way too much stuff for a single commit

Author: retailcoder

rubberduckvba.Server/Api/Admin/AdminController.cs

@@ -16,7 +16,7 @@ public class AdminController(ConfigurationOptions options, HangfireLauncherServi
     /// Enqueues a job that updates xmldoc content from the latest release/pre-release tags.
     /// </summary>
     /// <returns>The unique identifier of the enqueued job.</returns>
-    [Authorize("github", Roles = RDConstants.AdminRole)]
+    [Authorize("github", Roles = RDConstants.Roles.AdminRole)]
     [HttpPost("admin/update/xmldoc")]
     public IActionResult UpdateXmldocContent()
     {
@@ -28,43 +28,96 @@ public IActionResult UpdateXmldocContent()
     /// Enqueues a job that gets the latest release/pre-release tags and their respective assets, and updates the installer download stats.
     /// </summary>
     /// <returns>The unique identifier of the enqueued job.</returns>
-    [Authorize("github", Roles = RDConstants.AdminRole)]
+    [Authorize("github", Roles = RDConstants.Roles.AdminRole)]
     [HttpPost("admin/update/tags")]
     public IActionResult UpdateTagMetadata()
     {
         var jobId = hangfire.UpdateTagMetadata();
         return Ok(jobId);
     }
 
-    [Authorize("github", Roles = RDConstants.AdminRole)]
+    [Authorize("github", Roles = RDConstants.Roles.AdminRole)]
     [HttpPost("admin/cache/clear")]
     public IActionResult ClearCache()
     {
         cache.Clear();
         return Ok();
     }
 
-    [Authorize("github", Roles = $"{RDConstants.AdminRole},{RDConstants.ReviewerRole}")]
+    [Authorize("github", Roles = $"{RDConstants.Roles.AdminRole},{RDConstants.Roles.ReviewerRole},{RDConstants.Roles.WriterRole}")]
     [HttpGet("admin/audits/pending")]
     public async Task<IActionResult> GetPendingAudits()
     {
-        var edits = await audits.GetPendingItems<FeatureEditEntity>();
-        var ops = await audits.GetPendingItems<FeatureOpEntity>();
+        var edits = await audits.GetPendingItems<FeatureEditViewEntity>(User.Identity);
+        var ops = await audits.GetPendingItems<FeatureOpEntity>(User.Identity);
 
         return Ok(new { edits = edits.ToArray(), other = ops.ToArray() });
     }
 
-    [Authorize("github", Roles = $"{RDConstants.AdminRole},{RDConstants.ReviewerRole}")]
-    [HttpGet("admin/audits/{featureId}")]
+    [Authorize("github", Roles = $"{RDConstants.Roles.AdminRole},{RDConstants.Roles.ReviewerRole},{RDConstants.Roles.WriterRole}")]
+    [HttpGet("profile/activity")]
+    public async Task<IActionResult> GetUserActivity()
+    {
+        if (User.Identity is not IIdentity identity)
+        {
+            // this is arguably a bug in the authentication middleware, but we can handle it gracefully here
+            return Unauthorized("User identity is not available.");
+        }
+
+        var activity = await audits.GetAllActivity(identity);
+        return Ok(activity);
+    }
+
+    private static readonly AuditActivityType[] EditActivityTypes = [
+        AuditActivityType.SubmitEdit,
+        AuditActivityType.ApproveEdit,
+        AuditActivityType.RejectEdit
+    ];
+
+    private static readonly AuditActivityType[] OpActivityTypes = [
+        AuditActivityType.SubmitCreate,
+        AuditActivityType.ApproveCreate,
+        AuditActivityType.RejectCreate,
+        AuditActivityType.SubmitDelete,
+        AuditActivityType.ApproveDelete,
+        AuditActivityType.RejectDelete
+    ];
+
+    [Authorize("github", Roles = $"{RDConstants.Roles.AdminRole},{RDConstants.Roles.ReviewerRole}")]
+    [HttpGet("admin/audits/{id}")]
+    public async Task<IActionResult> GetAudit([FromRoute] int id, [FromQuery] string type)
+    {
+        if (!Enum.TryParse<AuditActivityType>(type, ignoreCase: true, out var validType))
+        {
+            return BadRequest("Invalid activity type.");
+        }
+
+        var edit = (FeatureEditViewEntity?)null;
+        var op = (FeatureOpEntity?)null;
+
+        if (EditActivityTypes.Contains(validType))
+        {
+            edit = await audits.GetItem<FeatureEditViewEntity>(id);
+        }
+        else if (OpActivityTypes.Contains(validType))
+        {
+            op = await audits.GetItem<FeatureOpEntity>(id);
+        }
+
+        return Ok(new { edits = new[] { edit }, other = op is null ? [] : new[] { op } });
+    }
+
+    [Authorize("github", Roles = $"{RDConstants.Roles.AdminRole},{RDConstants.Roles.ReviewerRole}")]
+    [HttpGet("admin/audits/feature/{featureId}")]
     public async Task<IActionResult> GetPendingAudits([FromRoute] int featureId)
     {
-        var edits = await audits.GetPendingItems<FeatureEditEntity>(featureId);
-        var ops = await audits.GetPendingItems<FeatureOpEntity>(featureId);
+        var edits = await audits.GetPendingItems<FeatureEditEntity>(User.Identity, featureId);
+        var ops = await audits.GetPendingItems<FeatureOpEntity>(User.Identity, featureId);
 
         return Ok(new { edits = edits.ToArray(), other = ops.ToArray() });
     }
 
-    [Authorize("github", Roles = $"{RDConstants.AdminRole},{RDConstants.ReviewerRole}")]
+    [Authorize("github", Roles = $"{RDConstants.Roles.AdminRole},{RDConstants.Roles.ReviewerRole}")]
     [HttpPost("admin/audits/approve/{id}")]
     public async Task<IActionResult> ApprovePendingAudit([FromRoute] int id)
     {
@@ -74,13 +127,13 @@ public async Task<IActionResult> ApprovePendingAudit([FromRoute] int id)
             return Unauthorized("User identity is not available.");
         }
 
-        var edits = await audits.GetPendingItems<FeatureEditEntity>();
+        var edits = await audits.GetPendingItems<FeatureEditEntity>(User.Identity);
         AuditEntity? audit;
 
         audit = edits.SingleOrDefault(e => e.Id == id);
         if (audit is null)
         {
-            var ops = await audits.GetPendingItems<FeatureOpEntity>();
+            var ops = await audits.GetPendingItems<FeatureOpEntity>(User.Identity);
             audit = ops.SingleOrDefault(e => e.Id == id);
         }
 
@@ -100,7 +153,7 @@ public async Task<IActionResult> ApprovePendingAudit([FromRoute] int id)
         return Ok("Operation was approved successfully.");
     }
 
-    [Authorize("github", Roles = $"{RDConstants.AdminRole},{RDConstants.ReviewerRole}")]
+    [Authorize("github", Roles = $"{RDConstants.Roles.AdminRole},{RDConstants.Roles.ReviewerRole}")]
     [HttpPost("admin/audits/reject/{id}")]
     public async Task<IActionResult> RejectPendingAudit([FromRoute] int id)
     {
@@ -110,13 +163,13 @@ public async Task<IActionResult> RejectPendingAudit([FromRoute] int id)
             return Unauthorized("User identity is not available.");
         }
 
-        var edits = await audits.GetPendingItems<FeatureEditEntity>();
+        var edits = await audits.GetPendingItems<FeatureEditEntity>(User.Identity);
         AuditEntity? audit;
 
         audit = edits.SingleOrDefault(e => e.Id == id);
         if (audit is null)
         {
-            var ops = await audits.GetPendingItems<FeatureOpEntity>();
+            var ops = await audits.GetPendingItems<FeatureOpEntity>(User.Identity);
             audit = ops.SingleOrDefault(e => e.Id == id);
         }
 

rubberduckvba.Server/Api/Auth/AuthController.cs

@@ -61,9 +61,9 @@ public IActionResult Index()
                 {
                     Name = name,
                     IsAuthenticated = isAuthenticated,
-                    IsAdmin = role == RDConstants.AdminRole,
-                    IsReviewer = role == RDConstants.AdminRole || role == RDConstants.ReviewerRole,
-                    IsWriter = role == RDConstants.WriterRole || role == RDConstants.AdminRole || role == RDConstants.ReviewerRole,
+                    IsAdmin = role == RDConstants.Roles.AdminRole,
+                    IsReviewer = role == RDConstants.Roles.AdminRole || role == RDConstants.Roles.ReviewerRole,
+                    IsWriter = role == RDConstants.Roles.WriterRole || role == RDConstants.Roles.AdminRole || role == RDConstants.Roles.ReviewerRole,
                 };
 
                 return Ok(model);

rubberduckvba.Server/Api/Auth/ClaimsPrincipalExtensions.cs

@@ -1,6 +1,7 @@
 using Microsoft.IdentityModel.Tokens;
 using System.IdentityModel.Tokens.Jwt;
 using System.Security.Claims;
+using System.Security.Principal;
 using System.Text;
 
 namespace rubberduckvba.Server.Api.Auth;
@@ -18,4 +19,54 @@ public static string AsJWT(this ClaimsPrincipal principal, string secret, string
 
         return new JwtSecurityTokenHandler().WriteToken(token);
     }
+
+    /// <summary>
+    /// <c>true</c> if the user is authenticated and has the <c>rd-admin</c> role.
+    /// </summary>
+    public static bool IsAdmin(this ClaimsPrincipal principal)
+    {
+        return principal.IsInRole(RDConstants.Roles.AdminRole);
+    }
+
+    /// <summary>
+    /// <c>true</c> if the user is authenticated and has the <c>rd-reviewer</c> or <c>rd-admin</c> role.
+    /// </summary>
+    public static bool IsReviewer(this ClaimsPrincipal principal)
+    {
+        return principal.IsInRole(RDConstants.Roles.ReviewerRole);
+    }
 }
+
+public static class ClaimsIdentityExtensions
+{
+    /// <summary>
+    /// <c>true</c> if the user is authenticated and has the <c>rd-admin</c> role.
+    /// </summary>
+    public static bool IsAdmin(this IIdentity identity)
+    {
+        return identity is ClaimsIdentity claimsIdentity && claimsIdentity.IsAdmin();
+    }
+
+    /// <summary>
+    /// <c>true</c> if the user is authenticated and has the <c>rd-reviewer</c> or <c>rd-admin</c> role.
+    /// </summary>
+    public static bool IsReviewer(this IIdentity identity)
+    {
+        return identity is ClaimsIdentity claimsIdentity && claimsIdentity.IsReviewer();
+    }
+
+    /// <summary>
+    /// <c>true</c> if the user is authenticated and has the <c>rd-admin</c> role.
+    /// </summary>
+    public static bool IsAdmin(this ClaimsIdentity identity)
+    {
+        return identity.IsAuthenticated && identity.HasClaim(ClaimTypes.Role, RDConstants.Roles.AdminRole);
+    }
+    /// <summary>
+    /// <c>true</c> if the user is authenticated and has the <c>rd-reviewer</c> or <c>rd-admin</c> role.
+    /// </summary>
+    public static bool IsReviewer(this ClaimsIdentity identity)
+    {
+        return identity != null && identity.IsAuthenticated && (identity.HasClaim(ClaimTypes.Role, RDConstants.Roles.AdminRole) || identity.HasClaim(ClaimTypes.Role, RDConstants.Roles.ReviewerRole));
+    }
+}

rubberduckvba.Server/Api/Features/FeatureViewModel.cs

@@ -242,7 +242,6 @@ public class InspectionsFeatureViewModel : FeatureViewModel
     public InspectionsFeatureViewModel(FeatureGraph model, IEnumerable<QuickFixViewModel> quickFixes, IDictionary<int, Tag> tagsByAssetId, bool summaryOnly = false)
         : base(model, summaryOnly)
     {
-
         Inspections = model.Inspections.OrderBy(e => e.Name).Select(e => new InspectionViewModel(e, quickFixes, tagsByAssetId)).ToArray();
     }
 

rubberduckvba.Server/Api/Features/FeaturesController.cs

@@ -152,7 +152,7 @@ public IActionResult QuickFix([FromRoute] string name)
     }
 
     [HttpGet("features/create")]
-    [Authorize("github", Roles = $"{RDConstants.AdminRole},{RDConstants.ReviewerRole},{RDConstants.WriterRole}")]
+    [Authorize("github", Roles = $"{RDConstants.Roles.AdminRole},{RDConstants.Roles.ReviewerRole}")]
     public async Task<ActionResult<FeatureEditViewModel>> Create([FromQuery] RepositoryId repository = RepositoryId.Rubberduck, [FromQuery] int? parentId = default)
     {
         var features = await GetFeatureOptions(repository);
@@ -163,7 +163,7 @@ public async Task<ActionResult<FeatureEditViewModel>> Create([FromQuery] Reposit
     }
 
     [HttpPost("features/create")]
-    [Authorize("github", Roles = $"{RDConstants.AdminRole},{RDConstants.ReviewerRole},{RDConstants.WriterRole}")]
+    [Authorize("github", Roles = $"{RDConstants.Roles.AdminRole},{RDConstants.Roles.ReviewerRole}")]
     public async Task<ActionResult<FeatureEditViewModel>> Create([FromBody] FeatureEditViewModel model)
     {
         if (model.Id.HasValue || string.IsNullOrWhiteSpace(model.Name) || model.Name.Trim().Length < 3)
@@ -190,7 +190,7 @@ public async Task<ActionResult<FeatureEditViewModel>> Create([FromBody] FeatureE
     }
 
     [HttpPost("features/update")]
-    [Authorize("github", Roles = $"{RDConstants.AdminRole},{RDConstants.ReviewerRole},{RDConstants.WriterRole}")]
+    [Authorize("github", Roles = $"{RDConstants.Roles.AdminRole},{RDConstants.Roles.ReviewerRole}")]
     public async Task<ActionResult<FeatureEditViewModel>> Update([FromBody] FeatureEditViewModel model)
     {
         if (model.Id.GetValueOrDefault() == default)
@@ -217,7 +217,7 @@ public async Task<ActionResult<FeatureEditViewModel>> Update([FromBody] FeatureE
     }
 
     [HttpPost("features/delete")]
-    [Authorize("github", Roles = $"{RDConstants.AdminRole},{RDConstants.ReviewerRole},{RDConstants.WriterRole}")]
+    [Authorize("github", Roles = $"{RDConstants.Roles.AdminRole},{RDConstants.Roles.ReviewerRole}")]
     public async Task Delete([FromBody] Feature model)
     {
         if (model.Id == default)

rubberduckvba.Server/GitHubAuthenticationHandler.cs

@@ -2,6 +2,7 @@
 using Microsoft.Extensions.Caching.Memory;
 using Microsoft.Extensions.Options;
 using rubberduckvba.Server.Services;
+using System.Collections.Concurrent;
 using System.Security.Claims;
 using System.Text.Encodings.Web;
 
@@ -11,8 +12,6 @@ public class GitHubAuthenticationHandler : AuthenticationHandler<AuthenticationS
 {
     public static readonly string AuthCookie = "x-access-token";
 
-    private static readonly object _lock = new object();
-
     private readonly IGitHubClientService _github;
     private readonly IMemoryCache _cache;
 
@@ -29,6 +28,8 @@ public GitHubAuthenticationHandler(IGitHubClientService github, IMemoryCache cac
         _cache = cache;
     }
 
+    private static readonly ConcurrentDictionary<string, Task<AuthenticateResult?>> _authApiTask = new();
+
     protected override Task<AuthenticateResult> HandleAuthenticateAsync()
     {
         try
@@ -46,20 +47,17 @@ protected override Task<AuthenticateResult> HandleAuthenticateAsync()
                 return Task.FromResult(cachedResult)!;
             }
 
-            lock (_lock)
+            if (TryAuthenticateGitHubToken(token, out var result)
+                && result is AuthenticateResult
+                && result.Ticket is AuthenticationTicket ticket)
             {
-                if (TryAuthenticateGitHubToken(token, out var result)
-                    && result is AuthenticateResult
-                    && result.Ticket is AuthenticationTicket ticket)
-                {
-                    CacheAuthenticatedTicket(token, ticket);
-                    return Task.FromResult(result!);
-                }
-
-                if (TryAuthenticateFromCache(token, out cachedResult))
-                {
-                    return Task.FromResult(cachedResult!);
-                }
+                CacheAuthenticatedTicket(token, ticket);
+                return Task.FromResult(result!);
+            }
+
+            if (TryAuthenticateFromCache(token, out cachedResult))
+            {
+                return Task.FromResult(cachedResult!);
             }
 
             return Task.FromResult(AuthenticateResult.Fail("Missing or invalid access token"));
@@ -99,16 +97,30 @@ private bool TryAuthenticateFromCache(string token, out AuthenticateResult? resu
     private bool TryAuthenticateGitHubToken(string token, out AuthenticateResult? result)
     {
         result = null;
-        var principal = _github.ValidateTokenAsync(token).GetAwaiter().GetResult();
+        if (_authApiTask.TryGetValue(token, out var task) && task is not null)
+        {
+            result = task.GetAwaiter().GetResult();
+            return result is not null;
+        }
+
+        _authApiTask[token] = AuthenticateGitHubAsync(token);
+        result = _authApiTask[token].GetAwaiter().GetResult();
+
+        _authApiTask[token] = null!;
+        return result is not null;
+    }
+
+    private async Task<AuthenticateResult?> AuthenticateGitHubAsync(string token)
+    {
+        var principal = await _github.ValidateTokenAsync(token);
         if (principal is ClaimsPrincipal)
         {
             Context.User = principal;
             Thread.CurrentPrincipal = principal;
 
             var ticket = new AuthenticationTicket(principal, "github");
-            result = AuthenticateResult.Success(ticket);
-            return true;
+            return AuthenticateResult.Success(ticket);
         }
-        return false;
+        return null;
     }
 }