Diffstat (limited to 'src/server/Utilities')
-rw-r--r--src/server/Utilities/BasicAuthenticationAttribute.cs39
-rw-r--r--src/server/Utilities/BasicAuthenticationHandler.cs14
2 files changed, 46 insertions, 7 deletions
diff --git a/src/server/Utilities/BasicAuthenticationAttribute.cs b/src/server/Utilities/BasicAuthenticationAttribute.cs
new file mode 100644
index 0000000..81467cd
--- /dev/null
+++ b/src/server/Utilities/BasicAuthenticationAttribute.cs
@@ -0,0 +1,39 @@
+using System.Net.Http.Headers;
+using Microsoft.AspNetCore.Mvc.Filters;
+
+namespace IOL.BookmarkThing.Server.Utilities;
+
+public class BasicAuthenticationAttribute : TypeFilterAttribute
+{
+ public BasicAuthenticationAttribute(string claimPermission) : base(typeof(BasicAuthenticationFilter)) {
+ Arguments = new object[] {
+ new Claim(claimPermission, "True")
+ };
+ }
+}
+
+public class BasicAuthenticationFilter : IAuthorizationFilter
+{
+ private readonly Claim _claim;
+
+ public BasicAuthenticationFilter(Claim claim) {
+ _claim = claim;
+ }
+
+ public void OnAuthorization(AuthorizationFilterContext context) {
+ if (!context.HttpContext.Request.Headers.ContainsKey("Authorization")) return;
+ try {
+ var authHeader = AuthenticationHeaderValue.Parse(context.HttpContext.Request.Headers["Authorization"]);
+ if (authHeader.Parameter is null) {
+ context.Result = new ForbidResult(AppConstants.BASIC_AUTH_SCHEME);
+ }
+
+ var hasClaim = context.HttpContext.User.Claims.Any(c => c.Type == _claim.Type && c.Value == _claim.Value);
+ if (!hasClaim) {
+ context.Result = new ForbidResult(AppConstants.BASIC_AUTH_SCHEME);
+ }
+ } catch {
+ // ignore
+ }
+ }
+}
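Review bot: OnAuthorization fails open on two paths: the early `return` when the Authorization header is absent, and the bare `catch` that swallows the FormatException thrown by `AuthenticationHeaderValue.Parse` on a malformed header — in both cases `context.Result` is never set, so the request continues to the action without the claim check. The `authHeader.Parameter is null` branch also sets a result but does not return, so execution falls through into the claim check instead of stopping there. Since the credential itself is validated in BasicAuthenticationHandler (the other file in this commit) and this filter only gates on the resulting claims, every path that does not positively confirm the claim should set a result — a challenge when the header is missing, a forbid otherwise — and only FormatException should be caught. `Claim` is also used without a visible `using System.Security.Claims;`, which presumably comes from a global using; worth confirming.
```csharp
public void OnAuthorization(AuthorizationFilterContext context) {
    if (!context.HttpContext.Request.Headers.ContainsKey("Authorization")) {
        // No credentials at all: ask the client to authenticate rather than letting the request through.
        context.Result = new ChallengeResult(AppConstants.BASIC_AUTH_SCHEME);
        return;
    }
    try {
        var authHeader = AuthenticationHeaderValue.Parse(context.HttpContext.Request.Headers["Authorization"]);
        if (authHeader.Parameter is null) {
            context.Result = new ForbidResult(AppConstants.BASIC_AUTH_SCHEME);
            return;
        }
        // … unchanged: claim check against _claim …
    } catch (FormatException) {
        // A header that cannot be parsed must not bypass the check.
        context.Result = new ForbidResult(AppConstants.BASIC_AUTH_SCHEME);
    }
}
```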
diff --git a/src/server/Utilities/BasicAuthenticationHandler.cs b/src/server/Utilities/BasicAuthenticationHandler.cs
index c4124e8..fada122 100644
--- a/src/server/Utilities/BasicAuthenticationHandler.cs
+++ b/src/server/Utilities/BasicAuthenticationHandler.cs
@@ -60,19 +60,19 @@ public class BasicAuthenticationHandler : AuthenticationHandler<AuthenticationSc
}
var permissions = new List<Claim>() {
- new(Constants.TOKEN_ALLOW_READ, token.AllowRead.ToString()),
- new(Constants.TOKEN_ALLOW_UPDATE, token.AllowUpdate.ToString()),
- new(Constants.TOKEN_ALLOW_CREATE, token.AllowCreate.ToString()),
- new(Constants.TOKEN_ALLOW_DELETE, token.AllowDelete.ToString()),
+ new(AppConstants.TOKEN_ALLOW_READ, token.AllowRead.ToString()),
+ new(AppConstants.TOKEN_ALLOW_UPDATE, token.AllowUpdate.ToString()),
+ new(AppConstants.TOKEN_ALLOW_CREATE, token.AllowCreate.ToString()),
+ new(AppConstants.TOKEN_ALLOW_DELETE, token.AllowDelete.ToString()),
};
var claims = token.User.DefaultClaims().Concat(permissions);
- var identity = new ClaimsIdentity(claims, Constants.BASIC_AUTH_SCHEME);
+ var identity = new ClaimsIdentity(claims, AppConstants.BASIC_AUTH_SCHEME);
var principal = new ClaimsPrincipal(identity);
- var ticket = new AuthenticationTicket(principal, Constants.BASIC_AUTH_SCHEME);
+ var ticket = new AuthenticationTicket(principal, AppConstants.BASIC_AUTH_SCHEME);
return Task.FromResult(AuthenticateResult.Success(ticket));
} catch (Exception e) {
- _logger.LogError(e, $"An exception occured when challenging {Constants.BASIC_AUTH_SCHEME}");
+ _logger.LogError(e, $"An exception occured when challenging {AppConstants.BASIC_AUTH_SCHEME}");
return Task.FromResult(AuthenticateResult.Fail("Invalid Authorization Header"));
}
}