Foxnouns.NET/Foxnouns.Backend/Controllers/Authentication/EmailAuthController.cs

using Foxnouns.Backend.Database;
using Foxnouns.Backend.Database.Models;
using Foxnouns.Backend.Extensions;
using Foxnouns.Backend.Middleware;
using Foxnouns.Backend.Services;
using Foxnouns.Backend.Utils;
using JetBrains.Annotations;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using NodaTime;

namespace Foxnouns.Backend.Controllers.Authentication;

[Route("/api/internal/auth/email")]
public class EmailAuthController(
    [UsedImplicitly] Config config,
    DatabaseContext db,
    AuthService authService,
    MailService mailService,
    KeyCacheService keyCacheService,
    UserRendererService userRenderer,
    IClock clock,
    ILogger logger
) : ApiControllerBase
{
    private readonly ILogger _logger = logger.ForContext<EmailAuthController>();

    [HttpPost("register")]
    public async Task<IActionResult> RegisterAsync(
        [FromBody] RegisterRequest req,
        CancellationToken ct = default
    )
    {
        CheckRequirements();

        if (!req.Email.Contains('@'))
            throw new ApiError.BadRequest("Email is invalid", "email", req.Email);

        var state = await keyCacheService.GenerateRegisterEmailStateAsync(
            req.Email,
            userId: null,
            ct
        );

        // If there's already a user with that email address, pretend we sent an email but actually ignore it
        if (
            await db.AuthMethods.AnyAsync(
                a => a.AuthType == AuthType.Email && a.RemoteId == req.Email,
                ct
            )
        )
            return NoContent();

        mailService.QueueAccountCreationEmail(req.Email, state);
        return NoContent();
    }

    [HttpPost("callback")]
    public async Task<IActionResult> CallbackAsync([FromBody] CallbackRequest req)
    {
        CheckRequirements();

        var state = await keyCacheService.GetRegisterEmailStateAsync(req.State);
        if (state == null)
            throw new ApiError.BadRequest("Invalid state", "state", req.State);

        // If this callback is for an existing user, add the email address to their auth methods
        if (state.ExistingUserId != null)
        {
            var authMethod = await authService.AddAuthMethodAsync(
                state.ExistingUserId.Value,
                AuthType.Email,
                state.Email
            );
            _logger.Debug(
                "Added email auth {AuthId} for user {UserId}",
                authMethod.Id,
                state.ExistingUserId
            );
            return NoContent();
        }

        var ticket = AuthUtils.RandomToken();
        await keyCacheService.SetKeyAsync($"email:{ticket}", state.Email, Duration.FromMinutes(20));

        return Ok(
            new AuthController.CallbackResponse(
                HasAccount: false,
                Ticket: ticket,
                RemoteUsername: state.Email,
                User: null,
                Token: null,
                ExpiresAt: null
            )
        );
    }

    [HttpPost("complete-registration")]
    public async Task<IActionResult> CompleteRegistrationAsync(
        [FromBody] CompleteRegistrationRequest req
    )
    {
        var email = await keyCacheService.GetKeyAsync($"email:{req.Ticket}");
        if (email == null)
            throw new ApiError.BadRequest("Unknown ticket", "ticket", req.Ticket);

        // Check if username is valid at all
        ValidationUtils.Validate([("username", ValidationUtils.ValidateUsername(req.Username))]);
        // Check if username is already taken
        if (await db.Users.AnyAsync(u => u.Username == req.Username))
            throw new ApiError.BadRequest("Username is already taken", "username", req.Username);

        var user = await authService.CreateUserWithPasswordAsync(req.Username, email, req.Password);
        var frontendApp = await db.GetFrontendApplicationAsync();

        var (tokenStr, token) = authService.GenerateToken(
            user,
            frontendApp,
            ["*"],
            clock.GetCurrentInstant() + Duration.FromDays(365)
        );
        db.Add(token);

        await db.SaveChangesAsync();

        await keyCacheService.DeleteKeyAsync($"email:{req.Ticket}");

        return Ok(
            new AuthController.AuthResponse(
                await userRenderer.RenderUserAsync(user, selfUser: user, renderMembers: false),
                tokenStr,
                token.ExpiresAt
            )
        );
    }

    [HttpPost("login")]
    [ProducesResponseType<AuthController.AuthResponse>(StatusCodes.Status200OK)]
    public async Task<IActionResult> LoginAsync(
        [FromBody] LoginRequest req,
        CancellationToken ct = default
    )
    {
        CheckRequirements();

        var (user, authenticationResult) = await authService.AuthenticateUserAsync(
            req.Email,
            req.Password,
            ct
        );
        if (authenticationResult == AuthService.EmailAuthenticationResult.MfaRequired)
            throw new NotImplementedException("MFA is not implemented yet");

        var frontendApp = await db.GetFrontendApplicationAsync(ct);

        _logger.Debug("Logging user {Id} in with email and password", user.Id);

        var (tokenStr, token) = authService.GenerateToken(
            user,
            frontendApp,
            ["*"],
            clock.GetCurrentInstant() + Duration.FromDays(365)
        );
        db.Add(token);

        _logger.Debug("Generated token {TokenId} for {UserId}", token.Id, user.Id);

        await db.SaveChangesAsync(ct);

        return Ok(
            new AuthController.AuthResponse(
                await userRenderer.RenderUserAsync(
                    user,
                    selfUser: user,
                    renderMembers: false,
                    ct: ct
                ),
                tokenStr,
                token.ExpiresAt
            )
        );
    }

    [HttpPost("add")]
    [Authorize("*")]
    public async Task<IActionResult> AddEmailAddressAsync([FromBody] AddEmailAddressRequest req)
    {
        var emails = await db
            .AuthMethods.Where(m => m.UserId == CurrentUser!.Id && m.AuthType == AuthType.Email)
            .ToListAsync();
        if (emails.Count > AuthUtils.MaxAuthMethodsPerType)
        {
            throw new ApiError.BadRequest(
                "Too many email addresses, maximum of 3 per account.",
                "email",
                null
            );
        }

        var validPassword = await authService.ValidatePasswordAsync(CurrentUser!, req.Password);
        if (!validPassword)
        {
            throw new ApiError.Forbidden("Invalid password");
        }

        var state = await keyCacheService.GenerateRegisterEmailStateAsync(
            req.Email,
            userId: CurrentUser!.Id
        );

        var emailExists = await db
            .AuthMethods.Where(m => m.AuthType == AuthType.Email && m.RemoteId == req.Email)
            .AnyAsync();
        if (emailExists)
        {
            return NoContent();
        }

        mailService.QueueAddEmailAddressEmail(req.Email, state, CurrentUser.Username);
        return NoContent();
    }

    public record AddEmailAddressRequest(string Email, string Password);

    private void CheckRequirements()
    {
        if (!config.EmailAuth.Enabled)
            throw new ApiError.BadRequest("Email authentication is not enabled on this instance.");
    }

    public record LoginRequest(string Email, string Password);

    public record RegisterRequest(string Email);

    public record CompleteRegistrationRequest(string Ticket, string Username, string Password);

    public record CallbackRequest(string State);
}
feat(backend): start authentication controllers 2024-06-12 03:47:20 +02:00			`using Foxnouns.Backend.Database;`
start (actual) email auth, add CancellationToken to most async methods 2024-09-09 14:37:59 +02:00			`using Foxnouns.Backend.Database.Models;`
			`using Foxnouns.Backend.Extensions;`
feat(backend): move internal endpoints to /api/internal 2024-10-02 00:15:14 +02:00			`using Foxnouns.Backend.Middleware;`
feat(backend): start authentication controllers 2024-06-12 03:47:20 +02:00			`using Foxnouns.Backend.Services;`
start (actual) email auth, add CancellationToken to most async methods 2024-09-09 14:37:59 +02:00			`using Foxnouns.Backend.Utils;`
chore(backend): silence some more resharper errors 2024-09-14 16:37:52 +02:00			`using JetBrains.Annotations;`
feat(backend): start authentication controllers 2024-06-12 03:47:20 +02:00			`using Microsoft.AspNetCore.Mvc;`
start (actual) email auth, add CancellationToken to most async methods 2024-09-09 14:37:59 +02:00			`using Microsoft.EntityFrameworkCore;`
feat(backend): start authentication controllers 2024-06-12 03:47:20 +02:00			`using NodaTime;`

			`namespace Foxnouns.Backend.Controllers.Authentication;`

feat(backend): move internal endpoints to /api/internal 2024-10-02 00:15:14 +02:00			`[Route("/api/internal/auth/email")]`
feat(backend): add RequestDiscordTokenAsync method 2024-06-12 16:19:49 +02:00			`public class EmailAuthController(`
chore(backend): silence some more resharper errors 2024-09-14 16:37:52 +02:00			`[UsedImplicitly] Config config,`
feat(backend): add RequestDiscordTokenAsync method 2024-06-12 16:19:49 +02:00			`DatabaseContext db,`
refactor: more consistent field names, also in STYLE.md 2024-09-09 14:50:00 +02:00			`AuthService authService,`
			`MailService mailService,`
			`KeyCacheService keyCacheService,`
			`UserRendererService userRenderer,`
feat(backend): add RequestDiscordTokenAsync method 2024-06-12 16:19:49 +02:00			`IClock clock,`
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`ILogger logger`
			`) : ApiControllerBase`
feat(backend): start authentication controllers 2024-06-12 03:47:20 +02:00			`{`
fix: add class context to all loggers, format 2024-09-04 14:25:44 +02:00			`private readonly ILogger _logger = logger.ForContext<EmailAuthController>();`

start (actual) email auth, add CancellationToken to most async methods 2024-09-09 14:37:59 +02:00			`[HttpPost("register")]`
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`public async Task<IActionResult> RegisterAsync(`
			`[FromBody] RegisterRequest req,`
			`CancellationToken ct = default`
			`)`
start (actual) email auth, add CancellationToken to most async methods 2024-09-09 14:37:59 +02:00			`{`
feat(backend): email registration 2024-09-10 02:39:07 +02:00			`CheckRequirements();`

chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`if (!req.Email.Contains('@'))`
			`throw new ApiError.BadRequest("Email is invalid", "email", req.Email);`
start (actual) email auth, add CancellationToken to most async methods 2024-09-09 14:37:59 +02:00
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`var state = await keyCacheService.GenerateRegisterEmailStateAsync(`
			`req.Email,`
			`userId: null,`
			`ct`
			`);`
refactor: add DatabaseContext.GetToken method 2024-09-11 16:23:45 +02:00
feat(backend): email registration 2024-09-10 02:39:07 +02:00			`// If there's already a user with that email address, pretend we sent an email but actually ignore it`
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`if (`
			`await db.AuthMethods.AnyAsync(`
			`a => a.AuthType == AuthType.Email && a.RemoteId == req.Email,`
			`ct`
			`)`
			`)`
start (actual) email auth, add CancellationToken to most async methods 2024-09-09 14:37:59 +02:00			`return NoContent();`

refactor: more consistent field names, also in STYLE.md 2024-09-09 14:50:00 +02:00			`mailService.QueueAccountCreationEmail(req.Email, state);`
start (actual) email auth, add CancellationToken to most async methods 2024-09-09 14:37:59 +02:00			`return NoContent();`
			`}`

			`[HttpPost("callback")]`
refactor: add DatabaseContext.GetToken method 2024-09-11 16:23:45 +02:00			`public async Task<IActionResult> CallbackAsync([FromBody] CallbackRequest req)`
start (actual) email auth, add CancellationToken to most async methods 2024-09-09 14:37:59 +02:00			`{`
feat(backend): email registration 2024-09-10 02:39:07 +02:00			`CheckRequirements();`

refactor: add DatabaseContext.GetToken method 2024-09-11 16:23:45 +02:00			`var state = await keyCacheService.GetRegisterEmailStateAsync(req.State);`
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`if (state == null)`
			`throw new ApiError.BadRequest("Invalid state", "state", req.State);`
refactor: add DatabaseContext.GetToken method 2024-09-11 16:23:45 +02:00
feat(backend): email registration 2024-09-10 02:39:07 +02:00			`// If this callback is for an existing user, add the email address to their auth methods`
start (actual) email auth, add CancellationToken to most async methods 2024-09-09 14:37:59 +02:00			`if (state.ExistingUserId != null)`
			`{`
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`var authMethod = await authService.AddAuthMethodAsync(`
			`state.ExistingUserId.Value,`
			`AuthType.Email,`
			`state.Email`
			`);`
			`_logger.Debug(`
			`"Added email auth {AuthId} for user {UserId}",`
			`authMethod.Id,`
			`state.ExistingUserId`
			`);`
start (actual) email auth, add CancellationToken to most async methods 2024-09-09 14:37:59 +02:00			`return NoContent();`
			`}`

			`var ticket = AuthUtils.RandomToken();`
refactor: add DatabaseContext.GetToken method 2024-09-11 16:23:45 +02:00			`await keyCacheService.SetKeyAsync($"email:{ticket}", state.Email, Duration.FromMinutes(20));`
start (actual) email auth, add CancellationToken to most async methods 2024-09-09 14:37:59 +02:00
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`return Ok(`
			`new AuthController.CallbackResponse(`
			`HasAccount: false,`
			`Ticket: ticket,`
			`RemoteUsername: state.Email,`
			`User: null,`
			`Token: null,`
			`ExpiresAt: null`
			`)`
			`);`
start (actual) email auth, add CancellationToken to most async methods 2024-09-09 14:37:59 +02:00			`}`

feat(backend): email registration 2024-09-10 02:39:07 +02:00			`[HttpPost("complete-registration")]`
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`public async Task<IActionResult> CompleteRegistrationAsync(`
			`[FromBody] CompleteRegistrationRequest req`
			`)`
feat(backend): email registration 2024-09-10 02:39:07 +02:00			`{`
refactor: add DatabaseContext.GetToken method 2024-09-11 16:23:45 +02:00			`var email = await keyCacheService.GetKeyAsync($"email:{req.Ticket}");`
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`if (email == null)`
			`throw new ApiError.BadRequest("Unknown ticket", "ticket", req.Ticket);`
feat(backend): email registration 2024-09-10 02:39:07 +02:00
			`// Check if username is valid at all`
			`ValidationUtils.Validate([("username", ValidationUtils.ValidateUsername(req.Username))]);`
			`// Check if username is already taken`
refactor: add DatabaseContext.GetToken method 2024-09-11 16:23:45 +02:00			`if (await db.Users.AnyAsync(u => u.Username == req.Username))`
feat(backend): email registration 2024-09-10 02:39:07 +02:00			`throw new ApiError.BadRequest("Username is already taken", "username", req.Username);`

refactor: add DatabaseContext.GetToken method 2024-09-11 16:23:45 +02:00			`var user = await authService.CreateUserWithPasswordAsync(req.Username, email, req.Password);`
			`var frontendApp = await db.GetFrontendApplicationAsync();`
feat(backend): email registration 2024-09-10 02:39:07 +02:00
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`var (tokenStr, token) = authService.GenerateToken(`
			`user,`
			`frontendApp,`
			`["*"],`
			`clock.GetCurrentInstant() + Duration.FromDays(365)`
			`);`
feat(backend): email registration 2024-09-10 02:39:07 +02:00			`db.Add(token);`

refactor: add DatabaseContext.GetToken method 2024-09-11 16:23:45 +02:00			`await db.SaveChangesAsync();`
feat(backend): email registration 2024-09-10 02:39:07 +02:00
refactor: add DatabaseContext.GetToken method 2024-09-11 16:23:45 +02:00			`await keyCacheService.DeleteKeyAsync($"email:{req.Ticket}");`
feat(backend): email registration 2024-09-10 02:39:07 +02:00
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`return Ok(`
			`new AuthController.AuthResponse(`
			`await userRenderer.RenderUserAsync(user, selfUser: user, renderMembers: false),`
			`tokenStr,`
			`token.ExpiresAt`
			`)`
			`);`
feat(backend): email registration 2024-09-10 02:39:07 +02:00			`}`

feat(backend): start authentication controllers 2024-06-12 03:47:20 +02:00			`[HttpPost("login")]`
feat(backend): add RequestDiscordTokenAsync method 2024-06-12 16:19:49 +02:00			`[ProducesResponseType<AuthController.AuthResponse>(StatusCodes.Status200OK)]`
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`public async Task<IActionResult> LoginAsync(`
			`[FromBody] LoginRequest req,`
			`CancellationToken ct = default`
			`)`
feat(backend): start authentication controllers 2024-06-12 03:47:20 +02:00			`{`
feat(backend): email registration 2024-09-10 02:39:07 +02:00			`CheckRequirements();`

chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`var (user, authenticationResult) = await authService.AuthenticateUserAsync(`
			`req.Email,`
			`req.Password,`
			`ct`
			`);`
feat(backend): add RequestDiscordTokenAsync method 2024-06-12 16:19:49 +02:00			`if (authenticationResult == AuthService.EmailAuthenticationResult.MfaRequired)`
			`throw new NotImplementedException("MFA is not implemented yet");`

start (actual) email auth, add CancellationToken to most async methods 2024-09-09 14:37:59 +02:00			`var frontendApp = await db.GetFrontendApplicationAsync(ct);`
feat(backend): add RequestDiscordTokenAsync method 2024-06-12 16:19:49 +02:00
fix: add class context to all loggers, format 2024-09-04 14:25:44 +02:00			`_logger.Debug("Logging user {Id} in with email and password", user.Id);`
feat(backend): add RequestDiscordTokenAsync method 2024-06-12 16:19:49 +02:00
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`var (tokenStr, token) = authService.GenerateToken(`
			`user,`
			`frontendApp,`
			`["*"],`
			`clock.GetCurrentInstant() + Duration.FromDays(365)`
			`);`
feat(backend): start authentication controllers 2024-06-12 03:47:20 +02:00			`db.Add(token);`

fix: add class context to all loggers, format 2024-09-04 14:25:44 +02:00			`_logger.Debug("Generated token {TokenId} for {UserId}", token.Id, user.Id);`
feat(backend): add RequestDiscordTokenAsync method 2024-06-12 16:19:49 +02:00
start (actual) email auth, add CancellationToken to most async methods 2024-09-09 14:37:59 +02:00			`await db.SaveChangesAsync(ct);`
feat(backend): start authentication controllers 2024-06-12 03:47:20 +02:00
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`return Ok(`
			`new AuthController.AuthResponse(`
			`await userRenderer.RenderUserAsync(`
			`user,`
			`selfUser: user,`
			`renderMembers: false,`
			`ct: ct`
			`),`
			`tokenStr,`
			`token.ExpiresAt`
			`)`
			`);`
feat(backend): start authentication controllers 2024-06-12 03:47:20 +02:00			`}`

feat(backend): move internal endpoints to /api/internal 2024-10-02 00:15:14 +02:00			`[HttpPost("add")]`
			`[Authorize("*")]`
feat(backend): add add email address endpoint 2024-10-02 00:52:49 +02:00			`public async Task<IActionResult> AddEmailAddressAsync([FromBody] AddEmailAddressRequest req)`
feat(backend): move internal endpoints to /api/internal 2024-10-02 00:15:14 +02:00			`{`
feat(backend): add add email address endpoint 2024-10-02 00:52:49 +02:00			`var emails = await db`
			`.AuthMethods.Where(m => m.UserId == CurrentUser!.Id && m.AuthType == AuthType.Email)`
			`.ToListAsync();`
			`if (emails.Count > AuthUtils.MaxAuthMethodsPerType)`
			`{`
			`throw new ApiError.BadRequest(`
			`"Too many email addresses, maximum of 3 per account.",`
			`"email",`
			`null`
			`);`
			`}`

			`var validPassword = await authService.ValidatePasswordAsync(CurrentUser!, req.Password);`
			`if (!validPassword)`
			`{`
			`throw new ApiError.Forbidden("Invalid password");`
			`}`

			`var state = await keyCacheService.GenerateRegisterEmailStateAsync(`
			`req.Email,`
			`userId: CurrentUser!.Id`
			`);`

			`var emailExists = await db`
			`.AuthMethods.Where(m => m.AuthType == AuthType.Email && m.RemoteId == req.Email)`
			`.AnyAsync();`
			`if (emailExists)`
			`{`
			`return NoContent();`
			`}`
feat(backend): move internal endpoints to /api/internal 2024-10-02 00:15:14 +02:00
feat(backend): add add email address endpoint 2024-10-02 00:52:49 +02:00			`mailService.QueueAddEmailAddressEmail(req.Email, state, CurrentUser.Username);`
feat(backend): move internal endpoints to /api/internal 2024-10-02 00:15:14 +02:00			`return NoContent();`
			`}`

			`public record AddEmailAddressRequest(string Email, string Password);`

feat(backend): email registration 2024-09-10 02:39:07 +02:00			`private void CheckRequirements()`
			`{`
chore(backend): format 2024-10-01 21:58:13 +02:00			`if (!config.EmailAuth.Enabled)`
feat(backend): email registration 2024-09-10 02:39:07 +02:00			`throw new ApiError.BadRequest("Email authentication is not enabled on this instance.");`
			`}`

feat(backend): start authentication controllers 2024-06-12 03:47:20 +02:00			`public record LoginRequest(string Email, string Password);`
start (actual) email auth, add CancellationToken to most async methods 2024-09-09 14:37:59 +02:00
			`public record RegisterRequest(string Email);`

feat(backend): email registration 2024-09-10 02:39:07 +02:00			`public record CompleteRegistrationRequest(string Ticket, string Username, string Password);`

start (actual) email auth, add CancellationToken to most async methods 2024-09-09 14:37:59 +02:00			`public record CallbackRequest(string State);`
chore: add csharpier to husky, format backend with csharpier 2024-10-02 00:28:07 +02:00			`}`