Foxnouns.NET/Foxnouns.Backend/Utils/AuthUtils.cs

// Copyright (C) 2023-present sam/u1f320 (vulpine.solutions)
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published
// by the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <https://www.gnu.org/licenses/>.
using System.Security.Cryptography;
using Foxnouns.Backend.Database.Models;

namespace Foxnouns.Backend.Utils;

public static class AuthUtils
{
    public const string ClientCredentials = "client_credentials";
    public const string AuthorizationCode = "authorization_code";
    private static readonly string[] ForbiddenSchemes =
    [
        "javascript",
        "file",
        "data",
        "mailto",
        "tel",
    ];

    public static readonly string[] UserScopes =
    [
        "user.read_hidden",
        "user.read_privileged",
        "user.update",
        "user.read_flags",
        "user.create_flags",
        "user.update_flags",
        "user.moderation",
    ];

    public static readonly string[] MemberScopes =
    [
        "member.read",
        "member.update",
        "member.create",
    ];

    /// <summary>
    /// All scopes endpoints can be secured by. This does *not* include the catch-all token scopes.
    /// </summary>
    public static readonly string[] Scopes = ["identify", .. UserScopes, .. MemberScopes];

    /// <summary>
    /// All scopes that can be granted to applications and tokens. Includes the catch-all token scopes,
    /// except for "*" which is only granted to the frontend.
    /// </summary>
    public static readonly string[] ApplicationScopes = [.. Scopes, "user", "member"];

    public static string[] ExpandScopes(this string[] scopes)
    {
        if (scopes.Contains("*"))
            return ["*", .. Scopes];
        List<string> expandedScopes = ["identify"];
        if (scopes.Contains("user"))
            expandedScopes.AddRange(UserScopes);
        if (scopes.Contains("member"))
            expandedScopes.AddRange(MemberScopes);

        return expandedScopes.ToArray();
    }

    public static bool HasScope(this Token? token, string scope) =>
        token?.Scopes.ExpandScopes().Contains(scope) == true;

    private static string[] ExpandAppScopes(this string[] scopes)
    {
        var expandedScopes = scopes.ExpandScopes().ToList();
        if (scopes.Contains("user"))
            expandedScopes.Add("user");
        if (scopes.Contains("member"))
            expandedScopes.Add("member");
        return expandedScopes.ToArray();
    }

    public static bool ValidateScopes(Application application, string[] scopes)
    {
        string[] expandedScopes = scopes.ExpandScopes();
        string[] appScopes = application.Scopes.ExpandAppScopes();
        return !expandedScopes.Except(appScopes).Any();
    }

    public static bool ValidateRedirectUri(string uri)
    {
        try
        {
            string scheme = new Uri(uri).Scheme;
            return !ForbiddenSchemes.Contains(scheme);
        }
        catch
        {
            return false;
        }
    }

    public static bool TryFromBase64String(string b64, out byte[] bytes)
    {
        try
        {
            bytes = Convert.FromBase64String(b64);
            return true;
        }
        catch
        {
            bytes = [];
            return false;
        }
    }

    public static bool TryParseToken(string? input, out byte[] rawToken)
    {
        rawToken = [];

        if (string.IsNullOrWhiteSpace(input))
            return false;
        if (input.StartsWith("bearer ", StringComparison.InvariantCultureIgnoreCase))
            input = input["bearer ".Length..];

        return TryFromBase64String(input, out rawToken);
    }

    public static string RandomUrlUnsafeToken(int bytes = 48) =>
        Convert.ToBase64String(RandomNumberGenerator.GetBytes(bytes)).Trim('=');

    public static string RandomToken(int bytes = 48) =>
        RandomUrlUnsafeToken()
            // Make the token URL-safe
            .Replace('+', '-')
            .Replace('/', '_');

    public const int MaxAuthMethodsPerType = 3; // Maximum of 3 Discord accounts, 3 emails, etc
}
chore: add license headers to all c# files 2024-12-09 21:11:46 +01:00			`// Copyright (C) 2023-present sam/u1f320 (vulpine.solutions)`
			`//`
			`// This program is free software: you can redistribute it and/or modify`
			`// it under the terms of the GNU Affero General Public License as published`
			`// by the Free Software Foundation, either version 3 of the License, or`
			`// (at your option) any later version.`
			`//`
			`// This program is distributed in the hope that it will be useful,`
			`// but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`// GNU Affero General Public License for more details.`
			`//`
			`// You should have received a copy of the GNU Affero General Public License`
			`// along with this program. If not, see <https://www.gnu.org/licenses/>.`
add a bunch of stuff copied from Foxchat.NET 2024-05-28 15:29:18 +02:00			`using System.Security.Cryptography;`
feat: add debug registration endpoint, fix snowflake serialization 2024-06-04 17:38:59 +02:00			`using Foxnouns.Backend.Database.Models;`
add a bunch of stuff copied from Foxchat.NET 2024-05-28 15:29:18 +02:00
			`namespace Foxnouns.Backend.Utils;`

too many things to list (notably, user avatar update) 2024-07-08 19:03:04 +02:00			`public static class AuthUtils`
add a bunch of stuff copied from Foxchat.NET 2024-05-28 15:29:18 +02:00			`{`
			`public const string ClientCredentials = "client_credentials";`
			`public const string AuthorizationCode = "authorization_code";`
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`private static readonly string[] ForbiddenSchemes =`
			`[`
			`"javascript",`
			`"file",`
			`"data",`
			`"mailto",`
			`"tel",`
			`];`
add a bunch of stuff copied from Foxchat.NET 2024-05-28 15:29:18 +02:00
			`public static readonly string[] UserScopes =`
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`[`
			`"user.read_hidden",`
			`"user.read_privileged",`
			`"user.update",`
feat(backend): allow suspended users to access some endpoints, add flag scopes 2024-12-11 16:54:06 +01:00			`"user.read_flags",`
			`"user.create_flags",`
			`"user.update_flags",`
feat: moderation API 2024-12-17 17:52:32 +01:00			`"user.moderation",`
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`];`

			`public static readonly string[] MemberScopes =`
			`[`
			`"member.read",`
			`"member.update",`
			`"member.create",`
			`];`
add a bunch of stuff copied from Foxchat.NET 2024-05-28 15:29:18 +02:00
			`/// <summary>`
			`/// All scopes endpoints can be secured by. This does not include the catch-all token scopes.`
			`/// </summary>`
feat: add PATCH request support, expand PATCH /users/@me, serialize enums correctly 2024-07-12 17:12:24 +02:00			`public static readonly string[] Scopes = ["identify", .. UserScopes, .. MemberScopes];`
add a bunch of stuff copied from Foxchat.NET 2024-05-28 15:29:18 +02:00
			`/// <summary>`
			`/// All scopes that can be granted to applications and tokens. Includes the catch-all token scopes,`
			`/// except for "*" which is only granted to the frontend.`
			`/// </summary>`
feat: add PATCH request support, expand PATCH /users/@me, serialize enums correctly 2024-07-12 17:12:24 +02:00			`public static readonly string[] ApplicationScopes = [.. Scopes, "user", "member"];`
add a bunch of stuff copied from Foxchat.NET 2024-05-28 15:29:18 +02:00
			`public static string[] ExpandScopes(this string[] scopes)`
			`{`
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`if (scopes.Contains("*"))`
			`return ["*", .. Scopes];`
add a bunch of stuff copied from Foxchat.NET 2024-05-28 15:29:18 +02:00			`List<string> expandedScopes = ["identify"];`
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`if (scopes.Contains("user"))`
			`expandedScopes.AddRange(UserScopes);`
			`if (scopes.Contains("member"))`
			`expandedScopes.AddRange(MemberScopes);`
add a bunch of stuff copied from Foxchat.NET 2024-05-28 15:29:18 +02:00
			`return expandedScopes.ToArray();`
			`}`

feat: add PATCH request support, expand PATCH /users/@me, serialize enums correctly 2024-07-12 17:12:24 +02:00			`public static bool HasScope(this Token? token, string scope) =>`
			`token?.Scopes.ExpandScopes().Contains(scope) == true;`

feat: add debug registration endpoint, fix snowflake serialization 2024-06-04 17:38:59 +02:00			`private static string[] ExpandAppScopes(this string[] scopes)`
			`{`
			`var expandedScopes = scopes.ExpandScopes().ToList();`
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`if (scopes.Contains("user"))`
			`expandedScopes.Add("user");`
			`if (scopes.Contains("member"))`
			`expandedScopes.Add("member");`
feat: add debug registration endpoint, fix snowflake serialization 2024-06-04 17:38:59 +02:00			`return expandedScopes.ToArray();`
			`}`

			`public static bool ValidateScopes(Application application, string[] scopes)`
			`{`
refactor(backend): use explicit types instead of var by default 2024-12-08 15:07:25 +01:00			`string[] expandedScopes = scopes.ExpandScopes();`
			`string[] appScopes = application.Scopes.ExpandAppScopes();`
feat: add debug registration endpoint, fix snowflake serialization 2024-06-04 17:38:59 +02:00			`return !expandedScopes.Except(appScopes).Any();`
			`}`

add a bunch of stuff copied from Foxchat.NET 2024-05-28 15:29:18 +02:00			`public static bool ValidateRedirectUri(string uri)`
			`{`
			`try`
			`{`
refactor(backend): use explicit types instead of var by default 2024-12-08 15:07:25 +01:00			`string scheme = new Uri(uri).Scheme;`
add a bunch of stuff copied from Foxchat.NET 2024-05-28 15:29:18 +02:00			`return !ForbiddenSchemes.Contains(scheme);`
			`}`
			`catch`
			`{`
			`return false;`
			`}`
			`}`

			`public static bool TryFromBase64String(string b64, out byte[] bytes)`
			`{`
			`try`
			`{`
			`bytes = Convert.FromBase64String(b64);`
			`return true;`
			`}`
feat(backend): add member GET endpoints, POST /users/@me/members endpoint 2024-07-13 19:38:40 +02:00			`catch`
add a bunch of stuff copied from Foxchat.NET 2024-05-28 15:29:18 +02:00			`{`
			`bytes = [];`
			`return false;`
			`}`
			`}`
feat(backend): return unlisted status in partial member for authenticated users 2024-09-25 19:48:05 +02:00
refactor: add DatabaseContext.GetToken method 2024-09-11 16:23:45 +02:00			`public static bool TryParseToken(string? input, out byte[] rawToken)`
			`{`
			`rawToken = [];`

chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`if (string.IsNullOrWhiteSpace(input))`
			`return false;`
refactor: add DatabaseContext.GetToken method 2024-09-11 16:23:45 +02:00			`if (input.StartsWith("bearer ", StringComparison.InvariantCultureIgnoreCase))`
			`input = input["bearer ".Length..];`

			`return TryFromBase64String(input, out rawToken);`
			`}`
add a bunch of stuff copied from Foxchat.NET 2024-05-28 15:29:18 +02:00
fix: use url-unsafe base 64 for auth tokens .net throws an error when decoding url-safe base 64 luckily we never decode it except for tokens, so those can keep using url-unsafe base 64. they're never used in URLs after all 2024-12-14 16:39:02 +01:00			`public static string RandomUrlUnsafeToken(int bytes = 48) =>`
			`Convert.ToBase64String(RandomNumberGenerator.GetBytes(bytes)).Trim('=');`

add a bunch of stuff copied from Foxchat.NET 2024-05-28 15:29:18 +02:00			`public static string RandomToken(int bytes = 48) =>`
fix: use url-unsafe base 64 for auth tokens .net throws an error when decoding url-safe base 64 luckily we never decode it except for tokens, so those can keep using url-unsafe base 64. they're never used in URLs after all 2024-12-14 16:39:02 +01:00			`RandomUrlUnsafeToken()`
feat: forgot password/reset password 2024-12-14 16:32:08 +01:00			`// Make the token URL-safe`
			`.Replace('+', '-')`
			`.Replace('/', '_');`
too many things to list (notably, user avatar update) 2024-07-08 19:03:04 +02:00
			`public const int MaxAuthMethodsPerType = 3; // Maximum of 3 Discord accounts, 3 emails, etc`
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`}`