Made user JWT more secure by checking the validity of the attached information and the given user (id)

2 files changed, 59 insertions, 4 deletions

diff --git a/src/DevHive.Services/Services/UserService.cs b/src/DevHive.Services/Services/UserService.cs
index d3c0d0d..b2d5aee 100644
--- a/src/DevHive.Services/Services/UserService.cs
+++ b/src/DevHive.Services/Services/UserService.cs
@@ -105,6 +105,42 @@ namespace DevHive.Services.Services
 				throw new InvalidOperationException("Unable to delete user!");
 		}
 
+		/// <summary>
+		/// Checks wether the given token's UserName and Roles are the same as these of the user with the given id.
+		/// </summary>
+		public async Task<bool> ValidJWT(Guid id, string rawTokenData)
+		{
+			// There is authorization name in the beginning, i.e. "Bearer eyJh..."
+			var jwt = new JwtSecurityTokenHandler().ReadJwtToken(rawTokenData.Remove(0, 7));
+			
+			User user = await this._userRepository.GetByIdAsync(id)
+				?? throw new ArgumentException("User does not exist!");
+			
+			/* Check username */
+			string jwtUserName = this.GetClaimTypeValues("unique_name", jwt.Claims)[0];
+
+			if (jwtUserName != user.UserName)
+				return false;
+
+			/* Check roles */
+			List<string> jwtRoleNames = this.GetClaimTypeValues("role", jwt.Claims);
+
+			// Check if jwt contains all user roles (if it doesn't, jwt is either old or tampered with)
+			foreach(var role in user.Roles)
+			{
+				if (!jwtRoleNames.Contains(role.Name))
+					return false;
+
+				jwtRoleNames.Remove(role.Name);
+			}
+
+			// Check if jwt contains only roles of user
+			if (jwtRoleNames.Count > 0)
+				return false;
+
+			return true;
+		}
+
 		private string GeneratePasswordHash(string password)
 		{
 			return string.Join(string.Empty, SHA512.HashData(Encoding.ASCII.GetBytes(password)));
@@ -137,5 +173,16 @@ namespace DevHive.Services.Services
 			SecurityToken token = tokenHandler.CreateToken(tokenDescriptor);
 			return tokenHandler.WriteToken(token);
 		}
+
+		private List<string> GetClaimTypeValues(string type, IEnumerable<Claim> claims)
+		{
+			List<string> toReturn = new();
+			
+			foreach(var claim in claims)
+				if (claim.Type == type)
+					toReturn.Add(claim.Value);
+
+			return toReturn;
+		}
 	}
 }
diff --git a/src/DevHive.Web/Controllers/UserController.cs b/src/DevHive.Web/Controllers/UserController.cs
index e339f70..35c39df 100644
--- a/src/DevHive.Web/Controllers/UserController.cs
+++ b/src/DevHive.Web/Controllers/UserController.cs
@@ -9,7 +9,6 @@ using DevHive.Web.Models.Identity.User;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using DevHive.Common.Models.Identity;
-using DevHive.Common.Models;
 
 namespace DevHive.Web.Controllers
 {
@@ -56,8 +55,11 @@ namespace DevHive.Web.Controllers
 
 		//Read
 		[HttpGet]
-		public async Task<IActionResult> GetById(Guid id)
+		public async Task<IActionResult> GetById(Guid id, [FromHeader] string authorization)
 		{
+			if (!await this._userService.ValidJWT(id, authorization))
+				return new UnauthorizedResult();
+
 			UserServiceModel userServiceModel = await this._userService.GetUserById(id);
 			UserWebModel userWebModel = this._userMapper.Map<UserWebModel>(userServiceModel);
 
@@ -66,8 +68,11 @@ namespace DevHive.Web.Controllers
 
 		//Update
 		[HttpPut]
-		public async Task<IActionResult> Update(Guid id, [FromBody] UpdateUserWebModel updateModel)
+		public async Task<IActionResult> Update(Guid id, [FromBody] UpdateUserWebModel updateModel, [FromHeader] string authorization)
 		{
+			if (!await this._userService.ValidJWT(id, authorization))
+				return new UnauthorizedResult();
+
 			UpdateUserServiceModel updateUserServiceModel = this._userMapper.Map<UpdateUserServiceModel>(updateModel);
 			updateUserServiceModel.Id = id;
 
@@ -80,8 +85,11 @@ namespace DevHive.Web.Controllers
 
 		//Delete
 		[HttpDelete]
-		public async Task<IActionResult> Delete(Guid id)
+		public async Task<IActionResult> Delete(Guid id, [FromHeader] string authorization)
 		{
+			if (!await this._userService.ValidJWT(id, authorization))
+				return new UnauthorizedResult();
+
 			await this._userService.DeleteUser(id);
 			return new OkResult();
 		}