Foxchat.NET/Foxchat.Chat/Middleware/AuthenticationMiddleware.cs

using Foxchat.Chat.Database;
using Foxchat.Chat.Database.Models;
using Foxchat.Core;
using Foxchat.Core.Federation;
using Microsoft.EntityFrameworkCore;

namespace Foxchat.Chat.Middleware;

public class AuthenticationMiddleware(ILogger logger, ChatContext db, RequestSigningService requestSigningService)
    : IMiddleware
{
    public async Task InvokeAsync(HttpContext ctx, RequestDelegate next)
    {
        var endpoint = ctx.GetEndpoint();
        // Endpoints require server authentication by default, unless they have the [Unauthenticated] attribute.
        var metadata = endpoint?.Metadata.GetMetadata<UnauthenticatedAttribute>();
        if (metadata != null)
        {
            await next(ctx);
            return;
        }

        if (!ExtractRequestData(ctx, out var signature, out var domain, out var signatureData))
            throw new ApiError.IncomingFederationError("This endpoint requires signed requests.");

        var instance = await GetInstanceAsync(domain);

        if (!requestSigningService.VerifySignature(instance.PublicKey, signature, signatureData))
            throw new ApiError.IncomingFederationError("Signature is not valid.");
        
        ctx.SetSignature(instance, signatureData);

        await next(ctx);
    }

    private async Task<IdentityInstance> GetInstanceAsync(string domain)
    {
        return await db.IdentityInstances.FirstOrDefaultAsync(i => i.Domain == domain)
               ?? throw new ApiError.IncomingFederationError("Remote instance is not known.");
    }

    private bool ExtractRequestData(HttpContext ctx, out string signature, out string domain, out SignatureData data)
    {
        signature = string.Empty;
        domain = string.Empty;
        data = SignatureData.Empty;

        if (!ctx.Request.Headers.TryGetValue(RequestSigningService.SIGNATURE_HEADER, out var encodedSignature))
            return false;
        if (!ctx.Request.Headers.TryGetValue(RequestSigningService.DATE_HEADER, out var date))
            return false;
        if (!ctx.Request.Headers.TryGetValue(RequestSigningService.SERVER_HEADER, out var server))
            return false;
        var time = RequestSigningService.ParseTime(date.ToString());
        string? userId = null;
        if (ctx.Request.Headers.TryGetValue(RequestSigningService.USER_HEADER, out var userIdHeader))
            userId = userIdHeader;
        var host = ctx.Request.Headers.Host.ToString();

        signature = encodedSignature.ToString();
        domain = server.ToString();
        data = new SignatureData(
            time,
            host,
            ctx.Request.Path,
            (int?)ctx.Request.Headers.ContentLength,
            userId
        );

        return true;
    }
}

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class UnauthenticatedAttribute : Attribute;

public static class HttpContextExtensions
{
    private const string Key = "instance";

    public static void SetSignature(this HttpContext ctx, IdentityInstance instance, SignatureData data)
    {
        ctx.Items.Add(Key, (instance, data));
    }

    public static (IdentityInstance?, SignatureData?) GetSignature(this HttpContext ctx)
    {
        try
        {
            var obj = ctx.GetSignatureOrThrow();
            return (obj.Item1, obj.Item2);
        }
        catch
        {
            return (null, null);
        }
    }

    public static (IdentityInstance, SignatureData) GetSignatureOrThrow(this HttpContext ctx)
    {
        if (!ctx.Items.TryGetValue(Key, out var obj))
            throw new ApiError.AuthenticationError("No instance in HttpContext");

        return ((IdentityInstance, SignatureData))obj!;
    }
}
chat: add database types and auth middleware 2024-05-21 16:41:01 +02:00			`using Foxchat.Chat.Database;`
			`using Foxchat.Chat.Database.Models;`
			`using Foxchat.Core;`
			`using Foxchat.Core.Federation;`
			`using Microsoft.EntityFrameworkCore;`

			`namespace Foxchat.Chat.Middleware;`

			`public class AuthenticationMiddleware(ILogger logger, ChatContext db, RequestSigningService requestSigningService)`
			`: IMiddleware`
			`{`
			`public async Task InvokeAsync(HttpContext ctx, RequestDelegate next)`
			`{`
			`var endpoint = ctx.GetEndpoint();`
			`// Endpoints require server authentication by default, unless they have the [Unauthenticated] attribute.`
			`var metadata = endpoint?.Metadata.GetMetadata<UnauthenticatedAttribute>();`
			`if (metadata != null)`
			`{`
			`await next(ctx);`
			`return;`
			`}`

			`if (!ExtractRequestData(ctx, out var signature, out var domain, out var signatureData))`
			`throw new ApiError.IncomingFederationError("This endpoint requires signed requests.");`

			`var instance = await GetInstanceAsync(domain);`

			`if (!requestSigningService.VerifySignature(instance.PublicKey, signature, signatureData))`
			`throw new ApiError.IncomingFederationError("Signature is not valid.");`

			`ctx.SetSignature(instance, signatureData);`

			`await next(ctx);`
			`}`

			`private async Task<IdentityInstance> GetInstanceAsync(string domain)`
			`{`
			`return await db.IdentityInstances.FirstOrDefaultAsync(i => i.Domain == domain)`
			`?? throw new ApiError.IncomingFederationError("Remote instance is not known.");`
			`}`

			`private bool ExtractRequestData(HttpContext ctx, out string signature, out string domain, out SignatureData data)`
			`{`
			`signature = string.Empty;`
			`domain = string.Empty;`
			`data = SignatureData.Empty;`

			`if (!ctx.Request.Headers.TryGetValue(RequestSigningService.SIGNATURE_HEADER, out var encodedSignature))`
			`return false;`
			`if (!ctx.Request.Headers.TryGetValue(RequestSigningService.DATE_HEADER, out var date))`
			`return false;`
			`if (!ctx.Request.Headers.TryGetValue(RequestSigningService.SERVER_HEADER, out var server))`
			`return false;`
			`var time = RequestSigningService.ParseTime(date.ToString());`
			`string? userId = null;`
			`if (ctx.Request.Headers.TryGetValue(RequestSigningService.USER_HEADER, out var userIdHeader))`
			`userId = userIdHeader;`
			`var host = ctx.Request.Headers.Host.ToString();`

			`signature = encodedSignature.ToString();`
			`domain = server.ToString();`
			`data = new SignatureData(`
			`time,`
			`host,`
			`ctx.Request.Path,`
			`(int?)ctx.Request.Headers.ContentLength,`
			`userId`
			`);`

			`return true;`
			`}`
			`}`

			`[AttributeUsage(AttributeTargets.Class \| AttributeTargets.Method)]`
			`public class UnauthenticatedAttribute : Attribute;`

			`public static class HttpContextExtensions`
			`{`
			`private const string Key = "instance";`

			`public static void SetSignature(this HttpContext ctx, IdentityInstance instance, SignatureData data)`
			`{`
			`ctx.Items.Add(Key, (instance, data));`
			`}`

			`public static (IdentityInstance?, SignatureData?) GetSignature(this HttpContext ctx)`
			`{`
			`try`
			`{`
			`var obj = ctx.GetSignatureOrThrow();`
			`return (obj.Item1, obj.Item2);`
			`}`
			`catch`
			`{`
			`return (null, null);`
			`}`
			`}`

			`public static (IdentityInstance, SignatureData) GetSignatureOrThrow(this HttpContext ctx)`
			`{`
			`if (!ctx.Items.TryGetValue(Key, out var obj))`
			`throw new ApiError.AuthenticationError("No instance in HttpContext");`

			`return ((IdentityInstance, SignatureData))obj!;`
			`}`
			`}`