RE1-T117 Working on chatbot permission and security.

Author: ucswift

.gitignore

@@ -273,5 +273,7 @@ Web/Resgrid.WebCore/wwwroot/lib/*
 /Web/Resgrid.Web/wwwroot/lib
 .dual-graph/
 .claude/settings.local.json
-.claude/settings.local.json
 /Web/Resgrid.Web/wwwroot/js/ng/chunks
+opencode.json
+/.dual-graph-pro
+.mcp.json

Core/Resgrid.Chatbot.NLU/Providers/KeywordIntentClassifier.cs

@@ -135,7 +135,7 @@ public class KeywordIntentClassifier : INLUProvider
 				"list_departments", null),
 		};
 
-		public Task<NLUResult> ClassifyAsync(string text, string context = null)
+		public Task<NLUResult> ClassifyAsync(string text, string context = null, int departmentId = 0)
 		{
 			if (string.IsNullOrWhiteSpace(text))
 				return Task.FromResult(new NLUResult { IntentName = "unknown", Confidence = 0, ProviderName = ProviderName });

Core/Resgrid.Chatbot.NLU/Providers/MLNetNluProvider.cs

@@ -14,7 +14,7 @@ public MLNetNluProvider()
 		{
 		}
 
-		public Task<NLUResult> ClassifyAsync(string text, string context = null)
+		public Task<NLUResult> ClassifyAsync(string text, string context = null, int departmentId = 0)
 		{
 			if (string.IsNullOrWhiteSpace(text))
 				return Task.FromResult(new NLUResult { IntentName = "unknown", Confidence = 0, ProviderName = ProviderName });

Core/Resgrid.Chatbot.NLU/Providers/OpenAiCompatibleNluProvider.cs

@@ -37,6 +37,7 @@ public class OpenAiCompatibleNluProvider : INLUProvider
 		public int Priority => 100;
 
 		private readonly HttpClient _httpClient;
+		private readonly IChatbotDepartmentConfigService _configService;
 
 		private static readonly string IntentSystemPrompt = @"You are a classification engine for emergency service chatbot commands.
 Classify the user's message into exactly one of these intent categories:
@@ -97,8 +98,9 @@ public class OpenAiCompatibleNluProvider : INLUProvider
 Confidence should be between 0.0 and 1.0 based on how certain you are.
 If the user's message doesn't clearly match any intent, set intent to ""unknown"" with confidence 0.0.";
 
-		public OpenAiCompatibleNluProvider()
+		public OpenAiCompatibleNluProvider(IChatbotDepartmentConfigService configService)
 		{
+			_configService = configService;
 			_httpClient = new HttpClient
 			{
 				Timeout = TimeSpan.FromSeconds(ChatbotConfig.CloudNluTimeoutSeconds > 0
@@ -107,7 +109,7 @@ public OpenAiCompatibleNluProvider()
 			};
 		}
 
-		public async Task<NLUResult> ClassifyAsync(string text, string context = null)
+		public async Task<NLUResult> ClassifyAsync(string text, string context = null, int departmentId = 0)
 		{
 			if (string.IsNullOrWhiteSpace(text))
 				return new NLUResult { IntentName = "unknown", Confidence = 0, ProviderName = ProviderName };
@@ -116,9 +118,17 @@ public async Task<NLUResult> ClassifyAsync(string text, string context = null)
 
 			try
 			{
-				var endpoint = ResolveEndpoint();
-				var apiKey = ResolveApiKey();
-				var model = ResolveModel();
+				// A department may supply its own LLM provider so its processing stays with that
+				// provider; otherwise fall back to the Resgrid system-level configuration.
+				DepartmentLlmOverride departmentLlm = null;
+				if (departmentId > 0 && _configService != null)
+					departmentLlm = await _configService.GetLlmOverrideAsync(departmentId);
+
+				var endpoint = departmentLlm != null ? departmentLlm.Endpoint : ResolveEndpoint();
+				var apiKey = departmentLlm != null ? departmentLlm.ApiKey : ResolveApiKey();
+				var model = departmentLlm != null && !string.IsNullOrWhiteSpace(departmentLlm.Model)
+					? departmentLlm.Model
+					: ResolveModel();
 
 				if (string.IsNullOrWhiteSpace(apiKey))
 				{
@@ -166,8 +176,9 @@ public async Task<NLUResult> ClassifyAsync(string text, string context = null)
 				};
 				request.Headers.Add("Authorization", $"Bearer {apiKey}");
 
-				// Azure OpenAI uses api-key header instead
-				if (ChatbotConfig.CloudNluProvider == CloudNluProviderType.AzureOpenAI)
+				// Azure OpenAI uses api-key header instead (system config only; a department override
+				// is assumed OpenAI-compatible with Bearer auth).
+				if (departmentLlm == null && ChatbotConfig.CloudNluProvider == CloudNluProviderType.AzureOpenAI)
 				{
 					request.Headers.Remove("Authorization");
 					request.Headers.Add("api-key", apiKey);

Core/Resgrid.Chatbot/ChatbotModule.cs

@@ -22,9 +22,11 @@ protected override void Load(ContainerBuilder builder)
 				.As<IChatbotSessionManager>()
 				.SingleInstance();
 
+			// InstancePerLifetimeScope (not SingleInstance) because it now depends on the
+			// per-scope IChatbotIdentityRepository (a singleton would capture a scoped DB connection).
 			builder.RegisterType<ChatbotUserIdentityService>()
 				.As<IChatbotUserIdentityService>()
-				.SingleInstance();
+				.InstancePerLifetimeScope();
 
 			// Phase 2: New services
 			builder.RegisterType<IntentMapper>()
@@ -39,6 +41,14 @@ protected override void Load(ContainerBuilder builder)
 				.As<IChatbotTemplateRenderer>()
 				.SingleInstance();
 
+			builder.RegisterType<ChatbotDepartmentConfigService>()
+				.As<IChatbotDepartmentConfigService>()
+				.InstancePerLifetimeScope();
+
+			builder.RegisterType<ChatbotRateLimiter>()
+				.As<IChatbotRateLimiter>()
+				.SingleInstance();
+
 			builder.RegisterType<OAuthLinkingService>()
 				.AsSelf()
 				.InstancePerLifetimeScope();

Core/Resgrid.Chatbot/Config/ChatbotConfig.cs

@@ -37,8 +37,19 @@ public static class ChatbotConfig
 		public static string SlackBotToken = "";
 		public static string SlackAppToken = "";
 		public static string TelegramBotToken = "";
+		// Secret token sent by Telegram in the X-Telegram-Bot-Api-Secret-Token header
+		// (configured via setWebhook). When set, inbound webhooks lacking a matching token are rejected.
+		public static string TelegramWebhookSecretToken = "";
 		public static string LinkingBaseUrl = "";
 
+		// OAuth2 app credentials for Discord/Slack account linking (server-side code exchange).
+		public static string DiscordClientId = "";
+		public static string DiscordClientSecret = "";
+		public static string SlackClientId = "";
+		public static string SlackClientSecret = "";
+		// Redirect URI registered with the OAuth apps; the platform returns the code here.
+		public static string OAuthRedirectUri = "";
+
 		// Message Logging
 		public static int MessageLogRetentionDays = 90;
 		public static bool LogMessageContent = true;

Core/Resgrid.Chatbot/Handlers/CallDetailActionHandler.cs

@@ -13,11 +13,13 @@ public class CallDetailActionHandler : IChatbotActionHandler
 	{
 		private readonly ICallsService _callsService;
 		private readonly IDepartmentsService _departmentsService;
+		private readonly IAuthorizationService _authorizationService;
 
-		public CallDetailActionHandler(ICallsService callsService, IDepartmentsService departmentsService)
+		public CallDetailActionHandler(ICallsService callsService, IDepartmentsService departmentsService, IAuthorizationService authorizationService)
 		{
 			_callsService = callsService;
 			_departmentsService = departmentsService;
+			_authorizationService = authorizationService;
 		}
 
 		public ChatbotIntentType IntentType => ChatbotIntentType.GetCallDetail;
@@ -32,11 +34,20 @@ public async Task<ChatbotResponse> HandleAsync(ChatbotMessage message, ChatbotIn
 				}
 
 				var call = await _callsService.GetCallByIdAsync(callId);
-				if (call == null)
+
+				// Tenant isolation (anti-IDOR): a call that doesn't exist OR belongs to another
+				// department must be indistinguishable so call ids can't be enumerated across tenants.
+				if (call == null || call.DepartmentId != session.DepartmentId)
 				{
 					return new ChatbotResponse { Text = $"Call #{callId} not found.", Processed = true };
 				}
 
+				// Authorization: the call is in the user's department, but they still need view permission.
+				if (!await _authorizationService.CanUserViewCallAsync(session.UserId, call.CallId))
+				{
+					return new ChatbotResponse { Text = "You don't have permission to view this call.", Processed = false };
+				}
+
 				var department = await _departmentsService.GetDepartmentByIdAsync(session.DepartmentId);
 				var sb = new StringBuilder();
 				sb.AppendLine($"Call #{call.CallId}: {call.Name}");

Core/Resgrid.Chatbot/Handlers/PersonnelActionHandler.cs

@@ -15,19 +15,22 @@ public class PersonnelActionHandler : IChatbotActionHandler
 		private readonly IActionLogsService _actionLogsService;
 		private readonly IUserStateService _userStateService;
 		private readonly ICustomStateService _customStateService;
+		private readonly IAuthorizationService _authorizationService;
 
 		public PersonnelActionHandler(
 			IDepartmentsService departmentsService,
 			IUsersService usersService,
 			IActionLogsService actionLogsService,
 			IUserStateService userStateService,
-			ICustomStateService customStateService)
+			ICustomStateService customStateService,
+			IAuthorizationService authorizationService)
 		{
 			_departmentsService = departmentsService;
 			_usersService = usersService;
 			_actionLogsService = actionLogsService;
 			_userStateService = userStateService;
 			_customStateService = customStateService;
+			_authorizationService = authorizationService;
 		}
 
 		public ChatbotIntentType IntentType => ChatbotIntentType.PersonnelLookup;
@@ -36,6 +39,12 @@ public async Task<ChatbotResponse> HandleAsync(ChatbotMessage message, ChatbotIn
 		{
 			try
 			{
+				// Authorization: only users permitted to view the roster may list personnel.
+				if (!await _authorizationService.CanUserViewAllPeopleAsync(session.UserId, session.DepartmentId))
+				{
+					return new ChatbotResponse { Text = "You don't have permission to view personnel for your department.", Processed = false };
+				}
+
 				var allUsers = await _usersService.GetUserGroupAndRolesByDepartmentIdInLimitAsync(session.DepartmentId, false, false, false);
 				var lastActionLogs = await _actionLogsService.GetLastActionLogsForDepartmentAsync(session.DepartmentId);
 				var userStates = await _userStateService.GetLatestStatesForDepartmentAsync(session.DepartmentId);

Core/Resgrid.Chatbot/Interfaces/IChatbotDepartmentConfigService.cs

@@ -0,0 +1,31 @@
+using System.Threading.Tasks;
+using Resgrid.Chatbot.Models;
+using Resgrid.Model;
+
+namespace Resgrid.Chatbot.Interfaces
+{
+	/// <summary>
+	/// Loads and persists per-department chatbot configuration (cache-aside), and resolves a
+	/// department's own LLM override (decrypted). The system-level <c>ChatbotConfig</c> remains the
+	/// default for departments without a row or without an LLM override.
+	/// </summary>
+	public interface IChatbotDepartmentConfigService
+	{
+		/// <summary>Gets the department's config (or null if none). The LlmApiKey remains encrypted.</summary>
+		Task<ChatbotDepartmentConfig> GetConfigAsync(int departmentId, bool bypassCache = false);
+
+		/// <summary>
+		/// Returns the department's own LLM endpoint/key(decrypted)/model when both endpoint and key
+		/// are configured; otherwise null (caller falls back to the system provider).
+		/// </summary>
+		Task<DepartmentLlmOverride> GetLlmOverrideAsync(int departmentId);
+
+		/// <summary>
+		/// Inserts or updates the department's config. <paramref name="newPlaintextLlmKey"/>:
+		/// null = keep existing key, "" = clear it, non-empty = encrypt and store it.
+		/// </summary>
+		Task<ChatbotDepartmentConfig> SaveConfigAsync(ChatbotDepartmentConfig config, string newPlaintextLlmKey = null);
+
+		Task InvalidateCacheAsync(int departmentId);
+	}
+}

Core/Resgrid.Chatbot/Interfaces/IChatbotRateLimiter.cs

@@ -0,0 +1,17 @@
+using System.Threading.Tasks;
+
+namespace Resgrid.Chatbot.Interfaces
+{
+	/// <summary>
+	/// Per-minute rate limiting for inbound chatbot messages, enforced per user and per department.
+	/// Uses Redis for cross-instance counting when available, falling back to in-memory otherwise.
+	/// </summary>
+	public interface IChatbotRateLimiter
+	{
+		/// <summary>
+		/// Records an inbound message and returns false if it would exceed either the per-user or
+		/// per-department limit for the current minute. A limit &lt;= 0 means unlimited.
+		/// </summary>
+		Task<bool> TryAcquireAsync(string userId, int departmentId, int perUserPerMinute, int perDepartmentPerMinute);
+	}
+}