DD.WellWorkover.Cloud/AsbCloudWebApi/Middlewares/PermissionsMiddlware.cs

using AsbCloudApp.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using System;
using System.Threading.Tasks;

namespace AsbCloudWebApi.Middlewares
{
    public class PermissionsMiddlware
    {
        private readonly RequestDelegate next;

        public PermissionsMiddlware(RequestDelegate next)
        {
            this.next = next;
        }

        public async Task InvokeAsync(HttpContext context)
        {
            var endpoint = context.GetEndpoint();
            var permission = endpoint?.Metadata.GetMetadata<PermissionAttribute>();
            if (permission is null)
            {
                await next(context);
                return;
            }

            var idUser = context.User.GetUserId();
            if (idUser is null)
            {
                context.User = null;
                await context.ForbidAsync();
                return;
            }

            var permissionName = permission.Name;
            if (string.IsNullOrEmpty(permissionName))
            {
                var controller = endpoint.Metadata
                    .GetMetadata<Microsoft.AspNetCore.Mvc.Controllers.ControllerActionDescriptor>()
                    ?.ControllerName;

                var httpMethod = endpoint.Metadata
                    .GetMetadata<Microsoft.AspNetCore.Routing.HttpMethodMetadata>()
                    .HttpMethods[0]
                    .ToLower();

                permissionName = httpMethod switch
                {
                    "get" or "delete" => $"{controller}.{httpMethod}",
                    "post" or "put" or "patch" => $"{controller}.edit",
                    _ => throw new NotImplementedException(),
                };
                PermissionAttribute.Registered.Add(permissionName);
            }
            else if(permissionName.Contains("[controller]"))
            {
                var controller = endpoint.Metadata
                    .GetMetadata<Microsoft.AspNetCore.Mvc.Controllers.ControllerActionDescriptor>()
                    ?.ControllerName;
                permissionName = permissionName.Replace("[controller]", controller);
                PermissionAttribute.Registered.Add(permissionName);
            }

            var userService = context.RequestServices.GetRequiredService<IUserService>();
            var isAuthorized = userService.HasPermission((int)idUser, permissionName);

            if(isAuthorized)
                await next?.Invoke(context);
            else
                await context.ForbidAsync();
        }
    }
}