make GameAuthorizationRule high priority to make sure it isn't overshadowed by normal auth

bristermitten · bristermitten · commit aa5ad19ad564 · 2025-10-14T11:21:45.000+01:00
diff --git a/src/main/java/org/developerden/codosseum/auth/GameAuthorizationRule.java b/src/main/java/org/developerden/codosseum/auth/GameAuthorizationRule.java
@@ -35,6 +35,11 @@ protected GameAuthorizationRule(RolesFinder rolesFinder) {
     super(rolesFinder);
   }
 
+  @Override
+  public int getOrder() {
+    return Integer.MIN_VALUE + 100;
+  }
+
   @Override
   public Publisher<SecurityRuleResult> check(@Nullable HttpRequest<?> request,
                                              @Nullable Authentication authentication) {
@@ -64,6 +69,8 @@ public Publisher<SecurityRuleResult> check(@Nullable HttpRequest<?> request,
   }
 
   private boolean matchesGameId(Authentication authentication, String gameId) {
-    return gameId.equals(authentication.getAttributes().get("activeGameId"));
+    return gameId.equals(
+        String.valueOf(authentication.getAttributes().get(PlayerAuthentication.ACTIVE_GAME_ID))
+    );
   }
 }
diff --git a/src/main/java/org/developerden/codosseum/auth/GameAuthorized.java b/src/main/java/org/developerden/codosseum/auth/GameAuthorized.java
@@ -19,6 +19,11 @@
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 
+/**
+ * Annotation to specify that a route requires the user to have one of the specified roles in a game.
+ * If the user does not have one of the specified roles, a 403 Forbidden response will be returned.
+ *
+ */
 @Retention(RetentionPolicy.RUNTIME)
 @Target(ElementType.METHOD)
 public @interface GameAuthorized {
diff --git a/src/main/java/org/developerden/codosseum/controller/UserController.java b/src/main/java/org/developerden/codosseum/controller/UserController.java
@@ -22,8 +22,6 @@
 import io.micronaut.security.rules.SecurityRule;
 import io.micronaut.validation.Validated;
 import jakarta.inject.Inject;
-import org.developerden.codosseum.auth.GameAuthorized;
-import org.developerden.codosseum.auth.GameRole;
 import org.developerden.codosseum.dto.PlayersMapper;
 import org.developerden.codosseum.dto.user.User;
 import org.developerden.codosseum.model.player.UserMapper;
@@ -50,7 +48,6 @@ public class UserController {
   }
 
   @Get("/@self")
-  @GameAuthorized(GameRole.PLAYER)
   public HttpResponse<User> getSelf(Authentication principal) {
     return authService.getUserInfoFromAuth(principal)
         .map(userMapper::toDto)

Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,11 @@ protected GameAuthorizationRule(RolesFinder rolesFinder) {`
`35`	`35`	`super(rolesFinder);`
`36`	`36`	`}`
`37`	`37`
	`38`	`+ @Override`
	`39`	`+ public int getOrder() {`
	`40`	`+ return Integer.MIN_VALUE + 100;`
	`41`	`+ }`
	`42`	`+`
`38`	`43`	`@Override`
`39`	`44`	`public Publisher<SecurityRuleResult> check(@Nullable HttpRequest<?> request,`
`40`	`45`	`@Nullable Authentication authentication) {`
`@@ -64,6 +69,8 @@ public Publisher<SecurityRuleResult> check(@Nullable HttpRequest<?> request,`
`64`	`69`	`}`
`65`	`70`
`66`	`71`	`private boolean matchesGameId(Authentication authentication, String gameId) {`
`67`		`- return gameId.equals(authentication.getAttributes().get("activeGameId"));`
	`72`	`+ return gameId.equals(`
	`73`	`+ String.valueOf(authentication.getAttributes().get(PlayerAuthentication.ACTIVE_GAME_ID))`
	`74`	`+ );`
`68`	`75`	`}`
`69`	`76`	`}`