From bf0c085739beb42fb0a5c855215b18873cace3f9 Mon Sep 17 00:00:00 2001
From: lilly
Date: Thu, 14 May 2026 16:41:16 +0200
Subject: [PATCH] api: properly compute authorization based on ccchh role

---
 api/src/dooris_api/__init__.py | 2 +-
 api/src/dooris_api/app.py      | 7 ++++---
 api/src/dooris_api/models.py   | 9 +++++----
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/api/src/dooris_api/__init__.py b/api/src/dooris_api/__init__.py
index 57ed503..f587774 100644
--- a/api/src/dooris_api/__init__.py
+++ b/api/src/dooris_api/__init__.py
@@ -19,7 +19,7 @@ def main():
     )
     argp.add_argument(
         "--openid-scope",
-        default=os.environ.get("DOORIS_OPENID_SCOPE", "openid profile"),
+        default=os.environ.get("DOORIS_OPENID_SCOPE", "openid profile ccchh-roles"),
         help="The Keycloak OpenID isser to use for authentication",
     )
     argp.add_argument(
diff --git a/api/src/dooris_api/app.py b/api/src/dooris_api/app.py
index 5b1eb65..9f8bedc 100644
--- a/api/src/dooris_api/app.py
+++ b/api/src/dooris_api/app.py
@@ -71,6 +71,7 @@ async def get_user_info(
             current_user.id_token.exp, UTC
         ),
         username=current_user.id_token.preferred_username,
+        ccchh_roles=current_user.ccchh_roles,
     )
 
 
@@ -117,7 +118,7 @@ async def login_init(
     response_class=RedirectResponse,
     status_code=302,
 )
-async def login_callback(req: Request, resp: Response, oidc_client: deps.OpenidClient):
+async def login_callback(req: Request, resp: Response, oidc_client: deps.OpenidClient) -> str:
     # check that the user is currently in an authenticating state
     # these cookies are set by the login_init() view
     if (
@@ -167,7 +168,7 @@ async def login_callback(req: Request, resp: Response, oidc_client: deps.OpenidC
 )
 async def logout(
     resp: Response, oidc_client: deps.OpenidClient, current_user: deps.CurrentUser
-):
+) -> str:
     deps.clear_auth_state(resp)
     return oidc_client.initiate_logout(
         RpInitiatedLogoutRequest(
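Review bot: The new `--openid-scope` default adds the `ccchh-roles` scope that the role-based authorization now depends on, but the `help` text on the following context line still talks about the "OpenID isser" and looks like a copy of the issuer argument's help, so the option that controls authorization is documented wrongly. I would change it to `help="Space-separated OpenID scopes to request; must include ccchh-roles for lock authorization"`. An operator who sets DOORIS_OPENID_SCOPE without that scope gets an empty role list and every user is denied lock access with no hint why, so naming the coupling in the help text is the cheapest guard. main() continues outside the hunk.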
@@ -253,7 +254,7 @@ async def operate_lock(
 ) -> None:
     if not current_user.may_operate_locks:
         raise exceptions.HttpProblemException.forbidden_to_operate(req.url)
 
-    # TODO: Validate that the user is authorized
+    # find appropriate lock from ccujack
     for i_lock, lock_channels in ccujack.locks:
         if i_lock.identifier == lock_id:
diff --git a/api/src/dooris_api/models.py b/api/src/dooris_api/models.py
index eac83dd..d1574c4 100644
--- a/api/src/dooris_api/models.py
+++ b/api/src/dooris_api/models.py
@@ -33,17 +33,18 @@ class CurrentUser(BaseModel):
 
     @property
     def ccchh_roles(self) -> List[str]:
-        return []
+        return getattr(self.id_token, "ccchh-roles", [])
 
     @property
     def may_operate_locks(self) -> bool:
-        return True
+        return "intern@" in self.ccchh_roles
 
 
 class UserStatus(BaseModel):
     is_authorized: bool
-    guaranteed_session_until: Optional[datetime]
-    username: Optional[str]
+    guaranteed_session_until: datetime
+    username: str
+    ccchh_roles: List[str]
 
 
 class LockStatus(BaseModel):
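Review bot: Dropping the TODO removes the reminder while authorization in this view is still only the global `may_operate_locks` gate evaluated before the loop; nothing in the hunk ties the role to the particular `lock_id` matched below. If every intern is meant to operate every lock that is a fine policy, but then the comment should state it rather than only describe the lookup, e.g. `# authorization: any user with the intern role may operate any lock (CurrentUser.may_operate_locks)`. operate_lock's signature and the remainder of its body lie outside the hunk.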
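Review bot: `ccchh_roles` returns whatever the token carries under `ccchh-roles` without checking its type, and `may_operate_locks` then applies `in` to it; if an identity provider ever delivers the claim as a single string instead of a list, `"intern@" in roles` turns into a substring test and any role name containing that text passes, and a non-list value would also fail pydantic validation of `UserStatus.ccchh_roles` in `get_user_info`. Normalize at the boundary: `roles = getattr(self.id_token, "ccchh-roles", [])` followed by `return [r for r in roles if isinstance(r, list) or isinstance(r, str)] if isinstance(roles, list) else []` — or simpler, keep only the `isinstance(r, str)` filter. Reading a hyphenated claim via `getattr` also only works if `id_token` exposes unknown claims as attributes; if they live only in a dict, this always yields `[]` and every user is denied — fail-closed, but the feature silently does nothing, so a comment or a test pinning the lookup is warranted. The literal `"intern@"` with its trailing `@` reads like a prefix of a longer role name; confirm it is the exact value the identity provider emits, since list membership needs an exact match. Making `guaranteed_session_until` and `username` required fits the authenticated path in `get_user_info`, but any other construction of `UserStatus` with `None` outside this diff would now raise a ValidationError.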