fix: authorization todos in rsocket api

infrastructure/rsocket-api/src/main/kotlin/io/timemates/api/rsocket/auth/AuthInterceptor.kt

@@ -1,7 +1,7 @@
 package io.timemates.api.rsocket.auth
 
 import io.rsocket.kotlin.payload.Payload
-import io.timemates.backend.authorization.usecases.GetUserIdByAccessTokenUseCase
+import io.timemates.backend.authorization.usecases.GetAuthorizationUseCase
 import io.timemates.rsproto.metadata.ExtraMetadata
 import io.timemates.rsproto.server.annotations.ExperimentalInterceptorsApi
 import io.timemates.rsproto.server.interceptors.Interceptor
@@ -14,17 +14,17 @@ import kotlin.coroutines.CoroutineContext
  */
 @OptIn(ExperimentalInterceptorsApi::class)
 class AuthInterceptor(
-    private val getUserIdByAccessTokenUseCase: GetUserIdByAccessTokenUseCase,
+    private val getAuthorizationUseCase: GetAuthorizationUseCase,
 ) : Interceptor() {
-    data class Data(val accessHash: String?, val userIdProvider: GetUserIdByAccessTokenUseCase) : CoroutineContext.Element {
+    data class Data(val accessHash: String?, val authorizationProvider: GetAuthorizationUseCase) : CoroutineContext.Element {
         override val key get() = Key
 
         companion object Key : CoroutineContext.Key<Data>
     }
 
     override fun intercept(coroutineContext: CoroutineContext, incoming: Payload): CoroutineContext {
         val accessHash = coroutineContext[ExtraMetadata]?.extra?.get("access_hash")?.decodeToString()
-        return coroutineContext + Data(accessHash, getUserIdByAccessTokenUseCase)
+        return coroutineContext + Data(accessHash, getAuthorizationUseCase)
     }
 }
 

infrastructure/rsocket-api/src/main/kotlin/io/timemates/api/rsocket/auth/AuthorizationService.kt

@@ -115,7 +115,7 @@ class AuthorizationService(
     }
 
     override suspend fun terminateAuthorization(request: Empty): Empty {
-        removeAccessTokenUseCase.execute(AccessHash.createOrFail(Request.userAccessHash()))
+        removeAccessTokenUseCase.execute(AccessHash.createOrFail(Request.userAccessHash() ?: unauthorized()))
         return Empty.Default
     }
 }

infrastructure/rsocket-api/src/main/kotlin/io/timemates/api/rsocket/internal/ApiFailure.kt

@@ -22,6 +22,9 @@ internal fun alreadyExists(): Nothing = throw ApiFailure.AlreadyExists
 context(RSocketService)
 internal fun noAccess(): Nothing = throw ApiFailure.NoAccess
 
+context(RSocketService)
+internal fun unauthorized(): Nothing = throw ApiFailure.Unauthorized
+
 internal object ApiFailure {
     /**
      * Variable for custom RSocket error when the number of attempts exceeds a limit.
@@ -68,4 +71,10 @@ internal object ApiFailure {
      */
     val NoAccess: RSocketError.Custom
         get() = RSocketError.Custom(HttpStatusCode.Forbidden.value, "No access to given resource or operation.")
+
+    /**
+     * Represents unauthorized failure in requests.
+     */
+    val Unauthorized: RSocketError.Custom
+        get() = RSocketError.Custom(HttpStatusCode.Unauthorized.value, "Unauthorized.")
 }

infrastructure/rsocket-api/src/main/kotlin/io/timemates/api/rsocket/internal/AuthorizationContext.kt

@@ -1,8 +1,15 @@
 package io.timemates.api.rsocket.internal
 
+import io.timemates.api.rsocket.auth.AuthInterceptor
+import io.timemates.backend.authorization.types.value.AccessHash
+import io.timemates.backend.authorization.usecases.GetAuthorizationUseCase
+import io.timemates.backend.features.authorization.Authorized
 import io.timemates.backend.features.authorization.AuthorizedContext
 import io.timemates.backend.features.authorization.Scope
+import io.timemates.backend.features.authorization.authorizationProvider
+import io.timemates.backend.features.authorization.types.AuthorizedId
 import io.timemates.rsproto.server.RSocketService
+import kotlinx.coroutines.currentCoroutineContext
 
 /**
  * Executes the provided block of code within an authorized context.
@@ -11,6 +18,21 @@ import io.timemates.rsproto.server.RSocketService
  * @return The result of executing the code block.
  */
 context(RSocketService)
-internal suspend inline fun <T : Scope, R> authorized(block: AuthorizedContext<T>.() -> R): R {
-    TODO()
+internal suspend inline fun <reified T : Scope, R> authorized(
+    constraint: (List<Scope>) -> Boolean = { scopes -> scopes.any { it is T || it is Scope.All } },
+    block: AuthorizedContext<T>.() -> R,
+): R {
+    val authInfo = currentCoroutineContext()[AuthInterceptor.Data] ?: unauthorized()
+    val accessHash = authInfo.accessHash ?: unauthorized()
+
+    return authorizationProvider(
+        provider = {
+            authInfo.authorizationProvider.execute(AccessHash.createOrFail(accessHash))
+                .let { (it as? GetAuthorizationUseCase.Result.Success)?.authorization ?: unauthorized() }
+                .takeIf { constraint(it.scopes) }
+                ?.let { Authorized(AuthorizedId(it.userId.long), scopes = it.scopes) }
+        },
+        onFailure = { unauthorized() },
+        block = block,
+    )
 }

infrastructure/rsocket-api/src/main/kotlin/io/timemates/api/rsocket/internal/RSocketServiceExt.kt

@@ -1,9 +1,11 @@
 package io.timemates.api.rsocket.internal
 
 import io.rsocket.kotlin.RSocketError
+import io.timemates.api.rsocket.auth.AuthInterceptor
 import io.timemates.backend.validation.SafeConstructor
 import io.timemates.backend.validation.ValidationFailureHandler
 import io.timemates.rsproto.server.RSocketService
+import kotlinx.coroutines.currentCoroutineContext
 
 /**
  * Used as a handler for validation inside RSocket requests.
@@ -35,5 +37,5 @@ internal fun <T, W> SafeConstructor<T, W>.createOrFail(value: W): T {
 
 object Request {
     context(RSocketService)
-    internal fun userAccessHash(): String = TODO()
+    internal suspend fun userAccessHash(): String? = currentCoroutineContext()[AuthInterceptor.Data]?.accessHash
 }