Merge pull request #260 from meysamhadeli/fix/fix-scope-validation-in-apis

fix: Fix scope validation in claims for all endpoints
2026-04-11 02:20:20 +08:00 · 2023-05-19 02:44:50 +03:30 · 2023-05-19 02:44:50 +03:30 · f6639d772f
commit f6639d772f
parent 993c44a890 0cd22aebd2
22 changed files with 52 additions and 25 deletions
--- a/src/BuildingBlocks/Swagger/ServiceCollectionExtensions.cs
+++ b/src/BuildingBlocks/Swagger/ServiceCollectionExtensions.cs
@ -20,9 +20,6 @@ public static class ServiceCollectionExtensions
        IConfiguration configuration,
        params Assembly[] assemblies)
    {
-         // https://learn.microsoft.com/en-us/aspnet/core/fundamentals/minimal-apis/openapi
-        services.AddEndpointsApiExplorer();
-
        services.AddTransient<IConfigureOptions<SwaggerGenOptions>, ConfigureSwaggerOptions>();
        services.AddOptions<SwaggerOptions>().Bind(configuration.GetSection(nameof(SwaggerOptions)))
            .ValidateDataAnnotations();
@ -41,20 +38,30 @@ public static class ServiceCollectionExtensions

                options.AddEnumsWithValuesFixFilters();

+                options.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
+                {
+                    BearerFormat = "JWT",
+                    Scheme = "oauth2",
+                    Name = "Bearer",
+                    In = ParameterLocation.Header
+                });
+
                options.AddSecurityRequirement(new OpenApiSecurityRequirement
                {
                    {
                        new OpenApiSecurityScheme
                        {
-                            Reference = new OpenApiReference {Type = ReferenceType.SecurityScheme, Id = "Bearer"},
-                            Scheme = "oauth2",
-                            Name = "Bearer",
-                            In = ParameterLocation.Header
+                            Reference = new OpenApiReference
+                            {
+                                Type=ReferenceType.SecurityScheme,
+                                Id="Bearer"
+                            }
                        },
-                        new List<string>()
+                        new string[]{}
                    }
                });

+
                options.ResolveConflictingActions(apiDescriptions => apiDescriptions.First());

                ////https://github.com/domaindrivendev/Swashbuckle.AspNetCore/issues/467
@ -65,7 +72,7 @@ public static class ServiceCollectionExtensions
                // options.EnableAnnotations();
            });

-        services.Configure<SwaggerGeneratorOptions>(o => o.InferSecuritySchemes = true);
+        // services.Configure<SwaggerGeneratorOptions>(o => o.InferSecuritySchemes = true);

        static string XmlCommentsFilePath(Assembly assembly)
        {
--- a/src/BuildingBlocks/TestBase/TestBase.cs
+++ b/src/BuildingBlocks/TestBase/TestBase.cs
@ -60,7 +60,9 @@ public class TestFixture<TEntryPoint> : IAsyncLifetime
            var claims =
                new Dictionary<string, object>
                {
-                    { ClaimTypes.Name, "test@sample.com" }, { ClaimTypes.Role, "admin" },
+                    { ClaimTypes.Name, "test@sample.com" },
+                    { ClaimTypes.Role, "admin" },
+                    {"scope", "flight-api"}
                };
            var httpClient = _factory?.CreateClient();
            httpClient.SetFakeBearerToken(claims);
--- a/src/Services/Booking/src/Booking/Booking/Features/CreatingBook/Commands/V1/CreateBooking.cs
+++ b/src/Services/Booking/src/Booking/Booking/Features/CreatingBook/Commands/V1/CreateBooking.cs
@ -7,6 +7,7 @@ using BuildingBlocks.Core.Event;
 using BuildingBlocks.Core.Model;
 using BuildingBlocks.EventStoreDB.Repository;
 using BuildingBlocks.Web;
+using Duende.IdentityServer.EntityFramework.Entities;
 using Elasticsearch.Net;
 using Exceptions;
 using Flight;
@ -50,7 +51,7 @@ public class CreateBookingEndpoint : IMinimalEndpoint

                return Results.Ok(response);
            })
-            .RequireAuthorization()
+            .RequireAuthorization(nameof(ApiScope))
            .WithName("CreateBooking")
            .WithApiVersionSet(builder.NewApiVersionSet("Booking").Build())
            .Produces<CreateBookingResponseDto>()
--- a/src/Services/Booking/src/Booking/Extensions/Infrastructure/InfrastructureExtensions.cs
+++ b/src/Services/Booking/src/Booking/Extensions/Infrastructure/InfrastructureExtensions.cs
@ -60,6 +60,7 @@ public static class InfrastructureExtensions
        builder.Services.AddPersistMessageProcessor(env);
        builder.Services.AddMongoDbContext<BookingReadDbContext>(configuration);

+        builder.Services.AddEndpointsApiExplorer();
        builder.AddCustomSerilog(env);
        builder.Services.AddJwt();
        builder.Services.AddHttpContextAccessor();
--- a/src/Services/Flight/src/Flight/Aircrafts/Features/CreatingAircraft/V1/CreateAircraft.cs
+++ b/src/Services/Flight/src/Flight/Aircrafts/Features/CreatingAircraft/V1/CreateAircraft.cs
@ -10,6 +10,7 @@ using BuildingBlocks.Web;
 using Exceptions;
 using Models;
 using Data;
+using Duende.IdentityServer.EntityFramework.Entities;
 using FluentValidation;
 using MapsterMapper;
 using MassTransit;
@ -50,7 +51,7 @@ public class CreateAircraftEndpoint : IMinimalEndpoint

                return Results.Ok(response);
            })
-            .RequireAuthorization()
+            .RequireAuthorization(nameof(ApiScope))
            .WithName("CreateAircraft")
            .WithApiVersionSet(builder.NewApiVersionSet("Flight").Build())
            .Produces<CreateAircraftResponseDto>()
--- a/src/Services/Flight/src/Flight/Airports/Features/CreatingAirport/V1/CreateAirport.cs
+++ b/src/Services/Flight/src/Flight/Airports/Features/CreatingAirport/V1/CreateAirport.cs
@ -9,6 +9,7 @@ using BuildingBlocks.Core.Event;
 using BuildingBlocks.Web;
 using Exceptions;
 using Data;
+using Duende.IdentityServer.EntityFramework.Entities;
 using FluentValidation;
 using MapsterMapper;
 using MassTransit;
@ -48,7 +49,7 @@ public class CreateAirportEndpoint : IMinimalEndpoint

                return Results.Ok(response);
            })
-            .RequireAuthorization()
+            .RequireAuthorization(nameof(ApiScope))
            .WithName("CreateAirport")
            .WithApiVersionSet(builder.NewApiVersionSet("Flight").Build())
            .Produces<CreateAirportResponseDto>()
--- a/src/Services/Flight/src/Flight/Extensions/Infrastructure/InfrastructureExtensions.cs
+++ b/src/Services/Flight/src/Flight/Extensions/Infrastructure/InfrastructureExtensions.cs
@ -67,6 +67,7 @@ public static class InfrastructureExtensions
        builder.Services.AddMongoDbContext<FlightReadDbContext>(configuration);
        builder.Services.AddPersistMessageProcessor(env);

+        builder.Services.AddEndpointsApiExplorer();
        builder.AddCustomSerilog(env);
        builder.Services.AddJwt();
        builder.Services.AddCustomSwagger(configuration, typeof(FlightRoot).Assembly);
--- a/src/Services/Flight/src/Flight/Flights/Features/CreatingFlight/V1/CreateFlight.cs
+++ b/src/Services/Flight/src/Flight/Flights/Features/CreatingFlight/V1/CreateFlight.cs
@ -8,6 +8,7 @@ using BuildingBlocks.Core.CQRS;
 using BuildingBlocks.Core.Event;
 using BuildingBlocks.Web;
 using Data;
+using Duende.IdentityServer.EntityFramework.Entities;
 using Exceptions;
 using FluentValidation;
 using MapsterMapper;
@ -54,7 +55,7 @@ public class CreateFlightEndpoint : IMinimalEndpoint

                return Results.CreatedAtRoute("GetFlightById", new { id = result.Id }, response);
            })
-            .RequireAuthorization()
+            .RequireAuthorization(nameof(ApiScope))
            .WithName("CreateFlight")
            .WithApiVersionSet(builder.NewApiVersionSet("Flight").Build())
            .Produces<CreateFlightResponseDto>(StatusCodes.Status201Created)
--- a/src/Services/Flight/src/Flight/Flights/Features/DeletingFlight/V1/DeleteFlight.cs
+++ b/src/Services/Flight/src/Flight/Flights/Features/DeletingFlight/V1/DeleteFlight.cs
@ -8,6 +8,7 @@ using BuildingBlocks.Core.CQRS;
 using BuildingBlocks.Core.Event;
 using BuildingBlocks.Web;
 using Data;
+using Duende.IdentityServer.EntityFramework.Entities;
 using Exceptions;
 using FluentValidation;
 using MediatR;
@ -35,7 +36,7 @@ public class DeleteFlightEndpoint : IMinimalEndpoint

                    return Results.NoContent();
                })
-            .RequireAuthorization()
+            .RequireAuthorization(nameof(ApiScope))
            .WithName("DeleteFlight")
            .WithApiVersionSet(builder.NewApiVersionSet("Flight").Build())
            .Produces(StatusCodes.Status204NoContent)
--- a/src/Services/Flight/src/Flight/Flights/Features/GettingAvailableFlights/V1/GetAvailableFlights.cs
+++ b/src/Services/Flight/src/Flight/Flights/Features/GettingAvailableFlights/V1/GetAvailableFlights.cs
@ -11,6 +11,7 @@ using BuildingBlocks.Core.CQRS;
 using BuildingBlocks.Web;
 using Data;
 using Dtos;
+using Duende.IdentityServer.EntityFramework.Entities;
 using Exceptions;
 using MapsterMapper;
 using MediatR;
@ -42,8 +43,7 @@ public class GetAvailableFlightsEndpoint : IMinimalEndpoint

                    return Results.Ok(response);
                })
-            .WithOpenApi()
-            .RequireAuthorization()
+            .RequireAuthorization(nameof(ApiScope))
            .WithName("GetAvailableFlights")
            .WithApiVersionSet(builder.NewApiVersionSet("Flight").Build())
            .Produces<GetAvailableFlightsResponseDto>()
--- a/src/Services/Flight/src/Flight/Flights/Features/GettingFlightById/V1/GetFlightById.cs
+++ b/src/Services/Flight/src/Flight/Flights/Features/GettingFlightById/V1/GetFlightById.cs
@ -8,6 +8,7 @@ using BuildingBlocks.Core.CQRS;
 using BuildingBlocks.Web;
 using Data;
 using Dtos;
+using Duende.IdentityServer.EntityFramework.Entities;
 using Exceptions;
 using FluentValidation;
 using MapsterMapper;
@ -37,7 +38,7 @@ public class GetFlightByIdEndpoint : IMinimalEndpoint

                    return Results.Ok(response);
                })
-            .RequireAuthorization()
+            .RequireAuthorization(nameof(ApiScope))
            .WithName("GetFlightById")
            .WithApiVersionSet(builder.NewApiVersionSet("Flight").Build())
            .Produces<GetFlightByIdResponseDto>()
--- a/src/Services/Flight/src/Flight/Flights/Features/UpdatingFlight/V1/UpdateFlight.cs
+++ b/src/Services/Flight/src/Flight/Flights/Features/UpdatingFlight/V1/UpdateFlight.cs
@ -9,6 +9,7 @@ using BuildingBlocks.Core.CQRS;
 using BuildingBlocks.Core.Event;
 using BuildingBlocks.Web;
 using Data;
+using Duende.IdentityServer.EntityFramework.Entities;
 using Exceptions;
 using Flight.Flights.Features.CreatingFlight.V1;
 using FluentValidation;
@ -52,7 +53,7 @@ public class UpdateFlightEndpoint : IMinimalEndpoint

                return Results.NoContent();
            })
-            .RequireAuthorization()
+            .RequireAuthorization(nameof(ApiScope))
            .WithName("UpdateFlight")
            .WithApiVersionSet(builder.NewApiVersionSet("Flight").Build())
            .Produces(StatusCodes.Status204NoContent)
--- a/src/Services/Flight/src/Flight/Identity/Consumers/RegisterNewUser/V1/RegisterNewUserConsumerHandler.cs
+++ b/src/Services/Flight/src/Flight/Identity/Consumers/RegisterNewUser/V1/RegisterNewUserConsumerHandler.cs
@ -23,6 +23,7 @@ public class RegisterNewUserConsumerHandler : IConsumer<UserCreated>
    public Task Consume(ConsumeContext<UserCreated> context)
    {
        _logger.LogInformation($"this is a test consumer for {nameof(UserCreated).Underscore()} in {_options.Name}");
+        _logger.LogInformation($"we got this message: {context?.Message}");
        return Task.CompletedTask;
    }
 }
--- a/src/Services/Flight/src/Flight/Seats/Features/CreatingSeat/V1/CreateSeat.cs
+++ b/src/Services/Flight/src/Flight/Seats/Features/CreatingSeat/V1/CreateSeat.cs
@ -7,6 +7,7 @@ using Ardalis.GuardClauses;
 using BuildingBlocks.Core.CQRS;
 using BuildingBlocks.Core.Event;
 using BuildingBlocks.Web;
+using Duende.IdentityServer.EntityFramework.Entities;
 using Flight.Data;
 using Flight.Seats.Exceptions;
 using Flight.Seats.Models;
@ -40,7 +41,7 @@ public class CreateSeatEndpoint : IMinimalEndpoint
    public IEndpointRouteBuilder MapEndpoint(IEndpointRouteBuilder builder)
    {
        builder.MapPost($"{EndpointConfig.BaseApiPath}/flight/seat", CreateSeat)
-            .RequireAuthorization()
+            .RequireAuthorization(nameof(ApiScope))
            .WithName("CreateSeat")
            .WithApiVersionSet(builder.NewApiVersionSet("Flight").Build())
            .Produces<CreateSeatResponseDto>()
--- a/src/Services/Flight/src/Flight/Seats/Features/GettingAvailableSeats/V1/GetAvailableSeats.cs
+++ b/src/Services/Flight/src/Flight/Seats/Features/GettingAvailableSeats/V1/GetAvailableSeats.cs
@ -10,6 +10,7 @@ using BuildingBlocks.Core.CQRS;
 using BuildingBlocks.Web;
 using Data;
 using Dtos;
+using Duende.IdentityServer.EntityFramework.Entities;
 using Exceptions;
 using FluentValidation;
 using MapsterMapper;
@ -30,7 +31,7 @@ public class GetAvailableSeatsEndpoint : IMinimalEndpoint
    public IEndpointRouteBuilder MapEndpoint(IEndpointRouteBuilder builder)
    {
        builder.MapGet($"{EndpointConfig.BaseApiPath}/flight/get-available-seats/{{id}}", GetAvailableSeats)
-            .RequireAuthorization()
+            .RequireAuthorization(nameof(ApiScope))
            .WithName("GetAvailableSeats")
            .WithApiVersionSet(builder.NewApiVersionSet("Flight").Build())
            .Produces<GetAvailableSeatsResponseDto>()
--- a/src/Services/Flight/src/Flight/Seats/Features/ReservingSeat/Commands/V1/ReserveSeat.cs
+++ b/src/Services/Flight/src/Flight/Seats/Features/ReservingSeat/Commands/V1/ReserveSeat.cs
@ -8,6 +8,7 @@ using BuildingBlocks.Core.CQRS;
 using BuildingBlocks.Core.Event;
 using BuildingBlocks.Web;
 using Data;
+using Duende.IdentityServer.EntityFramework.Entities;
 using Exceptions;
 using FluentValidation;
 using MapsterMapper;
@ -33,7 +34,7 @@ public class ReserveSeatEndpoint : IMinimalEndpoint
    public IEndpointRouteBuilder MapEndpoint(IEndpointRouteBuilder builder)
    {
        builder.MapPost($"{EndpointConfig.BaseApiPath}/flight/reserve-seat", ReserveSeat)
-            .RequireAuthorization()
+            .RequireAuthorization(nameof(ApiScope))
            .WithName("ReserveSeat")
            .WithApiVersionSet(builder.NewApiVersionSet("Flight").Build())
            .Produces<ReserveSeatResponseDto>()
--- a/src/Services/Identity/src/Identity/Configurations/Config.cs
+++ b/src/Services/Identity/src/Identity/Configurations/Config.cs
@ -59,7 +59,7 @@ public static class Config
                    Constants.StandardScopes.FlightApi,
                    Constants.StandardScopes.PassengerApi,
                    Constants.StandardScopes.BookingApi,
-                    new(Constants.StandardScopes.IdentityApi)
+                    Constants.StandardScopes.IdentityApi
                }
            }
        };
--- a/src/Services/Identity/src/Identity/Extensions/Infrastructure/InfrastructureExtensions.cs
+++ b/src/Services/Identity/src/Identity/Extensions/Infrastructure/InfrastructureExtensions.cs
@ -58,6 +58,7 @@ public static class InfrastructureExtensions
                    }));
        });

+        builder.Services.AddEndpointsApiExplorer();
        builder.Services.AddControllers();
        builder.Services.AddPersistMessageProcessor(env);
        builder.Services.AddCustomDbContext<IdentityContext>();
--- a/src/Services/Identity/src/Identity/Identity/Features/RegisteringNewUser/V1/RegisterNewUser.cs
+++ b/src/Services/Identity/src/Identity/Identity/Features/RegisteringNewUser/V1/RegisterNewUser.cs
@ -9,6 +9,7 @@ using BuildingBlocks.Contracts.EventBus.Messages;
 using BuildingBlocks.Core;
 using BuildingBlocks.Core.CQRS;
 using BuildingBlocks.Web;
+using Duende.IdentityServer.EntityFramework.Entities;
 using Exceptions;
 using FluentValidation;
 using MapsterMapper;
--- a/src/Services/Passenger/src/Passenger/Extensions/Infrastructure/InfrastructureExtensions.cs
+++ b/src/Services/Passenger/src/Passenger/Extensions/Infrastructure/InfrastructureExtensions.cs
@ -64,6 +64,7 @@ public static class InfrastructureExtensions

        builder.AddCustomSerilog(env);
        builder.Services.AddJwt();
+        builder.Services.AddEndpointsApiExplorer();
        builder.Services.AddCustomSwagger(configuration, typeof(PassengerRoot).Assembly);
        builder.Services.AddCustomVersioning();
        builder.Services.AddCustomMediatR();
--- a/src/Services/Passenger/src/Passenger/Passengers/Features/CompletingRegisterPassenger/V1/CompleteRegisterPassenger.cs
+++ b/src/Services/Passenger/src/Passenger/Passengers/Features/CompletingRegisterPassenger/V1/CompleteRegisterPassenger.cs
@ -10,6 +10,7 @@ using MapsterMapper;
 using Microsoft.EntityFrameworkCore;
 using Data;
 using Dtos;
+using Duende.IdentityServer.EntityFramework.Entities;
 using MassTransit;
 using MediatR;
 using Microsoft.AspNetCore.Builder;
@ -48,7 +49,7 @@ public class CompleteRegisterPassengerEndpoint : IMinimalEndpoint

                return Results.Ok(response);
            })
-            .RequireAuthorization()
+            .RequireAuthorization(nameof(ApiScope))
            .WithName("CompleteRegisterPassenger")
            .WithApiVersionSet(builder.NewApiVersionSet("Passenger").Build())
            .Produces<CompleteRegisterPassengerResponseDto>()
--- a/src/Services/Passenger/src/Passenger/Passengers/Features/GettingPassengerById/Queries/V1/GetPassengerById.cs
+++ b/src/Services/Passenger/src/Passenger/Passengers/Features/GettingPassengerById/Queries/V1/GetPassengerById.cs
@ -7,6 +7,7 @@ using FluentValidation;
 using MapsterMapper;
 using Ardalis.GuardClauses;
 using BuildingBlocks.Web;
+using Duende.IdentityServer.EntityFramework.Entities;
 using Exceptions;
 using MediatR;
 using Microsoft.AspNetCore.Builder;
@ -34,7 +35,7 @@ public class GetPassengerByIdEndpoint : IMinimalEndpoint

                    return Results.Ok(response);
                })
-            .RequireAuthorization()
+            .RequireAuthorization(nameof(ApiScope))
            .WithName("GetPassengerById")
            .WithApiVersionSet(builder.NewApiVersionSet("Passenger").Build())
            .Produces<GetPassengerByIdResponseDto>()