identity: fix user subscription claim value incorrect for legacy pro users

thecodrr · thecodrr · commit d1421d640fcb · 2025-10-13T11:27:07.000+05:00
diff --git a/Notesnook.API/Controllers/MonographsController.cs b/Notesnook.API/Controllers/MonographsController.cs
@@ -105,7 +105,7 @@ public async Task<IActionResult> PublishAsync([FromQuery] string? deviceId, [Fro
                 if (existingMonograph != null && !existingMonograph.Deleted) return await UpdateAsync(deviceId, monograph);
 
                 if (monograph.EncryptedContent == null)
-                    monograph.CompressedContent = (await CleanupContentAsync(monograph.Content)).CompressBrotli();
+                    monograph.CompressedContent = (await CleanupContentAsync(User, monograph.Content)).CompressBrotli();
                 monograph.UserId = userId;
                 monograph.DatePublished = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds();
 
@@ -157,7 +157,7 @@ public async Task<IActionResult> UpdateAsync([FromQuery] string? deviceId, [From
                     return base.BadRequest("Monograph is too big. Max allowed size is 15mb.");
 
                 if (monograph.EncryptedContent == null)
-                    monograph.CompressedContent = (await CleanupContentAsync(monograph.Content)).CompressBrotli();
+                    monograph.CompressedContent = (await CleanupContentAsync(User, monograph.Content)).CompressBrotli();
                 else
                     monograph.Content = null;
 
@@ -309,34 +309,40 @@ private static async Task SendTriggerSyncEventAsync(string userId, string? jti =
             });
         }
 
-        private async Task<string> CleanupContentAsync(string content)
+        private async Task<string> CleanupContentAsync(ClaimsPrincipal user, string content)
         {
+            if (Constants.IS_SELF_HOSTED) return content;
             try
             {
                 var json = JsonSerializer.Deserialize<MonographContent>(content);
                 var html = json.Data;
-                if (!Constants.IS_SELF_HOSTED && !User.IsUserSubscribed())
+
+                if (user.IsUserSubscribed())
                 {
                     var config = Configuration.Default.WithDefaultLoader();
                     var context = BrowsingContext.New(config);
                     var document = await context.OpenAsync(r => r.Content(html));
-                    foreach (var element in document.QuerySelectorAll("a,iframe,img,object,svg,button,link"))
+                    foreach (var element in document.QuerySelectorAll("a"))
                     {
-                        element.Remove();
+                        var href = element.GetAttribute("href");
+                        if (string.IsNullOrEmpty(href)) continue;
+                        if (!await analyzer.IsURLSafeAsync(href))
+                        {
+                            await Slogger<MonographsController>.Info("CleanupContentAsync", "Malicious URL detected: " + href);
+                            element.RemoveAttribute("href");
+                        }
                     }
                     html = document.ToHtml();
                 }
-
-                if (User.IsUserSubscribed())
+                else
                 {
                     var config = Configuration.Default.WithDefaultLoader();
                     var context = BrowsingContext.New(config);
                     var document = await context.OpenAsync(r => r.Content(html));
-                    foreach (var element in document.QuerySelectorAll("a"))
+                    foreach (var element in document.QuerySelectorAll("a,iframe,img,object,svg,button,link"))
                     {
-                        var href = element.GetAttribute("href");
-                        if (string.IsNullOrEmpty(href)) continue;
-                        if (!await analyzer.IsURLSafeAsync(href)) element.RemoveAttribute("href");
+                        foreach (var attr in element.Attributes)
+                            element.RemoveAttribute(attr.Name);
                     }
                     html = document.ToHtml();
                 }
diff --git a/Notesnook.API/Extensions/ClaimsPrincipalExtensions.cs b/Notesnook.API/Extensions/ClaimsPrincipalExtensions.cs
@@ -7,7 +7,7 @@ namespace System.Security.Claims
 {
     public static class ClaimsPrincipalExtensions
     {
-        private readonly static string[] SUBSCRIBED_CLAIMS = ["believer", "education", "essential", "pro", "premium", "premium_canceled"];
+        private readonly static string[] SUBSCRIBED_CLAIMS = ["believer", "education", "essential", "pro", "legacy_pro"];
         public static bool IsUserSubscribed(this ClaimsPrincipal user)
          => user.Claims.Any((c) => c.Type == "notesnook:status" && SUBSCRIBED_CLAIMS.Contains(c.Value));
     }
diff --git a/Streetwriters.Common/Interfaces/IUserSubscriptionService.cs b/Streetwriters.Common/Interfaces/IUserSubscriptionService.cs
@@ -9,5 +9,6 @@ public interface IUserSubscriptionService
     {
         [WampProcedure("co.streetwriters.subscriptions.subscriptions.get_user_subscription")]
         Task<Subscription> GetUserSubscriptionAsync(string clientId, string userId);
+        Subscription TransformUserSubscription(Subscription subscription);
     }
 }
diff --git a/Streetwriters.Identity/Controllers/SignupController.cs b/Streetwriters.Identity/Controllers/SignupController.cs
@@ -109,7 +109,7 @@ public async Task<IActionResult> Signup([FromForm] SignupForm form)
                     await UserManager.AddToRoleAsync(user, client.Id);
                     if (Constants.IS_SELF_HOSTED)
                     {
-                        await UserManager.AddClaimAsync(user, UserService.SubscriptionPlanToClaim(client.Id, SubscriptionPlan.BELIEVER));
+                        await UserManager.AddClaimAsync(user, new Claim(UserService.GetClaimKey(client.Id), "believer"));
                     }
                     else
                     {
diff --git a/Streetwriters.Identity/MessageHandlers/CreateSubscription.cs b/Streetwriters.Identity/MessageHandlers/CreateSubscription.cs
@@ -30,20 +30,19 @@ namespace Streetwriters.Identity.MessageHandlers
 {
     public class CreateSubscription
     {
-        public static async Task Process(CreateSubscriptionMessage message, UserManager<User> userManager)
+        public static async Task Process(Subscription subscription, UserManager<User> userManager)
         {
-            var user = await userManager.FindByIdAsync(message.UserId);
-            var client = Clients.FindClientByAppId(message.AppId);
+            var user = await userManager.FindByIdAsync(subscription.UserId);
+            var client = Clients.FindClientByAppId(subscription.AppId);
             if (client == null || user == null) return;
 
             IdentityUserClaim<string> statusClaim = user.Claims.FirstOrDefault((c) => c.ClaimType == UserService.GetClaimKey(client.Id));
-            Claim subscriptionClaim = UserService.SubscriptionTypeToClaim(client.Id, message.Type);
+            Claim subscriptionClaim = UserService.SubscriptionPlanToClaim(client.Id, subscription);
             if (statusClaim?.ClaimValue == subscriptionClaim.Value) return;
             if (statusClaim != null)
                 await userManager.ReplaceClaimAsync(user, statusClaim.ToClaim(), subscriptionClaim);
-            // we no longer accept legacy subscriptions.
-            // else
-            //     await userManager.AddClaimAsync(user, subscriptionClaim);
+            else
+                await userManager.AddClaimAsync(user, subscriptionClaim);
         }
 
     }
diff --git a/Streetwriters.Identity/MessageHandlers/CreateSubscriptionV2.cs b/Streetwriters.Identity/MessageHandlers/CreateSubscriptionV2.cs
diff --git a/Streetwriters.Identity/Services/UserService.cs b/Streetwriters.Identity/Services/UserService.cs
@@ -17,6 +17,7 @@ You should have received a copy of the Affero GNU General Public License
 along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
+using System;
 using System.Linq;
 using System.Security.Claims;
 using System.Threading.Tasks;
@@ -28,27 +29,6 @@ namespace Streetwriters.Identity.Services
 {
     public class UserService
     {
-        private static SubscriptionType? GetUserSubscriptionStatus(string clientId, User user)
-        {
-            var claimKey = GetClaimKey(clientId);
-            var status = user.Claims.FirstOrDefault((c) => c.ClaimType == claimKey).ClaimValue;
-            switch (status)
-            {
-                case "basic":
-                    return SubscriptionType.BASIC;
-                case "trial":
-                    return SubscriptionType.TRIAL;
-                case "premium":
-                    return SubscriptionType.PREMIUM;
-                case "premium_canceled":
-                    return SubscriptionType.PREMIUM_CANCELED;
-                case "premium_expired":
-                    return SubscriptionType.PREMIUM_EXPIRED;
-                default:
-                    return null;
-            }
-        }
-
         private static SubscriptionPlan? GetUserSubscriptionPlan(string clientId, User user)
         {
             var claimKey = GetClaimKey(clientId);
@@ -72,39 +52,23 @@ public class UserService
 
         public static bool IsSMSMFAAllowed(string clientId, User user)
         {
-            var legacyStatus = GetUserSubscriptionStatus(clientId, user);
             var status = GetUserSubscriptionPlan(clientId, user);
-            if (legacyStatus == null && status == null) return false;
-            return legacyStatus == SubscriptionType.PREMIUM ||
-                    legacyStatus == SubscriptionType.PREMIUM_CANCELED ||
+            if (status == null) return false;
+            return status == SubscriptionPlan.LEGACY_PRO ||
                     status == SubscriptionPlan.PRO ||
                     status == SubscriptionPlan.EDUCATION ||
                     status == SubscriptionPlan.BELIEVER;
         }
 
-        public static Claim SubscriptionTypeToClaim(string clientId, SubscriptionType type)
+        public static Claim SubscriptionPlanToClaim(string clientId, Subscription subscription)
         {
             var claimKey = GetClaimKey(clientId);
-            switch (type)
-            {
-                case SubscriptionType.BASIC:
-                    return new Claim(claimKey, "basic");
-                case SubscriptionType.TRIAL:
-                    return new Claim(claimKey, "trial");
-                case SubscriptionType.PREMIUM:
-                    return new Claim(claimKey, "premium");
-                case SubscriptionType.PREMIUM_CANCELED:
-                    return new Claim(claimKey, "premium_canceled");
-                case SubscriptionType.PREMIUM_EXPIRED:
-                    return new Claim(claimKey, "premium_expired");
-            }
-            return null;
-        }
 
-        public static Claim SubscriptionPlanToClaim(string clientId, SubscriptionPlan plan)
-        {
-            var claimKey = GetClaimKey(clientId);
-            switch (plan)
+            // just in case
+            if (subscription.ExpiryDate <= DateTimeOffset.UtcNow.ToUnixTimeMilliseconds())
+                return new Claim(claimKey, "free");
+
+            switch (subscription.Plan)
             {
                 case SubscriptionPlan.FREE:
                     return new Claim(claimKey, "free");
@@ -116,6 +80,8 @@ public static Claim SubscriptionPlanToClaim(string clientId, SubscriptionPlan pl
                     return new Claim(claimKey, "essential");
                 case SubscriptionPlan.PRO:
                     return new Claim(claimKey, "pro");
+                case SubscriptionPlan.LEGACY_PRO:
+                    return new Claim(claimKey, "legacy_pro");
             }
             return null;
         }
diff --git a/Streetwriters.Identity/Startup.cs b/Streetwriters.Identity/Startup.cs
@@ -235,26 +235,16 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
             {
                 realm.Services.RegisterCallee(() => app.ApplicationServices.CreateScope().ServiceProvider.GetRequiredService<IUserAccountService>());
 
-                realm.Subscribe(SubscriptionServerTopics.CreateSubscriptionTopic, async (CreateSubscriptionMessage message) =>
+                realm.Subscribe(SubscriptionServerTopics.CreateSubscriptionTopic, async (Subscription subscription) =>
                 {
                     using (var serviceScope = app.ApplicationServices.CreateScope())
                     {
                         var services = serviceScope.ServiceProvider;
                         var userManager = services.GetRequiredService<UserManager<User>>();
-                        await MessageHandlers.CreateSubscription.Process(message, userManager);
+                        await MessageHandlers.CreateSubscription.Process(subscription, userManager);
                     }
                 });
 
-                realm.Subscribe(SubscriptionServerTopics.CreateSubscriptionV2Topic, async (CreateSubscriptionMessageV2 message) =>
-               {
-                   using (var serviceScope = app.ApplicationServices.CreateScope())
-                   {
-                       var services = serviceScope.ServiceProvider;
-                       var userManager = services.GetRequiredService<UserManager<User>>();
-                       await MessageHandlers.CreateSubscriptionV2.Process(message, userManager);
-                   }
-               });
-
                 realm.Subscribe(SubscriptionServerTopics.DeleteSubscriptionTopic, async (DeleteSubscriptionMessage message) =>
                 {
                     using (var serviceScope = app.ApplicationServices.CreateScope())

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ namespace System.Security.Claims`
`7`	`7`	`{`
`8`	`8`	`public static class ClaimsPrincipalExtensions`
`9`	`9`	`{`
`10`		`- private readonly static string[] SUBSCRIBED_CLAIMS = ["believer", "education", "essential", "pro", "premium", "premium_canceled"];`
	`10`	`+ private readonly static string[] SUBSCRIBED_CLAIMS = ["believer", "education", "essential", "pro", "legacy_pro"];`
`11`	`11`	`public static bool IsUserSubscribed(this ClaimsPrincipal user)`
`12`	`12`	`=> user.Claims.Any((c) => c.Type == "notesnook:status" && SUBSCRIBED_CLAIMS.Contains(c.Value));`
`13`	`13`	`}`
Original file line number	Diff line number	Diff line change
`@@ -9,5 +9,6 @@ public interface IUserSubscriptionService`
`9`	`9`	`{`
`10`	`10`	`[WampProcedure("co.streetwriters.subscriptions.subscriptions.get_user_subscription")]`
`11`	`11`	`Task<Subscription> GetUserSubscriptionAsync(string clientId, string userId);`
	`12`	`+ Subscription TransformUserSubscription(Subscription subscription);`
`12`	`13`	`}`
`13`	`14`	`}`
Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,7 @@ public async Task<IActionResult> Signup([FromForm] SignupForm form)`
`109`	`109`	`await UserManager.AddToRoleAsync(user, client.Id);`
`110`	`110`	`if (Constants.IS_SELF_HOSTED)`
`111`	`111`	`{`
`112`		`- await UserManager.AddClaimAsync(user, UserService.SubscriptionPlanToClaim(client.Id, SubscriptionPlan.BELIEVER));`
	`112`	`+ await UserManager.AddClaimAsync(user, new Claim(UserService.GetClaimKey(client.Id), "believer"));`
`113`	`113`	`}`
`114`	`114`	`else`
`115`	`115`	`{`
Original file line number	Diff line number	Diff line change
`@@ -30,20 +30,19 @@ namespace Streetwriters.Identity.MessageHandlers`
`30`	`30`	`{`
`31`	`31`	`public class CreateSubscription`
`32`	`32`	`{`
`33`		`- public static async Task Process(CreateSubscriptionMessage message, UserManager<User> userManager)`
	`33`	`+ public static async Task Process(Subscription subscription, UserManager<User> userManager)`
`34`	`34`	`{`
`35`		`- var user = await userManager.FindByIdAsync(message.UserId);`
`36`		`- var client = Clients.FindClientByAppId(message.AppId);`
	`35`	`+ var user = await userManager.FindByIdAsync(subscription.UserId);`
	`36`	`+ var client = Clients.FindClientByAppId(subscription.AppId);`
`37`	`37`	`if (client == null \|\| user == null) return;`
`38`	`38`
`39`	`39`	`IdentityUserClaim<string> statusClaim = user.Claims.FirstOrDefault((c) => c.ClaimType == UserService.GetClaimKey(client.Id));`
`40`		`- Claim subscriptionClaim = UserService.SubscriptionTypeToClaim(client.Id, message.Type);`
	`40`	`+ Claim subscriptionClaim = UserService.SubscriptionPlanToClaim(client.Id, subscription);`
`41`	`41`	`if (statusClaim?.ClaimValue == subscriptionClaim.Value) return;`
`42`	`42`	`if (statusClaim != null)`
`43`	`43`	`await userManager.ReplaceClaimAsync(user, statusClaim.ToClaim(), subscriptionClaim);`
`44`		`- // we no longer accept legacy subscriptions.`
`45`		`- // else`
`46`		`- // await userManager.AddClaimAsync(user, subscriptionClaim);`
	`44`	`+ else`
	`45`	`+ await userManager.AddClaimAsync(user, subscriptionClaim);`
`47`	`46`	`}`
`48`	`47`
`49`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -235,26 +235,16 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)`
`235`	`235`	`{`
`236`	`236`	`realm.Services.RegisterCallee(() => app.ApplicationServices.CreateScope().ServiceProvider.GetRequiredService<IUserAccountService>());`
`237`	`237`
`238`		`- realm.Subscribe(SubscriptionServerTopics.CreateSubscriptionTopic, async (CreateSubscriptionMessage message) =>`
	`238`	`+ realm.Subscribe(SubscriptionServerTopics.CreateSubscriptionTopic, async (Subscription subscription) =>`
`239`	`239`	`{`
`240`	`240`	`using (var serviceScope = app.ApplicationServices.CreateScope())`
`241`	`241`	`{`
`242`	`242`	`var services = serviceScope.ServiceProvider;`
`243`	`243`	`var userManager = services.GetRequiredService<UserManager<User>>();`
`244`		`- await MessageHandlers.CreateSubscription.Process(message, userManager);`
	`244`	`+ await MessageHandlers.CreateSubscription.Process(subscription, userManager);`
`245`	`245`	`}`
`246`	`246`	`});`
`247`	`247`
`248`		`- realm.Subscribe(SubscriptionServerTopics.CreateSubscriptionV2Topic, async (CreateSubscriptionMessageV2 message) =>`
`249`		`- {`
`250`		`- using (var serviceScope = app.ApplicationServices.CreateScope())`
`251`		`- {`
`252`		`- var services = serviceScope.ServiceProvider;`
`253`		`- var userManager = services.GetRequiredService<UserManager<User>>();`
`254`		`- await MessageHandlers.CreateSubscriptionV2.Process(message, userManager);`
`255`		`- }`
`256`		`- });`
`257`		`-`
`258`	`248`	`realm.Subscribe(SubscriptionServerTopics.DeleteSubscriptionTopic, async (DeleteSubscriptionMessage message) =>`
`259`	`249`	`{`
`260`	`250`	`using (var serviceScope = app.ApplicationServices.CreateScope())`