Improved token validation

Author: niemyjski

src/Exceptionless.Web/Controllers/Base/ExceptionlessApiController.cs

@@ -181,6 +181,9 @@ protected bool ShouldApplySystemFilter(AppFilter sf, string? filter)
 
     protected ObjectResult Permission(PermissionResult permission)
     {
+        if (permission.StatusCode is StatusCodes.Status422UnprocessableEntity)
+            return (ObjectResult)ValidationProblem(ModelState);
+
         if (String.IsNullOrEmpty(permission.Message))
             return Problem(statusCode: permission.StatusCode);
 

src/Exceptionless.Web/Controllers/Base/PermissionResult.cs

@@ -1,4 +1,4 @@
-namespace Exceptionless.Web.Controllers;
+namespace Exceptionless.Web.Controllers;
 
 public record PermissionResult
 {
@@ -56,4 +56,13 @@ public static PermissionResult DenyWithPlanLimitReached(string message, string?
             StatusCode = StatusCodes.Status426UpgradeRequired
         };
     }
+
+    public static PermissionResult DenyWithValidationProblem()
+    {
+        return new PermissionResult
+        {
+            Allowed = false,
+            StatusCode = StatusCodes.Status422UnprocessableEntity
+        };
+    }
 }

src/Exceptionless.Web/Controllers/TokenController.cs

@@ -10,6 +10,7 @@
 using Foundatio.Repositories;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.ModelBinding;
 
 namespace Exceptionless.App.Controllers.API;
 
@@ -279,26 +280,41 @@ protected override async Task<PermissionResult> CanAddAsync(Token value)
             }
 
             if (!AuthorizationRoles.AllScopes.Contains(lowerCaseScoped))
-                return PermissionResult.DenyWithMessage("Invalid token scope requested.");
+            {
+                ModelState.AddModelError<Token>(m => m.Scopes, "Invalid token scope requested.");
+                return PermissionResult.DenyWithValidationProblem();
+            }
         }
 
         if (value.Scopes.Count == 0)
             value.Scopes.Add(AuthorizationRoles.Client);
 
         if (value.Scopes.Contains(AuthorizationRoles.Client) && !hasUserRole)
-            return PermissionResult.Deny;
+        {
+            ModelState.AddModelError<Token>(m => m.Scopes, "Invalid token scope requested.");
+            return PermissionResult.DenyWithValidationProblem();
+        }
 
         if (value.Scopes.Contains(AuthorizationRoles.User) && !hasUserRole)
-            return PermissionResult.Deny;
+        {
+            ModelState.AddModelError<Token>(m => m.Scopes, "Invalid token scope requested.");
+            return PermissionResult.DenyWithValidationProblem();
+        }
 
         if (value.Scopes.Contains(AuthorizationRoles.GlobalAdmin) && !hasGlobalAdminRole)
-            return PermissionResult.Deny;
+        {
+            ModelState.AddModelError<Token>(m => m.Scopes, "Invalid token scope requested.");
+            return PermissionResult.DenyWithValidationProblem();
+        }
 
         if (!String.IsNullOrEmpty(value.ProjectId))
         {
             var project = await GetProjectAsync(value.ProjectId);
             if (project is null)
-                return PermissionResult.Deny;
+            {
+                ModelState.AddModelError<Token>(m => m.ProjectId, "Please specify a valid project id.");
+                return PermissionResult.DenyWithValidationProblem();
+            }
 
             value.OrganizationId = project.OrganizationId;
             value.DefaultProjectId = null;
@@ -308,7 +324,10 @@ protected override async Task<PermissionResult> CanAddAsync(Token value)
         {
             var project = await GetProjectAsync(value.DefaultProjectId);
             if (project is null)
-                return PermissionResult.Deny;
+            {
+                ModelState.AddModelError<Token>(m => m.DefaultProjectId, "Please specify a valid default project id.");
+                return PermissionResult.DenyWithValidationProblem();
+            }
         }
 
         return await base.CanAddAsync(value);

tests/Exceptionless.Tests/Controllers/TokenControllerTests.cs

@@ -201,7 +201,7 @@ public async Task ShouldPreventAddingUserScopeToTokenWithoutElevatedRole()
                ProjectId = SampleDataService.TEST_PROJECT_ID,
                Scopes = [AuthorizationRoles.Client, AuthorizationRoles.User, AuthorizationRoles.GlobalAdmin]
            })
-           .StatusCodeShouldBeBadRequest() // NOTE: This status code could be better.
+           .StatusCodeShouldBeUnprocessableEntity()
         );
 
         Assert.NotNull(problemDetails);