Working on auth attribute

SharpRSS.API/Auth/SessionAuthorizeAttribute.cs

@@ -3,6 +3,7 @@ using System.Linq;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.Extensions.Primitives;
 using ToolQit;
 using ToolQit.Logging;
 
@@ -24,9 +25,16 @@ namespace SharpRSS.API.Auth
         {
             if (context.ActionDescriptor.EndpointMetadata.Any(obj => obj.GetType() == typeof(AllowAnonymousAttribute)))
             {
-                context.Result = new OkResult();
+                //context.Result = new OkResult();
                 return;
             }
+
+            if (context.HttpContext.Request.Headers.TryGetValue("SRSS-Session", out StringValues val))
+            {
+                //TODO: if no permission check for valid session, if permission check if session has access!
+                return;
+            }
+
             //TODO: Check session ID!
             context.Result = new UnauthorizedResult();
         }

SharpRSS.API/Controllers/AuthController.cs

@@ -1,3 +1,4 @@
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
@@ -28,20 +29,22 @@ namespace SharpRSS.API.Controllers
         [HttpPost("[action]")]
         [AllowAnonymous]
         public async Task<ActionResult<string>> Authenticate(AuthenticateUser authenticateUser)
-        {
-            return Ok("Ok!");
+        {   // Return test result
+            return Ok(new { Expires = DateTime.Now.Add(TimeSpan.FromDays(7)), SessionToken = Guid.NewGuid().ToString(), Released = DateTime.Now });
         }
 
         [HttpPost("user")]
+        [SessionAuthorize("auth:user:create")]
         public async Task<ActionResult<UserDto>> CreateUser(AuthenticateUser authenticateUser)
         {
             Result<User> result = await _authService.CreateUser(authenticateUser);
-                if (result.Success)
+            if (result.Success)
                 return Ok(Models.Auth.User.ToDto(result.Value ?? new User()));
             return BadRequest(new ApiResult(result.Message, ApiResults.Error));
         }
 
         [HttpGet("user")]
+        [SessionAuthorize("auth:user:get")]
         public async Task<ActionResult<ApiListResult<IEnumerable<UserDto>>>> GetUsers(int take, int skip)
         {
             var usersAuth = await _authService.GetUsers(take, skip);

SharpRSS.API/Net/SwaggerSessionHeader.cs

@@ -0,0 +1,19 @@
+using Microsoft.OpenApi.Models;
+using Swashbuckle.AspNetCore.SwaggerGen;
+
+namespace SharpRSS.API.Net
+{
+    public class SwaggerSessionHeader : IOperationFilter
+    {
+        public void Apply(OpenApiOperation operation, OperationFilterContext context)
+        {
+            operation.Parameters.Add(new OpenApiParameter()
+            {
+                Name = "SRSS-Session",
+                In = ParameterLocation.Header,
+                Required = false,
+                Schema = new OpenApiSchema() { Type = "string" }
+            });
+        }
+    }
+}

SharpRSS.API/Program.cs

@@ -3,9 +3,11 @@ using System.IO;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using Microsoft.OpenApi.Models;
 using Serilog;
 using Serilog.Formatting.Compact;
 using SharpRSS.API.Data;
+using SharpRSS.API.Net;
 using ToolQit;
 using ToolQit.Logging.Serilog;
 
@@ -18,7 +20,11 @@ builder.Logging.AddSerilog();
 builder.Services.AddControllers();
 // Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
 builder.Services.AddEndpointsApiExplorer();
-builder.Services.AddSwaggerGen();
+builder.Services.AddSwaggerGen(con =>
+{
+    con.SwaggerDoc("v1", new OpenApiInfo() { Title = "SharRSS API", Version = "v1"});
+    con.OperationFilter<SwaggerSessionHeader>();
+});
 builder.Services.AddScoped<AuthService>();
 builder.Services.AddScoped<SharpRssService>();