Commit Graph

120 Commits

Author SHA1 Message Date
d11n
d3315c2fa6
Integrate mobile-working-branch part 1 (#6428) 2024-11-26 14:17:40 +09:00
Andrew Camilleri
e497903bf4
Support Admin being able to view stores (#5782)
* Support Admin being able to view stores

* fix null check

* Delete obsolete empty view

* Add test

* Apply CanViewStoreSettings policy changes

Taken from #5719

* Fix Selenium tests

* Update dashboard permission requirement

---------

Co-authored-by: Dennis Reimann <mail@dennisreimann.de>
2024-03-14 10:25:40 +01:00
d11n
e43b4ed540
Onboarding: Invite new users (#5714)
* Server Users: More precise message when inviting users

This lets the admin who invited a new user know whether or not an email has been sent. If the SMTP server hasn't been set up, they need to share the invite link with the user.

* Onboarding: Invite new users

- Separates the user self-registration and invite cases
- Adds invitation email for users created by the admin
- Adds invitation tokens to verify user was invited
- Adds handler action for invite links
- Refactors `UserEventHostedService`

* Remove duplicate status message from views that use the wizard layout

* Auto-approve users created by an admin

* Notify admins via email if a new account requires approval

* Update wording

* Fix update user error

* Fix redirect to email confirmation in invite action

* Fix precondition checks after signup

* Improve admin notification

Send notification only if the user does not require email confirmation or when they confirmed their email address. Rationale: We want to inform admins only about qualified users and not annoy them with bot registrations.

* Allow approval alongside resending confirm email

* Use user email in log messages instead of ID

* Prevent unnecessary notification after email confirmation

* Use ApplicationUser type explicitly

* Fix after rebase

* Refactoring: Do not subclass UserRegisteredEvent
2024-02-28 20:43:18 +09:00
d11n
d55770cc16
Admin overview of the stores on the instance (#5745)
* Admin overview of the stores on the instance

POC/Draft for #5674.

* Enable admin to access foreign stores

* Remove stores list link

* UI updates

* Grant admins guest access to foreign stores

* Optimize cookie auth handler

* Test fix

* Revert changes related to StoreRepository.FindStore with isAdmin
2024-02-23 09:51:41 +01:00
d11n
6290b0f3bf
Admins can approve registered users (#5647)
* Users list: Cleanups

* Policies: Flip registration settings

* Policies: Add RequireUserApproval setting

* Add approval to user

* Require approval on login and for API key

* API handling

* AccountController cleanups

* Test fix

* Apply suggestions from code review

Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com>

* Add missing imports

* Communicate login requirements to user on account creation

* Add login requirements to basic auth handler

* Cleanups and test fix

* Encapsulate approval logic in user service and log approval changes

* Send follow up "Account approved" email

Closes #5656.

* Add notification for admins

* Fix creating a user via the admin view

* Update list: Unify flags into status column, add approve action

* Adjust "Resend email" wording

* Incorporate feedback from code review

* Remove duplicate test server policy reset

---------

Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com>
2024-01-31 14:45:54 +09:00
d11n
b96cfcd14d
Apps: Allow authenticated, non-owner users permissioned access (#5702)
Fixes #5698. Before this, the app lookup was constrained by the user having at least `CanModifyStoreSettings` permissions. This changes it to require the user being associated with a store, leaving the fine-grained authorization checks up to the individual actions.
2024-01-25 21:00:33 +09:00
Nicolas Dorier
1081eab9db
Fix warnings (#5517)
Co-authored-by: Dennis Reimann <mail@dennisreimann.de>
2023-11-28 15:20:03 +01:00
Nicolas Dorier
1956919886
Do not crash when an invoice has an amount that is too big (#5070) 2023-06-16 10:47:58 +09:00
Andrew Camilleri
783e4ccb35
Store Custom Roles (#4940) 2023-05-26 23:49:32 +09:00
Andrew Camilleri
fae1dc8dbb
Adapt cookie auth to work with same API permission system (#4595)
* Adapt cookie auth to work with same API permission system

* Handle unscoped store permission case

* Do not consider Unscoped as a valid policy

* Add tests

* Refactor permissions scopes

---------

Co-authored-by: Dennis Reimann <mail@dennisreimann.de>
Co-authored-by: nicolas.dorier <nicolas.dorier@gmail.com>
2023-03-20 10:46:46 +09:00
Nicolas Dorier
98d62e826b
Do not throw missing-permission error when no store on /api/v1/stores (Close #4735) (#4748) 2023-03-08 21:36:51 +09:00
Nicolas Dorier
4ae05272c3
Greenfield: Admins can create/delete API keys of any user (#4680)
* Greenfield: Admins can create/delete API keys of any user

* Greenfield: Improve doc for scoped apikey (Close #4673)

* Fix permissions hierarchy

* Update BTCPayServer.Client/Permissions.cs

* Fix tests

---------

Co-authored-by: Andrew Camilleri <evilkukka@gmail.com>
2023-02-24 16:19:03 +09:00
Nicolas Dorier
2bd8227e20
Start using JSONB column instead of app side compressed data (#4574) 2023-02-21 15:06:34 +09:00
d11n
d5d0be5824
Code formatting updates (#4502)
* Editorconfig: Add space_before_self_closing setting

This was a difference between the way dotnet-format and Rider format code. See https://www.jetbrains.com/help/rider/EditorConfig_Index.html

* Editorconfig: Keep 4 spaces indentation for Swagger JSON files

They are all formatted that way, let's keep it like that.

* Apply dotnet-format, mostly white-space related changes
2023-01-06 22:18:07 +09:00
Andrew Camilleri
434298cba6
Greenfield: Store Rates Config (#3931)
* Greenfield: Store Rates Config

* FIX SWAGGER

* rebase fix

* Apply suggestions from code review

Co-authored-by: d11n <mail@dennisreimann.de>

* Update BTCPayServer/wwwroot/swagger/v1/swagger.template.stores-rates-config.json

Co-authored-by: d11n <mail@dennisreimann.de>

* Fix: Spread isn't converted from/to percentage, rename some fields, and move some routes

* Fix error handling

Co-authored-by: d11n <mail@dennisreimann.de>
Co-authored-by: nicolas.dorier <nicolas.dorier@gmail.com>
2022-10-12 22:19:33 +09:00
d11n
1e378dd986
Plugins: Add authorization hook (#3977)
* Plugins: Add authorization hook

Makes the `PolicyRequirement` available to plugins.
Adds a filter hook to the authorization handlers, so that plugins can extend and leverage the existing authorization policies and permissions.

* Update to pass back and forth handle class
2022-08-02 14:20:16 +09:00
Andrew Camilleri
273bc78db3
Allow Users to be disabled/enabled (#3639)
* Allow Users to be disabled/enabled

* rebrand to locked for api

* Update BTCPayServer/Views/UIAccount/Lockout.cshtml

Co-authored-by: d11n <mail@dennisreimann.de>

* fix docker compose and an unneeded check in api handler

* fix

* Add enabled user test

Co-authored-by: d11n <mail@dennisreimann.de>
Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com>
2022-04-26 21:27:35 +09:00
Andrew Camilleri
c07fcc171c
Fix Plugin Local Client authorization when user is provided (#3401)
* Fix Plugin Local Client authorization when user is provided

* 1337 hax
2022-02-02 20:09:08 +09:00
Nicolas Dorier
11d6588249
Add suggestion list for currency inputs (#3347)
* Move tagHelpers in their own directory

* Add suggestion list for currency inputs
2022-01-24 20:00:13 +09:00
nicolas.dorier
50d4b55f73
Warning if not using 'simple using' 2022-01-14 17:50:29 +09:00
nicolas.dorier
c6a7e90c1a
Warning if not using 'is not null' 2022-01-14 17:48:15 +09:00
nicolas.dorier
23a96c07ae
Rename GreenField -> Greenfield 2022-01-14 13:46:04 +09:00
Nicolas Dorier
f67fa6a5d6
Remove right to admins to bypass permissions to modify/view invoices or stores (#3297) 2022-01-13 17:42:32 +09:00
nicolas.dorier
b71a04943b
CookieAuthHandler shouldn't set store context if appId/payReqId/invoiceId is not found 2022-01-07 18:10:31 +09:00
Nicolas Dorier
04b8eafacb
Run dotnet format (#3244) 2021-12-31 16:59:02 +09:00
d11n
e2d0b7c5f7
Store centric UI: Part 3 (#3224)
* Set store context in cookie

* Fix page id usages in view

* Move Pay Button to nav

* Move integrations to plugins nav

* Store switch links to wallet if present

* Test fixes

* Nav fixes

* Fix altcoin view

* Main nav updates

* Wallet settings nav update

* Move storeId cookie fallback to cookie auth handler

* View fixes

* Test fixes

* Fix profile check

* Rename integrations nav extension point to store-integrations-nav-list

* Allow strings for Active page/category for plugins

* Make invoice list filter based on store context

* Do not set context if we are running authorizer through tag helper

* Fix test and unfiltered invoices

* Add permission helper for wallet links

* Add sanity checks for payment requests and invoices

* Store context in home controller

* Fix PayjoinViaUI test

* Store context for notifications

* Minor UI improvements

* Store context for userstores and vault controller

* Bring back integrations page

* Rename notifications nav pages file

* Fix user stores controller policies

* Controller policy fixes from code review

* CookieAuthHandler: Simplify CanViewInvoices case

* Revert "Controller policy fixes from code review"

This reverts commit 97e8b8379c.

* Simplify LayoutSimple

* Fix CanViewInvoices condition

Co-authored-by: Kukks <evilkukka@gmail.com>
2021-12-31 16:36:38 +09:00
Nicolas Dorier
ed5b159fb6
Use ArgumentNullException.ThrowIfNull everywhere (#3239) 2021-12-28 17:39:54 +09:00
Nicolas Dorier
02419dcdd1
Migrate to .net6.0 (#3198) 2021-12-27 13:15:43 +09:00
d11n
4a66c91cac
Fix app permissions (#3227)
* Fix app permissions

As pointed out by @nicolasdorier [here](https://github.com/btcpayserver/btcpayserver/pull/3205#issuecomment-999437555).

* Fix for login codes view

* Ensure app belongs to store
2021-12-26 12:20:46 +09:00
Dennis Reimann
3a59e2a5c4 Cache resolved store items in HTTP context 2021-12-21 09:24:09 +01:00
Nicolas Dorier
c68141119c
[Greenfield] Send forbid 403 rather than empty results on /api/v1/stores (#3215) 2021-12-19 01:01:54 +09:00
Wouter Samaey
6de4f6a3ac
Mention the missing API permission in the response of a Greenfield request (#3195)
* Mention the missing API permission in the response header or body

* Fixes + Added a unit test. 1 TODO remains.

* Added MissingPermissionDescription to the error

* Update BTCPayServer.Tests/GreenfieldAPITests.cs

Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com>

* Fix tests

* [GreenField]: Make sure we are sending fully typed errors

Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com>
2021-12-16 23:04:06 +09:00
d11n
f8e6b51e9d
Store-centric UI (#3091)
* Update layout structure and header

* Implement store selector

* Simplify homepage

* Update layout

* Use dropdown for store selector

* Hide global nav in store context

* Horizontal section nav

* Remove outer section and container from content views

* Update nav

* Set store context for invoice and payment request lists

* Test fixes

* Persist menu collapse state on client-side

* MainNav as view component

* Update app routes to incorporate store context

* Test fixes

* Display ticker for altcoins build only

* Plugins nav

* Incorporate category for active page as well

* Update invoice icon

* Add apps list to nav

* Add store context to app type controllers

* Incorporate id for active page as well

* Test fixes

* AppsController cleanup

* Nav: Display only apps for the current store

* Remove leftover from merge

* Nav styles optimization

* Left-align content container

* Increase sidebar padding on desktop

* Use min-width for store selector menu

* Store settings nav update

* Update app and payment request routes

* Test fixes

* Refactor MainNav component to use StoresController

* Set store context for invoice actions

* Cleanups

* Remove CurrentStore checks

The response will be "Access denied" in case the CookieAuthorizationHandler cannot resolve the store.

* Remove unnecessary store context setters

* Test fix
2021-12-11 12:32:23 +09:00
Andrew Camilleri
fd75008499
Allow pull payments for store guests (#3128) 2021-12-08 00:40:24 +09:00
Kukks
0cd7380af0 Make CSP accessible to plugins 2021-09-27 08:45:55 +02:00
d11n
aac87539ae
Fix pay button CSP issue when using modal (#2872)
* Fix pay button CSP issue when using modal

Fixes #2864.

* Use event handler, refactor csp tags

* Fix script indentation

* Fix onsubmit event handler integration

Co-authored-by: nicolas.dorier <nicolas.dorier@gmail.com>
2021-09-12 20:31:35 +09:00
nicolas.dorier
ad7b62fa3d
Fix CSP when there is a theme 2021-09-10 00:14:26 +09:00
Nicolas Dorier
fc4e47cec6
Add CSP at the website level (#2863) 2021-09-09 21:51:28 +09:00
Andrew Camilleri
ba165ddd4f
Local Greenfield Client for Plugins (#2410)
* wip

* Local GreenField Client for Plugins

* support notification handlers being missing

* Initial support for scoped btcpay client

* test out scoped local client

* wip

* small fix

* Throw exception if using local greenfield client and it has not been implemented yet

* adapt based on new changes in BTCPay

* update

* fix tests

* Allow Local client to bypass authorization handler

* Add Misc endpoints to Local API Client

* Add new endpoints

* Apply code review changes
2021-07-27 21:11:47 +09:00
Umar Bolatov
d9935ada9d
Add "/api/v1/users/me" endpoint 2021-06-02 20:02:29 -07:00
Andrew Camilleri
5fe3c1c61f
U2fremove (#2496)
* Remove U2F support and JS

* fix final changes

* fix more final stuff
2021-04-28 16:22:09 +09:00
Andrew Camilleri
02bf5afe0b
Migrate existing U2F to Fido2 (#2484)
* Migrate existing U2F to Fido2

This seamlessly switches all u2f registrations over to the new FIDO2 support. Please note that I have not yet added a way to drop the u2f DB and its UI so that we can test the migration works properly for all.

* add testing logic

* fix u2f tests

* remove duplicate status message

* fix test and namespaces

* fix test
2021-04-28 13:14:15 +09:00
nicolas.dorier
af9d896510
Do not use Random 2021-03-23 17:53:23 +09:00
Andrew Camilleri
0652e30c30
GreenField: Notifications API (#2055)
* GreenField: Notifications API

This refactors notifications so that we don't have a bunch of duplicated direct access to db contexts in controllers and then introduces new endpoints to fetch/toggle seen/remove notifications of the current user.

* add tests + docs

* fix test

* pr changes

* fix permission json
2020-12-11 23:11:08 +09:00
Kukks
179520a211 Plugins: Allow creation of independent DbContexts
This allows plugins to create custom dbcontexts, which would be namespaced in the scheme with a prefix. Migrations are supported too and the table would be prefixed too.
2020-11-18 12:27:26 +01:00
Andrew Camilleri
5979fe5eef
BTCPay Extensions Part 2 (#2001)
* BTCPay Extensions Part 2

This PR cleans up the extension system a bit in that:
 * It renames the test extension to a more uniform name
 * Allows you to have system extensions, which are extensions but bundled by default with the release (and cannot be removed)
 * Adds a tool to help you generate an extension package from a csproj
 * Refactors the UI extension points to a view component
 * Moves some more interfaces to the Abstractions csproj

* Rename to plugins
2020-10-21 14:02:20 +02:00
Kukks
1cb3e5f98c Set roles when authenticating via greenfield
fixes #1855
2020-09-08 11:22:32 +02:00
Kukks
0e07fcc706 fixes and adapt 2020-08-28 09:00:14 +02:00
Kukks
7ca74aeea7 Add API Keys Application identifier
This lets the authorize api key screen redirect to the defined url and provide it with the user id, permissions granted and the key.

This also allows apps to match existing api keys generated for it specifically using the application identifier, and if matched, presented with a confirmation page before redirection.
2020-08-28 09:00:13 +02:00
Kukks
4b392ad70a fail auth on incorrect basic auth value
fixes #1713
2020-07-13 08:35:13 +02:00