SharpRSS/SharpRSS.API/Auth/SessionAuthorizeAttribute.cs


using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Primitives;
using SharpRSS.API.Contracts.Models;
using SharpRSS.API.Data;
using ToolQit;
using ToolQit.Extensions;
using ToolQit.Logging;
namespace SharpRSS.API.Auth
{
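[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public class SessionAuthorizeAttribute : Attribute, IAsyncAuthorizationFilter
{
    /// <summary>
    /// Request header that carries the session identifier.
    /// </summary>
    private const string SessionHeader = "SRSS-Session";

    // Created in the constructor; no log call is made from this filter yet.
    private readonly ILog _log;
    private readonly bool _admin;

    /// <summary>
    /// Requires a valid, unexpired session (sent in the <c>SRSS-Session</c> header)
    /// before the decorated controller or action runs.
    /// </summary>
    /// <param name="admin">
    /// Stored on the resolved auth set as <c>AdminRequired</c>. This filter only records
    /// the flag; it does not itself verify that the session belongs to an admin, so
    /// whatever reads <c>HttpContext.Items["auth"]</c> is expected to enforce it — confirm
    /// that downstream check exists.
    /// </param>
    public SessionAuthorizeAttribute(bool admin = true)
    {
        _admin = admin;
        _log = LogManager.CreateLogger(typeof(SessionAuthorizeAttribute));
    }

    /// <summary>
    /// Validates the session header and either stores the auth set in
    /// <c>HttpContext.Items["auth"]</c> or short-circuits the request with a 401.
    /// </summary>
    /// <param name="context">Filter context for the current request.</param>
    /// <returns>A task that completes once the authorization decision has been made.</returns>
    /// <remarks>
    /// Implemented as <see cref="IAsyncAuthorizationFilter"/> rather than the synchronous
    /// <c>IAuthorizationFilter</c>: the session lookup is awaited, and an
    /// <c>async void OnAuthorization</c> hands control back to the pipeline at its first
    /// <c>await</c>, so the action could execute before <c>context.Result</c> was assigned.
    /// Returning a <see cref="Task"/> makes MVC wait for the decision.
    /// </remarks>
    public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        // Endpoints opened with [AllowAnonymous] (any IAllowAnonymous marker) skip the check.
        if (context.ActionDescriptor.EndpointMetadata.Any(meta => meta is IAllowAnonymous))
        {
            return;
        }

        if (context.HttpContext.RequestServices.GetService(typeof(AuthService)) is not AuthService authService)
        {
            context.Result = new UnauthorizedObjectResult(new Result("Failed to initialize service!", ResultStatus.InternalFail));
            return;
        }

        if (!context.HttpContext.Request.Headers.TryGetValue(SessionHeader, out StringValues values))
        {
            context.Result = new UnauthorizedResult();
            return;
        }

        // StringValues.ToString() joins repeated headers with commas, so a request carrying
        // more than one session header is rejected rather than looked up as a fused identifier.
        string headerVal = values.ToString();
        if (values.Count != 1 || string.IsNullOrWhiteSpace(headerVal))
        {
            context.Result = new UnauthorizedObjectResult(new Result("Invalid session ID"));
            return;
        }

        var authSet = await authService.ValidateSession(headerVal);
        if (!authSet.Success || authSet.Value is null)
        {
            context.Result = new UnauthorizedResult();
            return;
        }

        if (authSet.Value.Session is { Expired: true })
        {
            context.Result = new UnauthorizedObjectResult(new Result("Session expired", ResultStatus.Failed));
            return;
        }

        // Only recorded here; see the constructor remarks on enforcement.
        authSet.Value.AdminRequired = _admin;
        context.HttpContext.Items["auth"] = authSet.Value;
    }
}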
}