refactor: add DatabaseContext.GetToken method

This commit is contained in:
sam 2024-09-11 16:23:45 +02:00
parent be34c4c77e
commit 2682cabfb0
Signed by: sam
GPG key ID: B4EF20DDE721CAA1
6 changed files with 51 additions and 35 deletions

View file

@ -40,55 +40,53 @@ public class EmailAuthController(
} }
[HttpPost("callback")] [HttpPost("callback")]
public async Task<IActionResult> CallbackAsync([FromBody] CallbackRequest req, CancellationToken ct = default) public async Task<IActionResult> CallbackAsync([FromBody] CallbackRequest req)
{ {
CheckRequirements(); CheckRequirements();
var state = await keyCacheService.GetRegisterEmailStateAsync(req.State, ct); var state = await keyCacheService.GetRegisterEmailStateAsync(req.State);
if (state == null) throw new ApiError.BadRequest("Invalid state", "state", req.State); if (state == null) throw new ApiError.BadRequest("Invalid state", "state", req.State);
// If this callback is for an existing user, add the email address to their auth methods // If this callback is for an existing user, add the email address to their auth methods
if (state.ExistingUserId != null) if (state.ExistingUserId != null)
{ {
var authMethod = var authMethod =
await authService.AddAuthMethodAsync(state.ExistingUserId.Value, AuthType.Email, state.Email, ct: ct); await authService.AddAuthMethodAsync(state.ExistingUserId.Value, AuthType.Email, state.Email);
_logger.Debug("Added email auth {AuthId} for user {UserId}", authMethod.Id, state.ExistingUserId); _logger.Debug("Added email auth {AuthId} for user {UserId}", authMethod.Id, state.ExistingUserId);
return NoContent(); return NoContent();
} }
var ticket = AuthUtils.RandomToken(); var ticket = AuthUtils.RandomToken();
await keyCacheService.SetKeyAsync($"email:{ticket}", state.Email, Duration.FromMinutes(20), ct); await keyCacheService.SetKeyAsync($"email:{ticket}", state.Email, Duration.FromMinutes(20));
return Ok(new AuthController.CallbackResponse(false, ticket, state.Email)); return Ok(new AuthController.CallbackResponse(false, ticket, state.Email));
} }
[HttpPost("complete-registration")] [HttpPost("complete-registration")]
public async Task<IActionResult> CompleteRegistrationAsync([FromBody] CompleteRegistrationRequest req, public async Task<IActionResult> CompleteRegistrationAsync([FromBody] CompleteRegistrationRequest req)
CancellationToken ct = default)
{ {
var email = await keyCacheService.GetKeyAsync($"email:{req.Ticket}", ct: ct); var email = await keyCacheService.GetKeyAsync($"email:{req.Ticket}");
if (email == null) throw new ApiError.BadRequest("Unknown ticket", "ticket", req.Ticket); if (email == null) throw new ApiError.BadRequest("Unknown ticket", "ticket", req.Ticket);
// Check if username is valid at all // Check if username is valid at all
ValidationUtils.Validate([("username", ValidationUtils.ValidateUsername(req.Username))]); ValidationUtils.Validate([("username", ValidationUtils.ValidateUsername(req.Username))]);
// Check if username is already taken // Check if username is already taken
if (await db.Users.AnyAsync(u => u.Username == req.Username, ct)) if (await db.Users.AnyAsync(u => u.Username == req.Username))
throw new ApiError.BadRequest("Username is already taken", "username", req.Username); throw new ApiError.BadRequest("Username is already taken", "username", req.Username);
var user = await authService.CreateUserWithPasswordAsync(req.Username, email, req.Password, ct); var user = await authService.CreateUserWithPasswordAsync(req.Username, email, req.Password);
var frontendApp = await db.GetFrontendApplicationAsync(ct); var frontendApp = await db.GetFrontendApplicationAsync();
var (tokenStr, token) = var (tokenStr, token) =
authService.GenerateToken(user, frontendApp, ["*"], clock.GetCurrentInstant() + Duration.FromDays(365)); authService.GenerateToken(user, frontendApp, ["*"], clock.GetCurrentInstant() + Duration.FromDays(365));
db.Add(token); db.Add(token);
await db.SaveChangesAsync(ct); await db.SaveChangesAsync();
// Specifically do *not* pass the CancellationToken so we don't cancel the rendering after creating the user account. await keyCacheService.DeleteKeyAsync($"email:{req.Ticket}");
await keyCacheService.DeleteKeyAsync($"email:{req.Ticket}", ct: default);
return Ok(new AuthController.AuthResponse( return Ok(new AuthController.AuthResponse(
await userRenderer.RenderUserAsync(user, selfUser: user, renderMembers: false, ct: default), await userRenderer.RenderUserAsync(user, selfUser: user, renderMembers: false),
tokenStr, tokenStr,
token.ExpiresAt token.ExpiresAt
)); ));

View file

@ -40,16 +40,10 @@ public partial class InternalController(DatabaseContext db, IClock clock) : Cont
template = GetCleanedTemplate(template); template = GetCleanedTemplate(template);
// If no token was supplied, or it isn't valid base 64, return a null user ID (limiting by IP) // If no token was supplied, or it isn't valid base 64, return a null user ID (limiting by IP)
if (req.Token == null) return Ok(new RequestDataResponse(null, template)); if (!AuthUtils.TryParseToken(req.Token, out var rawToken))
if (!AuthUtils.TryFromBase64String(req.Token, out var rawToken))
return Ok(new RequestDataResponse(null, template)); return Ok(new RequestDataResponse(null, template));
var hash = SHA512.HashData(rawToken); var oauthToken = await db.GetToken(rawToken);
var oauthToken = await db.Tokens
.Include(t => t.Application)
.Include(t => t.User)
.FirstOrDefaultAsync(t => t.Hash == hash && t.ExpiresAt > clock.GetCurrentInstant() && !t.ManuallyExpired);
return Ok(new RequestDataResponse(oauthToken?.UserId, template)); return Ok(new RequestDataResponse(oauthToken?.UserId, template));
} }

View file

@ -105,4 +105,18 @@ public static class DatabaseQueryExtensions
await context.SaveChangesAsync(ct); await context.SaveChangesAsync(ct);
return app; return app;
} }
public static async Task<Token?> GetToken(this DatabaseContext context, byte[] rawToken,
CancellationToken ct = default)
{
var hash = SHA512.HashData(rawToken);
var oauthToken = await context.Tokens
.Include(t => t.Application)
.Include(t => t.User)
.FirstOrDefaultAsync(
t => t.Hash == hash && t.ExpiresAt > SystemClock.Instance.GetCurrentInstant() && !t.ManuallyExpired,
ct);
return oauthToken;
}
} }

View file

@ -20,18 +20,13 @@ public class AuthenticationMiddleware(DatabaseContext db, IClock clock) : IMiddl
return; return;
} }
var header = ctx.Request.Headers.Authorization.ToString(); if (!AuthUtils.TryParseToken(ctx.Request.Headers.Authorization.ToString(), out var rawToken))
if (!AuthUtils.TryFromBase64String(header, out var rawToken))
{ {
await next(ctx); await next(ctx);
return; return;
} }
var hash = SHA512.HashData(rawToken); var oauthToken = await db.GetToken(rawToken);
var oauthToken = await db.Tokens
.Include(t => t.Application)
.Include(t => t.User)
.FirstOrDefaultAsync(t => t.Hash == hash && t.ExpiresAt > clock.GetCurrentInstant() && !t.ManuallyExpired);
if (oauthToken == null) if (oauthToken == null)
{ {
await next(ctx); await next(ctx);

View file

@ -16,7 +16,8 @@ public class AuthService(IClock clock, DatabaseContext db, ISnowflakeGenerator s
/// Creates a new user with the given email address and password. /// Creates a new user with the given email address and password.
/// This method does <i>not</i> save the resulting user, the caller must still call <see cref="M:Microsoft.EntityFrameworkCore.DbContext.SaveChanges" />. /// This method does <i>not</i> save the resulting user, the caller must still call <see cref="M:Microsoft.EntityFrameworkCore.DbContext.SaveChanges" />.
/// </summary> /// </summary>
public async Task<User> CreateUserWithPasswordAsync(string username, string email, string password, CancellationToken ct = default) public async Task<User> CreateUserWithPasswordAsync(string username, string email, string password,
CancellationToken ct = default)
{ {
var user = new User var user = new User
{ {
@ -76,16 +77,19 @@ public class AuthService(IClock clock, DatabaseContext db, ISnowflakeGenerator s
/// <returns>A tuple of the authenticated user and whether multi-factor authentication is required</returns> /// <returns>A tuple of the authenticated user and whether multi-factor authentication is required</returns>
/// <exception cref="ApiError.NotFound">Thrown if the email address is not associated with any user /// <exception cref="ApiError.NotFound">Thrown if the email address is not associated with any user
/// or if the password is incorrect</exception> /// or if the password is incorrect</exception>
public async Task<(User, EmailAuthenticationResult)> AuthenticateUserAsync(string email, string password, CancellationToken ct = default) public async Task<(User, EmailAuthenticationResult)> AuthenticateUserAsync(string email, string password,
CancellationToken ct = default)
{ {
var user = await db.Users.FirstOrDefaultAsync(u => var user = await db.Users.FirstOrDefaultAsync(u =>
u.AuthMethods.Any(a => a.AuthType == AuthType.Email && a.RemoteId == email), ct); u.AuthMethods.Any(a => a.AuthType == AuthType.Email && a.RemoteId == email), ct);
if (user == null) if (user == null)
throw new ApiError.NotFound("No user with that email address found, or password is incorrect", ErrorCode.UserNotFound); throw new ApiError.NotFound("No user with that email address found, or password is incorrect",
ErrorCode.UserNotFound);
var pwResult = await Task.Run(() => _passwordHasher.VerifyHashedPassword(user, user.Password!, password), ct); var pwResult = await Task.Run(() => _passwordHasher.VerifyHashedPassword(user, user.Password!, password), ct);
if (pwResult == PasswordVerificationResult.Failed) // TODO: this seems to fail on some valid passwords? if (pwResult == PasswordVerificationResult.Failed) // TODO: this seems to fail on some valid passwords?
throw new ApiError.NotFound("No user with that email address found, or password is incorrect", ErrorCode.UserNotFound); throw new ApiError.NotFound("No user with that email address found, or password is incorrect",
ErrorCode.UserNotFound);
if (pwResult == PasswordVerificationResult.SuccessRehashNeeded) if (pwResult == PasswordVerificationResult.SuccessRehashNeeded)
{ {
user.Password = await Task.Run(() => _passwordHasher.HashPassword(user, password), ct); user.Password = await Task.Run(() => _passwordHasher.HashPassword(user, password), ct);

View file

@ -80,6 +80,17 @@ public static class AuthUtils
} }
} }
public static bool TryParseToken(string? input, out byte[] rawToken)
{
rawToken = [];
if (string.IsNullOrWhiteSpace(input)) return false;
if (input.StartsWith("bearer ", StringComparison.InvariantCultureIgnoreCase))
input = input["bearer ".Length..];
return TryFromBase64String(input, out rawToken);
}
public static string RandomToken(int bytes = 48) => public static string RandomToken(int bytes = 48) =>
Convert.ToBase64String(RandomNumberGenerator.GetBytes(bytes)).Trim('='); Convert.ToBase64String(RandomNumberGenerator.GetBytes(bytes)).Trim('=');