open source Notesnook API

Notesnook.API/Authorization/SyncRequirement.cs

@@ -0,0 +1,89 @@
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization.Policy;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.SignalR;
+
+namespace Notesnook.API.Authorization
+{
+    public class SyncRequirement : AuthorizationHandler<SyncRequirement>, IAuthorizationRequirement
+    {
+        private Dictionary<string, string> pathErrorPhraseMap = new Dictionary<string, string>
+        {
+            ["/sync/attachments"] = "use attachments",
+            ["/sync"] = "sync your notes",
+            ["/hubs/sync"] = "sync your notes",
+            ["/monographs"] = "publish monographs"
+        };
+
+        private string[] allowedClaims = { "trial", "premium", "premium_canceled" };
+        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, SyncRequirement requirement)
+        {
+            PathString path = context.Resource is DefaultHttpContext httpContext ? httpContext.Request.Path : null;
+            var result = this.IsAuthorized(context.User, path);
+            if (result.Succeeded) context.Succeed(requirement);
+            else
+            {
+                var hasReason = result.AuthorizationFailure.FailureReasons.Count() > 0;
+                if (hasReason)
+                    context.Fail(result.AuthorizationFailure.FailureReasons.First());
+                else context.Fail();
+            }
+
+            return Task.CompletedTask;
+        }
+
+        public PolicyAuthorizationResult IsAuthorized(ClaimsPrincipal User, PathString requestPath)
+        {
+            var id = User.FindFirstValue("sub");
+
+            if (string.IsNullOrEmpty(id))
+            {
+                var reason = new AuthorizationFailureReason[]
+                {
+                    new AuthorizationFailureReason(this, "Invalid token.")
+                };
+                return PolicyAuthorizationResult.Forbid(AuthorizationFailure.Failed(reason));
+            }
+
+            var hasSyncScope = User.HasClaim("scope", "notesnook.sync");
+            var isInAudience = User.HasClaim("aud", "notesnook");
+            var hasRole = User.HasClaim("role", "notesnook");
+
+            var isEmailVerified = User.HasClaim("verified", "true");
+
+            if (!isEmailVerified)
+            {
+                var phrase = "continue";
+
+                foreach (var item in pathErrorPhraseMap)
+                {
+                    if (requestPath != null && requestPath.StartsWithSegments(item.Key))
+                        phrase = item.Value;
+                }
+
+                var error = $"Please confirm your email to {phrase}.";
+                var reason = new AuthorizationFailureReason[]
+                {
+                    new AuthorizationFailureReason(this, error)
+                };
+                return PolicyAuthorizationResult.Forbid(AuthorizationFailure.Failed(reason));
+                //  context.Fail(new AuthorizationFailureReason(this, error));
+            }
+
+            var isProOrTrial = User.HasClaim((c) => c.Type == "notesnook:status" && allowedClaims.Contains(c.Value));
+            if (hasSyncScope && isInAudience && hasRole && isEmailVerified)
+                return PolicyAuthorizationResult.Success(); //(requirement);
+            return PolicyAuthorizationResult.Forbid();
+        }
+
+        public override Task HandleAsync(AuthorizationHandlerContext context)
+        {
+            return this.HandleRequirementAsync(context, this);
+        }
+
+    }
+}