json-api-dotnet · Sep 4, 2023
diff --git a/‎src/JsonApiDotNetCore/Queries/Expressions/QueryExpressionRewriter.cs
+1-1 b/‎src/JsonApiDotNetCore/Queries/Expressions/QueryExpressionRewriter.cs
+1-1
diff --git a/‎test/JsonApiDotNetCoreTests/IntegrationTests/Archiving/TelevisionBroadcastDefinition.cs
+1-1 b/‎test/JsonApiDotNetCoreTests/IntegrationTests/Archiving/TelevisionBroadcastDefinition.cs
+1-1
diff --git a/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/Actor.cs
+19 b/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/Actor.cs
+19
diff --git a/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/AuthScopeSet.cs
+127 b/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/AuthScopeSet.cs
+127
diff --git a/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/Genre.cs
+16 b/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/Genre.cs
+16
diff --git a/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/Movie.cs
+25 b/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/Movie.cs
+25
diff --git a/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/OperationsController.cs
+53 b/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/OperationsController.cs
+53
diff --git a/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/Permission.cs
+9 b/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/Permission.cs
+9
diff --git a/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/ScopeOperationsTests.cs
+466 b/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/ScopeOperationsTests.cs
+466
diff --git a/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/ScopeReadTests.cs
+343 b/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/ScopeReadTests.cs
+343
diff --git a/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/ScopeWriteTests.cs
+434 b/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/ScopeWriteTests.cs
+434
diff --git a/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/ScopesAuthorizationFilter.cs
+104 b/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/ScopesAuthorizationFilter.cs
+104
diff --git a/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/ScopesDbContext.cs
+18 b/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/ScopesDbContext.cs
+18
diff --git a/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/ScopesFakers.cs
+29 b/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/ScopesFakers.cs
+29
diff --git a/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/ScopesStartup.cs
+18 b/‎test/JsonApiDotNetCoreTests/IntegrationTests/Authorization/Scopes/ScopesStartup.cs
+18
diff --git a/‎test/JsonApiDotNetCoreTests/UnitTests/Queries/TestableQueryExpressionRewriter.cs
+1-1 b/‎test/JsonApiDotNetCoreTests/UnitTests/Queries/TestableQueryExpressionRewriter.cs
+1-1
@@ -34,7 +34,7 @@ public override QueryExpression DefaultVisit(QueryExpression expression, TArgume
         return null;
     }
 
-    public override QueryExpression? VisitResourceFieldChain(ResourceFieldChainExpression expression, TArgument argument)
+    public override QueryExpression VisitResourceFieldChain(ResourceFieldChainExpression expression, TArgument argument)
     {
         return expression;
     }
 
@@ -180,7 +180,7 @@ private sealed class FilterWalker : QueryExpressionRewriter<object?>
     {
         public bool HasFilterOnArchivedAt { get; private set; }
 
-        public override QueryExpression? VisitResourceFieldChain(ResourceFieldChainExpression expression, object? argument)
+        public override QueryExpression VisitResourceFieldChain(ResourceFieldChainExpression expression, object? argument)
         {
             if (expression.Fields[0].Property.Name == nameof(TelevisionBroadcast.ArchivedAt))
             {
 
@@ -0,0 +1,19 @@
+using JetBrains.Annotations;
+using JsonApiDotNetCore.Resources;
+using JsonApiDotNetCore.Resources.Annotations;
+
+namespace JsonApiDotNetCoreTests.IntegrationTests.Authorization.Scopes;
+
+[UsedImplicitly(ImplicitUseTargetFlags.Members)]
+[Resource(ControllerNamespace = "JsonApiDotNetCoreTests.IntegrationTests.Authorization.Scopes")]
+public sealed class Actor : Identifiable<long>
+{
+    [Attr]
+    public string Name { get; set; } = null!;
+
+    [Attr]
+    public DateTime BornAt { get; set; }
+
+    [HasMany]
+    public ISet<Movie> ActsIn { get; set; } = new HashSet<Movie>();
+}
@@ -0,0 +1,127 @@
+using System.Text;
+using JsonApiDotNetCore.Configuration;
+using JsonApiDotNetCore.Middleware;
+using JsonApiDotNetCore.Resources;
+using JsonApiDotNetCore.Resources.Annotations;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Primitives;
+
+namespace JsonApiDotNetCoreTests.IntegrationTests.Authorization.Scopes;
+
+internal sealed class AuthScopeSet
+{
+    private const StringSplitOptions ScopesHeaderSplitOptions = StringSplitOptions.TrimEntries | StringSplitOptions.RemoveEmptyEntries;
+
+    public const string ScopesHeaderName = "X-Auth-Scopes";
+
+    private readonly Dictionary<string, Permission> _scopes = new();
+
+    public static AuthScopeSet GetRequestedScopes(IHeaderDictionary requestHeaders)
+    {
+        var requestedScopes = new AuthScopeSet();
+
+        // In a real application, the scopes would be read from the signed ticket in the Authorization HTTP header.
+        // For simplicity, this sample allows the client to send them directly, which is obviously insecure.
+
+        if (requestHeaders.TryGetValue(ScopesHeaderName, out StringValues headerValue))
+        {
+            foreach (string scopeValue in headerValue.ToString().Split(' ', ScopesHeaderSplitOptions))
+            {
+                string[] scopeParts = scopeValue.Split(':', 2, ScopesHeaderSplitOptions);
+
+                if (scopeParts.Length == 2 && Enum.TryParse(scopeParts[0], true, out Permission permission) && Enum.IsDefined(permission))
+                {
+                    requestedScopes.Include(scopeParts[1], permission);
+                }
+            }
+        }
+
+        return requestedScopes;
+    }
+
+    public void IncludeFrom(IJsonApiRequest request, ITargetedFields targetedFields)
+    {
+        Permission permission = request.IsReadOnly ? Permission.Read : Permission.Write;
+
+        if (request.PrimaryResourceType != null)
+        {
+            Include(request.PrimaryResourceType, permission);
+        }
+
+        if (request.SecondaryResourceType != null)
+        {
+            Include(request.SecondaryResourceType, permission);
+        }
+
+        if (request.Relationship != null)
+        {
+            Include(request.Relationship, permission);
+        }
+
+        foreach (RelationshipAttribute relationship in targetedFields.Relationships)
+        {
+            Include(relationship, permission);
+        }
+    }
+
+    public void Include(ResourceType resourceType, Permission permission)
+    {
+        Include(resourceType.PublicName, permission);
+    }
+
+    public void Include(RelationshipAttribute relationship, Permission permission)
+    {
+        Include(relationship.LeftType, permission);
+        Include(relationship.RightType, permission);
+    }
+
+    private void Include(string name, Permission permission)
+    {
+        // Unify with existing entries. For example, adding read:movies when write:movies already exists is a no-op.
+
+        if (_scopes.TryGetValue(name, out Permission value))
+        {
+            if (value >= permission)
+            {
+                return;
+            }
+        }
+
+        _scopes[name] = permission;
+    }
+
+    public bool ContainsAll(AuthScopeSet other)
+    {
+        foreach (string otherName in other._scopes.Keys)
+        {
+            if (!_scopes.TryGetValue(otherName, out Permission thisPermission))
+            {
+                return false;
+            }
+
+            if (thisPermission < other._scopes[otherName])
+            {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    public override string ToString()
+    {
+        var builder = new StringBuilder();
+
+        foreach ((string name, Permission permission) in _scopes.OrderBy(scope => scope.Key))
+        {
+            if (builder.Length > 0)
+            {
+                builder.Append(' ');
+            }
+
+            builder.Append($"{permission.ToString().ToLowerInvariant()}:{name}");
+        }
+
+        return builder.ToString();
+    }
+}
@@ -0,0 +1,16 @@
+using JetBrains.Annotations;
+using JsonApiDotNetCore.Resources;
+using JsonApiDotNetCore.Resources.Annotations;
+
+namespace JsonApiDotNetCoreTests.IntegrationTests.Authorization.Scopes;
+
+[UsedImplicitly(ImplicitUseTargetFlags.Members)]
+[Resource(ControllerNamespace = "JsonApiDotNetCoreTests.IntegrationTests.Authorization.Scopes")]
+public sealed class Genre : Identifiable<long>
+{
+    [Attr]
+    public string Name { get; set; } = null!;
+
+    [HasMany]
+    public ISet<Movie> Movies { get; set; } = new HashSet<Movie>();
+}
@@ -0,0 +1,25 @@
+using JetBrains.Annotations;
+using JsonApiDotNetCore.Resources;
+using JsonApiDotNetCore.Resources.Annotations;
+
+namespace JsonApiDotNetCoreTests.IntegrationTests.Authorization.Scopes;
+
+[UsedImplicitly(ImplicitUseTargetFlags.Members)]
+[Resource(ControllerNamespace = "JsonApiDotNetCoreTests.IntegrationTests.Authorization.Scopes")]
+public sealed class Movie : Identifiable<long>
+{
+    [Attr]
+    public string Title { get; set; } = null!;
+
+    [Attr]
+    public int ReleaseYear { get; set; }
+
+    [Attr]
+    public int DurationInSeconds { get; set; }
+
+    [HasOne]
+    public Genre Genre { get; set; } = null!;
+
+    [HasMany]
+    public ISet<Actor> Cast { get; set; } = new HashSet<Actor>();
+}
@@ -0,0 +1,53 @@
+using System.Net;
+using JsonApiDotNetCore.AtomicOperations;
+using JsonApiDotNetCore.Configuration;
+using JsonApiDotNetCore.Controllers;
+using JsonApiDotNetCore.Middleware;
+using JsonApiDotNetCore.Resources;
+using JsonApiDotNetCore.Serialization.Objects;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Logging;
+
+namespace JsonApiDotNetCoreTests.IntegrationTests.Authorization.Scopes;
+
+public sealed class OperationsController : JsonApiOperationsController
+{
+    public OperationsController(IJsonApiOptions options, IResourceGraph resourceGraph, ILoggerFactory loggerFactory, IOperationsProcessor processor,
+        IJsonApiRequest request, ITargetedFields targetedFields)
+        : base(options, resourceGraph, loggerFactory, processor, request, targetedFields)
+    {
+    }
+
+    public override async Task<IActionResult> PostOperationsAsync(IList<OperationContainer> operations, CancellationToken cancellationToken)
+    {
+        AuthScopeSet requestedScopes = AuthScopeSet.GetRequestedScopes(HttpContext.Request.Headers);
+        AuthScopeSet requiredScopes = GetRequiredScopes(operations);
+
+        if (!requestedScopes.ContainsAll(requiredScopes))
+        {
+            return Error(new ErrorObject(HttpStatusCode.Unauthorized)
+            {
+                Title = "Insufficient permissions to perform this request.",
+                Detail = $"Performing this request requires the following scopes: {requiredScopes}.",
+                Source = new ErrorSource
+                {
+                    Header = AuthScopeSet.ScopesHeaderName
+                }
+            });
+        }
+
+        return await base.PostOperationsAsync(operations, cancellationToken);
+    }
+
+    private AuthScopeSet GetRequiredScopes(IEnumerable<OperationContainer> operations)
+    {
+        var requiredScopes = new AuthScopeSet();
+
+        foreach (OperationContainer operation in operations)
+        {
+            requiredScopes.IncludeFrom(operation.Request, operation.TargetedFields);
+        }
+
+        return requiredScopes;
+    }
+}
@@ -0,0 +1,9 @@
+namespace JsonApiDotNetCoreTests.IntegrationTests.Authorization.Scopes;
+
+internal enum Permission
+{
+    Read,
+
+    // Write access implicitly includes read access, because POST/PATCH in JSON:API may return the changed resource.
+    Write
+}
@@ -0,0 +1,343 @@
+using System.Net;
+using System.Net.Http.Headers;
+using FluentAssertions;
+using JsonApiDotNetCore.Serialization.Objects;
+using TestBuildingBlocks;
+using Xunit;
+
+namespace JsonApiDotNetCoreTests.IntegrationTests.Authorization.Scopes;
+
+public sealed class ScopeReadTests : IClassFixture<IntegrationTestContext<ScopesStartup<ScopesDbContext>, ScopesDbContext>>
+{
+    private const string ScopeHeaderName = "X-Auth-Scopes";
+    private readonly IntegrationTestContext<ScopesStartup<ScopesDbContext>, ScopesDbContext> _testContext;
+    private readonly ScopesFakers _fakers = new();
+
+    public ScopeReadTests(IntegrationTestContext<ScopesStartup<ScopesDbContext>, ScopesDbContext> testContext)
+    {
+        _testContext = testContext;
+
+        testContext.UseController<MoviesController>();
+        testContext.UseController<ActorsController>();
+        testContext.UseController<GenresController>();
+    }
+
+    [Fact]
+    public async Task Cannot_get_primary_resources_without_scopes()
+    {
+        // Arrange
+        const string route = "/movies";
+
+        // Act
+        (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecuteGetAsync<Document>(route);
+
+        // Assert
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.Unauthorized);
+
+        responseDocument.Errors.ShouldHaveCount(1);
+
+        ErrorObject error = responseDocument.Errors[0];
+        error.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
+        error.Title.Should().Be("Insufficient permissions to perform this request.");
+        error.Detail.Should().Be("Performing this request requires the following scopes: read:movies.");
+        error.Source.ShouldNotBeNull();
+        error.Source.Header.Should().Be(ScopeHeaderName);
+    }
+
+    [Fact]
+    public async Task Cannot_get_primary_resources_with_incorrect_scopes()
+    {
+        // Arrange
+        const string route = "/movies";
+
+        Action<HttpRequestHeaders> setRequestHeaders = headers => headers.Add(ScopeHeaderName, "read:actors write:genres");
+
+        // Act
+        (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecuteGetAsync<Document>(route, setRequestHeaders);
+
+        // Assert
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.Unauthorized);
+
+        responseDocument.Errors.ShouldHaveCount(1);
+
+        ErrorObject error = responseDocument.Errors[0];
+        error.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
+        error.Title.Should().Be("Insufficient permissions to perform this request.");
+        error.Detail.Should().Be("Performing this request requires the following scopes: read:movies.");
+        error.Source.ShouldNotBeNull();
+        error.Source.Header.Should().Be(ScopeHeaderName);
+    }
+
+    [Fact]
+    public async Task Can_get_primary_resources_with_correct_scope()
+    {
+        // Arrange
+        Movie movie = _fakers.Movie.Generate();
+        movie.Genre = _fakers.Genre.Generate();
+
+        await _testContext.RunOnDatabaseAsync(async dbContext =>
+        {
+            await dbContext.ClearTableAsync<Movie>();
+            dbContext.Movies.Add(movie);
+            await dbContext.SaveChangesAsync();
+        });
+
+        const string route = "/movies";
+
+        Action<HttpRequestHeaders> setRequestHeaders = headers => headers.Add(ScopeHeaderName, "read:movies");
+
+        // Act
+        (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecuteGetAsync<Document>(route, setRequestHeaders);
+
+        // Assert
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.OK);
+
+        responseDocument.Data.ManyValue.ShouldHaveCount(1);
+        responseDocument.Data.ManyValue[0].Type.Should().Be("movies");
+        responseDocument.Data.ManyValue[0].Id.Should().Be(movie.StringId);
+        responseDocument.Data.ManyValue[0].Attributes.ShouldNotBeEmpty();
+        responseDocument.Data.ManyValue[0].Relationships.ShouldNotBeEmpty();
+    }
+
+    [Fact]
+    public async Task Can_get_primary_resources_with_write_scope()
+    {
+        // Arrange
+        Genre genre = _fakers.Genre.Generate();
+
+        await _testContext.RunOnDatabaseAsync(async dbContext =>
+        {
+            await dbContext.ClearTableAsync<Genre>();
+            dbContext.Genres.Add(genre);
+            await dbContext.SaveChangesAsync();
+        });
+
+        const string route = "/genres";
+
+        Action<HttpRequestHeaders> setRequestHeaders = headers => headers.Add(ScopeHeaderName, "write:genres");
+
+        // Act
+        (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecuteGetAsync<Document>(route, setRequestHeaders);
+
+        // Assert
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.OK);
+
+        responseDocument.Data.ManyValue.ShouldHaveCount(1);
+        responseDocument.Data.ManyValue[0].Type.Should().Be("genres");
+        responseDocument.Data.ManyValue[0].Id.Should().Be(genre.StringId);
+        responseDocument.Data.ManyValue[0].Attributes.ShouldNotBeEmpty();
+        responseDocument.Data.ManyValue[0].Relationships.ShouldNotBeEmpty();
+    }
+
+    [Fact]
+    public async Task Can_get_primary_resources_with_redundant_scopes()
+    {
+        // Arrange
+        Actor actor = _fakers.Actor.Generate();
+
+        await _testContext.RunOnDatabaseAsync(async dbContext =>
+        {
+            await dbContext.ClearTableAsync<Actor>();
+            dbContext.Actors.Add(actor);
+            await dbContext.SaveChangesAsync();
+        });
+
+        const string route = "/actors";
+
+        Action<HttpRequestHeaders> setRequestHeaders = headers => headers.Add(ScopeHeaderName, "read:genres read:actors write:movies");
+
+        // Act
+        (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecuteGetAsync<Document>(route, setRequestHeaders);
+
+        // Assert
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.OK);
+
+        responseDocument.Data.ManyValue.ShouldHaveCount(1);
+        responseDocument.Data.ManyValue[0].Type.Should().Be("actors");
+        responseDocument.Data.ManyValue[0].Id.Should().Be(actor.StringId);
+        responseDocument.Data.ManyValue[0].Attributes.ShouldNotBeEmpty();
+        responseDocument.Data.ManyValue[0].Relationships.ShouldNotBeEmpty();
+    }
+
+    [Fact]
+    public async Task Cannot_get_primary_resource_without_scopes()
+    {
+        // Arrange
+        const string route = "/actors/1";
+
+        // Act
+        (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecuteGetAsync<Document>(route);
+
+        // Assert
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.Unauthorized);
+
+        responseDocument.Errors.ShouldHaveCount(1);
+
+        ErrorObject error = responseDocument.Errors[0];
+        error.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
+        error.Title.Should().Be("Insufficient permissions to perform this request.");
+        error.Detail.Should().Be("Performing this request requires the following scopes: read:actors.");
+        error.Source.ShouldNotBeNull();
+        error.Source.Header.Should().Be(ScopeHeaderName);
+    }
+
+    [Fact]
+    public async Task Cannot_get_secondary_resource_without_scopes()
+    {
+        // Arrange
+        const string route = "/movies/1/genre";
+
+        // Act
+        (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecuteGetAsync<Document>(route);
+
+        // Assert
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.Unauthorized);
+
+        responseDocument.Errors.ShouldHaveCount(1);
+
+        ErrorObject error = responseDocument.Errors[0];
+        error.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
+        error.Title.Should().Be("Insufficient permissions to perform this request.");
+        error.Detail.Should().Be("Performing this request requires the following scopes: read:genres read:movies.");
+        error.Source.ShouldNotBeNull();
+        error.Source.Header.Should().Be(ScopeHeaderName);
+    }
+
+    [Fact]
+    public async Task Cannot_get_secondary_resources_without_scopes()
+    {
+        // Arrange
+        const string route = "/genres/1/movies";
+
+        // Act
+        (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecuteGetAsync<Document>(route);
+
+        // Assert
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.Unauthorized);
+
+        responseDocument.Errors.ShouldHaveCount(1);
+
+        ErrorObject error = responseDocument.Errors[0];
+        error.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
+        error.Title.Should().Be("Insufficient permissions to perform this request.");
+        error.Detail.Should().Be("Performing this request requires the following scopes: read:genres read:movies.");
+        error.Source.ShouldNotBeNull();
+        error.Source.Header.Should().Be(ScopeHeaderName);
+    }
+
+    [Fact]
+    public async Task Cannot_get_ToOne_relationship_without_scopes()
+    {
+        // Arrange
+        const string route = "/movies/1/relationships/genre";
+
+        // Act
+        (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecuteGetAsync<Document>(route);
+
+        // Assert
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.Unauthorized);
+
+        responseDocument.Errors.ShouldHaveCount(1);
+
+        ErrorObject error = responseDocument.Errors[0];
+        error.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
+        error.Title.Should().Be("Insufficient permissions to perform this request.");
+        error.Detail.Should().Be("Performing this request requires the following scopes: read:genres read:movies.");
+        error.Source.ShouldNotBeNull();
+        error.Source.Header.Should().Be(ScopeHeaderName);
+    }
+
+    [Fact]
+    public async Task Cannot_get_ToMany_relationship_without_scopes()
+    {
+        // Arrange
+        const string route = "/genres/1/relationships/movies";
+
+        // Act
+        (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecuteGetAsync<Document>(route);
+
+        // Assert
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.Unauthorized);
+
+        responseDocument.Errors.ShouldHaveCount(1);
+
+        ErrorObject error = responseDocument.Errors[0];
+        error.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
+        error.Title.Should().Be("Insufficient permissions to perform this request.");
+        error.Detail.Should().Be("Performing this request requires the following scopes: read:genres read:movies.");
+        error.Source.ShouldNotBeNull();
+        error.Source.Header.Should().Be(ScopeHeaderName);
+    }
+
+    [Fact]
+    public async Task Cannot_include_with_insufficient_scopes()
+    {
+        // Arrange
+        const string route = "/movies?include=genre,cast";
+
+        Action<HttpRequestHeaders> setRequestHeaders = headers => headers.Add(ScopeHeaderName, "read:movies");
+
+        // Act
+        (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecuteGetAsync<Document>(route, setRequestHeaders);
+
+        // Assert
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.Unauthorized);
+
+        responseDocument.Errors.ShouldHaveCount(1);
+
+        ErrorObject error = responseDocument.Errors[0];
+        error.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
+        error.Title.Should().Be("Insufficient permissions to perform this request.");
+        error.Detail.Should().Be("Performing this request requires the following scopes: read:actors read:genres read:movies.");
+        error.Source.ShouldNotBeNull();
+        error.Source.Header.Should().Be(ScopeHeaderName);
+    }
+
+    [Fact]
+    public async Task Cannot_filter_with_insufficient_scopes()
+    {
+        // Arrange
+        const string route = "/movies?filter=and(has(cast),equals(genre.name,'some'))";
+
+        Action<HttpRequestHeaders> setRequestHeaders = headers => headers.Add(ScopeHeaderName, "read:movies");
+
+        // Act
+        (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecuteGetAsync<Document>(route, setRequestHeaders);
+
+        // Assert
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.Unauthorized);
+
+        responseDocument.Errors.ShouldHaveCount(1);
+
+        ErrorObject error = responseDocument.Errors[0];
+        error.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
+        error.Title.Should().Be("Insufficient permissions to perform this request.");
+        error.Detail.Should().Be("Performing this request requires the following scopes: read:actors read:genres read:movies.");
+        error.Source.ShouldNotBeNull();
+        error.Source.Header.Should().Be(ScopeHeaderName);
+    }
+
+    [Fact]
+    public async Task Cannot_sort_with_insufficient_scopes()
+    {
+        // Arrange
+        const string route = "/movies?sort=count(cast),genre.name";
+
+        Action<HttpRequestHeaders> setRequestHeaders = headers => headers.Add(ScopeHeaderName, "read:movies");
+
+        // Act
+        (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecuteGetAsync<Document>(route, setRequestHeaders);
+
+        // Assert
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.Unauthorized);
+
+        responseDocument.Errors.ShouldHaveCount(1);
+
+        ErrorObject error = responseDocument.Errors[0];
+        error.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
+        error.Title.Should().Be("Insufficient permissions to perform this request.");
+        error.Detail.Should().Be("Performing this request requires the following scopes: read:actors read:genres read:movies.");
+        error.Source.ShouldNotBeNull();
+        error.Source.Header.Should().Be(ScopeHeaderName);
+    }
+}
@@ -0,0 +1,104 @@
+using System.Net;
+using JetBrains.Annotations;
+using JsonApiDotNetCore.Middleware;
+using JsonApiDotNetCore.Queries;
+using JsonApiDotNetCore.Queries.Expressions;
+using JsonApiDotNetCore.Resources;
+using JsonApiDotNetCore.Resources.Annotations;
+using JsonApiDotNetCore.Serialization.Objects;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace JsonApiDotNetCoreTests.IntegrationTests.Authorization.Scopes;
+
+// Implements IActionFilter instead of IAuthorizationFilter because it needs to execute *after* parsing query string parameters.
+[UsedImplicitly(ImplicitUseKindFlags.InstantiatedNoFixedConstructorSignature)]
+internal sealed class ScopesAuthorizationFilter : IActionFilter
+{
+    public void OnActionExecuting(ActionExecutingContext context)
+    {
+        var request = context.HttpContext.RequestServices.GetRequiredService<IJsonApiRequest>();
+        var targetedFields = context.HttpContext.RequestServices.GetRequiredService<ITargetedFields>();
+        var constraintProviders = context.HttpContext.RequestServices.GetRequiredService<IEnumerable<IQueryConstraintProvider>>();
+
+        if (request.Kind == EndpointKind.AtomicOperations)
+        {
+            // Handled in operators controller, because it requires access to the individual operations.
+            return;
+        }
+
+        AuthScopeSet requestedScopes = AuthScopeSet.GetRequestedScopes(context.HttpContext.Request.Headers);
+        AuthScopeSet requiredScopes = GetRequiredScopes(request, targetedFields, constraintProviders);
+
+        if (!requestedScopes.ContainsAll(requiredScopes))
+        {
+            context.Result = new UnauthorizedObjectResult(new ErrorObject(HttpStatusCode.Unauthorized)
+            {
+                Title = "Insufficient permissions to perform this request.",
+                Detail = $"Performing this request requires the following scopes: {requiredScopes}.",
+                Source = new ErrorSource
+                {
+                    Header = AuthScopeSet.ScopesHeaderName
+                }
+            });
+        }
+    }
+
+    public void OnActionExecuted(ActionExecutedContext context)
+    {
+    }
+
+    private AuthScopeSet GetRequiredScopes(IJsonApiRequest request, ITargetedFields targetedFields, IEnumerable<IQueryConstraintProvider> constraintProviders)
+    {
+        var requiredScopes = new AuthScopeSet();
+        requiredScopes.IncludeFrom(request, targetedFields);
+
+        var walker = new QueryStringWalker(requiredScopes);
+        walker.IncludeScopesFrom(constraintProviders);
+
+        return requiredScopes;
+    }
+
+    private sealed class QueryStringWalker : QueryExpressionRewriter<object?>
+    {
+        private readonly AuthScopeSet _authScopeSet;
+
+        public QueryStringWalker(AuthScopeSet authScopeSet)
+        {
+            _authScopeSet = authScopeSet;
+        }
+
+        public void IncludeScopesFrom(IEnumerable<IQueryConstraintProvider> constraintProviders)
+        {
+            foreach (ExpressionInScope constraint in constraintProviders.SelectMany(provider => provider.GetConstraints()))
+            {
+                Visit(constraint.Expression, null);
+            }
+        }
+
+        public override QueryExpression VisitIncludeElement(IncludeElementExpression expression, object? argument)
+        {
+            _authScopeSet.Include(expression.Relationship, Permission.Read);
+
+            return base.VisitIncludeElement(expression, argument);
+        }
+
+        public override QueryExpression VisitResourceFieldChain(ResourceFieldChainExpression expression, object? argument)
+        {
+            foreach (ResourceFieldAttribute field in expression.Fields)
+            {
+                if (field is RelationshipAttribute relationship)
+                {
+                    _authScopeSet.Include(relationship, Permission.Read);
+                }
+                else
+                {
+                    _authScopeSet.Include(field.Type, Permission.Read);
+                }
+            }
+
+            return base.VisitResourceFieldChain(expression, argument);
+        }
+    }
+}
@@ -0,0 +1,18 @@
+using JetBrains.Annotations;
+using Microsoft.EntityFrameworkCore;
+using TestBuildingBlocks;
+
+namespace JsonApiDotNetCoreTests.IntegrationTests.Authorization.Scopes;
+
+[UsedImplicitly(ImplicitUseTargetFlags.Members)]
+public sealed class ScopesDbContext : TestableDbContext
+{
+    public DbSet<Movie> Movies => Set<Movie>();
+    public DbSet<Actor> Actors => Set<Actor>();
+    public DbSet<Genre> Genres => Set<Genre>();
+
+    public ScopesDbContext(DbContextOptions<ScopesDbContext> options)
+        : base(options)
+    {
+    }
+}
@@ -0,0 +1,29 @@
+using Bogus;
+using TestBuildingBlocks;
+
+// @formatter:wrap_chained_method_calls chop_if_long
+// @formatter:wrap_before_first_method_call true
+
+namespace JsonApiDotNetCoreTests.IntegrationTests.Authorization.Scopes;
+
+internal sealed class ScopesFakers : FakerContainer
+{
+    private readonly Lazy<Faker<Movie>> _lazyMovieFaker = new(() => new Faker<Movie>()
+        .UseSeed(GetFakerSeed())
+        .RuleFor(movie => movie.Title, faker => faker.Random.Words())
+        .RuleFor(movie => movie.ReleaseYear, faker => faker.Random.Int(1900, 2050))
+        .RuleFor(movie => movie.DurationInSeconds, faker => faker.Random.Int(300, 14400)));
+
+    private readonly Lazy<Faker<Actor>> _lazyActorFaker = new(() => new Faker<Actor>()
+        .UseSeed(GetFakerSeed())
+        .RuleFor(actor => actor.Name, faker => faker.Person.FullName)
+        .RuleFor(actor => actor.BornAt, faker => faker.Date.Past()));
+
+    private readonly Lazy<Faker<Genre>> _lazyGenreFaker = new(() => new Faker<Genre>()
+        .UseSeed(GetFakerSeed())
+        .RuleFor(genre => genre.Name, faker => faker.Random.Word()));
+
+    public Faker<Movie> Movie => _lazyMovieFaker.Value;
+    public Faker<Actor> Actor => _lazyActorFaker.Value;
+    public Faker<Genre> Genre => _lazyGenreFaker.Value;
+}
@@ -0,0 +1,18 @@
+using JetBrains.Annotations;
+using JsonApiDotNetCore.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using TestBuildingBlocks;
+
+namespace JsonApiDotNetCoreTests.IntegrationTests.Authorization.Scopes;
+
+[UsedImplicitly(ImplicitUseKindFlags.InstantiatedNoFixedConstructorSignature)]
+public sealed class ScopesStartup<TDbContext> : TestableStartup<TDbContext>
+    where TDbContext : TestableDbContext
+{
+    public override void ConfigureServices(IServiceCollection services)
+    {
+        IMvcCoreBuilder mvcBuilder = services.AddMvcCore(options => options.Filters.Add<ScopesAuthorizationFilter>(int.MaxValue));
+
+        services.AddJsonApi<TDbContext>(SetJsonApiOptions, mvcBuilder: mvcBuilder);
+    }
+}
@@ -18,7 +18,7 @@ public override QueryExpression DefaultVisit(QueryExpression expression, object?
         return base.VisitComparison(expression, argument);
     }
 
-    public override QueryExpression? VisitResourceFieldChain(ResourceFieldChainExpression expression, object? argument)
+    public override QueryExpression VisitResourceFieldChain(ResourceFieldChainExpression expression, object? argument)
     {
         Capture(expression);
         return base.VisitResourceFieldChain(expression, argument);
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ public override QueryExpression DefaultVisit(QueryExpression expression, TArgume`
`34`	`34`	`return null;`
`35`	`35`	`}`
`36`	`36`
`37`		`- public override QueryExpression? VisitResourceFieldChain(ResourceFieldChainExpression expression, TArgument argument)`
	`37`	`+ public override QueryExpression VisitResourceFieldChain(ResourceFieldChainExpression expression, TArgument argument)`
`38`	`38`	`{`
`39`	`39`	`return expression;`
`40`	`40`	`}`
Original file line number	Diff line number	Diff line change
`@@ -180,7 +180,7 @@ private sealed class FilterWalker : QueryExpressionRewriter<object?>`
`180`	`180`	`{`
`181`	`181`	`public bool HasFilterOnArchivedAt { get; private set; }`
`182`	`182`
`183`		`- public override QueryExpression? VisitResourceFieldChain(ResourceFieldChainExpression expression, object? argument)`
	`183`	`+ public override QueryExpression VisitResourceFieldChain(ResourceFieldChainExpression expression, object? argument)`
`184`	`184`	`{`
`185`	`185`	`if (expression.Fields[0].Property.Name == nameof(TelevisionBroadcast.ArchivedAt))`
`186`	`186`	`{`
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ public override QueryExpression DefaultVisit(QueryExpression expression, object?`
`18`	`18`	`return base.VisitComparison(expression, argument);`
`19`	`19`	`}`
`20`	`20`
`21`		`- public override QueryExpression? VisitResourceFieldChain(ResourceFieldChainExpression expression, object? argument)`
	`21`	`+ public override QueryExpression VisitResourceFieldChain(ResourceFieldChainExpression expression, object? argument)`
`22`	`22`	`{`
`23`	`23`	`Capture(expression);`
`24`	`24`	`return base.VisitResourceFieldChain(expression, argument);`