Merge pull request #451 from Moonlight-Panel/v2.1_ImproveAuth

Improved authentication

Author: ChiaraBm

Moonlight.ApiServer/Configuration/AppConfiguration.cs

@@ -1,4 +1,5 @@
 using MoonCore.Helpers;
+using Moonlight.ApiServer.Implementations.LocalAuth;
 using YamlDotNet.Serialization;
 
 namespace Moonlight.ApiServer.Configuration;
@@ -29,6 +30,10 @@ public static AppConfiguration CreateEmpty()
             Kestrel = new()
             {
                 AllowedOrigins = []
+            },
+            Authentication = new()
+            {
+                EnabledSchemes = []
             }
         };
     }
@@ -54,26 +59,21 @@ public record AuthenticationConfig
     {
         [YamlMember(Description = "The secret token to use for creating jwts and encrypting things. This needs to be at least 32 characters long")]
         public string Secret { get; set; } = Formatter.GenerateString(32);
-        
-        [YamlMember(Description = "The lifespan of generated user tokens in hours")]
-        public int TokenDuration { get; set; } = 24 * 10;
 
-        [YamlMember(Description = "This enables the use of the local oauth2 provider, so moonlight will use itself as an oauth2 provider")]
-        public bool EnableLocalOAuth2 { get; set; } = true;
-        public OAuth2Data OAuth2 { get; set; } = new();
+        [YamlMember(Description = "Settings for the user sessions")]
+        public SessionsConfig Sessions { get; set; } = new();
 
-        public record OAuth2Data
-        {
-            public string Secret { get; set; } = Formatter.GenerateString(32);
-            public string ClientId { get; set; } = Formatter.GenerateString(8);
-            public string ClientSecret { get; set; } = Formatter.GenerateString(32);
-            public string? AuthorizationEndpoint { get; set; }
-            public string? AccessEndpoint { get; set; }
-            public string? AuthorizationRedirect { get; set; }
+        [YamlMember(Description = "This specifies if the first registered/synced user will become an admin automatically")]
+        public bool FirstUserAdmin { get; set; } = true;
 
-            [YamlMember(Description = "This specifies if the first registered user will become an admin automatically. This only works when using local oauth2")]
-            public bool FirstUserAdmin { get; set; } = true;
-        }
+        [YamlMember(Description = "This specifies the authentication schemes the frontend should be able to challenge")]
+        public string[] EnabledSchemes { get; set; } = [LocalAuthConstants.AuthenticationScheme];
+    }
+
+    public record SessionsConfig
+    {
+        public string CookieName { get; set; } = "session";
+        public int ExpiresIn { get; set; } = 10;
     }
 
     public record DevelopmentConfig

Moonlight.ApiServer/Http/Controllers/Auth/AuthController.cs

@@ -1,16 +1,11 @@
-using System.IdentityModel.Tokens.Jwt;
-using System.Security.Claims;
-using System.Text;
+using System.Security.Claims;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
-using Microsoft.EntityFrameworkCore;
-using Microsoft.IdentityModel.Tokens;
-using MoonCore.Exceptions;
-using MoonCore.Extended.Abstractions;
 using Moonlight.ApiServer.Configuration;
-using Moonlight.ApiServer.Database.Entities;
+using Moonlight.ApiServer.Implementations.LocalAuth;
 using Moonlight.ApiServer.Interfaces;
-using Moonlight.Shared.Http.Requests.Auth;
 using Moonlight.Shared.Http.Responses.Auth;
 
 namespace Moonlight.ApiServer.Http.Controllers.Auth;
@@ -19,93 +14,116 @@ namespace Moonlight.ApiServer.Http.Controllers.Auth;
 [Route("api/auth")]
 public class AuthController : Controller
 {
+    private readonly IAuthenticationSchemeProvider SchemeProvider;
+    private readonly IEnumerable<IAuthCheckExtension> Extensions;
     private readonly AppConfiguration Configuration;
-    private readonly DatabaseRepository<User> UserRepository;
-    private readonly IOAuth2Provider OAuth2Provider;
 
     public AuthController(
-        AppConfiguration configuration,
-        DatabaseRepository<User> userRepository,
-        IOAuth2Provider oAuth2Provider
+        IAuthenticationSchemeProvider schemeProvider,
+        IEnumerable<IAuthCheckExtension> extensions,
+        AppConfiguration configuration
     )
     {
-        UserRepository = userRepository;
-        OAuth2Provider = oAuth2Provider;
+        SchemeProvider = schemeProvider;
+        Extensions = extensions;
         Configuration = configuration;
     }
 
-    [AllowAnonymous]
-    [HttpGet("start")]
-    public async Task<LoginStartResponse> Start()
+    [HttpGet]
+    public async Task<AuthSchemeResponse[]> GetSchemes()
     {
-        var url = await OAuth2Provider.Start();
+        var schemes = await SchemeProvider.GetAllSchemesAsync();
 
-        return new LoginStartResponse()
-        {
-            Url = url
-        };
+        var allowedSchemes = Configuration.Authentication.EnabledSchemes;
+
+        return schemes
+            .Where(x => allowedSchemes.Contains(x.Name))
+            .Select(scheme => new AuthSchemeResponse()
+            {
+                DisplayName = scheme.DisplayName ?? scheme.Name,
+                Identifier = scheme.Name
+            })
+            .ToArray();
     }
 
-    [AllowAnonymous]
-    [HttpPost("complete")]
-    public async Task<LoginCompleteResponse> Complete([FromBody] LoginCompleteRequest request)
+    [HttpGet("{identifier:alpha}")]
+    public async Task StartScheme([FromRoute] string identifier)
     {
-        var user = await OAuth2Provider.Complete(request.Code);
-
-        if (user == null)
-            throw new HttpApiException("Unable to load user data", 500);
+        // Validate identifier against our enable list
+        var allowedSchemes = Configuration.Authentication.EnabledSchemes;
 
-        // Generate token
-        var securityTokenDescriptor = new SecurityTokenDescriptor()
+        if (!allowedSchemes.Contains(identifier))
         {
-            Expires = DateTime.Now.AddHours(Configuration.Authentication.TokenDuration),
-            IssuedAt = DateTime.Now,
-            NotBefore = DateTime.Now.AddMinutes(-1),
-            Claims = new Dictionary<string, object>()
-            {
-                {
-                    "userId",
-                    user.Id
-                },
-                {
-                    "permissions",
-                    string.Join(";", user.Permissions)
-                }
-            },
-            SigningCredentials = new SigningCredentials(
-                new SymmetricSecurityKey(
-                    Encoding.UTF8.GetBytes(Configuration.Authentication.Secret)
-                ),
-                SecurityAlgorithms.HmacSha256
-            ),
-            Issuer = Configuration.PublicUrl,
-            Audience = Configuration.PublicUrl
-        };
+            await Results
+                .Problem(
+                    "Invalid scheme identifier provided",
+                    statusCode: 404
+                )
+                .ExecuteAsync(HttpContext);
 
-        var jwtSecurityTokenHandler = new JwtSecurityTokenHandler();
-        var securityToken = jwtSecurityTokenHandler.CreateToken(securityTokenDescriptor);
+            return;
+        }
 
-        var jwt = jwtSecurityTokenHandler.WriteToken(securityToken);
+        // Now we can check if it even exists
+        var scheme = await SchemeProvider.GetSchemeAsync(identifier);
 
-        return new()
+        if (scheme == null)
         {
-            AccessToken = jwt
-        };
+            await Results
+                .Problem(
+                    "Invalid scheme identifier provided",
+                    statusCode: 404
+                )
+                .ExecuteAsync(HttpContext);
+
+            return;
+        }
+
+        // Everything fine, challenge the frontend
+        await HttpContext.ChallengeAsync(
+            scheme.Name,
+            new AuthenticationProperties()
+            {
+                RedirectUri = "/"
+            }
+        );
     }
 
     [Authorize]
     [HttpGet("check")]
-    public async Task<CheckResponse> Check()
+    public async Task<AuthClaimResponse[]> Check()
     {
-        var userIdStr = User.FindFirstValue("userId")!;
-        var userId = int.Parse(userIdStr);
-        var user = await UserRepository.Get().FirstAsync(x => x.Id == userId);
+        var username = User.FindFirstValue(ClaimTypes.Name)!;
+        var id = User.FindFirstValue(ClaimTypes.NameIdentifier)!;
+        var email = User.FindFirstValue(ClaimTypes.Email)!;
+        var userId = User.FindFirstValue("UserId")!;
+        var permissions = User.FindFirstValue("Permissions")!;
 
-        return new()
+        // Create basic set of claims used by the frontend
+        var claims = new List<AuthClaimResponse>()
         {
-            Email = user.Email,
-            Username = user.Username,
-            Permissions = user.Permissions
+            new(ClaimTypes.Name, username),
+            new(ClaimTypes.NameIdentifier, id),
+            new(ClaimTypes.Email, email),
+            new("UserId", userId),
+            new("Permissions", permissions)
         };
+
+        // Enrich the frontend claims by extensions (used by plugins)
+        foreach (var extension in Extensions)
+        {
+            claims.AddRange(
+                await extension.GetFrontendClaims(User)
+            );
+        }
+
+        return claims.ToArray();
+    }
+
+    [HttpGet("logout")]
+    public async Task Logout()
+    {
+        await HttpContext.SignOutAsync();
+        await Results.Redirect("/").ExecuteAsync(HttpContext);
     }
 }