diff --git a/backend/src/Squidex.Web/Pipeline/AppResolver.cs b/backend/src/Squidex.Web/Pipeline/AppResolver.cs index 5b2650449..1e3bb67e9 100644 --- a/backend/src/Squidex.Web/Pipeline/AppResolver.cs +++ b/backend/src/Squidex.Web/Pipeline/AppResolver.cs @@ -14,6 +14,7 @@ using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc.Filters; using Microsoft.Extensions.DependencyInjection; +using Squidex.Domain.Apps.Core.Apps; using Squidex.Domain.Apps.Entities; using Squidex.Domain.Apps.Entities.Apps; using Squidex.Infrastructure; @@ -60,16 +61,18 @@ namespace Squidex.Web.Pipeline return; } + string? clientId = null; + var (role, permissions) = FindByOpenIdSubject(app, user, isFrontend); if (permissions == null) { - (role, permissions) = FindByOpenIdClient(app, user, isFrontend); + (clientId, role, permissions) = FindByOpenIdClient(app, user, isFrontend); } if (permissions == null) { - (role, permissions) = FindAnonymousClient(app, isFrontend); + (clientId, role, permissions) = FindAnonymousClient(app, isFrontend); } if (permissions != null) @@ -85,6 +88,11 @@ namespace Squidex.Web.Pipeline { identity.AddClaim(new Claim(SquidexClaimTypes.Permissions, permission.Id)); } + + if (user.Token() == null && clientId != null) + { + identity.AddClaim(new Claim(OpenIdClaims.ClientId, clientId)); + } } var requestContext = SetContext(context.HttpContext, app); @@ -150,45 +158,55 @@ namespace Squidex.Web.Pipeline return context.ActionDescriptor.EndpointMetadata.Any(x => x is AllowAnonymousAttribute); } - private static (string?, PermissionSet?) FindByOpenIdClient(IAppEntity app, ClaimsPrincipal user, bool isFrontend) + private static (string?, string?, PermissionSet?) FindByOpenIdClient(IAppEntity app, ClaimsPrincipal user, bool isFrontend) { var (appName, clientId) = user.GetClient(); - if (app.Name != appName) + if (app.Name != appName || clientId == null) { - return (null, null); + return default; } - if (clientId != null && app.Clients.TryGetValue(clientId, out var client) && app.Roles.TryGet(app.Name, client.Role, isFrontend, out var role)) + if (app.Clients.TryGetValue(clientId, out var client) && app.Roles.TryGet(app.Name, client.Role, isFrontend, out var role)) { - return (client.Role, role.Permissions); + return (clientId, client.Role, role.Permissions); } - return (null, null); + return default; } - private static (string?, PermissionSet?) FindAnonymousClient(IAppEntity app, bool isFrontend) + private static (string?, string?, PermissionSet?) FindAnonymousClient(IAppEntity app, bool isFrontend) { - var client = app.Clients.Values.FirstOrDefault(x => x.AllowAnonymous); + var client = app.Clients.FirstOrDefault(x => x.Value.AllowAnonymous); + + if (client.Value == null) + { + return default; + } - if (client != null && app.Roles.TryGet(app.Name, client.Role, isFrontend, out var role)) + if (app.Roles.TryGet(app.Name, client.Value.Role, isFrontend, out var role)) { - return (client.Role, role.Permissions); + return (client.Key, client.Value.Role, role.Permissions); } - return (null, null); + return default; } private static (string?, PermissionSet?) FindByOpenIdSubject(IAppEntity app, ClaimsPrincipal user, bool isFrontend) { var subjectId = user.OpenIdSubject(); - if (subjectId != null && app.Contributors.TryGetValue(subjectId, out var roleName) && app.Roles.TryGet(app.Name, roleName, isFrontend, out var role)) + if (subjectId == null) + { + return default; + } + + if (app.Contributors.TryGetValue(subjectId, out var roleName) && app.Roles.TryGet(app.Name, roleName, isFrontend, out var role)) { return (roleName, role.Permissions); } - return (null, null); + return default; } } } diff --git a/backend/tests/Squidex.Web.Tests/Pipeline/AppResolverTests.cs b/backend/tests/Squidex.Web.Tests/Pipeline/AppResolverTests.cs index 90ffe8830..c91afc099 100644 --- a/backend/tests/Squidex.Web.Tests/Pipeline/AppResolverTests.cs +++ b/backend/tests/Squidex.Web.Tests/Pipeline/AppResolverTests.cs @@ -196,6 +196,7 @@ namespace Squidex.Web.Pipeline Assert.Same(app, httpContext.Context().App); Assert.True(user.Claims.Count() > 2); Assert.True(isNextCalled); + Assert.Contains(user.Claims, x => x.Type == OpenIdClaims.ClientId && x.Value == "client1"); } [Fact]