Enforces dedicated visualiser scopes.

samgibsonmoj · samgibsonmoj · commit 8a586262dcbf · 2025-12-18T16:52:11.000Z
Updates the API to use dedicated scopes for the visualiser application.

This change improves security by isolating the permissions required for visualiser functionality from the core data management system (DMS).
diff --git a/src/API/Endpoints/VisualisationEndpoints.cs b/src/API/Endpoints/VisualisationEndpoints.cs
@@ -22,9 +22,9 @@ public static IEndpointRouteBuilder RegisterVisualisationEndpoints(this IEndpoin
 
         group.MapPost("/Save", SaveNetworkAsync)
             .ProducesProblem(StatusCodes.Status500InternalServerError)
-            .RequireAuthorization("write");
+            .RequireAuthorization("visualisation-write");
 
-        group.RequireAuthorization("read");
+        group.RequireAuthorization("visualisation-read");
 
         return routes;
     }
diff --git a/src/API/Program.cs b/src/API/Program.cs
@@ -73,6 +73,17 @@
 {
     options.AddPolicy("read", policy => policy.RequireScope("dms.read"));
     options.AddPolicy("write", policy => policy.RequireScope("dms.write"));
+
+    options.AddPolicy("visualisation-read", policy => 
+        policy.RequireAuthenticatedUser()
+              .RequireScope("visualiser.read")
+              .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme));
+
+    options.AddPolicy("visualisation-write", policy => 
+        policy.RequireAuthenticatedUser()
+              .RequireScope("visualiser.write")
+              .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme));
+
     options.FallbackPolicy = options.DefaultPolicy;
 });
 
diff --git a/src/Visualiser/appsettings.Development.json b/src/Visualiser/appsettings.Development.json
@@ -11,8 +11,8 @@
   },
   "API": {
     "Scopes": [
-      "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/dms.read",
-      "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/dms.write"
+      "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/visualiser.read",
+      "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/visualiser.write"
     ]
   }
 }
diff --git a/src/Visualiser/appsettings.json b/src/Visualiser/appsettings.json
@@ -17,7 +17,7 @@ For more info see https://aka.ms/dotnet-template-ms-identity-platform
   "API": {
     "BaseUrl": "https://localhost:7013",
     "Scopes": [
-      // E.g. "api://{api_client_id}/dms.read" and "api://{api_client_id}/dms.write"
+      // E.g. "api://{api_client_id}/visualiser.read" and "api://{api_client_id}/visualiser.write"
     ]
   },
   "Serilog": {

Original file line number	Diff line number	Diff line change
`@@ -22,9 +22,9 @@ public static IEndpointRouteBuilder RegisterVisualisationEndpoints(this IEndpoin`
`22`	`22`
`23`	`23`	`group.MapPost("/Save", SaveNetworkAsync)`
`24`	`24`	`.ProducesProblem(StatusCodes.Status500InternalServerError)`
`25`		`- .RequireAuthorization("write");`
	`25`	`+ .RequireAuthorization("visualisation-write");`
`26`	`26`
`27`		`- group.RequireAuthorization("read");`
	`27`	`+ group.RequireAuthorization("visualisation-read");`
`28`	`28`
`29`	`29`	`return routes;`
`30`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,8 +11,8 @@`
`11`	`11`	`},`
`12`	`12`	`"API": {`
`13`	`13`	`"Scopes": [`
`14`		`- "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/dms.read",`
`15`		`- "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/dms.write"`
	`14`	`+ "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/visualiser.read",`
	`15`	`+ "api://916ace49-a3db-4b11-84c5-6c4bd20260ef/visualiser.write"`
`16`	`16`	`]`
`17`	`17`	`}`
`18`	`18`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ For more info see https://aka.ms/dotnet-template-ms-identity-platform`
`17`	`17`	`"API": {`
`18`	`18`	`"BaseUrl": "https://localhost:7013",`
`19`	`19`	`"Scopes": [`
`20`		`- // E.g. "api://{api_client_id}/dms.read" and "api://{api_client_id}/dms.write"`
	`20`	`+ // E.g. "api://{api_client_id}/visualiser.read" and "api://{api_client_id}/visualiser.write"`
`21`	`21`	`]`
`22`	`22`	`},`
`23`	`23`	`"Serilog": {`