Enforce dedicated scopes for Visualiser (#69)

samgibsonmoj · web-flow · commit b98aa281f90d · 2025-12-19T06:57:57.000Z
Enforces dedicated visualiser scopes.

Updates the API to use dedicated scopes for the visualiser application.

This change improves security by isolating the permissions required for visualiser functionality from the core data management system (DMS).
diff --git a/src/API/Endpoints/VisualisationEndpoints.cs b/src/API/Endpoints/VisualisationEndpoints.cs
@@ -22,9 +22,9 @@ public static IEndpointRouteBuilder RegisterVisualisationEndpoints(this IEndpoin
 
         group.MapPost("/Save", SaveNetworkAsync)
             .ProducesProblem(StatusCodes.Status500InternalServerError)
-            .RequireAuthorization("write");
+            .RequireAuthorization("visualisation-write");
 
-        group.RequireAuthorization("read");
+        group.RequireAuthorization("visualisation-read");
 
         return routes;
     }
diff --git a/src/API/Program.cs b/src/API/Program.cs
@@ -73,6 +73,17 @@
 {
     options.AddPolicy("read", policy => policy.RequireScope("dms.read"));
     options.AddPolicy("write", policy => policy.RequireScope("dms.write"));
+
+    options.AddPolicy("visualisation-read", policy => 
+        policy.RequireAuthenticatedUser()
+              .RequireScope("visualiser.read")
+              .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme));
+
+    options.AddPolicy("visualisation-write", policy => 
+        policy.RequireAuthenticatedUser()
+              .RequireScope("visualiser.write")
+              .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme));
+
     options.FallbackPolicy = options.DefaultPolicy;
 });
 
diff --git a/src/Visualiser/appsettings.Development.json b/src/Visualiser/appsettings.Development.json
@@ -11,8 +11,8 @@
   },
   "API": {
     "Scopes": [
-      "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/dms.read",
-      "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/dms.write"
+      "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/visualiser.read",
+      "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/visualiser.write"
     ]
   }
 }
diff --git a/src/Visualiser/appsettings.json b/src/Visualiser/appsettings.json
@@ -17,7 +17,7 @@ For more info see https://aka.ms/dotnet-template-ms-identity-platform
   "API": {
     "BaseUrl": "https://localhost:7013",
     "Scopes": [
-      // E.g. "api://{api_client_id}/dms.read" and "api://{api_client_id}/dms.write"
+      // E.g. "api://{api_client_id}/visualiser.read" and "api://{api_client_id}/visualiser.write"
     ]
   },
   "Serilog": {

Original file line number	Diff line number	Diff line change
`@@ -22,9 +22,9 @@ public static IEndpointRouteBuilder RegisterVisualisationEndpoints(this IEndpoin`
`22`	`22`
`23`	`23`	`group.MapPost("/Save", SaveNetworkAsync)`
`24`	`24`	`.ProducesProblem(StatusCodes.Status500InternalServerError)`
`25`		`- .RequireAuthorization("write");`
	`25`	`+ .RequireAuthorization("visualisation-write");`
`26`	`26`
`27`		`- group.RequireAuthorization("read");`
	`27`	`+ group.RequireAuthorization("visualisation-read");`
`28`	`28`
`29`	`29`	`return routes;`
`30`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,8 +11,8 @@`
`11`	`11`	`},`
`12`	`12`	`"API": {`
`13`	`13`	`"Scopes": [`
`14`		`- "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/dms.read",`
`15`		`- "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/dms.write"`
	`14`	`+ "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/visualiser.read",`
	`15`	`+ "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/visualiser.write"`
`16`	`16`	`]`
`17`	`17`	`}`
`18`	`18`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ For more info see https://aka.ms/dotnet-template-ms-identity-platform`
`17`	`17`	`"API": {`
`18`	`18`	`"BaseUrl": "https://localhost:7013",`
`19`	`19`	`"Scopes": [`
`20`		`- // E.g. "api://{api_client_id}/dms.read" and "api://{api_client_id}/dms.write"`
	`20`	`+ // E.g. "api://{api_client_id}/visualiser.read" and "api://{api_client_id}/visualiser.write"`
`21`	`21`	`]`
`22`	`22`	`},`
`23`	`23`	`"Serilog": {`