RE1-T116 PR#351 fixes

Author: ucswift

Web/Resgrid.Web.Services/Controllers/v4/CallFilesController.cs

@@ -26,6 +26,7 @@ namespace Resgrid.Web.Services.Controllers.v4
 	[Route("api/v{VersionId:apiVersion}/[controller]")]
 	[ApiVersion("4.0")]
 	[ApiExplorerSettings(GroupName = "v4")]
+	[Authorize(AuthenticationSchemes = "BasicAuthentication,SystemApiKey")]
 	public class CallFilesController : V4AuthenticatedApiControllerbaseSystemAuth
 	{
 		#region Members and Constructors

Web/Resgrid.Web.Services/Controllers/v4/CallsController.cs

@@ -32,6 +32,7 @@ namespace Resgrid.Web.Services.Controllers.v4
 	[Route("api/v{VersionId:apiVersion}/[controller]")]
 	[ApiVersion("4.0")]
 	[ApiExplorerSettings(GroupName = "v4")]
+	[Authorize(AuthenticationSchemes = "BasicAuthentication,SystemApiKey")]
 	public class CallsController : V4AuthenticatedApiControllerbaseSystemAuth
 	{
 		#region Members and Constructors
@@ -560,6 +561,10 @@ public async Task<ActionResult<SaveCallResult>> SaveCall([FromBody] NewCallInput
 				return BadRequest();
 
 			var department = await _departmentsService.GetDepartmentByIdAsync(effectiveDepartmentId);
+
+			if (department == null)
+				return BadRequest($"Department not found: {effectiveDepartmentId}");
+
 			var activeUsers = await _departmentsService.GetAllMembersForDepartmentAsync(effectiveDepartmentId);
 			var groups = await _departmentGroupsService.GetAllGroupsForDepartmentAsync(effectiveDepartmentId);
 			var roles = await _personnelRolesService.GetAllRolesForDepartmentAsync(effectiveDepartmentId);

Web/Resgrid.Web.Services/Controllers/v4/ConnectController.cs

@@ -17,6 +17,8 @@
 using System.Security.Claims;
 using System.Threading;
 using System.Threading.Tasks;
+using System.Text;
+using System.Security.Cryptography;
 using Resgrid.Providers.Claims;
 using static OpenIddict.Abstractions.OpenIddictConstants;
 
@@ -252,9 +254,9 @@ public async Task<IActionResult> Token()
 					return Forbid(properties, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
 				}
 
-				// First, check system-level credentials
+				// First, check system-level credentials (timing-safe comparison)
 				if (Config.SecurityConfig.SystemLoginCredentials.ContainsKey(request.ClientId) &&
-					Config.SecurityConfig.SystemLoginCredentials[request.ClientId] == request.ClientSecret)
+					FixedTimeSecretEquals(Config.SecurityConfig.SystemLoginCredentials[request.ClientId], request.ClientSecret))
 				{
 					audit.Successful = true;
 					await _systemAuditsService.SaveSystemAuditAsync(audit);
@@ -305,7 +307,7 @@ public async Task<IActionResult> Token()
 				}
 
 				if (string.IsNullOrWhiteSpace(department.SharedSecret) ||
-					department.SharedSecret != request.ClientSecret)
+					!FixedTimeSecretEquals(department.SharedSecret, request.ClientSecret))
 				{
 					await _systemAuditsService.SaveSystemAuditAsync(audit);
 
@@ -913,5 +915,18 @@ private static void AddAllResourceClaims(ClaimsIdentity identity)
 				}
 			}
 		}
+		/// <summary>
+		/// Performs a timing-safe comparison of two secret strings to prevent timing attacks.
+		/// </summary>
+		private static bool FixedTimeSecretEquals(string stored, string provided)
+		{
+			if (stored == null || provided == null)
+				return false;
+
+			var storedBytes = Encoding.UTF8.GetBytes(stored);
+			var providedBytes = Encoding.UTF8.GetBytes(provided);
+
+			return CryptographicOperations.FixedTimeEquals(storedBytes, providedBytes);
+		}
 	}
 }

Web/Resgrid.Web.Services/Controllers/v4/DepartmentsController.cs

@@ -17,6 +17,7 @@ namespace Resgrid.Web.Services.Controllers.v4
 	[Route("api/v{VersionId:apiVersion}/[controller]")]
 	[ApiVersion("4.0")]
 	[ApiExplorerSettings(GroupName = "v4")]
+	[Authorize(AuthenticationSchemes = "BasicAuthentication,SystemApiKey")]
 	public class DepartmentsController : V4AuthenticatedApiControllerbaseSystemAuth
 	{
 		#region Members and Constructors

Web/Resgrid.Web.Services/Controllers/v4/GroupsController.cs

@@ -17,6 +17,7 @@ namespace Resgrid.Web.Services.Controllers.v4
 	[Route("api/v{VersionId:apiVersion}/[controller]")]
 	[ApiVersion("4.0")]
 	[ApiExplorerSettings(GroupName = "v4")]
+	[Authorize(AuthenticationSchemes = "BasicAuthentication,SystemApiKey")]
 	public class GroupsController : V4AuthenticatedApiControllerbaseSystemAuth
 	{
 		#region Members and Constructors
@@ -138,8 +139,14 @@ public async Task<ActionResult<GroupResult>> GetGroupByDispatchCode(string code,
 				if (group.DepartmentId != DepartmentId)
 					return Unauthorized();
 			}
-			else if (!string.IsNullOrWhiteSpace(departmentId) && int.TryParse(departmentId, out var deptId) && deptId > 0)
+			else if (!string.IsNullOrWhiteSpace(departmentId))
 			{
+				// DepartmentId was provided explicitly — must be valid and match
+				if (!int.TryParse(departmentId, out var deptId) || deptId <= 0)
+				{
+					ResponseHelper.PopulateV4ResponseNotFound(result);
+					return result;
+				}
 				if (group.DepartmentId != deptId)
 				{
 					ResponseHelper.PopulateV4ResponseNotFound(result);
@@ -193,8 +200,14 @@ public async Task<ActionResult<GroupResult>> GetGroupByMessageCode(string code,
 				if (group.DepartmentId != DepartmentId)
 					return Unauthorized();
 			}
-			else if (!string.IsNullOrWhiteSpace(departmentId) && int.TryParse(departmentId, out var deptId) && deptId > 0)
+			else if (!string.IsNullOrWhiteSpace(departmentId))
 			{
+				// DepartmentId was provided explicitly — must be valid and match
+				if (!int.TryParse(departmentId, out var deptId) || deptId <= 0)
+				{
+					ResponseHelper.PopulateV4ResponseNotFound(result);
+					return result;
+				}
 				if (group.DepartmentId != deptId)
 				{
 					ResponseHelper.PopulateV4ResponseNotFound(result);

Web/Resgrid.Web.Services/Controllers/v4/RolesController.cs

@@ -18,6 +18,7 @@ namespace Resgrid.Web.Services.Controllers.v4
 	[Route("api/v{VersionId:apiVersion}/[controller]")]
 	[ApiVersion("4.0")]
 	[ApiExplorerSettings(GroupName = "v4")]
+	[Authorize(AuthenticationSchemes = "BasicAuthentication,SystemApiKey")]
 	public class RolesController : V4AuthenticatedApiControllerbaseSystemAuth
 	{
 		#region Members and Constructors

Web/Resgrid.Web.Services/Controllers/v4/UnitsController.cs

@@ -24,6 +24,7 @@ namespace Resgrid.Web.Services.Controllers.v4
 	[Route("api/v{VersionId:apiVersion}/[controller]")]
 	[ApiVersion("4.0")]
 	[ApiExplorerSettings(GroupName = "v4")]
+	[Authorize(AuthenticationSchemes = "BasicAuthentication,SystemApiKey")]
 	public class UnitsController : V4AuthenticatedApiControllerbaseSystemAuth
 	{
 		#region Members and Constructors
@@ -276,6 +277,12 @@ public async Task<ActionResult<UnitResult>> GetUnitByName(string name, [FromQuer
 				return result;
 			}
 
+			if (!await _authorizationService.CanUserViewUnitViaMatrixAsync(unit.UnitId, UserId, DepartmentId))
+			{
+				ResponseHelper.PopulateV4ResponseNotFound(result);
+				return result;
+			}
+
 			result.Data = ConvertUnitsData(unit, null, null, TimeZone);
 			result.PageSize = 1;
 			result.Status = ResponseHelper.Success;

Web/Resgrid.Web.Services/Controllers/v4/V4AuthenticatedApiControllerbaseSystemAuth.cs

@@ -1,6 +1,4 @@
-using Microsoft.AspNetCore.Authorization;
-using Microsoft.AspNetCore.Mvc;
-using OpenIddict.Server.AspNetCore;
+using Microsoft.AspNetCore.Mvc;
 using System.Linq;
 using Resgrid.Web.ServicesCore.Helpers;
 
@@ -17,14 +15,13 @@ namespace Resgrid.Web.Services.Controllers.v4
 	/// </summary>
 	[ApiController]
 	[Produces("application/json")]
-	[Authorize(AuthenticationSchemes = OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme + ",SystemApiKey")]
 	public class V4AuthenticatedApiControllerbaseSystemAuth : ControllerBase
 	{
 		/// <summary>
 		/// Returns the current user ID. In SystemApiKey mode returns a synthetic identifier.
 		/// </summary>
 		protected string UserId => IsSystemApiKeyRequest
-			? "smpt_relay_system"
+			? "smtp_relay_system"
 			: ClaimsAuthorizationHelper.GetUserId();
 
 		/// <summary>

Web/Resgrid.Web.Services/Middleware/SystemApiKeyAuthHandler.cs

@@ -1,6 +1,8 @@
 using System;
 using System.Collections.Generic;
 using System.Security.Claims;
+using System.Security.Cryptography;
+using System.Text;
 using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication;
@@ -45,9 +47,9 @@ protected override Task<AuthenticateResult> HandleAuthenticateAsync()
 			if (string.IsNullOrWhiteSpace(apiKey))
 				return Task.FromResult(AuthenticateResult.NoResult());
 
-			// Validate the API key against the configured system API key
+			// Validate the API key against the configured system API key (timing-safe comparison)
 			if (string.IsNullOrWhiteSpace(Config.SecurityConfig.SystemApiKey) ||
-				!string.Equals(apiKey, Config.SecurityConfig.SystemApiKey, StringComparison.Ordinal))
+				!FixedTimeApiKeyEquals(Config.SecurityConfig.SystemApiKey, apiKey))
 			{
 				return Task.FromResult(AuthenticateResult.Fail("Invalid System API Key"));
 			}
@@ -56,14 +58,14 @@ protected override Task<AuthenticateResult> HandleAuthenticateAsync()
 			var claims = new List<Claim>
 			{
 				new Claim(ClaimTypes.Name, "SMTP Relay System"),
-				new Claim(ClaimTypes.PrimarySid, "smpt_relay_system"),
+				new Claim(ClaimTypes.PrimarySid, "smtp_relay_system"),
 				new Claim(ClaimTypes.PrimaryGroupSid, "0"),
 				new Claim(ClaimTypes.GivenName, "SMTP Relay"),
 				new Claim(ClaimTypes.Email, "smtp-relay@resgrid.local"),
 				// Data claims
 				new Claim(ResgridClaimTypes.Data.TimeZone, "UTC"),
 				new Claim(ResgridClaimTypes.Data.DisplayName, "SMTP Relay"),
-				new Claim(ResgridClaimTypes.Data.UserId, "smpt_relay_system")
+				new Claim(ResgridClaimTypes.Data.UserId, "smtp_relay_system")
 			};
 
 			// Add all resource claims for full cross-department access
@@ -130,5 +132,21 @@ protected override Task<AuthenticateResult> HandleAuthenticateAsync()
 
 			return Task.FromResult(AuthenticateResult.Success(ticket));
 		}
+
+		/// <summary>
+		/// Performs a timing-safe comparison of two API key strings to prevent timing attacks.
+		/// Unlike string.Equals with Ordinal, this compares every byte regardless of where
+		/// the first mismatch occurs.
+		/// </summary>
+		private static bool FixedTimeApiKeyEquals(string stored, string provided)
+		{
+			if (stored == null || provided == null)
+				return false;
+
+			var storedBytes = Encoding.UTF8.GetBytes(stored);
+			var providedBytes = Encoding.UTF8.GetBytes(provided);
+
+			return CryptographicOperations.FixedTimeEquals(storedBytes, providedBytes);
+		}
 	}
 }