MireaBackend/Endpoint/Controllers/V1/AuthController.cs

using Asp.Versioning;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;
using Mirea.Api.Dto.Common;
using Mirea.Api.Dto.Requests;
using Mirea.Api.Dto.Responses;
using Mirea.Api.Endpoint.Common.Attributes;
using Mirea.Api.Endpoint.Common.Exceptions;
using Mirea.Api.Endpoint.Common.MapperDto;
using Mirea.Api.Endpoint.Common.Services;
using Mirea.Api.Endpoint.Configuration.Model;
using Mirea.Api.Security.Common.Domain;
using Mirea.Api.Security.Services;
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using OAuthProvider = Mirea.Api.Security.Common.Domain.OAuthProvider;

namespace Mirea.Api.Endpoint.Controllers.V1;

[ApiVersion("1.0")]
public class AuthController(IOptionsSnapshot<Admin> user, AuthService auth, PasswordHashService passwordService) : BaseController
{
    private CookieOptionsParameters GetCookieParams() =>
        new()
        {
            Domain = HttpContext.GetCurrentDomain(),
            Path = UrlHelper.GetSubPathWithoutFirstApiName + "api"
        };

    /// <summary>
    /// Initiates the OAuth2 authorization process for the selected provider.
    /// </summary>
    /// <remarks>
    /// This method generates a redirect URL for the selected provider and redirects the user to it.
    /// </remarks>
    /// <param name="provider">The identifier of the OAuth provider to authorize with.</param>
    /// <returns>A redirect to the OAuth provider's authorization URL.</returns>
    /// <exception cref="ControllerArgumentException">Thrown if the specified provider is not valid.</exception>
    [HttpGet("AuthorizeOAuth2")]
    [MaintenanceModeIgnore]
    public ActionResult AuthorizeOAuth2([FromQuery] int provider)
    {
        if (!Enum.IsDefined(typeof(OAuthProvider), provider))
            throw new ControllerArgumentException("There is no selected provider");

        return Redirect(oAuthService.GetProviderRedirect(HttpContext, GetCookieParams(), HttpContext.GetApiUrl(Url.Action("OAuth2")!), (OAuthProvider)provider).AbsoluteUri);
    }

    /// <summary>
    /// Retrieves a list of available OAuth providers with their corresponding authorization URLs.
    /// </summary>
    /// <remarks>
    /// This allows the client to fetch all possible OAuth options and the URLs required to initiate authorization.
    /// </remarks>
    /// <returns>A list of available providers and their redirect URLs.</returns>
    [HttpGet("AvailableProviders")]
    [MaintenanceModeIgnore]
    public ActionResult<List<AvailableOAuthProvidersResponse>> AvailableProviders() =>
        Ok(oAuthService
            .GetAvailableProviders(HttpContext, HttpContext.GetApiUrl(Url.Action("AuthorizeOAuth2")!))
            .ConvertToDto());

    /// <summary>
    /// Logs in a user using their username or email and password.
    /// </summary>
    /// <param name="request">The login request containing username/email and password.</param>
    /// <returns>A TwoFactorAuthentication token if the login is successful; otherwise, a BadRequest response.</returns>
    [HttpPost("Login")]
    [BadRequestResponse]
    public async Task<ActionResult<TwoFactorAuthentication>> Login([FromBody] LoginRequest request)
    {
        var userEntity = user.Value;

        if (!userEntity.Username.Equals(request.Username, StringComparison.OrdinalIgnoreCase) &&
            !userEntity.Email.Equals(request.Username, StringComparison.OrdinalIgnoreCase))
            return Unauthorized("Authentication failed. Please check your credentials.");

        var tokenResult = await auth.LoginAsync(
            GetCookieParams(),
            new User
            {
                Id = 1.ToString(),
                Username = userEntity.Username,
                Email = userEntity.Email,
                PasswordHash = userEntity.PasswordHash,
                Salt = userEntity.Salt,
                TwoFactorAuthenticator = userEntity.TwoFactorAuthenticator,
                SecondFactorToken = userEntity.Secret,
                OAuthProviders = userEntity.OAuthProviders
            },
            HttpContext, request.Password);

        return Ok(tokenResult.ConvertToDto());
    }

    /// <summary>
    /// Performs two-factor authentication for the user.
    /// </summary>
    /// <param name="request">The request containing the method and code for two-factor authentication.</param>
    /// <returns>A boolean indicating whether the two-factor authentication was successful.</returns>
    [HttpPost("2FA")]
    [BadRequestResponse]
    public async Task<ActionResult<bool>> TwoFactorAuth([FromBody] TwoFactorAuthRequest request)
    {
        var tokenResult = await auth.LoginAsync(GetCookieParams(), HttpContext, request.Method.ConvertFromDto(), request.Code);
        return Ok(tokenResult);
    }

    /// <summary>
    /// Refreshes the authentication token using the existing refresh token.
    /// </summary>
    /// <returns>User's AuthRoles.</returns>
    [HttpGet("ReLogin")]
    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
    [ProducesResponseType(StatusCodes.Status403Forbidden)]
    public async Task<ActionResult<AuthRoles>> ReLogin()
    {
        await auth.RefreshTokenAsync(GetCookieParams(), HttpContext);
        return Ok(AuthRoles.Admin);
    }

    /// <summary>
    /// Logs the user out by clearing the refresh token and performing any necessary cleanup.
    /// </summary>
    /// <returns>An Ok response if the logout was successful.</returns>
    [HttpGet("Logout")]
    public async Task<ActionResult> Logout()
    {
        await auth.LogoutAsync(GetCookieParams(), HttpContext);
        return Ok();
    }

    /// <summary>
    /// Retrieves the role of the authenticated user.
    /// </summary>
    /// <returns>The role of the authenticated user.</returns>
    [HttpGet("GetRole")]
    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
    [Authorize]
    public ActionResult<AuthRoles> GetRole() => Ok(AuthRoles.Admin);

    [HttpPost("RenewPassword")]
    [ApiExplorerSettings(IgnoreApi = true)]
    [Localhost]
    [BadRequestResponse]
    public ActionResult<string> RenewPassword([FromBody] string? password = null)
    {
        if (string.IsNullOrEmpty(password))
            password = string.Empty;
        else if (!PasswordHashService.HasPasswordInPolicySecurity(password))
            throw new ControllerArgumentException("The password must be at least 8 characters long and contain at least one uppercase letter and one special character.");

        while (!PasswordHashService.HasPasswordInPolicySecurity(password))
            password = GeneratorKey.GenerateAlphaNumeric(16, includes: "!@#%^");

        var (salt, hash) = passwordService.HashPassword(password);

        var admin = user.Value;

        admin.Salt = salt;
        admin.PasswordHash = hash;
        admin.SaveSetting();

        return Ok(password);
    }
}