feat(auth): implement permission-based dashboard login

fulleni · fulleni · commit 384267ddc330 · 2025-07-13T16:15:10.000+01:00
- Added PermissionService to AuthService
- Created dashboard login permission
- Updated login logic to use PermissionService
- Improved logging for permission checks
- Refactored role-based checks to permission checks
diff --git a/lib/src/config/app_dependencies.dart b/lib/src/config/app_dependencies.dart
@@ -178,10 +178,12 @@ class AppDependencies {
       );
       verificationCodeStorageService =
           InMemoryVerificationCodeStorageService();
+      permissionService = const PermissionService();
       authService = AuthService(
         userRepository: userRepository,
         authTokenService: authTokenService,
         verificationCodeStorageService: verificationCodeStorageService,
+        permissionService: permissionService,
         emailRepository: emailRepository,
         userAppSettingsRepository: userAppSettingsRepository,
         userContentPreferencesRepository: userContentPreferencesRepository,
@@ -193,7 +195,6 @@ class AppDependencies {
         topicRepository: topicRepository,
         sourceRepository: sourceRepository,
       );
-      permissionService = const PermissionService();
       userPreferenceLimitService = DefaultUserPreferenceLimitService(
         remoteConfigRepository: remoteConfigRepository,
         log: Logger('DefaultUserPreferenceLimitService'),
diff --git a/lib/src/rbac/permissions.dart b/lib/src/rbac/permissions.dart
@@ -54,4 +54,7 @@ abstract class Permissions {
   static const String remoteConfigRead = 'remote_config.read';
   static const String remoteConfigUpdate = 'remote_config.update';
   static const String remoteConfigDelete = 'remote_config.delete';
+
+  // Dashboard Permissions
+  static const String dashboardLogin = 'dashboard.login';
 }
diff --git a/lib/src/rbac/role_permissions.dart b/lib/src/rbac/role_permissions.dart
@@ -33,6 +33,7 @@ final Set<String> _dashboardPublisherPermissions = {
   Permissions.headlineCreate,
   Permissions.headlineUpdate,
   Permissions.headlineDelete,
+  Permissions.dashboardLogin,
 };
 
 final Set<String> _dashboardAdminPermissions = {
diff --git a/lib/src/services/auth_service.dart b/lib/src/services/auth_service.dart
@@ -1,3 +1,5 @@
+import 'package:ht_api/src/rbac/permission_service.dart';
+import 'package:ht_api/src/rbac/permissions.dart';
 import 'package:ht_api/src/services/auth_token_service.dart';
 import 'package:ht_api/src/services/verification_code_storage_service.dart';
 import 'package:ht_data_repository/ht_data_repository.dart';
@@ -21,12 +23,14 @@ class AuthService {
     required HtEmailRepository emailRepository,
     required HtDataRepository<UserAppSettings> userAppSettingsRepository,
     required HtDataRepository<UserContentPreferences>
-    userContentPreferencesRepository,
+        userContentPreferencesRepository,
+    required PermissionService permissionService,
     required Uuid uuidGenerator,
     required Logger log,
   }) : _userRepository = userRepository,
        _authTokenService = authTokenService,
        _verificationCodeStorageService = verificationCodeStorageService,
+        _permissionService = permissionService,
        _emailRepository = emailRepository,
        _userAppSettingsRepository = userAppSettingsRepository,
        _userContentPreferencesRepository = userContentPreferencesRepository,
@@ -39,7 +43,8 @@ class AuthService {
   final HtEmailRepository _emailRepository;
   final HtDataRepository<UserAppSettings> _userAppSettingsRepository;
   final HtDataRepository<UserContentPreferences>
-  _userContentPreferencesRepository;
+      _userContentPreferencesRepository;
+  final PermissionService _permissionService;
   final Logger _log;
   final Uuid _uuid;
 
@@ -77,13 +82,13 @@ class AuthService {
           );
         }
 
-        final hasRequiredRole =
-            user.dashboardRole == DashboardUserRole.admin ||
-            user.dashboardRole == DashboardUserRole.publisher;
-
-        if (!hasRequiredRole) {
+        // Use the PermissionService to check for the specific dashboard login permission.
+        if (!_permissionService.hasPermission(
+          user,
+          Permissions.dashboardLogin,
+        )) {
           _log.warning(
-            'Dashboard login failed: User ${user.id} lacks required roles.',
+            'Dashboard login failed: User ${user.id} lacks required permission (${Permissions.dashboardLogin}).',
           );
           throw const ForbiddenException(
             'Your account does not have the required permissions to sign in.',
@@ -161,13 +166,12 @@ class AuthService {
         // This closes the loophole where a non-admin user could request a code
         // via the app flow and then use it to log into the dashboard.
         if (isDashboardLogin) {
-          final hasRequiredRole =
-              user.dashboardRole == DashboardUserRole.admin ||
-              user.dashboardRole == DashboardUserRole.publisher;
-
-          if (!hasRequiredRole) {
+          if (!_permissionService.hasPermission(
+            user,
+            Permissions.dashboardLogin,
+          )) {
             _log.warning(
-              'Dashboard login failed: User ${user.id} lacks required roles '
+              'Dashboard login failed: User ${user.id} lacks required permission '
               'during code verification.',
             );
             throw const ForbiddenException(

Original file line number	Diff line number	Diff line change
`@@ -54,4 +54,7 @@ abstract class Permissions {`
`54`	`54`	`static const String remoteConfigRead = 'remote_config.read';`
`55`	`55`	`static const String remoteConfigUpdate = 'remote_config.update';`
`56`	`56`	`static const String remoteConfigDelete = 'remote_config.delete';`
	`57`	`+`
	`58`	`+ // Dashboard Permissions`
	`59`	`+ static const String dashboardLogin = 'dashboard.login';`
`57`	`60`	`}`