Add SuperAdmin authorization policy and JWT claims

nickprotop · nickprotop · commit 7e1df4c79c0b · 2025-12-20T18:05:41.000+02:00
diff --git a/cloud/src/LrmCloud.Api/Helpers/JwtTokenGenerator.cs b/cloud/src/LrmCloud.Api/Helpers/JwtTokenGenerator.cs
@@ -25,7 +25,8 @@ public static (string Token, DateTime ExpiresAt) GenerateToken(
             new(ClaimTypes.Name, user.Username ?? user.Email!),
             new("auth_type", user.AuthType),
             new("plan", user.Plan),
-            new("email_verified", user.EmailVerified.ToString())
+            new("email_verified", user.EmailVerified.ToString()),
+            new("is_superadmin", user.IsSuperAdmin.ToString().ToLowerInvariant())
         };
 
         var tokenDescriptor = new SecurityTokenDescriptor
diff --git a/cloud/src/LrmCloud.Api/Program.cs b/cloud/src/LrmCloud.Api/Program.cs
@@ -174,6 +174,9 @@ public static int Main(string[] args)
             // Authorization Service
             builder.Services.AddScoped<ILrmAuthorizationService, LrmAuthorizationService>();
 
+            // Admin Service
+            builder.Services.AddScoped<IAdminService, AdminService>();
+
             // Background Jobs
             builder.Services.AddHostedService<UsageResetService>();
 
@@ -270,7 +273,11 @@ public static int Main(string[] args)
                 };
             });
 
-            builder.Services.AddAuthorization();
+            builder.Services.AddAuthorization(options =>
+            {
+                options.AddPolicy("SuperAdmin", policy =>
+                    policy.RequireClaim("is_superadmin", "true"));
+            });
 
             builder.Services.AddControllers()
                 .AddJsonOptions(options =>
@@ -408,6 +415,36 @@ await context.HttpContext.Response.WriteAsJsonAsync(new
                     Log.Error(ex, "Database migration failed");
                     throw;
                 }
+
+                // Seed superadmins from configuration
+                var superAdminEmails = config.SuperAdmin?.Emails ?? new List<string>();
+                if (superAdminEmails.Count > 0)
+                {
+                    Log.Information("Checking superadmin configuration for {Count} email(s)", superAdminEmails.Count);
+                    foreach (var email in superAdminEmails)
+                    {
+                        var normalizedEmail = email.ToLowerInvariant().Trim();
+                        var user = db.Users.FirstOrDefault(u => u.Email == normalizedEmail);
+                        if (user != null)
+                        {
+                            if (!user.IsSuperAdmin)
+                            {
+                                user.IsSuperAdmin = true;
+                                user.UpdatedAt = DateTime.UtcNow;
+                                db.SaveChanges();
+                                Log.Information("User {Email} set as superadmin", normalizedEmail);
+                            }
+                            else
+                            {
+                                Log.Debug("User {Email} is already a superadmin", normalizedEmail);
+                            }
+                        }
+                        else
+                        {
+                            Log.Warning("Superadmin user {Email} not found in database (will be set when user registers)", normalizedEmail);
+                        }
+                    }
+                }
             }
 
             // =============================================================================
diff --git a/cloud/src/LrmCloud.Api/Services/AuthService.cs b/cloud/src/LrmCloud.Api/Services/AuthService.cs
@@ -418,6 +418,7 @@ await _mailService.TrySendEmailAsync(_logger,
                 AvatarUrl = user.AvatarUrl,
                 EmailVerified = user.EmailVerified,
                 Plan = user.Plan,
+                IsSuperAdmin = user.IsSuperAdmin,
                 CreatedAt = user.CreatedAt
             },
             Token = token,
@@ -543,6 +544,7 @@ await _mailService.TrySendEmailAsync(_logger,
                 AvatarUrl = user.AvatarUrl,
                 EmailVerified = user.EmailVerified,
                 Plan = user.Plan,
+                IsSuperAdmin = user.IsSuperAdmin,
                 CreatedAt = user.CreatedAt
             },
             Token = token,
@@ -608,6 +610,7 @@ public async Task<bool> RevokeRefreshTokenAsync(string refreshToken, string? ipA
             Plan = user.Plan,
             PaymentCustomerId = user.PaymentCustomerId,
             PaymentProvider = user.PaymentProvider,
+            IsSuperAdmin = user.IsSuperAdmin,
             TranslationCharsUsed = user.TranslationCharsUsed,
             TranslationCharsLimit = user.TranslationCharsLimit,
             TranslationCharsResetAt = user.TranslationCharsResetAt,
@@ -669,6 +672,7 @@ public async Task<bool> RevokeRefreshTokenAsync(string refreshToken, string? ipA
             Plan = user.Plan,
             PaymentCustomerId = user.PaymentCustomerId,
             PaymentProvider = user.PaymentProvider,
+            IsSuperAdmin = user.IsSuperAdmin,
             TranslationCharsUsed = user.TranslationCharsUsed,
             TranslationCharsLimit = user.TranslationCharsLimit,
             TranslationCharsResetAt = user.TranslationCharsResetAt,
diff --git a/cloud/src/LrmCloud.Shared/DTOs/Auth/UserDto.cs b/cloud/src/LrmCloud.Shared/DTOs/Auth/UserDto.cs
@@ -9,5 +9,6 @@ public class UserDto
     public string? AvatarUrl { get; set; }
     public bool EmailVerified { get; set; }
     public string Plan { get; set; } = "free";
+    public bool IsSuperAdmin { get; set; }
     public DateTime CreatedAt { get; set; }
 }
diff --git a/cloud/src/LrmCloud.Shared/DTOs/Auth/UserProfileDto.cs b/cloud/src/LrmCloud.Shared/DTOs/Auth/UserProfileDto.cs
@@ -22,6 +22,9 @@ public class UserProfileDto
     public string? PaymentCustomerId { get; set; }
     public string? PaymentProvider { get; set; }
 
+    // Admin
+    public bool IsSuperAdmin { get; set; }
+
     // LRM Translation Usage & Limits (counts against plan)
     public int TranslationCharsUsed { get; set; }
     public int TranslationCharsLimit { get; set; }

Original file line number	Diff line number	Diff line change
`@@ -9,5 +9,6 @@ public class UserDto`
`9`	`9`	`public string? AvatarUrl { get; set; }`
`10`	`10`	`public bool EmailVerified { get; set; }`
`11`	`11`	`public string Plan { get; set; } = "free";`
	`12`	`+ public bool IsSuperAdmin { get; set; }`
`12`	`13`	`public DateTime CreatedAt { get; set; }`
`13`	`14`	`}`