From caa8f07b507bdbe44fc7c54b3f783381806a3c6d Mon Sep 17 00:00:00 2001
From: James Gunn <james@gunn.io>
Date: Wed, 10 Apr 2024 12:23:47 +0100
Subject: [PATCH] Add teaching_record scope to Authorize access & require it

---
 .../Controllers/OAuth2Controller.cs                  | 12 ++++++++++++
 .../CustomScopes.cs                                  |  6 ++++++
 .../TeachingRecordSystem.AuthorizeAccess/Program.cs  |  3 +--
 .../TestAppConfiguration.cs                          |  1 +
 .../DataStore/Postgres/Models/User.cs                |  3 ++-
 5 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/CustomScopes.cs

diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Controllers/OAuth2Controller.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Controllers/OAuth2Controller.cs
index 8add1d424..3c04ff7b1 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Controllers/OAuth2Controller.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Controllers/OAuth2Controller.cs
@@ -25,6 +25,18 @@ public async Task<IActionResult> Authorize()
         var request = HttpContext.GetOpenIddictServerRequest() ??
             throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");
 
+        if (!request.HasScope(CustomScopes.TeachingRecord))
+        {
+            return Forbid(
+                authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
+                properties: new AuthenticationProperties(new Dictionary<string, string?>()
+                {
+                    [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidRequest,
+                    [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] =
+                        $"Requests must include the {CustomScopes.TeachingRecord} scope."
+                }));
+        }
+
         var clientId = request.ClientId!;
         var client = await dbContext.ApplicationUsers.SingleAsync(u => u.ClientId == clientId);
 
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/CustomScopes.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/CustomScopes.cs
new file mode 100644
index 000000000..d950fdfe6
--- /dev/null
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/CustomScopes.cs
@@ -0,0 +1,6 @@
+namespace TeachingRecordSystem.AuthorizeAccess;
+
+public static class CustomScopes
+{
+    public const string TeachingRecord = "teaching_record";
+}
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Program.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Program.cs
index 4590bfc8c..1ed8a3193 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Program.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Program.cs
@@ -81,8 +81,7 @@
             .SetTokenEndpointUris("oauth2/token")
             .SetUserinfoEndpointUris("oauth2/userinfo");
 
-        // TODO - add teaching record scopes
-        options.RegisterScopes(Scopes.Email, Scopes.Profile);
+        options.RegisterScopes(Scopes.Email, Scopes.Profile, CustomScopes.TeachingRecord);
 
         options.AllowAuthorizationCodeFlow();
 
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/TestAppConfiguration.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/TestAppConfiguration.cs
index bebc0e312..b209a90d7 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/TestAppConfiguration.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/TestAppConfiguration.cs
@@ -35,6 +35,7 @@ public static WebApplicationBuilder AddTestApp(this WebApplicationBuilder builde
                     options.Scope.Add("openid");
                     options.Scope.Add("email");
                     options.Scope.Add("profile");
+                    options.Scope.Add(CustomScopes.TeachingRecord);
                 });
         }
         else
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.Core/DataStore/Postgres/Models/User.cs b/TeachingRecordSystem/src/TeachingRecordSystem.Core/DataStore/Postgres/Models/User.cs
index 457aa4c97..bca7b21ef 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.Core/DataStore/Postgres/Models/User.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.Core/DataStore/Postgres/Models/User.cs
@@ -105,7 +105,8 @@ public void EnsureConfiguredForOneLogin()
                 Permissions.GrantTypes.AuthorizationCode,
                 Permissions.ResponseTypes.Code,
                 Permissions.Scopes.Email,
-                Permissions.Scopes.Profile),
+                Permissions.Scopes.Profile,
+                $"{Permissions.Prefixes.Scope}teaching_record"),
             RedirectUris = CreateJsonArray(RedirectUris!.ToArray()),
             PostLogoutRedirectUris = CreateJsonArray(PostLogoutRedirectUris!.ToArray()),
             Requirements = CreateJsonArray(Requirements.Features.ProofKeyForCodeExchange)