizationResultHandler.cs

@@ -0,0 +1,31 @@
+using exercise.wwwapi.DTOs;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization.Policy;
+
+namespace exercise.wwwapi.Authorization
+{
+    public class CustomAuthorizationResultHandler : IAuthorizationMiddlewareResultHandler
+    {
+        private readonly AuthorizationMiddlewareResultHandler _defaultHandler = new();
+
+        public async Task HandleAsync(
+            RequestDelegate next,
+            HttpContext context,
+            AuthorizationPolicy policy,
+            PolicyAuthorizationResult authorizeResult)
+        {
+            if (!authorizeResult.Succeeded)
+            {
+                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+                await context.Response.WriteAsJsonAsync(new ResponseDTO<Object>()
+                {
+                    Message = "Authorization failed"
+                });
+                return;
+            }
+
+            await _defaultHandler.HandleAsync(next, context, policy, authorizeResult);
+        }
+    }
+
+}

exercise.wwwapi/Authorization/Extensions/AuthorizationServiceExtensions.cs

@@ -0,0 +1,30 @@
+using exercise.wwwapi.Authorization.Handlers;
+using exercise.wwwapi.Authorization.Requirements;
+using Microsoft.AspNetCore.Authorization;
+
+namespace exercise.wwwapi.Authorization.Extensions
+{
+    public static class AuthorizationServiceExtensions
+    {
+        public static IServiceCollection AddCustomAuthorization(this IServiceCollection services)
+        {
+            services.AddAuthorization(options =>
+            {
+                // Create policy that requires user to exist in database
+                options.AddPolicy("UserExists", policy =>
+                {
+                    policy.RequireAuthenticatedUser();
+                    policy.AddRequirements(new UserExistsRequirement());
+                });
+
+                // Make this the default policy [Authorize]
+                options.DefaultPolicy = options.GetPolicy("UserExists")!;
+            });
+
+            // Register the handlers
+            services.AddScoped<IAuthorizationHandler, UserExistsHandler>();
+
+            return services;
+        }
+    }
+}

exercise.wwwapi/Authorization/Handlers/UserExistsHandler.cs

@@ -0,0 +1,66 @@
+using exercise.wwwapi.Authorization.Requirements;
+using exercise.wwwapi.Data;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.EntityFrameworkCore;
+using System.Security.Claims;
+
+namespace exercise.wwwapi.Authorization.Handlers
+{
+    public class UserExistsHandler : AuthorizationHandler<UserExistsRequirement>
+    {
+        private readonly IServiceProvider _serviceProvider;
+        private readonly ILogger<UserExistsHandler> _logger;
+
+        public UserExistsHandler(IServiceProvider serviceProvider, ILogger<UserExistsHandler> logger)
+        {
+            _serviceProvider = serviceProvider;
+            _logger = logger;
+        }
+
+        protected override async Task HandleRequirementAsync(
+            AuthorizationHandlerContext context,
+            UserExistsRequirement requirement)
+        {
+            //_logger.LogWarning("Starting user existence validation for authorization");
+
+            //var claims = context.User.Claims.Select(c => $"{c.Type}: {c.Value}").ToList();
+            //_logger.LogWarning("Available claims in token: {Claims}", string.Join(", ", claims));
+
+            // Get user ID from claims
+            var userIdClaim = context.User.FindFirst(ClaimTypes.NameIdentifier)
+                             ?? context.User.FindFirst(ClaimTypes.Sid);
+
+
+            if (userIdClaim == null || !int.TryParse(userIdClaim.Value, out int userId))
+            {
+                //_logger.LogWarning("No valid user ID found in token claims");
+                context.Fail();
+                return;
+            }
+            //_logger.LogWarning("Found user ID claim: {ClaimType} = {ClaimValue}", userIdClaim.Type, userIdClaim.Value);
+
+            try
+            {
+                //_logger.LogWarning("Checking if user {UserId} exists in database...", userId);
+                // Check if user exists in database
+                using var scope = _serviceProvider.CreateScope();
+                var dbContext = scope.ServiceProvider.GetRequiredService<DataContext>();
+
+                var userExists = await dbContext.Users.AnyAsync(u => u.Id == userId);
+
+                if (userExists) context.Succeed(requirement);
+                else
+                {
+                    _logger.LogWarning("User {UserId} not found in database", userId);
+                    context.Fail();
+                }
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex, "Error checking if user {UserId} exists", userId);
+                context.Fail();
+            }
+            //_logger.LogWarning("Completed user existence validation for user {UserId}", userId);
+        }
+    }
+}

exercise.wwwapi/Authorization/Requirements/UserExistsRequirement.cs

@@ -0,0 +1,9 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace exercise.wwwapi.Authorization.Requirements
+{
+    public class UserExistsRequirement : IAuthorizationRequirement
+    {
+        // supposed to be empty apparently
+    }
+}

exercise.wwwapi/Endpoints/PostEndpoints.cs

@@ -47,9 +47,7 @@ public static IResult CreatePost(
             CreatePostDTO request
             )
         {
-            int? userid = user.UserRealId();
-            if ( userid == null ) return Results.NotFound(new ResponseDTO<Object> { Message = "UserId missing" });
-            User? dbUser = userservice.GetById(userid);
+            User? dbUser = userservice.GetById(user.UserRealId());
             if (dbUser == null) return Results.NotFound(new ResponseDTO<Object> { Message = "Invalid userID" });
 
             if (string.IsNullOrWhiteSpace(request.Content))

exercise.wwwapi/Program.cs

@@ -1,10 +1,13 @@
+using exercise.wwwapi.Authorization;
+using exercise.wwwapi.Authorization.Extensions;
 using exercise.wwwapi.Configuration;
 using exercise.wwwapi.Data;
 using exercise.wwwapi.Endpoints;
 using exercise.wwwapi.EndPoints;
 using exercise.wwwapi.Models;
 using exercise.wwwapi.Repository;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.IdentityModel.Tokens;
 using Microsoft.OpenApi.Models;
@@ -28,10 +31,11 @@
 builder.Services.AddScoped<IRepository<CohortCourseUser>, Repository<CohortCourseUser>>();
 builder.Services.AddScoped<ILogger, Logger<string>>();
 builder.Services.AddAutoMapper(typeof(Program));
+builder.Services.AddSingleton<IAuthorizationMiddlewareResultHandler, CustomAuthorizationResultHandler>();
+
 
 builder.Services.AddDbContext<DataContext>(options =>
 {
-
     //options.UseNpgsql(builder.Configuration.GetConnectionString("LocalDatabase"));
     options.UseNpgsql(builder.Configuration.GetConnectionString("LocalDatabase"));
     options.LogTo(message => Debug.WriteLine(message));
@@ -91,7 +95,9 @@
             });
 
 });
-builder.Services.AddAuthorization();
+//builder.Services.AddAuthorization();
+builder.Services.AddCustomAuthorization();
+
 
 builder.Services.AddControllers();
 builder.Services.AddEndpointsApiExplorer();
@@ -124,6 +130,8 @@
 
 app.UseAuthentication();
 
+
+
 app.UseAuthorization();
 
 app.MapControllers();