Commit deb906e

authored

Merge pull request #16 from headlines-toolkit/fix_authentication

Fix authentication

2 parents b7f1a22 + 9e89851 commit deb906eCopy full SHA for deb906e

File tree

5 files changed

+58

-13

lines changed

lib/src
- config
  - app_dependencies.dart
- rbac
  - permissions.dart
  - role_permissions.dart
- services
  - auth_service.dart
  - default_user_preference_limit_service.dart

5 files changed

+58

-13

lines changed

`‎lib/src/config/app_dependencies.dart‎`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -178,10 +178,12 @@ class AppDependencies {`
`178`	`178`	`);`
`179`	`179`	`verificationCodeStorageService =`
`180`	`180`	`InMemoryVerificationCodeStorageService();`
	`181`	`+ permissionService = const PermissionService();`
`181`	`182`	`authService = AuthService(`
`182`	`183`	`userRepository: userRepository,`
`183`	`184`	`authTokenService: authTokenService,`
`184`	`185`	`verificationCodeStorageService: verificationCodeStorageService,`
	`186`	`+ permissionService: permissionService,`
`185`	`187`	`emailRepository: emailRepository,`
`186`	`188`	`userAppSettingsRepository: userAppSettingsRepository,`
`187`	`189`	`userContentPreferencesRepository: userContentPreferencesRepository,`
`@@ -193,9 +195,9 @@ class AppDependencies {`
`193`	`195`	`topicRepository: topicRepository,`
`194`	`196`	`sourceRepository: sourceRepository,`
`195`	`197`	`);`
`196`		`- permissionService = const PermissionService();`
`197`	`198`	`userPreferenceLimitService = DefaultUserPreferenceLimitService(`
`198`	`199`	`remoteConfigRepository: remoteConfigRepository,`
	`200`	`+ permissionService: permissionService,`
`199`	`201`	`log: Logger('DefaultUserPreferenceLimitService'),`
`200`	`202`	`);`
`201`	`203`

`‎lib/src/rbac/permissions.dart‎`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -54,4 +54,11 @@ abstract class Permissions {`
`54`	`54`	`static const String remoteConfigRead = 'remote_config.read';`
`55`	`55`	`static const String remoteConfigUpdate = 'remote_config.update';`
`56`	`56`	`static const String remoteConfigDelete = 'remote_config.delete';`
	`57`	`+`
	`58`	`+ // Dashboard Permissions`
	`59`	`+ static const String dashboardLogin = 'dashboard.login';`
	`60`	`+`
	`61`	`+ // User Preference Permissions`
	`62`	`+ static const String userPreferenceBypassLimits =`
	`63`	`+ 'user_preference.bypass_limits';`
`57`	`64`	`}`

`‎lib/src/rbac/role_permissions.dart‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,7 @@ final Set<String> _dashboardPublisherPermissions = {`
`33`	`33`	`Permissions.headlineCreate,`
`34`	`34`	`Permissions.headlineUpdate,`
`35`	`35`	`Permissions.headlineDelete,`
	`36`	`+ Permissions.dashboardLogin,`
`36`	`37`	`};`
`37`	`38`
`38`	`39`	`final Set<String> _dashboardAdminPermissions = {`
`@@ -50,6 +51,7 @@ final Set<String> _dashboardAdminPermissions = {`
`50`	`51`	`Permissions.remoteConfigCreate,`
`51`	`52`	`Permissions.remoteConfigUpdate,`
`52`	`53`	`Permissions.remoteConfigDelete,`
	`54`	`+ Permissions.userPreferenceBypassLimits,`
`53`	`55`	`};`
`54`	`56`
`55`	`57`	`/// Defines the mapping between user roles (both app and dashboard) and the`

`‎lib/src/services/auth_service.dart‎`

Lines changed: 31 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+import 'package:ht_api/src/rbac/permission_service.dart';`
	`2`	`+import 'package:ht_api/src/rbac/permissions.dart';`
`1`	`3`	`import 'package:ht_api/src/services/auth_token_service.dart';`
`2`	`4`	`import 'package:ht_api/src/services/verification_code_storage_service.dart';`
`3`	`5`	`import 'package:ht_data_repository/ht_data_repository.dart';`
`@@ -21,12 +23,14 @@ class AuthService {`
`21`	`23`	`required HtEmailRepository emailRepository,`
`22`	`24`	`required HtDataRepository<UserAppSettings> userAppSettingsRepository,`
`23`	`25`	`required HtDataRepository<UserContentPreferences>`
`24`		`- userContentPreferencesRepository,`
	`26`	`+ userContentPreferencesRepository,`
	`27`	`+ required PermissionService permissionService,`
`25`	`28`	`required Uuid uuidGenerator,`
`26`	`29`	`required Logger log,`
`27`	`30`	`}) : _userRepository = userRepository,`
`28`	`31`	`_authTokenService = authTokenService,`
`29`	`32`	`_verificationCodeStorageService = verificationCodeStorageService,`
	`33`	`+ _permissionService = permissionService,`
`30`	`34`	`_emailRepository = emailRepository,`
`31`	`35`	`_userAppSettingsRepository = userAppSettingsRepository,`
`32`	`36`	`_userContentPreferencesRepository = userContentPreferencesRepository,`
`@@ -39,7 +43,8 @@ class AuthService {`
`39`	`43`	`final HtEmailRepository _emailRepository;`
`40`	`44`	`final HtDataRepository<UserAppSettings> _userAppSettingsRepository;`
`41`	`45`	`final HtDataRepository<UserContentPreferences>`
`42`		`- _userContentPreferencesRepository;`
	`46`	`+ _userContentPreferencesRepository;`
	`47`	`+ final PermissionService _permissionService;`
`43`	`48`	`final Logger _log;`
`44`	`49`	`final Uuid _uuid;`
`45`	`50`
`@@ -77,13 +82,13 @@ class AuthService {`
`77`	`82`	`);`
`78`	`83`	`}`
`79`	`84`
`80`		`- final hasRequiredRole =`
`81`		`- user.dashboardRole ==DashboardUserRole.admin \|\|`
`82`		`- user.dashboardRole ==DashboardUserRole.publisher;`
`83`		`-`
`84`		`- if (!hasRequiredRole) {`
	`85`	`+ // Use the PermissionService to check for the specific dashboard login permission.`
	`86`	`+ if (!_permissionService.hasPermission(`
	`87`	`+ user,`
	`88`	`+Permissions.dashboardLogin,`
	`89`	`+ )) {`
`85`	`90`	`_log.warning(`
`86`		`- 'Dashboard login failed: User ${user.id} lacks required roles.',`
	`91`	`+ 'Dashboard login failed: User ${user.id} lacks required permission (${Permissions.dashboardLogin}).',`
`87`	`92`	`);`
`88`	`93`	`throw const ForbiddenException(`
`89`	`94`	`'Your account does not have the required permissions to sign in.',`
`@@ -157,6 +162,24 @@ class AuthService {`
`157`	`162`	`final existingUser = await _findUserByEmail(email);`
`158`	`163`	`if (existingUser != null) {`
`159`	`164`	`user = existingUser;`
	`165`	`+ // If this is a dashboard login, re-verify the user's dashboard role.`
	`166`	`+ // This closes the loophole where a non-admin user could request a code`
	`167`	`+ // via the app flow and then use it to log into the dashboard.`
	`168`	`+ if (isDashboardLogin) {`
	`169`	`+ if (!_permissionService.hasPermission(`
	`170`	`+ user,`
	`171`	`+ Permissions.dashboardLogin,`
	`172`	`+ )) {`
	`173`	`+ _log.warning(`
	`174`	`+ 'Dashboard login failed: User ${user.id} lacks required permission '`
	`175`	`+ 'during code verification.',`
	`176`	`+ );`
	`177`	`+ throw const ForbiddenException(`
	`178`	`+ 'Your account does not have the required permissions to sign in.',`
	`179`	`+ );`
	`180`	`+ }`
	`181`	`+ _log.info('Dashboard user ${user.id} re-verified successfully.');`
	`182`	`+ }`
`160`	`183`	`} else {`
`161`	`184`	`// User not found.`
`162`	`185`	`if (isDashboardLogin) {`

`‎lib/src/services/default_user_preference_limit_service.dart‎`

Lines changed: 15 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+import 'package:ht_api/src/rbac/permission_service.dart';`
	`2`	`+import 'package:ht_api/src/rbac/permissions.dart';`
`1`	`3`	`import 'package:ht_api/src/services/user_preference_limit_service.dart';`
`2`	`4`	`import 'package:ht_data_repository/ht_data_repository.dart';`
`3`	`5`	`import 'package:ht_shared/ht_shared.dart';`
`@@ -11,11 +13,14 @@ class DefaultUserPreferenceLimitService implements UserPreferenceLimitService {`
`11`	`13`	`/// {@macro default_user_preference_limit_service}`
`12`	`14`	`const DefaultUserPreferenceLimitService({`
`13`	`15`	`required HtDataRepository<RemoteConfig> remoteConfigRepository,`
	`16`	`+ required PermissionService permissionService,`
`14`	`17`	`required Logger log,`
`15`	`18`	`}) : _remoteConfigRepository = remoteConfigRepository,`
	`19`	`+ _permissionService = permissionService,`
`16`	`20`	`_log = log;`
`17`	`21`
`18`	`22`	`final HtDataRepository<RemoteConfig> _remoteConfigRepository;`
	`23`	`+ final PermissionService _permissionService;`
`19`	`24`	`final Logger _log;`
`20`	`25`
`21`	`26`	`// Assuming a fixed ID for the RemoteConfig document`
`@@ -34,8 +39,11 @@ class DefaultUserPreferenceLimitService implements UserPreferenceLimitService {`
`34`	`39`	`);`
`35`	`40`	`final limits = remoteConfig.userPreferenceConfig;`
`36`	`41`
`37`		`- // Admins have no limits.`
`38`		`- if (user.dashboardRole == DashboardUserRole.admin) {`
	`42`	`+ // Users with the bypass permission (e.g., admins) have no limits.`
	`43`	`+ if (_permissionService.hasPermission(`
	`44`	`+ user,`
	`45`	`+ Permissions.userPreferenceBypassLimits,`
	`46`	`+ )) {`
`39`	`47`	`return;`
`40`	`48`	`}`
`41`	`49`
`@@ -94,8 +102,11 @@ class DefaultUserPreferenceLimitService implements UserPreferenceLimitService {`
`94`	`102`	`);`
`95`	`103`	`final limits = remoteConfig.userPreferenceConfig;`
`96`	`104`
`97`		`- // Admins have no limits.`
`98`		`- if (user.dashboardRole == DashboardUserRole.admin) {`
	`105`	`+ // Users with the bypass permission (e.g., admins) have no limits.`
	`106`	`+ if (_permissionService.hasPermission(`
	`107`	`+ user,`
	`108`	`+ Permissions.userPreferenceBypassLimits,`
	`109`	`+ )) {`
`99`	`110`	`return;`
`100`	`111`	`}`
`101`	`112`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit deb906e

File tree

5 files changed

5 files changed

`‎lib/src/config/app_dependencies.dart‎`

`‎lib/src/rbac/permissions.dart‎`

`‎lib/src/rbac/role_permissions.dart‎`

`‎lib/src/services/auth_service.dart‎`

`‎lib/src/services/default_user_preference_limit_service.dart‎`

0 commit comments