Reorganized folder structure

src/HopFrame.Security/Authorization/AuthorizedAttribute.cs

@@ -0,0 +1,19 @@
+using Microsoft.AspNetCore.Mvc;
+
+namespace HopFrame.Security.Authorization;
+
+public class AuthorizedAttribute : TypeFilterAttribute {
+    
+    /// <summary>
+    /// If this decorator is present, the endpoint is only accessible if the user provided a valid access token (is logged in)
+    /// permission system:<br/>
+    /// - "*" -> all rights<br/>
+    /// - "group.[name]" -> group member<br/>
+    /// - "[namespace].[name]" -> single permission<br/>
+    /// - "[namespace].*" -> all permissions in the namespace
+    /// </summary>
+    /// <param name="permissions">specifies the permissions the user needs to have in order to access this endpoint</param>
+    public AuthorizedAttribute(params string[] permissions) : base(typeof(AuthorizedFilter)) {
+        Arguments = [permissions];
+    }
+}

src/HopFrame.Security/Authorization/AuthorizedFilter.cs

@@ -0,0 +1,32 @@
+using HopFrame.Security.Claims;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Authorization;
+using Microsoft.AspNetCore.Mvc.Filters;
+
+namespace HopFrame.Security.Authorization;
+
+public class AuthorizedFilter : IAuthorizationFilter {
+    private readonly string[] _permissions;
+
+    public AuthorizedFilter(params string[] permissions) {
+        _permissions = permissions;
+    }
+    
+    public void OnAuthorization(AuthorizationFilterContext context) {
+        if (context.Filters.Any(item => item is IAllowAnonymousFilter)) return;
+
+        if (string.IsNullOrEmpty(context.HttpContext.User.GetAccessTokenId())) {
+            context.Result = new UnauthorizedResult();
+            return;
+        }
+        
+        if (_permissions.Length == 0) return;
+
+        var permissions = context.HttpContext.User.GetPermissions();
+
+        if (!_permissions.All(permission => PermissionValidator.IncludesPermission(permission, permissions))) {
+            context.Result = new UnauthorizedResult();
+            return;
+        }
+    }
+}

src/HopFrame.Security/Authorization/PermissionValidator.cs

@@ -0,0 +1,25 @@
+namespace HopFrame.Security.Authorization;
+
+public static class PermissionValidator {
+    
+    public static bool IncludesPermission(string permission, string[] permissions) {
+        var permLow = permission.ToLower();
+        var permsLow = permissions.Select(perm => perm.ToLower()).ToArray();
+        
+        if (permsLow.Any(perm => 
+                perm == permLow ||
+                (perm.Length > permLow.Length && perm.StartsWith(permLow) && perm.ToCharArray()[permLow.Length] == '.') ||
+                perm == "*")) 
+            return true;
+        
+        foreach (var perm in permsLow) {
+            if (!perm.EndsWith(".*")) continue;
+
+            var permissionGroup = perm.Substring(0, perm.Length - 1);
+            if (permLow.StartsWith(permissionGroup)) return true;
+        }
+
+        return false;
+    }
+    
+}