From be9c9e7721610536259f1ea997c259956c894bbd Mon Sep 17 00:00:00 2001
From: Danail Dimitrov
Date: Sun, 3 Jan 2021 21:49:47 +0200
Subject: added user validation for deleting and updating comments

---
 src/DevHive.Services/Services/PostService.cs | 43 ++++++++++++++++++++++++++-
 src/DevHive.Web/Controllers/PostController.cs | 10 +++++--
 2 files changed, 50 insertions(+), 3 deletions(-)
(limited to 'src')

diff --git a/src/DevHive.Services/Services/PostService.cs b/src/DevHive.Services/Services/PostService.cs
index 0c0fd5c..b2ea694 100644
--- a/src/DevHive.Services/Services/PostService.cs
+++ b/src/DevHive.Services/Services/PostService.cs
@@ -1,21 +1,26 @@
 using System;
+using System.Collections.Generic;
 using System.Threading.Tasks;
 using AutoMapper;
 using DevHive.Data.Models;
 using DevHive.Data.Repositories;
 using DevHive.Services.Models.Post.Comment;
 using DevHive.Services.Models.Post.Post;
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
 namespace DevHive.Services.Services
 {
 public class PostService
 {
 private readonly PostRepository _postRepository;
+ private readonly UserRepository _userRepository;
 private readonly IMapper _postMapper;
- public PostService(PostRepository postRepository, IMapper postMapper)
+ public PostService(PostRepository postRepository, UserRepository userRepository , IMapper postMapper)
 {
 this._postRepository = postRepository;
+ this._userRepository = userRepository;
 this._postMapper = postMapper;
 }
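Review bot: The two new directives `using System.IdentityModel.Tokens.Jwt;` and `using System.Security.Claims;` are appended after the project namespaces, while the existing block keeps `System.*` first; move them up next to `using System.Threading.Tasks;` so the sorted grouping survives. The new constructor signature also carries a stray space before the comma in `UserRepository userRepository , IMapper postMapper`.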
@@ -94,5 +99,41 @@ namespace DevHive.Services.Services
 return result;
 }
+
+ //Validate
+ public async Task ValidateJwtForComment(Guid commentId, string rawTokenData)
+ {
+ Comment comment = await this._postRepository.GetCommentByIdAsync(commentId);
+ User user = await this.GetUserForValidation(rawTokenData);
+
+ if (comment.IssuerId != user.Id)
+ return false;
+
+ return true;
+ }
+
+ private async Task GetUserForValidation(string rawTokenData)
+ {
+ var jwt = new JwtSecurityTokenHandler().ReadJwtToken(rawTokenData.Remove(0, 7));
+
+ string jwtUserName = this.GetClaimTypeValues("unique_name", jwt.Claims)[0];
+ //List jwtRoleNames = this.GetClaimTypeValues("role", jwt.Claims);
+
+ User user = await this._userRepository.GetByUsername(jwtUserName)
+ ?? throw new ArgumentException("User does not exist!");
+
+ return user;
+ }
+
+ private List GetClaimTypeValues(string type, IEnumerable claims)
+ {
+ List toReturn = new();
+
+ foreach(var claim in claims)
+ if (claim.Type == type)
+ toReturn.Add(claim.Value);
+
+ return toReturn;
+ }
 }
 }
\ No newline at end of file
diff --git a/src/DevHive.Web/Controllers/PostController.cs b/src/DevHive.Web/Controllers/PostController.cs
index 397ddbc..60c3935 100644
--- a/src/DevHive.Web/Controllers/PostController.cs
+++ b/src/DevHive.Web/Controllers/PostController.cs
@@ -92,8 +92,11 @@ namespace DevHive.Web.Controllers
 [HttpPut]
 [Route("Comment")]
- public async Task UpdateComment(Guid id, [FromBody] CommentWebModel commentWebModel)
+ public async Task UpdateComment(Guid id, [FromBody] CommentWebModel commentWebModel, [FromHeader] string authorization)
 {
+ if (!await this._postService.ValidateJwtForComment(id, authorization))
+ return new UnauthorizedResult();
+
 UpdateCommentServiceModel updateCommentServiceModel = this._postMapper.Map(commentWebModel);
 updateCommentServiceModel.Id = id;
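Review bot: `ReadJwtToken` in `GetUserForValidation` only decodes the token — it checks neither signature, issuer, audience nor expiry — so `ValidateJwtForComment` establishes ownership only if the authentication middleware has already validated this same header on the endpoint (an `[Authorize]` attribute, which is outside this diff); without that, a self-minted token carrying any `unique_name` passes the check. Independently, `rawTokenData.Remove(0, 7)` assumes a `Bearer ` prefix and throws on a shorter or absent header, `GetClaimTypeValues("unique_name", …)[0]` throws when the claim is missing, and `comment.IssuerId` dereferences whatever `GetCommentByIdAsync` returns for an unknown id — each surfaces as a 500 from the controller rather than a 401/404. The safer shape is to take the caller's identity from the already-authenticated principal (`HttpContext.User`) instead of re-parsing the header; if the raw header must be parsed, guard the scheme prefix, use `JwtSecurityTokenHandler.CanReadToken`, and fail closed by returning false, as sketched below. The commented-out `//List jwtRoleNames` line should be removed rather than kept, and `"unique_name"` can be spelled `JwtRegisteredClaimNames.UniqueName`.
```csharp
// ValidateJwtForComment body: fail closed instead of dereferencing a missing comment or user
Comment comment = await this._postRepository.GetCommentByIdAsync(commentId);
if (comment is null)
    return false;

User user = await this.GetUserForValidation(rawTokenData);
return user is not null && comment.IssuerId == user.Id;

// GetUserForValidation body (signature unchanged; now returns null instead of throwing on a bad header)
const string scheme = "Bearer ";
if (rawTokenData is null || !rawTokenData.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
    return null;

var handler = new JwtSecurityTokenHandler();
string encoded = rawTokenData.Substring(scheme.Length).Trim();
if (!handler.CanReadToken(encoded))
    return null;

// NOTE: this only decodes; the signature must already have been verified by the authentication middleware.
var jwt = handler.ReadJwtToken(encoded);
var names = this.GetClaimTypeValues(JwtRegisteredClaimNames.UniqueName, jwt.Claims);
if (names.Count == 0)
    return null;

return await this._userRepository.GetByUsername(names[0]);
// … unchanged: GetClaimTypeValues …
```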
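Review bot: A failed ownership check in `UpdateComment` returns `new UnauthorizedResult()` (401), but at that point the caller has presented a token and is merely not the comment's issuer, which is a 403 — `return new ForbidResult();` (or `Forbid()`) states the outcome accurately and leaves 401 to the authentication layer; the same applies to the `DeleteComment` hunk below. Binding the header as `[FromHeader] string authorization` also means a request without an `Authorization` header hands `null` to the service, where `rawTokenData.Remove(0, 7)` throws and the client sees a 500 instead of a 401; a guard such as `if (string.IsNullOrEmpty(authorization)) return Unauthorized();` before the service call, or reading the caller's identity from `HttpContext.User` (already validated by the authentication middleware, assuming the action is protected by `[Authorize]`, which is outside this diff), avoids re-parsing the raw header altogether. The rest of `UpdateComment`'s body lies outside the hunk.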
@@ -119,8 +122,11 @@ namespace DevHive.Web.Controllers
 [HttpDelete]
 [Route("Comment")]
- public async Task DeleteComment(Guid id)
+ public async Task DeleteComment(Guid id, [FromHeader] string authorization)
 {
+ if (!await this._postService.ValidateJwtForComment(id, authorization))
+ return new UnauthorizedResult();
+
 bool result = await this._postService.DeleteComment(id);
 if (!result)
-- 
cgit v1.2.3