MireaBackend/Endpoint/Controllers/V1/AuthController.cs

using Asp.Versioning;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;
using Mirea.Api.Dto.Common;
using Mirea.Api.Dto.Requests;
using Mirea.Api.Dto.Responses;
using Mirea.Api.Endpoint.Common.Attributes;
using Mirea.Api.Endpoint.Common.Exceptions;
using Mirea.Api.Endpoint.Common.MapperDto;
using Mirea.Api.Endpoint.Common.Services;
using Mirea.Api.Endpoint.Configuration.Model;
using Mirea.Api.Security.Services;
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Diagnostics;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using CookieOptions = Mirea.Api.Security.Common.Model.CookieOptions;
using OAuthProvider = Mirea.Api.Security.Common.Domain.OAuthProvider;

namespace Mirea.Api.Endpoint.Controllers.V1;

[ApiVersion("1.0")]
public class AuthController(IOptionsSnapshot<Admin> user, IOptionsSnapshot<GeneralConfig> generalConfig, AuthService auth,
    PasswordHashService passwordService, OAuthService oAuthService) : BaseController
{
    private CookieOptions GetCookieParams() =>
        new()
        {
            Domain = HttpContext.GetCurrentDomain(),
            Path = UrlHelper.GetSubPathWithoutFirstApiName + "api"
        };

    private static string GenerateHtmlResponse(
        string title,
        string message,
        Uri? callback,
        string traceId,
        bool isError)
    {
        var callbackUrl = callback?.ToString();

        var script = callback == null ? string.Empty :
            $"<script>setTimeout(()=>{{window.location.href='{callbackUrl}';}}, {(isError ? 15000 : 5000)});</script>";

        var blockInfo = "<p>" + (callback == null ?
            "Вернитесь обратно и попробуйте снова позже.</p>" :
            $"Если вы не будете автоматически перенаправлены, нажмите ниже.</p>" +
            $"<a href=\"{callbackUrl}\" style=\"color:inherit;text-decoration:underline;\">Перейти вручную</a>");

        return $"<!DOCTYPE html><html lang=ru><head><meta charset=UTF-8><meta content=\"width=device-width,initial-scale=1\"name=viewport><link href=\"https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&display=swap\"rel=stylesheet><style>body{{background-color:#121212;color:#fff;font-family:Roboto,sans-serif;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;text-align:center}}.container{{max-width:600px;padding:20px;border-radius:8px;background-color:#1e1e1e;box-shadow:0 4px 20px rgba(0,0,0,.5)}}h1{{font-size:24px;margin-bottom:20px}}</style><title>{title}</title></head><body><div class=container><h1>{title}</h1>{blockInfo}<p style=font-size:14px;color:silver;>{message}</p><code style=font-size:12px;color:gray;>TraceId={traceId}</code></div>{script}</body></html>";
    }

    /// <summary>
    /// Handles the callback from an OAuth2 provider and finalizes the authorization process.
    /// </summary>
    /// <remarks>
    /// This method processes the response from an OAuth provider after the user authorizes the application. 
    /// Upon successful authorization, it redirects the user back to the specified callback URL.
    /// </remarks>
    /// <param name="code">The authorization code returned by the OAuth provider.</param>
    /// <param name="state">The state parameter to ensure the request's integrity and prevent CSRF attacks.</param>
    /// <returns>
    /// An HTML response indicating the success or failure of the authorization process. 
    /// If a callback URL is provided, the user will be redirected to it.
    /// </returns>
    [HttpGet("OAuth2")]
    [BadRequestResponse]
    [Produces("text/html")]
    [MaintenanceModeIgnore]
    public async Task<ContentResult> OAuth2([FromQuery] string? code, [FromQuery] string? state)
    {
        var traceId = Activity.Current?.Id ?? HttpContext.TraceIdentifier;

        if (string.IsNullOrEmpty(code) || string.IsNullOrEmpty(state))
            return Content(GenerateHtmlResponse(
                "Ошибка передачи данных!",
                "Провайдер OAuth не передал нужных данных.",
                null,
                traceId,
                true), "text/html");

        var result = await oAuthService.LoginOAuth(GetCookieParams(), HttpContext,
                HttpContext.GetApiUrl(Url.Action("OAuth2")!), code, state);

        string? callbackUrl = null;

        if (result.Callback != null)
            callbackUrl = result.Callback + (result.Callback.Query.Length > 0 ? "&" : "?") +
                          $"result={Uri.EscapeDataString(result.Token)}";

        string title, message;

        if (!result.Success)
        {
            if (callbackUrl != null)
                callbackUrl += $"&traceId={Uri.EscapeDataString(traceId)}";

            title = "Ошибка авторизации!";
            message = result.ErrorMessage ?? "Произошла ошибка. Попробуйте ещё раз.";
        }
        else
        {
            title = "Авторизация завершена!";
            message = "Вы будете перенаправлены обратно через несколько секунд.";
        }

        return Content(GenerateHtmlResponse(
            title,
            message,
            callbackUrl == null ? null : new Uri(callbackUrl),
            traceId,
            !result.Success), "text/html");
    }

    /// <summary>
    /// Initiates the OAuth2 authorization process for the selected provider.
    /// </summary>
    /// <remarks>
    /// This method generates a redirect URL for the selected provider and redirects the user to it.
    /// </remarks>
    /// <param name="provider">The identifier of the OAuth provider to authorize with.</param>
    /// <param name="callback">The address where the user will need to be redirected after the end of communication with the OAuth provider</param>
    /// <returns>A redirect to the OAuth provider's authorization URL.</returns>
    /// <exception cref="ControllerArgumentException">Thrown if the specified provider is not valid.</exception>
    [HttpGet("AuthorizeOAuth2")]
    [MaintenanceModeIgnore]
    public ActionResult AuthorizeOAuth2([FromQuery] int provider, [FromQuery] Uri callback)
    {
        if (!Enum.IsDefined(typeof(OAuthProvider), provider))
            throw new ControllerArgumentException("There is no selected provider");

        if (!callback.IsAbsoluteUri)
            throw new ControllerArgumentException("The callback URL must be absolute.");

        return Redirect(oAuthService.GetProviderRedirect(GetCookieParams(), HttpContext,
            HttpContext.GetApiUrl(Url.Action("OAuth2")!),
            (OAuthProvider)provider,
            callback).AbsoluteUri);
    }

    /// <summary>
    /// Retrieves a list of available OAuth providers with their corresponding authorization URLs.
    /// </summary>
    /// <remarks>
    /// This allows the client to fetch all possible OAuth options and the URLs required to initiate authorization.
    /// </remarks>
    /// <returns>A list of available providers and their redirect URLs.</returns>
    [HttpGet("AvailableProviders")]
    [MaintenanceModeIgnore]
    public ActionResult<List<AvailableOAuthProvidersResponse>> AvailableProviders([FromQuery] Uri callback) =>
        Ok(oAuthService
            .GetAvailableProviders(HttpContext.GetApiUrl(Url.Action("AuthorizeOAuth2")!))
            .Select(x =>
            {
                if (!callback.IsAbsoluteUri)
                    throw new ControllerArgumentException("The callback URL must be absolute.");

                x.Redirect = new Uri(x.Redirect + "&callback=" + Uri.EscapeDataString(callback.AbsoluteUri));
                return x;
            })
            .ConvertToDto());

    /// <summary>
    /// Processes the OAuth token
    /// </summary>
    /// <param name="token">The OAuth token used for authentication or binding.</param>
    /// <param name="action">The action to be performed: Login or Bind.</param>
    /// <returns>If <see cref="OAuthAction.Bind"/> return Ok. If <see cref="OAuthAction.Login"/> return <see cref="TwoFactorAuthentication"/></returns>
    [HttpGet("HandleToken")]
    [BadRequestResponse]
    public async Task<ActionResult> HandleToken([FromQuery][MinLength(2)] string token, [FromQuery] OAuthAction action)
    {
        var (oAuthUser, error, isSuccess, provider) = await oAuthService.GetOAuthUser(GetCookieParams(), HttpContext, token);

        if (!isSuccess || oAuthUser == null || provider == null)
            throw new ControllerArgumentException(error ?? "Token processing error.");

        switch (action)
        {
            case OAuthAction.Login:
                return Ok(await auth.LoginOAuthAsync(GetCookieParams(), HttpContext, user.Value.ConvertToSecurity(), oAuthUser, provider.Value));

            case OAuthAction.Bind:
                var userId = HttpContext.User.FindFirstValue(ClaimTypes.NameIdentifier);
                var admin = user.Value;

                if (string.IsNullOrEmpty(userId) || !int.TryParse(userId, out var result) || result != 1)
                    return Unauthorized(new ProblemDetails
                    {
                        Type = "https://tools.ietf.org/html/rfc9110#section-15.5.2",
                        Title = "Unauthorized",
                        Status = StatusCodes.Status401Unauthorized,
                        Detail = "The user is not logged in to link accounts.",
                        Extensions = new Dictionary<string, object?>()
                        {
                            { "traceId", Activity.Current?.Id ?? HttpContext.TraceIdentifier }
                        }
                    });

                if (admin.OAuthProviders != null && admin.OAuthProviders.ContainsKey(provider.Value))
                    return Conflict(new ProblemDetails
                    {
                        Type = "https://tools.ietf.org/html/rfc9110#section-15.5.10",
                        Title = "Conflict",
                        Status = StatusCodes.Status409Conflict,
                        Detail = "This OAuth provider is already associated with the account.",
                        Extensions = new Dictionary<string, object?>()
                        {
                            { "traceId", Activity.Current?.Id ?? HttpContext.TraceIdentifier }
                        }
                    });

                admin.OAuthProviders ??= [];
                admin.OAuthProviders.Add(provider.Value, oAuthUser);
                admin.SaveSetting();

                return Ok();
            default:
                throw new ControllerArgumentException("The action cannot be processed.");
        }
    }

    /// <summary>
    /// Logs in a user using their username or email and password.
    /// </summary>
    /// <param name="request">The login request containing username/email and password.</param>
    /// <returns>A TwoFactorAuthentication token if the login is successful; otherwise, a BadRequest response.</returns>
    [HttpPost("Login")]
    [BadRequestResponse]
    public async Task<ActionResult<TwoFactorAuthentication>> Login([FromBody] LoginRequest request)
    {
        var userEntity = user.Value;

        var tokenResult = await auth.LoginAsync(
            GetCookieParams(),
            HttpContext,
            userEntity.ConvertToSecurity(),
            request.Password, request.Username);

        return Ok(tokenResult.ConvertToDto());
    }

    /// <summary>
    /// Performs two-factor authentication for the user.
    /// </summary>
    /// <param name="request">The request containing the method and code for two-factor authentication.</param>
    /// <returns>A boolean indicating whether the two-factor authentication was successful.</returns>
    [HttpPost("2FA")]
    [BadRequestResponse]
    public async Task<ActionResult<bool>> TwoFactorAuth([FromBody] TwoFactorAuthRequest request) =>
        await auth.LoginAsync(GetCookieParams(), HttpContext, request.Method.ConvertFromDto(), request.Code);

    /// <summary>
    /// Refreshes the authentication token using the existing refresh token.
    /// </summary>
    /// <returns>User's AuthRoles.</returns>
    [HttpGet("ReLogin")]
    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
    [ProducesResponseType(StatusCodes.Status403Forbidden)]
    public async Task<ActionResult<AuthRoles>> ReLogin()
    {
        await auth.RefreshTokenAsync(GetCookieParams(), HttpContext);
        return Ok(AuthRoles.Admin);
    }

    /// <summary>
    /// Logs the user out by clearing the refresh token and performing any necessary cleanup.
    /// </summary>
    /// <returns>An Ok response if the logout was successful.</returns>
    [HttpGet("Logout")]
    public async Task<ActionResult> Logout()
    {
        await auth.LogoutAsync(GetCookieParams(), HttpContext);
        return Ok();
    }

    /// <summary>
    /// Retrieves the role of the authenticated user.
    /// </summary>
    /// <returns>The role of the authenticated user.</returns>
    [HttpGet("GetRole")]
    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
    [Authorize]
    public ActionResult<AuthRoles> GetRole() => Ok(AuthRoles.Admin);

    [HttpPost("RenewPassword")]
    [ApiExplorerSettings(IgnoreApi = true)]
    [Localhost]
    [BadRequestResponse]
    public ActionResult<string> RenewPassword([FromBody] string? password = null)
    {
        var passwordPolicy = generalConfig.Value.PasswordPolicy;
        var passwordPolicyService = new PasswordPolicyService(passwordPolicy);

        if (string.IsNullOrEmpty(password))
            password = string.Empty;
        else
            passwordPolicyService.ValidatePasswordOrThrow(password);

        while (!passwordPolicyService.TryValidatePassword(password))
            password = GeneratorKey.GenerateAlphaNumeric(passwordPolicy.MinimumLength + 2, includes: "!@#%^");

        var (salt, hash) = passwordService.HashPassword(password);

        var admin = user.Value;

        admin.Salt = salt;
        admin.PasswordHash = hash;
        admin.SaveSetting();

        return Ok(password);
    }
}