From b2b9d148a32492edf7341870b1962b4ccbdabb4f Mon Sep 17 00:00:00 2001
From: Sebastian
Date: Thu, 30 Apr 2020 16:33:42 +0200
Subject: [PATCH] Check app name

---
 backend/src/Squidex.Web/Extensions.cs | 14 +++++++++++++-
 backend/src/Squidex.Web/Pipeline/AppResolver.cs | 7 ++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/backend/src/Squidex.Web/Extensions.cs b/backend/src/Squidex.Web/Extensions.cs
index cabaf7692..62d389beb 100644
--- a/backend/src/Squidex.Web/Extensions.cs
+++ b/backend/src/Squidex.Web/Extensions.cs
@@ -23,8 +23,20 @@ namespace Squidex.Web
 return clientId?.GetClientParts().ClientId;
 }
 
- public static (string? App, string? ClientId) GetClientParts(this string clientId)
+ public static (string? App, string? ClientId) GetClient(this ClaimsPrincipal principal)
 {
+ var clientId = principal.FindFirst(OpenIdClaims.ClientId)?.Value;
+
+ return clientId.GetClientParts();
+ }
+
+ public static (string? App, string? ClientId) GetClientParts(this string? clientId)
+ {
+ if (clientId == null)
+ {
+ return (null, null);
+ }
+
 var parts = clientId.Split(':', '~');
 
 if (parts.Length == 1)
diff --git a/backend/src/Squidex.Web/Pipeline/AppResolver.cs b/backend/src/Squidex.Web/Pipeline/AppResolver.cs
index 4e5d43cae..856480917 100644
--- a/backend/src/Squidex.Web/Pipeline/AppResolver.cs
+++ b/backend/src/Squidex.Web/Pipeline/AppResolver.cs
@@ -99,7 +99,12 @@ namespace Squidex.Web.Pipeline
 private static (string?, PermissionSet?) FindByOpenIdClient(IAppEntity app, ClaimsPrincipal user)
 {
- var clientId = user.GetClientId();
+ var (appName, clientId) = user.GetClient();
+
+ if (app.Name != appName)
+ {
+ return (null, null);
+ }
 
 if (clientId != null && app.Clients.TryGetValue(clientId, out var client) && app.Roles.TryGet(app.Name, client.Role, out var role))
 {
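Review bot: The new `GetClient` and the widened `GetClientParts(this string?)` in the first hunk have no XML doc, although their `App` element is now used to decide whether a token belongs to the resolved app (AppResolver, per the diffstat), so the fact that a missing claim collapses to `(null, null)` is a contract worth writing down. Above `GetClient` I would add `/// <summary>Reads the <see cref="OpenIdClaims.ClientId"/> claim and splits it into its app and client parts; returns (null, null) when the claim is absent.</summary>`, and above `GetClientParts` `/// <summary>Splits a client id on ':' or '~' into (App, ClientId); returns (null, null) for a null input.</summary>`. What a value without a separator yields for `App` is decided in the `parts.Length == 1` branch, which continues past the end of the hunk, so that case should be stated in the summary once confirmed rather than left implicit.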