refactor: add DatabaseContext.GetToken method
This commit is contained in:
parent
be34c4c77e
commit
2682cabfb0
6 changed files with 51 additions and 35 deletions
|
@ -40,55 +40,53 @@ public class EmailAuthController(
|
||||||
}
|
}
|
||||||
|
|
||||||
[HttpPost("callback")]
|
[HttpPost("callback")]
|
||||||
public async Task<IActionResult> CallbackAsync([FromBody] CallbackRequest req, CancellationToken ct = default)
|
public async Task<IActionResult> CallbackAsync([FromBody] CallbackRequest req)
|
||||||
{
|
{
|
||||||
CheckRequirements();
|
CheckRequirements();
|
||||||
|
|
||||||
var state = await keyCacheService.GetRegisterEmailStateAsync(req.State, ct);
|
var state = await keyCacheService.GetRegisterEmailStateAsync(req.State);
|
||||||
if (state == null) throw new ApiError.BadRequest("Invalid state", "state", req.State);
|
if (state == null) throw new ApiError.BadRequest("Invalid state", "state", req.State);
|
||||||
|
|
||||||
// If this callback is for an existing user, add the email address to their auth methods
|
// If this callback is for an existing user, add the email address to their auth methods
|
||||||
if (state.ExistingUserId != null)
|
if (state.ExistingUserId != null)
|
||||||
{
|
{
|
||||||
var authMethod =
|
var authMethod =
|
||||||
await authService.AddAuthMethodAsync(state.ExistingUserId.Value, AuthType.Email, state.Email, ct: ct);
|
await authService.AddAuthMethodAsync(state.ExistingUserId.Value, AuthType.Email, state.Email);
|
||||||
_logger.Debug("Added email auth {AuthId} for user {UserId}", authMethod.Id, state.ExistingUserId);
|
_logger.Debug("Added email auth {AuthId} for user {UserId}", authMethod.Id, state.ExistingUserId);
|
||||||
return NoContent();
|
return NoContent();
|
||||||
}
|
}
|
||||||
|
|
||||||
var ticket = AuthUtils.RandomToken();
|
var ticket = AuthUtils.RandomToken();
|
||||||
await keyCacheService.SetKeyAsync($"email:{ticket}", state.Email, Duration.FromMinutes(20), ct);
|
await keyCacheService.SetKeyAsync($"email:{ticket}", state.Email, Duration.FromMinutes(20));
|
||||||
|
|
||||||
return Ok(new AuthController.CallbackResponse(false, ticket, state.Email));
|
return Ok(new AuthController.CallbackResponse(false, ticket, state.Email));
|
||||||
}
|
}
|
||||||
|
|
||||||
[HttpPost("complete-registration")]
|
[HttpPost("complete-registration")]
|
||||||
public async Task<IActionResult> CompleteRegistrationAsync([FromBody] CompleteRegistrationRequest req,
|
public async Task<IActionResult> CompleteRegistrationAsync([FromBody] CompleteRegistrationRequest req)
|
||||||
CancellationToken ct = default)
|
|
||||||
{
|
{
|
||||||
var email = await keyCacheService.GetKeyAsync($"email:{req.Ticket}", ct: ct);
|
var email = await keyCacheService.GetKeyAsync($"email:{req.Ticket}");
|
||||||
if (email == null) throw new ApiError.BadRequest("Unknown ticket", "ticket", req.Ticket);
|
if (email == null) throw new ApiError.BadRequest("Unknown ticket", "ticket", req.Ticket);
|
||||||
|
|
||||||
// Check if username is valid at all
|
// Check if username is valid at all
|
||||||
ValidationUtils.Validate([("username", ValidationUtils.ValidateUsername(req.Username))]);
|
ValidationUtils.Validate([("username", ValidationUtils.ValidateUsername(req.Username))]);
|
||||||
// Check if username is already taken
|
// Check if username is already taken
|
||||||
if (await db.Users.AnyAsync(u => u.Username == req.Username, ct))
|
if (await db.Users.AnyAsync(u => u.Username == req.Username))
|
||||||
throw new ApiError.BadRequest("Username is already taken", "username", req.Username);
|
throw new ApiError.BadRequest("Username is already taken", "username", req.Username);
|
||||||
|
|
||||||
var user = await authService.CreateUserWithPasswordAsync(req.Username, email, req.Password, ct);
|
var user = await authService.CreateUserWithPasswordAsync(req.Username, email, req.Password);
|
||||||
var frontendApp = await db.GetFrontendApplicationAsync(ct);
|
var frontendApp = await db.GetFrontendApplicationAsync();
|
||||||
|
|
||||||
var (tokenStr, token) =
|
var (tokenStr, token) =
|
||||||
authService.GenerateToken(user, frontendApp, ["*"], clock.GetCurrentInstant() + Duration.FromDays(365));
|
authService.GenerateToken(user, frontendApp, ["*"], clock.GetCurrentInstant() + Duration.FromDays(365));
|
||||||
db.Add(token);
|
db.Add(token);
|
||||||
|
|
||||||
await db.SaveChangesAsync(ct);
|
await db.SaveChangesAsync();
|
||||||
|
|
||||||
// Specifically do *not* pass the CancellationToken so we don't cancel the rendering after creating the user account.
|
await keyCacheService.DeleteKeyAsync($"email:{req.Ticket}");
|
||||||
await keyCacheService.DeleteKeyAsync($"email:{req.Ticket}", ct: default);
|
|
||||||
|
|
||||||
return Ok(new AuthController.AuthResponse(
|
return Ok(new AuthController.AuthResponse(
|
||||||
await userRenderer.RenderUserAsync(user, selfUser: user, renderMembers: false, ct: default),
|
await userRenderer.RenderUserAsync(user, selfUser: user, renderMembers: false),
|
||||||
tokenStr,
|
tokenStr,
|
||||||
token.ExpiresAt
|
token.ExpiresAt
|
||||||
));
|
));
|
||||||
|
|
|
@ -40,16 +40,10 @@ public partial class InternalController(DatabaseContext db, IClock clock) : Cont
|
||||||
template = GetCleanedTemplate(template);
|
template = GetCleanedTemplate(template);
|
||||||
|
|
||||||
// If no token was supplied, or it isn't valid base 64, return a null user ID (limiting by IP)
|
// If no token was supplied, or it isn't valid base 64, return a null user ID (limiting by IP)
|
||||||
if (req.Token == null) return Ok(new RequestDataResponse(null, template));
|
if (!AuthUtils.TryParseToken(req.Token, out var rawToken))
|
||||||
if (!AuthUtils.TryFromBase64String(req.Token, out var rawToken))
|
|
||||||
return Ok(new RequestDataResponse(null, template));
|
return Ok(new RequestDataResponse(null, template));
|
||||||
|
|
||||||
var hash = SHA512.HashData(rawToken);
|
var oauthToken = await db.GetToken(rawToken);
|
||||||
var oauthToken = await db.Tokens
|
|
||||||
.Include(t => t.Application)
|
|
||||||
.Include(t => t.User)
|
|
||||||
.FirstOrDefaultAsync(t => t.Hash == hash && t.ExpiresAt > clock.GetCurrentInstant() && !t.ManuallyExpired);
|
|
||||||
|
|
||||||
return Ok(new RequestDataResponse(oauthToken?.UserId, template));
|
return Ok(new RequestDataResponse(oauthToken?.UserId, template));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -105,4 +105,18 @@ public static class DatabaseQueryExtensions
|
||||||
await context.SaveChangesAsync(ct);
|
await context.SaveChangesAsync(ct);
|
||||||
return app;
|
return app;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static async Task<Token?> GetToken(this DatabaseContext context, byte[] rawToken,
|
||||||
|
CancellationToken ct = default)
|
||||||
|
{
|
||||||
|
var hash = SHA512.HashData(rawToken);
|
||||||
|
var oauthToken = await context.Tokens
|
||||||
|
.Include(t => t.Application)
|
||||||
|
.Include(t => t.User)
|
||||||
|
.FirstOrDefaultAsync(
|
||||||
|
t => t.Hash == hash && t.ExpiresAt > SystemClock.Instance.GetCurrentInstant() && !t.ManuallyExpired,
|
||||||
|
ct);
|
||||||
|
|
||||||
|
return oauthToken;
|
||||||
|
}
|
||||||
}
|
}
|
|
@ -20,18 +20,13 @@ public class AuthenticationMiddleware(DatabaseContext db, IClock clock) : IMiddl
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
var header = ctx.Request.Headers.Authorization.ToString();
|
if (!AuthUtils.TryParseToken(ctx.Request.Headers.Authorization.ToString(), out var rawToken))
|
||||||
if (!AuthUtils.TryFromBase64String(header, out var rawToken))
|
|
||||||
{
|
{
|
||||||
await next(ctx);
|
await next(ctx);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
var hash = SHA512.HashData(rawToken);
|
var oauthToken = await db.GetToken(rawToken);
|
||||||
var oauthToken = await db.Tokens
|
|
||||||
.Include(t => t.Application)
|
|
||||||
.Include(t => t.User)
|
|
||||||
.FirstOrDefaultAsync(t => t.Hash == hash && t.ExpiresAt > clock.GetCurrentInstant() && !t.ManuallyExpired);
|
|
||||||
if (oauthToken == null)
|
if (oauthToken == null)
|
||||||
{
|
{
|
||||||
await next(ctx);
|
await next(ctx);
|
||||||
|
|
|
@ -16,7 +16,8 @@ public class AuthService(IClock clock, DatabaseContext db, ISnowflakeGenerator s
|
||||||
/// Creates a new user with the given email address and password.
|
/// Creates a new user with the given email address and password.
|
||||||
/// This method does <i>not</i> save the resulting user, the caller must still call <see cref="M:Microsoft.EntityFrameworkCore.DbContext.SaveChanges" />.
|
/// This method does <i>not</i> save the resulting user, the caller must still call <see cref="M:Microsoft.EntityFrameworkCore.DbContext.SaveChanges" />.
|
||||||
/// </summary>
|
/// </summary>
|
||||||
public async Task<User> CreateUserWithPasswordAsync(string username, string email, string password, CancellationToken ct = default)
|
public async Task<User> CreateUserWithPasswordAsync(string username, string email, string password,
|
||||||
|
CancellationToken ct = default)
|
||||||
{
|
{
|
||||||
var user = new User
|
var user = new User
|
||||||
{
|
{
|
||||||
|
@ -76,16 +77,19 @@ public class AuthService(IClock clock, DatabaseContext db, ISnowflakeGenerator s
|
||||||
/// <returns>A tuple of the authenticated user and whether multi-factor authentication is required</returns>
|
/// <returns>A tuple of the authenticated user and whether multi-factor authentication is required</returns>
|
||||||
/// <exception cref="ApiError.NotFound">Thrown if the email address is not associated with any user
|
/// <exception cref="ApiError.NotFound">Thrown if the email address is not associated with any user
|
||||||
/// or if the password is incorrect</exception>
|
/// or if the password is incorrect</exception>
|
||||||
public async Task<(User, EmailAuthenticationResult)> AuthenticateUserAsync(string email, string password, CancellationToken ct = default)
|
public async Task<(User, EmailAuthenticationResult)> AuthenticateUserAsync(string email, string password,
|
||||||
|
CancellationToken ct = default)
|
||||||
{
|
{
|
||||||
var user = await db.Users.FirstOrDefaultAsync(u =>
|
var user = await db.Users.FirstOrDefaultAsync(u =>
|
||||||
u.AuthMethods.Any(a => a.AuthType == AuthType.Email && a.RemoteId == email), ct);
|
u.AuthMethods.Any(a => a.AuthType == AuthType.Email && a.RemoteId == email), ct);
|
||||||
if (user == null)
|
if (user == null)
|
||||||
throw new ApiError.NotFound("No user with that email address found, or password is incorrect", ErrorCode.UserNotFound);
|
throw new ApiError.NotFound("No user with that email address found, or password is incorrect",
|
||||||
|
ErrorCode.UserNotFound);
|
||||||
|
|
||||||
var pwResult = await Task.Run(() => _passwordHasher.VerifyHashedPassword(user, user.Password!, password), ct);
|
var pwResult = await Task.Run(() => _passwordHasher.VerifyHashedPassword(user, user.Password!, password), ct);
|
||||||
if (pwResult == PasswordVerificationResult.Failed) // TODO: this seems to fail on some valid passwords?
|
if (pwResult == PasswordVerificationResult.Failed) // TODO: this seems to fail on some valid passwords?
|
||||||
throw new ApiError.NotFound("No user with that email address found, or password is incorrect", ErrorCode.UserNotFound);
|
throw new ApiError.NotFound("No user with that email address found, or password is incorrect",
|
||||||
|
ErrorCode.UserNotFound);
|
||||||
if (pwResult == PasswordVerificationResult.SuccessRehashNeeded)
|
if (pwResult == PasswordVerificationResult.SuccessRehashNeeded)
|
||||||
{
|
{
|
||||||
user.Password = await Task.Run(() => _passwordHasher.HashPassword(user, password), ct);
|
user.Password = await Task.Run(() => _passwordHasher.HashPassword(user, password), ct);
|
||||||
|
|
|
@ -80,6 +80,17 @@ public static class AuthUtils
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static bool TryParseToken(string? input, out byte[] rawToken)
|
||||||
|
{
|
||||||
|
rawToken = [];
|
||||||
|
|
||||||
|
if (string.IsNullOrWhiteSpace(input)) return false;
|
||||||
|
if (input.StartsWith("bearer ", StringComparison.InvariantCultureIgnoreCase))
|
||||||
|
input = input["bearer ".Length..];
|
||||||
|
|
||||||
|
return TryFromBase64String(input, out rawToken);
|
||||||
|
}
|
||||||
|
|
||||||
public static string RandomToken(int bytes = 48) =>
|
public static string RandomToken(int bytes = 48) =>
|
||||||
Convert.ToBase64String(RandomNumberGenerator.GetBytes(bytes)).Trim('=');
|
Convert.ToBase64String(RandomNumberGenerator.GetBytes(bytes)).Trim('=');
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue