From 6f07849e1d02dc9614d686b1ffe118196502fd62 Mon Sep 17 00:00:00 2001
From: "nicolas.dorier"
Date: Fri, 11 May 2018 17:16:18 +0900
Subject: [PATCH] Use policies security for controlling access to bitpay api
---
 BTCPayServer/Controllers/InvoiceController.API.cs | 4 ++++
 BTCPayServer/Security/BitpayClaimsFilter.cs       | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/BTCPayServer/Controllers/InvoiceController.API.cs b/BTCPayServer/Controllers/InvoiceController.API.cs
index 37dfcb85e..aac4ee764 100644
--- a/BTCPayServer/Controllers/InvoiceController.API.cs
+++ b/BTCPayServer/Controllers/InvoiceController.API.cs
@@ -13,11 +13,14 @@ using BTCPayServer.Data;
 using BTCPayServer.Services.Invoices;
 using Microsoft.AspNetCore.Cors;
 using BTCPayServer.Services.Stores;
+using Microsoft.AspNetCore.Authorization;
+using BTCPayServer.Security;
 
 namespace BTCPayServer.Controllers
 {
     [EnableCors("BitpayAPI")]
     [BitpayAPIConstraint]
+    [Authorize(Policies.CanUseStore.Key)]
     public class InvoiceControllerAPI : Controller
     {
         private InvoiceController _InvoiceController;
@@ -43,6 +46,7 @@ namespace BTCPayServer.Controllers
 
         [HttpGet]
         [Route("invoices/{id}")]
+        [AllowAnonymous]
         public async Task> GetInvoice(string id, string token)
         {
             var invoice = await _InvoiceRepository.GetInvoice(null, id);
diff --git a/BTCPayServer/Security/BitpayClaimsFilter.cs b/BTCPayServer/Security/BitpayClaimsFilter.cs
index c9c4ea489..463ab57cf 100644
--- a/BTCPayServer/Security/BitpayClaimsFilter.cs
+++ b/BTCPayServer/Security/BitpayClaimsFilter.cs
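Review bot: The class-level `[Authorize(Policies.CanUseStore.Key)]` only admits a request whose principal already carries the claim that BitpayClaimsFilter adds in the second file of this patch, so that filter has to run before MVC's authorization stage; the filter's interface and registration order are not in this patch, so confirm it is an authorization filter (or runs earlier) rather than an action filter, otherwise every Bitpay API call is rejected before the claim exists. A request that presents no credentials at all receives neither the claim nor a `BitpayHttpException` from the filter, so the denial then comes from the framework's default challenge and may not have the JSON error shape Bitpay clients parse. A short comment above the attribute would make the dependency visible: `// Requires the store claim that BitpayClaimsFilter derives from the Bitpay API key; requests without it are denied here.`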
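Review bot: `[AllowAnonymous]` on `GetInvoice` switches the class-level policy off for this action, so the only check between an anonymous caller and an invoice is whatever the body does with the `token` parameter; the visible lookup `GetInvoice(null, id)` is not scoped to a store, and the rest of the body lies outside the hunk. Document the intent on the action so the bypass is not removed or widened by accident: `// Anonymous by design: the per-invoice token sent by the wallet is the credential and is validated below.` If the body compares `token` against a stored value with `==`, a constant-time comparison is the better choice for a secret bearer value, which is worth confirming since that code is not in the hunk.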
@@ -79,13 +79,13 @@ namespace BTCPayServer.Security
             if (storeId != null)
             {
                 var identity = ((ClaimsIdentity)context.HttpContext.User.Identity);
-                identity.AddClaim(new Claim(Claims.OwnStore, storeId));
+                identity.AddClaim(new Claim(Policies.CanUseStore.Key, storeId));
                 var store = await _StoreRepository.FindStore(storeId);
                 context.HttpContext.SetStoreData(store);
             }
             else if (failedAuth)
             {
-                throw new BitpayHttpException(401, "Can't access to store");
+                throw new BitpayHttpException(401, "Invalid credentials");
             }
         }
     }
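Review bot: The claim type written on the `identity.AddClaim` line is now the same string as the policy name checked by `[Authorize(Policies.CanUseStore.Key)]` in the first file, a convenient but implicit coupling that deserves a comment: `// Claim type doubles as the policy key that [Authorize] checks on the Bitpay API controllers.` The diffstat lists only two files, so if any other code still reads `Claims.OwnStore` it will no longer find the claim after this rename; a search for remaining uses before merge seems prudent. The new `"Invalid credentials"` message is an improvement since it no longer hints that a store exists. The enclosing method starts before this hunk.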