From b6fc351ce328c74b3da366b9f575487f7e314fc1 Mon Sep 17 00:00:00 2001
From: Kevin Hahn
Date: Fri, 17 May 2024 10:55:57 -0600
Subject: [PATCH] lock down sync api in lexbox to only be available to admins for now

---
 backend/LexBoxApi/Program.cs | 2 +-
 backend/LexBoxApi/Services/CrdtSyncRoutes.cs | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/backend/LexBoxApi/Program.cs b/backend/LexBoxApi/Program.cs
index 598dcd25e..31a98c0df 100644
--- a/backend/LexBoxApi/Program.cs
+++ b/backend/LexBoxApi/Program.cs
@@ -162,7 +162,7 @@
 app.MapQuartzUI("/api/quartz").RequireAuthorization(new AdminRequiredAttribute());
 app.MapControllers();
 app.MapLfClassicApi().RequireAuthorization(new AdminRequiredAttribute()).WithOpenApi();
-app.MapSyncApi().AllowAnonymous().WithOpenApi();
+app.MapSyncApi().WithOpenApi();
 app.MapTus("/api/tus-test", async context => await context.RequestServices.GetRequiredService().GetTestConfig(context)) .RequireAuthorization(new AdminRequiredAttribute());
diff --git a/backend/LexBoxApi/Services/CrdtSyncRoutes.cs b/backend/LexBoxApi/Services/CrdtSyncRoutes.cs
index 8604aba10..57f51859d 100644
--- a/backend/LexBoxApi/Services/CrdtSyncRoutes.cs
+++ b/backend/LexBoxApi/Services/CrdtSyncRoutes.cs
@@ -1,4 +1,5 @@
 using Crdt.Core;
+using LexBoxApi.Auth.Attributes;
 using LexData;
 using LexData.Entities;
@@ -9,7 +10,8 @@ public static class CrdtSyncRoutes
 public static IEndpointConventionBuilder MapSyncApi(this IEndpointRouteBuilder endpoints, string path = "/api/sync/{id}")
 {
- var group = endpoints.MapGroup(path);
+ //todo determine if the user has permission to access the project, for now lock down to admin only
+ var group = endpoints.MapGroup(path).RequireAuthorization(new AdminRequiredAttribute());
 group.MapGet("/get", async (Guid id, LexBoxDbContext dbContext) =>
 {
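Review bot: After this change the Program.cs call site no longer states which policy protects the sync API; the admin-only requirement now lives inside MapSyncApi (see the CrdtSyncRoutes.cs hunk), whereas the neighbouring MapQuartzUI and MapLfClassicApi lines declare `RequireAuthorization(new AdminRequiredAttribute())` inline. Someone auditing Program.cs for routes that lack an explicit policy will have to open CrdtSyncRoutes.cs to learn that this group is locked down. Either keep the policy visible here too, `app.MapSyncApi().RequireAuthorization(new AdminRequiredAttribute()).WithOpenApi();` (the same policy applied twice is harmless), or add `// authorization is applied on the route group inside MapSyncApi (admin-only for now)` above the line so the intent is readable at the call site.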
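Review bot: The `//todo` comment on the new `var group` line should record what the intended replacement check is and that the group-level policy is what protects every endpoint mapped beneath it, because a later `.AllowAnonymous()` on any individual endpoint in the group would override the group's `RequireAuthorization`. Suggested wording: `// TODO: replace the admin-only policy with a per-project permission check keyed on the {id} route value; until then every endpoint in this group requires AdminRequiredAttribute, and a per-endpoint AllowAnonymous() would bypass it.` MapSyncApi's body continues past the end of the hunk, so whether any of the mapped endpoints currently does that cannot be confirmed from here.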