src/api/SIGCM2.Api/Authorization/PermissionAuthorizationHandler.cs

using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using SIGCM2.Application.Abstractions.Persistence;
using SIGCM2.Application.Common;

namespace SIGCM2.Api.Authorization;

/// <summary>
/// Authorization handler for <see cref="RequirePermissionAttribute"/>.
/// UDT-009: Reads "rol" + "sub" claims, queries both IRolPermisoRepository
/// and IUsuarioRepository, resolves effective permissions via PermisoResolver,
/// and succeeds if at least one required permission matches (OR semantics).
/// No caching — always authoritative from DB (UDT-006 D1, UDT-009 D3).
/// </summary>
public sealed class PermissionAuthorizationHandler
    : AuthorizationHandler<RequirePermissionAttribute>
{
    private readonly IRolPermisoRepository _rolPermisoRepo;
    private readonly IUsuarioRepository _usuarioRepo;
    private readonly ILogger<PermissionAuthorizationHandler> _logger;

    public PermissionAuthorizationHandler(
        IRolPermisoRepository rolPermisoRepo,
        IUsuarioRepository usuarioRepo,
        ILogger<PermissionAuthorizationHandler> logger)
    {
        _rolPermisoRepo = rolPermisoRepo;
        _usuarioRepo = usuarioRepo;
        _logger = logger;
    }

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        RequirePermissionAttribute requirement)
    {
        // 1. Must be authenticated — defense-in-depth
        if (context.User?.Identity?.IsAuthenticated != true)
            return; // implicit Fail

        // 2. Extract "rol" claim
        var rolCodigo = context.User.FindFirst("rol")?.Value;
        if (string.IsNullOrWhiteSpace(rolCodigo))
        {
            _logger.LogWarning(
                "Authorization failed — token missing 'rol' claim for user {User}",
                context.User.Identity?.Name);
            context.Fail(new AuthorizationFailureReason(this, "missing_rol_claim"));
            return;
        }

        // 3. Extract "sub" claim — MapInboundClaims=false so it stays as "sub" (NOT NameIdentifier)
        var subClaim = context.User.FindFirst(JwtRegisteredClaimNames.Sub)?.Value
                    ?? context.User.FindFirst("sub")?.Value;

        if (string.IsNullOrWhiteSpace(subClaim) || !int.TryParse(subClaim, out var userId))
        {
            _logger.LogWarning(
                "Authorization failed — token missing or non-numeric 'sub' claim for user {User}",
                context.User.Identity?.Name);
            context.Fail(new AuthorizationFailureReason(this, "missing_sub_claim"));
            return;
        }

        // 4. Load role permissions — no cache (UDT-006 D1)
        var rolPermisoEntities = await _rolPermisoRepo.GetByRolCodigoAsync(rolCodigo);
        var rolPermisos = rolPermisoEntities.Select(p => p.Codigo);

        // 5. Load user overrides — no cache (UDT-009 D3); null usuario → no overrides
        var usuario = await _usuarioRepo.GetByIdAsync(userId);
        var overrides = PermisosOverride.FromJson(usuario?.PermisosJson);

        // 6. Resolve effective permissions
        var effective = PermisoResolver.Resolve(rolPermisos, overrides);

        // 7. OR semantics — any single match is enough
        var matched = requirement.PermissionCodes.FirstOrDefault(effective.Contains);

        if (matched is not null)
        {
            context.Succeed(requirement);
            return;
        }

        // 8. Stash required permission for ForbiddenProblemDetailsHandler
        if (context.Resource is HttpContext httpContext)
            httpContext.Items["RequiredPermission"] = requirement.PermissionCodes[0];

        context.Fail(new AuthorizationFailureReason(this,
            $"missing_permission:{string.Join('|', requirement.PermissionCodes)}"));
    }
}
feat(api): PermissionAuthorizationHandler resuelve overrides desde DB por request [UDT-009] 2026-04-15 21:32:35 -03:00			`using System.IdentityModel.Tokens.Jwt;`
feat(api): RequirePermissionAttribute + PermissionAuthorizationHandler [UDT-006] 2026-04-15 16:26:30 -03:00			`using Microsoft.AspNetCore.Authorization;`
			`using Microsoft.AspNetCore.Http;`
			`using SIGCM2.Application.Abstractions.Persistence;`
feat(api): PermissionAuthorizationHandler resuelve overrides desde DB por request [UDT-009] 2026-04-15 21:32:35 -03:00			`using SIGCM2.Application.Common;`
feat(api): RequirePermissionAttribute + PermissionAuthorizationHandler [UDT-006] 2026-04-15 16:26:30 -03:00
			`namespace SIGCM2.Api.Authorization;`

			`/// <summary>`
			`/// Authorization handler for <see cref="RequirePermissionAttribute"/>.`
feat(api): PermissionAuthorizationHandler resuelve overrides desde DB por request [UDT-009] 2026-04-15 21:32:35 -03:00			`/// UDT-009: Reads "rol" + "sub" claims, queries both IRolPermisoRepository`
			`/// and IUsuarioRepository, resolves effective permissions via PermisoResolver,`
			`/// and succeeds if at least one required permission matches (OR semantics).`
			`/// No caching — always authoritative from DB (UDT-006 D1, UDT-009 D3).`
feat(api): RequirePermissionAttribute + PermissionAuthorizationHandler [UDT-006] 2026-04-15 16:26:30 -03:00			`/// </summary>`
			`public sealed class PermissionAuthorizationHandler`
			`: AuthorizationHandler<RequirePermissionAttribute>`
			`{`
			`private readonly IRolPermisoRepository _rolPermisoRepo;`
feat(api): PermissionAuthorizationHandler resuelve overrides desde DB por request [UDT-009] 2026-04-15 21:32:35 -03:00			`private readonly IUsuarioRepository _usuarioRepo;`
feat(api): RequirePermissionAttribute + PermissionAuthorizationHandler [UDT-006] 2026-04-15 16:26:30 -03:00			`private readonly ILogger<PermissionAuthorizationHandler> _logger;`

			`public PermissionAuthorizationHandler(`
			`IRolPermisoRepository rolPermisoRepo,`
feat(api): PermissionAuthorizationHandler resuelve overrides desde DB por request [UDT-009] 2026-04-15 21:32:35 -03:00			`IUsuarioRepository usuarioRepo,`
feat(api): RequirePermissionAttribute + PermissionAuthorizationHandler [UDT-006] 2026-04-15 16:26:30 -03:00			`ILogger<PermissionAuthorizationHandler> logger)`
			`{`
			`_rolPermisoRepo = rolPermisoRepo;`
feat(api): PermissionAuthorizationHandler resuelve overrides desde DB por request [UDT-009] 2026-04-15 21:32:35 -03:00			`_usuarioRepo = usuarioRepo;`
feat(api): RequirePermissionAttribute + PermissionAuthorizationHandler [UDT-006] 2026-04-15 16:26:30 -03:00			`_logger = logger;`
			`}`

			`protected override async Task HandleRequirementAsync(`
			`AuthorizationHandlerContext context,`
			`RequirePermissionAttribute requirement)`
			`{`
feat(api): PermissionAuthorizationHandler resuelve overrides desde DB por request [UDT-009] 2026-04-15 21:32:35 -03:00			`// 1. Must be authenticated — defense-in-depth`
feat(api): RequirePermissionAttribute + PermissionAuthorizationHandler [UDT-006] 2026-04-15 16:26:30 -03:00			`if (context.User?.Identity?.IsAuthenticated != true)`
feat(api): PermissionAuthorizationHandler resuelve overrides desde DB por request [UDT-009] 2026-04-15 21:32:35 -03:00			`return; // implicit Fail`
feat(api): RequirePermissionAttribute + PermissionAuthorizationHandler [UDT-006] 2026-04-15 16:26:30 -03:00
feat(api): PermissionAuthorizationHandler resuelve overrides desde DB por request [UDT-009] 2026-04-15 21:32:35 -03:00			`// 2. Extract "rol" claim`
feat(api): RequirePermissionAttribute + PermissionAuthorizationHandler [UDT-006] 2026-04-15 16:26:30 -03:00			`var rolCodigo = context.User.FindFirst("rol")?.Value;`
			`if (string.IsNullOrWhiteSpace(rolCodigo))`
			`{`
			`_logger.LogWarning(`
			`"Authorization failed — token missing 'rol' claim for user {User}",`
			`context.User.Identity?.Name);`
			`context.Fail(new AuthorizationFailureReason(this, "missing_rol_claim"));`
			`return;`
			`}`

feat(api): PermissionAuthorizationHandler resuelve overrides desde DB por request [UDT-009] 2026-04-15 21:32:35 -03:00			`// 3. Extract "sub" claim — MapInboundClaims=false so it stays as "sub" (NOT NameIdentifier)`
			`var subClaim = context.User.FindFirst(JwtRegisteredClaimNames.Sub)?.Value`
			`?? context.User.FindFirst("sub")?.Value;`
feat(api): RequirePermissionAttribute + PermissionAuthorizationHandler [UDT-006] 2026-04-15 16:26:30 -03:00
feat(api): PermissionAuthorizationHandler resuelve overrides desde DB por request [UDT-009] 2026-04-15 21:32:35 -03:00			`if (string.IsNullOrWhiteSpace(subClaim) \|\| !int.TryParse(subClaim, out var userId))`
			`{`
			`_logger.LogWarning(`
			`"Authorization failed — token missing or non-numeric 'sub' claim for user {User}",`
			`context.User.Identity?.Name);`
			`context.Fail(new AuthorizationFailureReason(this, "missing_sub_claim"));`
			`return;`
			`}`

			`// 4. Load role permissions — no cache (UDT-006 D1)`
			`var rolPermisoEntities = await _rolPermisoRepo.GetByRolCodigoAsync(rolCodigo);`
			`var rolPermisos = rolPermisoEntities.Select(p => p.Codigo);`

			`// 5. Load user overrides — no cache (UDT-009 D3); null usuario → no overrides`
			`var usuario = await _usuarioRepo.GetByIdAsync(userId);`
			`var overrides = PermisosOverride.FromJson(usuario?.PermisosJson);`

			`// 6. Resolve effective permissions`
			`var effective = PermisoResolver.Resolve(rolPermisos, overrides);`

			`// 7. OR semantics — any single match is enough`
			`var matched = requirement.PermissionCodes.FirstOrDefault(effective.Contains);`
feat(api): RequirePermissionAttribute + PermissionAuthorizationHandler [UDT-006] 2026-04-15 16:26:30 -03:00
			`if (matched is not null)`
			`{`
			`context.Succeed(requirement);`
			`return;`
			`}`

feat(api): PermissionAuthorizationHandler resuelve overrides desde DB por request [UDT-009] 2026-04-15 21:32:35 -03:00			`// 8. Stash required permission for ForbiddenProblemDetailsHandler`
feat(api): RequirePermissionAttribute + PermissionAuthorizationHandler [UDT-006] 2026-04-15 16:26:30 -03:00			`if (context.Resource is HttpContext httpContext)`
			`httpContext.Items["RequiredPermission"] = requirement.PermissionCodes[0];`

			`context.Fail(new AuthorizationFailureReason(this,`
			`$"missing_permission:{string.Join('\|', requirement.PermissionCodes)}"));`
			`}`
			`}`