Add permission message service and integrate with authorization

kelvink96 · kelvink96 · commit 7c49a0d3c7f6 · 2025-05-08T23:54:03.000+03:00
Introduce `PermissionMessageService` to handle custom permission messages per resource and HTTP method. Updated `CustomAuthorizationMiddlewareResultHandler` to use the new service for more specific error feedback. Registered the service in the application builder to streamline permission handling.
diff --git a/Program.cs b/Program.cs
@@ -6,6 +6,7 @@
 using AdminHubApi.Interfaces;
 using AdminHubApi.Repositories;
 using AdminHubApi.Security;
+using AdminHubApi.Security.Permissions;
 using AdminHubApi.Services;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authorization;
@@ -143,7 +144,10 @@ await tokenBlacklistRepository.IsTokenBlacklistedAsync(tokenId))
 // Register token cleanup background service
 builder.Services.AddHostedService<TokenCleanupService>();
 
-// Custom Authorization Handler
+// Add permission message service
+builder.Services.AddSingleton<IPermissionMessageService, PermissionMessageService>();
+
+// Register the custom authorization handler
 builder.Services.AddSingleton<IAuthorizationMiddlewareResultHandler, CustomAuthorizationMiddlewareResultHandler>();
 
 // Learn more about configuring OpenAPI at https://aka.ms/aspnet/openapi
@@ -186,12 +190,12 @@ await tokenBlacklistRepository.IsTokenBlacklistedAsync(tokenId))
             await NormalUserSeeder.SeedNormalUserAsync(app.Services);
             await ManagerUserSeeder.SeedManagerUserAsync(app.Services);
         }
-        
+
         // Always update permissions to ensure new permissions are added
         logger.LogInformation("Updating role permissions...");
         await PermissionUpdateSeeder.UpdateRolePermissionsAsync(app.Services);
         logger.LogInformation("Role permissions updated successfully");
-        
+
         logger.LogInformation("Updating user permissions...");
         await UserPermissionUpdateSeeder.UpdateUserPermissionsAsync(app.Services);
         logger.LogInformation("User permissions updated successfully");
diff --git a/Security/CustomAuthorizationMiddlewareResultHandler.cs b/Security/CustomAuthorizationMiddlewareResultHandler.cs
@@ -1,104 +1,87 @@
 ﻿using System.Text.Json;
 using AdminHubApi.Dtos.ApiResponse;
+using AdminHubApi.Security.Permissions;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Authorization.Policy;
 
-namespace AdminHubApi.Security
+namespace AdminHubApi.Security;
+
+public class CustomAuthorizationMiddlewareResultHandler : IAuthorizationMiddlewareResultHandler
 {
-    public class CustomAuthorizationMiddlewareResultHandler : IAuthorizationMiddlewareResultHandler
+    private readonly AuthorizationMiddlewareResultHandler _defaultHandler =
+        new AuthorizationMiddlewareResultHandler();
+
+    private readonly IPermissionMessageService _permissionMessageService;
+
+    public CustomAuthorizationMiddlewareResultHandler(IPermissionMessageService permissionMessageService)
     {
-        private readonly AuthorizationMiddlewareResultHandler _defaultHandler =
-            new AuthorizationMiddlewareResultHandler();
-
-        public async Task HandleAsync(
-            RequestDelegate next,
-            HttpContext context,
-            AuthorizationPolicy policy,
-            PolicyAuthorizationResult authorizeResult)
+        _permissionMessageService = permissionMessageService;
+    }
+
+    public async Task HandleAsync(
+        RequestDelegate next,
+        HttpContext context,
+        AuthorizationPolicy policy,
+        PolicyAuthorizationResult authorizeResult)
+    {
+        // If the authorization was successful, continue down the pipeline
+        if (authorizeResult.Succeeded)
         {
-            // If the authorization was successful, continue down the pipeline
-            if (authorizeResult.Succeeded)
-            {
-                await _defaultHandler.HandleAsync(next, context, policy, authorizeResult);
+            await _defaultHandler.HandleAsync(next, context, policy, authorizeResult);
 
-                return;
-            }
+            return;
+        }
 
-            // Check if unauthorized or forbidden
-            if (context.User.Identity?.IsAuthenticated != true)
-            {
-                // Return a 401 Unauthorized with a descriptive message
-                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+        // Check if unauthorized or forbidden
+        if (context.User.Identity?.IsAuthenticated != true)
+        {
+            // Return a 401 Unauthorized with a descriptive message
+            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
 
-                var response = new ApiResponse<object>
-                {
-                    Succeeded = false,
-                    Message = "Authentication required",
-                    Errors = new List<string>()
-                    {
-                        "You need to authenticate to access this resource."
-                    }
-                };
-
-                await WriteJsonResponseAsync(context, response);
-            }
-            else
+            var response = new ApiResponse<object>
             {
-                // Return a 403 Forbidden with a descriptive message
-                context.Response.StatusCode = StatusCodes.Status403Forbidden;
-
-                // Check if it's related to project permissions
-                if (context.Request.Path.StartsWithSegments("/api/projects"))
+                Succeeded = false,
+                Message = "Authentication required",
+                Errors = new List<string>()
                 {
-                    // Customize message based on the HTTP method
-                    string errorMessage = context.Request.Method switch
-                    {
-                        "POST" => "You do not have sufficient permissions to create a project.",
-                        "PUT" => "You do not have sufficient permissions to edit a project.",
-                        "DELETE" => "You do not have sufficient permissions to delete a project.",
-                        _ => "You do not have sufficient permissions to perform this action on projects."
-                    };
-
-                    var response = new ApiResponse<object>
-                    {
-                        Succeeded = false,
-                        Message = "Permission denied",
-                        Errors = new List<string>()
-                        {
-                            errorMessage
-                        }
-                    };
-
-                    await WriteJsonResponseAsync(context, response);
+                    "You need to authenticate to access this resource."
                 }
-                else
-                {
-                    // Generic permission error
-                    var response = new ApiResponse<object>
-                    {
-                        Succeeded = false,
-                        Message = "Permission denied",
-                        Errors = new List<string>()
-                        {
-                            "You do not have sufficient permissions to perform this action."
-                        }
-                    };
-
-                    await WriteJsonResponseAsync(context, response);
-                }
-            }
-        }
+            };
 
-        private static async Task WriteJsonResponseAsync<T>(HttpContext context, ApiResponse<T> response)
+            await WriteJsonResponseAsync(context, response);
+        }
+        else
         {
-            context.Response.ContentType = "application/json";
+            // Return a 403 Forbidden with a descriptive message
+            context.Response.StatusCode = StatusCodes.Status403Forbidden;
+
+            // Get the path and HTTP method
+            string path = context.Request.Path.Value ?? "";
+            string method = context.Request.Method;
+
+            // Get a specific error message for the resource and action
+            string errorMessage = _permissionMessageService.GetPermissionMessage(path, method);
 
-            var options = new JsonSerializerOptions
+            var response = new ApiResponse<object>
             {
-                PropertyNamingPolicy = JsonNamingPolicy.CamelCase
+                Succeeded = false,
+                Message = "Permission denied",
+                Errors = new List<string>() { errorMessage }
             };
 
-            await JsonSerializer.SerializeAsync(context.Response.Body, response, options);
+            await WriteJsonResponseAsync(context, response);
         }
     }
+
+    private static async Task WriteJsonResponseAsync<T>(HttpContext context, ApiResponse<T> response)
+    {
+        context.Response.ContentType = "application/json";
+
+        var options = new JsonSerializerOptions
+        {
+            PropertyNamingPolicy = JsonNamingPolicy.CamelCase
+        };
+
+        await JsonSerializer.SerializeAsync(context.Response.Body, response, options);
+    }
 }
diff --git a/Security/Permissions/PermissionMessageService.cs b/Security/Permissions/PermissionMessageService.cs
@@ -0,0 +1,129 @@
+﻿namespace AdminHubApi.Security.Permissions;
+
+public interface IPermissionMessageService
+{
+    string GetPermissionMessage(string path, string httpMethod);
+}
+
+public class PermissionMessageService : IPermissionMessageService
+{
+    private readonly List<ResourcePermissionMessages> _resourcePermissions;
+
+    public PermissionMessageService()
+    {
+        _resourcePermissions = new List<ResourcePermissionMessages>
+        {
+            new()
+            {
+                Resource = "projects",
+                Prefix = "/api/projects",
+                Permissions = new Dictionary<string, HttpMethodPermissions>
+                {
+                    ["*"] = new HttpMethodPermissions
+                    {
+                        Get = "You do not have sufficient permissions to view projects.",
+                        Post = "You do not have sufficient permissions to create a project.",
+                        Put = "You do not have sufficient permissions to edit a project.",
+                        Delete = "You do not have sufficient permissions to delete a project.",
+                        Default = "You do not have sufficient permissions to perform this action on projects."
+                    }
+                }
+            },
+            new()
+            {
+                Resource = "products",
+                Prefix = "/api/products",
+                Permissions = new Dictionary<string, HttpMethodPermissions>
+                {
+                    ["*"] = new HttpMethodPermissions
+                    {
+                        Get = "You do not have sufficient permissions to view products.",
+                        Post = "You do not have sufficient permissions to create a product.",
+                        Put = "You do not have sufficient permissions to edit a product.",
+                        Delete = "You do not have sufficient permissions to delete a product.",
+                        Default = "You do not have sufficient permissions to perform this action on products."
+                    }
+                }
+            },
+            new()
+            {
+                Resource = "product-categories",
+                Prefix = "/api/product-categories",
+                Permissions = new Dictionary<string, HttpMethodPermissions>
+                {
+                    ["*"] = new HttpMethodPermissions
+                    {
+                        Get = "You do not have sufficient permissions to view product categories.",
+                        Post = "You do not have sufficient permissions to create a product category.",
+                        Put = "You do not have sufficient permissions to edit a product category.",
+                        Delete = "You do not have sufficient permissions to delete a product category.",
+                        Default = "You do not have sufficient permissions to perform this action on product categories."
+                    }
+                }
+            },
+            new()
+            {
+                Resource = "users",
+                Prefix = "/api/users",
+                Permissions = new Dictionary<string, HttpMethodPermissions>
+                {
+                    ["*"] = new HttpMethodPermissions
+                    {
+                        Get = "You do not have sufficient permissions to view user information.",
+                        Post = "You do not have sufficient permissions to create a user.",
+                        Put = "You do not have sufficient permissions to edit user information.",
+                        Delete = "You do not have sufficient permissions to delete a user.",
+                        Default = "You do not have sufficient permissions to perform this action on users."
+                    }
+                }
+            },
+            new()
+            {
+                Resource = "orders",
+                Prefix = "/api/orders",
+                Permissions = new Dictionary<string, HttpMethodPermissions>
+                {
+                    ["*"] = new HttpMethodPermissions
+                    {
+                        Get = "You do not have sufficient permissions to view orders.",
+                        Post = "You do not have sufficient permissions to create an order.",
+                        Put = "You do not have sufficient permissions to modify an order.",
+                        Delete = "You do not have sufficient permissions to cancel an order.",
+                        Default = "You do not have sufficient permissions to perform this action on orders."
+                    }
+                }
+            }
+            // Add more resources as needed
+        };
+    }
+
+    public string GetPermissionMessage(string path, string httpMethod)
+    {
+        // Find the matching resource configuration
+        var resourceConfig =
+            _resourcePermissions.FirstOrDefault(r => path.StartsWith(r.Prefix, StringComparison.OrdinalIgnoreCase));
+
+        if (resourceConfig == null)
+        {
+            return "You do not have sufficient permissions to perform this action.";
+        }
+
+        // Get the specific action configuration (default to "*" if not found)
+        var actionKey = "*"; // We can later extend this to match specific actions like "/api/projects/{id}"
+
+        if (!resourceConfig.Permissions.TryGetValue(actionKey, out var permissions))
+        {
+            return "You do not have sufficient permissions to perform this action.";
+        }
+
+        // Return the appropriate message based on HTTP method
+        return httpMethod.ToUpper() switch
+        {
+            "GET" => permissions.Get ?? permissions.Default,
+            "POST" => permissions.Post ?? permissions.Default,
+            "PUT" => permissions.Put ?? permissions.Default,
+            "DELETE" => permissions.Delete ?? permissions.Default,
+            _ => permissions.Default ?? "You do not have sufficient permissions to perform this action."
+        };
+    }
+}
diff --git a/Security/Permissions/ResourcePermissionMessages.cs b/Security/Permissions/ResourcePermissionMessages.cs
@@ -0,0 +1,17 @@
+﻿namespace AdminHubApi.Security.Permissions;
+
+public class ResourcePermissionMessages
+{
+    public string Resource { get; set; }
+    public string Prefix { get; set; }
+    public Dictionary<string, HttpMethodPermissions> Permissions { get; set; }
+}
+
+public class HttpMethodPermissions
+{
+    public string Get { get; set; }
+    public string Post { get; set; }
+    public string Put { get; set; }
+    public string Delete { get; set; }
+    public string Default { get; set; }
+}
