Foxchat.NET/Foxchat.Chat/Middleware/AuthenticationMiddleware.cs

106 lines
No EOL
3.6 KiB
C#

using Foxchat.Chat.Database;
using Foxchat.Chat.Database.Models;
using Foxchat.Core;
using Foxchat.Core.Federation;
using Microsoft.EntityFrameworkCore;
namespace Foxchat.Chat.Middleware;
public class AuthenticationMiddleware(ILogger logger, ChatContext db, RequestSigningService requestSigningService)
: IMiddleware
{
public async Task InvokeAsync(HttpContext ctx, RequestDelegate next)
{
var endpoint = ctx.GetEndpoint();
// Endpoints require server authentication by default, unless they have the [Unauthenticated] attribute.
var metadata = endpoint?.Metadata.GetMetadata<UnauthenticatedAttribute>();
if (metadata != null)
{
await next(ctx);
return;
}
if (!ExtractRequestData(ctx, out var signature, out var domain, out var signatureData))
throw new ApiError.IncomingFederationError("This endpoint requires signed requests.");
var instance = await GetInstanceAsync(domain);
if (!requestSigningService.VerifySignature(instance.PublicKey, signature, signatureData))
throw new ApiError.IncomingFederationError("Signature is not valid.");
ctx.SetSignature(instance, signatureData);
await next(ctx);
}
private async Task<IdentityInstance> GetInstanceAsync(string domain)
{
return await db.IdentityInstances.FirstOrDefaultAsync(i => i.Domain == domain)
?? throw new ApiError.IncomingFederationError("Remote instance is not known.");
}
private bool ExtractRequestData(HttpContext ctx, out string signature, out string domain, out SignatureData data)
{
signature = string.Empty;
domain = string.Empty;
data = SignatureData.Empty;
if (!ctx.Request.Headers.TryGetValue(RequestSigningService.SIGNATURE_HEADER, out var encodedSignature))
return false;
if (!ctx.Request.Headers.TryGetValue(RequestSigningService.DATE_HEADER, out var date))
return false;
if (!ctx.Request.Headers.TryGetValue(RequestSigningService.SERVER_HEADER, out var server))
return false;
var time = RequestSigningService.ParseTime(date.ToString());
string? userId = null;
if (ctx.Request.Headers.TryGetValue(RequestSigningService.USER_HEADER, out var userIdHeader))
userId = userIdHeader;
var host = ctx.Request.Headers.Host.ToString();
signature = encodedSignature.ToString();
domain = server.ToString();
data = new SignatureData(
time,
host,
ctx.Request.Path,
(int?)ctx.Request.Headers.ContentLength,
userId
);
return true;
}
}
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class UnauthenticatedAttribute : Attribute;
public static class HttpContextExtensions
{
private const string Key = "instance";
public static void SetSignature(this HttpContext ctx, IdentityInstance instance, SignatureData data)
{
ctx.Items.Add(Key, (instance, data));
}
public static (IdentityInstance?, SignatureData?) GetSignature(this HttpContext ctx)
{
try
{
var obj = ctx.GetSignatureOrThrow();
return (obj.Item1, obj.Item2);
}
catch
{
return (null, null);
}
}
public static (IdentityInstance, SignatureData) GetSignatureOrThrow(this HttpContext ctx)
{
if (!ctx.Items.TryGetValue(Key, out var obj))
throw new ApiError.AuthenticationError("No instance in HttpContext");
return ((IdentityInstance, SignatureData))obj!;
}
}