Foxnouns.NET/Foxnouns.Backend/Controllers/Authentication/DiscordAuthController.cs

using Foxnouns.Backend.Database;
using Foxnouns.Backend.Database.Models;
using Foxnouns.Backend.Extensions;
using Foxnouns.Backend.Services;
using Foxnouns.Backend.Utils;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using NodaTime;

namespace Foxnouns.Backend.Controllers.Authentication;

[Route("/api/v2/auth/discord")]
public class DiscordAuthController(
    Config config,
    ILogger logger,
    IClock clock,
    DatabaseContext db,
    KeyCacheService keyCacheSvc,
    AuthService authSvc,
    RemoteAuthService remoteAuthSvc,
    UserRendererService userRendererSvc) : ApiControllerBase
{
    [HttpPost("callback")]
    // TODO: duplicating attribute doesn't work, find another way to mark both as possible response
    // leaving it here for documentation purposes
    [ProducesResponseType<AuthController.AuthResponse>(StatusCodes.Status200OK)]
    [ProducesResponseType<AuthController.CallbackResponse>(StatusCodes.Status200OK)]
    public async Task<IActionResult> CallbackAsync([FromBody] AuthController.CallbackRequest req)
    {
        CheckRequirements();
        await keyCacheSvc.ValidateAuthStateAsync(req.State);

        var remoteUser = await remoteAuthSvc.RequestDiscordTokenAsync(req.Code, req.State);
        var user = await authSvc.AuthenticateUserAsync(AuthType.Discord, remoteUser.Id);
        if (user != null) return Ok(await GenerateUserTokenAsync(user));

        logger.Debug("Discord user {Username} ({Id}) authenticated with no local account", remoteUser.Username,
            remoteUser.Id);

        var ticket = AuthUtils.RandomToken();
        await keyCacheSvc.SetKeyAsync($"discord:{ticket}", remoteUser, Duration.FromMinutes(20));

        return Ok(new AuthController.CallbackResponse(false, ticket, remoteUser.Username));
    }

    [HttpPost("register")]
    [ProducesResponseType<AuthController.AuthResponse>(StatusCodes.Status200OK)]
    public async Task<IActionResult> RegisterAsync([FromBody] AuthController.OauthRegisterRequest req)
    {
        var remoteUser = await keyCacheSvc.GetKeyAsync<RemoteAuthService.RemoteUser>($"discord:{req.Ticket}");
        if (remoteUser == null) throw new ApiError.BadRequest("Invalid ticket", "ticket", req.Ticket);
        if (await db.AuthMethods.AnyAsync(a => a.AuthType == AuthType.Discord && a.RemoteId == remoteUser.Id))
        {
            logger.Error("Discord user {Id} has valid ticket but is already linked to an existing account",
                remoteUser.Id);
            throw new FoxnounsError("Discord ticket was issued for user with existing link");
        }

        var user = await authSvc.CreateUserWithRemoteAuthAsync(req.Username, AuthType.Discord, remoteUser.Id,
            remoteUser.Username);

        return Ok(await GenerateUserTokenAsync(user));
    }

    private async Task<AuthController.AuthResponse> GenerateUserTokenAsync(User user)
    {
        var frontendApp = await db.GetFrontendApplicationAsync();
        logger.Debug("Logging user {Id} in with Discord", user.Id);

        var (tokenStr, token) =
            authSvc.GenerateToken(user, frontendApp, ["*"], clock.GetCurrentInstant() + Duration.FromDays(365));
        db.Add(token);

        logger.Debug("Generated token {TokenId} for {UserId}", user.Id, token.Id);

        await db.SaveChangesAsync();

        return new AuthController.AuthResponse(
            await userRendererSvc.RenderUserAsync(user, selfUser: user, renderMembers: false),
            tokenStr,
            token.ExpiresAt
        );
    }

    private void CheckRequirements()
    {
        if (!config.DiscordAuth.Enabled)
            throw new ApiError.BadRequest("Discord authentication is not enabled on this instance.");
    }
}