using System.Net; using EntityFramework.Exceptions.Common; using Foxnouns.Backend.Database; using Foxnouns.Backend.Database.Models; using Foxnouns.Backend.Extensions; using Foxnouns.Backend.Middleware; using Foxnouns.Backend.Services; using Foxnouns.Backend.Services.Auth; using Foxnouns.Backend.Utils; using JetBrains.Annotations; using Microsoft.AspNetCore.Mvc; using Microsoft.EntityFrameworkCore; using NodaTime; namespace Foxnouns.Backend.Controllers.Authentication; [Route("/api/internal/auth/email")] public class EmailAuthController( [UsedImplicitly] Config config, DatabaseContext db, AuthService authService, MailService mailService, KeyCacheService keyCacheService, UserRendererService userRenderer, IClock clock, ILogger logger ) : ApiControllerBase { private readonly ILogger _logger = logger.ForContext(); [HttpPost("register/init")] public async Task RegisterInitAsync( [FromBody] RegisterRequest req, CancellationToken ct = default ) { CheckRequirements(); if (!req.Email.Contains('@')) throw new ApiError.BadRequest("Email is invalid", "email", req.Email); var state = await keyCacheService.GenerateRegisterEmailStateAsync( req.Email, userId: null, ct ); // If there's already a user with that email address, pretend we sent an email but actually ignore it if ( await db.AuthMethods.AnyAsync( a => a.AuthType == AuthType.Email && a.RemoteId == req.Email, ct ) ) return NoContent(); mailService.QueueAccountCreationEmail(req.Email, state); return NoContent(); } [HttpPost("callback")] public async Task CallbackAsync([FromBody] CallbackRequest req) { CheckRequirements(); var state = await keyCacheService.GetRegisterEmailStateAsync(req.State); if (state is not { ExistingUserId: null }) throw new ApiError.BadRequest("Invalid state", "state", req.State); var ticket = AuthUtils.RandomToken(); await keyCacheService.SetKeyAsync($"email:{ticket}", state.Email, Duration.FromMinutes(20)); return Ok( new CallbackResponse( HasAccount: false, Ticket: ticket, RemoteUsername: state.Email, User: null, Token: null, ExpiresAt: null ) ); } [HttpPost("register")] public async Task CompleteRegistrationAsync( [FromBody] CompleteRegistrationRequest req ) { CheckRequirements(); var email = await keyCacheService.GetKeyAsync($"email:{req.Ticket}"); if (email == null) throw new ApiError.BadRequest("Unknown ticket", "ticket", req.Ticket); var user = await authService.CreateUserWithPasswordAsync(req.Username, email, req.Password); var frontendApp = await db.GetFrontendApplicationAsync(); var (tokenStr, token) = authService.GenerateToken( user, frontendApp, ["*"], clock.GetCurrentInstant() + Duration.FromDays(365) ); db.Add(token); await db.SaveChangesAsync(); await keyCacheService.DeleteKeyAsync($"email:{req.Ticket}"); return Ok( new AuthController.AuthResponse( await userRenderer.RenderUserAsync(user, selfUser: user, renderMembers: false), tokenStr, token.ExpiresAt ) ); } [HttpPost("login")] [ProducesResponseType(StatusCodes.Status200OK)] public async Task LoginAsync( [FromBody] LoginRequest req, CancellationToken ct = default ) { CheckRequirements(); var (user, authenticationResult) = await authService.AuthenticateUserAsync( req.Email, req.Password, ct ); if (authenticationResult == AuthService.EmailAuthenticationResult.MfaRequired) throw new NotImplementedException("MFA is not implemented yet"); var frontendApp = await db.GetFrontendApplicationAsync(ct); _logger.Debug("Logging user {Id} in with email and password", user.Id); var (tokenStr, token) = authService.GenerateToken( user, frontendApp, ["*"], clock.GetCurrentInstant() + Duration.FromDays(365) ); db.Add(token); _logger.Debug("Generated token {TokenId} for {UserId}", token.Id, user.Id); await db.SaveChangesAsync(ct); return Ok( new AuthController.AuthResponse( await userRenderer.RenderUserAsync( user, selfUser: user, renderMembers: false, ct: ct ), tokenStr, token.ExpiresAt ) ); } [HttpPost("change-password")] [Authorize("*")] public async Task UpdatePasswordAsync([FromBody] ChangePasswordRequest req) { if (!await authService.ValidatePasswordAsync(CurrentUser!, req.Current)) throw new ApiError.Forbidden("Invalid password"); ValidationUtils.Validate([("new", ValidationUtils.ValidatePassword(req.New))]); await authService.SetUserPasswordAsync(CurrentUser!, req.New); await db.SaveChangesAsync(); return NoContent(); } [HttpPost("add-email")] [Authorize("*")] public async Task AddEmailAddressAsync([FromBody] AddEmailAddressRequest req) { CheckRequirements(); var emails = await db .AuthMethods.Where(m => m.UserId == CurrentUser!.Id && m.AuthType == AuthType.Email) .ToListAsync(); if (emails.Count > AuthUtils.MaxAuthMethodsPerType) { throw new ApiError.BadRequest( "Too many email addresses, maximum of 3 per account.", "email", null ); } if (emails.Count != 0) { if (!await authService.ValidatePasswordAsync(CurrentUser!, req.Password)) throw new ApiError.Forbidden("Invalid password"); } else { await authService.SetUserPasswordAsync(CurrentUser!, req.Password); await db.SaveChangesAsync(); } var state = await keyCacheService.GenerateRegisterEmailStateAsync( req.Email, userId: CurrentUser!.Id ); var emailExists = await db .AuthMethods.Where(m => m.AuthType == AuthType.Email && m.RemoteId == req.Email) .AnyAsync(); if (emailExists) { return NoContent(); } mailService.QueueAddEmailAddressEmail(req.Email, state, CurrentUser.Username); return NoContent(); } [HttpPost("add-email/callback")] [Authorize("*")] public async Task AddEmailCallbackAsync([FromBody] CallbackRequest req) { CheckRequirements(); var state = await keyCacheService.GetRegisterEmailStateAsync(req.State); if (state?.ExistingUserId != CurrentUser!.Id) throw new ApiError.BadRequest("Invalid state", "state", req.State); try { var authMethod = await authService.AddAuthMethodAsync( CurrentUser.Id, AuthType.Email, state.Email ); _logger.Debug( "Added email auth {AuthId} for user {UserId}", authMethod.Id, CurrentUser.Id ); return Ok( new AuthController.AddOauthAccountResponse( authMethod.Id, AuthType.Email, authMethod.RemoteId, RemoteUsername: null ) ); } catch (UniqueConstraintException) { throw new ApiError( "That email address is already linked.", HttpStatusCode.BadRequest, ErrorCode.AccountAlreadyLinked ); } } public record AddEmailAddressRequest(string Email, string Password); private void CheckRequirements() { if (!config.EmailAuth.Enabled) throw new ApiError.BadRequest("Email authentication is not enabled on this instance."); } public record LoginRequest(string Email, string Password); public record RegisterRequest(string Email); public record CompleteRegistrationRequest(string Ticket, string Username, string Password); public record CallbackRequest(string State); public record ChangePasswordRequest(string Current, string New); }