320 lines
14 KiB
C#
320 lines
14 KiB
C#
using Asp.Versioning;
|
|
using Microsoft.AspNetCore.Authorization;
|
|
using Microsoft.AspNetCore.Http;
|
|
using Microsoft.AspNetCore.Mvc;
|
|
using Microsoft.Extensions.Options;
|
|
using Mirea.Api.Dto.Common;
|
|
using Mirea.Api.Dto.Requests;
|
|
using Mirea.Api.Dto.Responses;
|
|
using Mirea.Api.Endpoint.Common.Attributes;
|
|
using Mirea.Api.Endpoint.Common.Exceptions;
|
|
using Mirea.Api.Endpoint.Common.MapperDto;
|
|
using Mirea.Api.Endpoint.Common.Services;
|
|
using Mirea.Api.Endpoint.Configuration.Model;
|
|
using Mirea.Api.Security.Services;
|
|
using System;
|
|
using System.Collections.Generic;
|
|
using System.ComponentModel.DataAnnotations;
|
|
using System.Diagnostics;
|
|
using System.Linq;
|
|
using System.Security.Claims;
|
|
using System.Threading.Tasks;
|
|
using CookieOptions = Mirea.Api.Security.Common.Model.CookieOptions;
|
|
using OAuthProvider = Mirea.Api.Security.Common.Domain.OAuthProvider;
|
|
|
|
namespace Mirea.Api.Endpoint.Controllers.V1;
|
|
|
|
[ApiVersion("1.0")]
|
|
public class AuthController(IOptionsSnapshot<Admin> user, IOptionsSnapshot<GeneralConfig> generalConfig, AuthService auth,
|
|
PasswordHashService passwordService, OAuthService oAuthService) : BaseController
|
|
{
|
|
private CookieOptions GetCookieParams() =>
|
|
new()
|
|
{
|
|
Domain = HttpContext.GetCurrentDomain(),
|
|
Path = UrlHelper.GetSubPathWithoutFirstApiName + "api"
|
|
};
|
|
|
|
private static string GenerateHtmlResponse(
|
|
string title,
|
|
string message,
|
|
Uri? callback,
|
|
string traceId,
|
|
bool isError)
|
|
{
|
|
var callbackUrl = callback?.ToString();
|
|
|
|
var script = callback == null ? string.Empty :
|
|
$"<script>setTimeout(()=>{{window.location.href='{callbackUrl}';}}, {(isError ? 15000 : 5000)});</script>";
|
|
|
|
var blockInfo = "<p>" + (callback == null ?
|
|
"Вернитесь обратно и попробуйте снова позже.</p>" :
|
|
$"Если вы не будете автоматически перенаправлены, нажмите ниже.</p>" +
|
|
$"<a href=\"{callbackUrl}\" style=\"color:inherit;text-decoration:underline;\">Перейти вручную</a>");
|
|
|
|
return $"<!DOCTYPE html><html lang=ru><head><meta charset=UTF-8><meta content=\"width=device-width,initial-scale=1\"name=viewport><link href=\"https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&display=swap\"rel=stylesheet><style>body{{background-color:#121212;color:#fff;font-family:Roboto,sans-serif;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;text-align:center}}.container{{max-width:600px;padding:20px;border-radius:8px;background-color:#1e1e1e;box-shadow:0 4px 20px rgba(0,0,0,.5)}}h1{{font-size:24px;margin-bottom:20px}}</style><title>{title}</title></head><body><div class=container><h1>{title}</h1>{blockInfo}<p style=font-size:14px;color:silver;>{message}</p><code style=font-size:12px;color:gray;>TraceId={traceId}</code></div>{script}</body></html>";
|
|
}
|
|
|
|
/// <summary>
|
|
/// Handles the callback from an OAuth2 provider and finalizes the authorization process.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// This method processes the response from an OAuth provider after the user authorizes the application.
|
|
/// Upon successful authorization, it redirects the user back to the specified callback URL.
|
|
/// </remarks>
|
|
/// <param name="code">The authorization code returned by the OAuth provider.</param>
|
|
/// <param name="state">The state parameter to ensure the request's integrity and prevent CSRF attacks.</param>
|
|
/// <returns>
|
|
/// An HTML response indicating the success or failure of the authorization process.
|
|
/// If a callback URL is provided, the user will be redirected to it.
|
|
/// </returns>
|
|
[HttpGet("OAuth2")]
|
|
[BadRequestResponse]
|
|
[Produces("text/html")]
|
|
[MaintenanceModeIgnore]
|
|
public async Task<ContentResult> OAuth2([FromQuery] string? code, [FromQuery] string? state)
|
|
{
|
|
var traceId = Activity.Current?.Id ?? HttpContext.TraceIdentifier;
|
|
|
|
if (string.IsNullOrEmpty(code) || string.IsNullOrEmpty(state))
|
|
return Content(GenerateHtmlResponse(
|
|
"Ошибка передачи данных!",
|
|
"Провайдер OAuth не передал нужных данных.",
|
|
null,
|
|
traceId,
|
|
true), "text/html");
|
|
|
|
var result = await oAuthService.LoginOAuth(GetCookieParams(), HttpContext,
|
|
HttpContext.GetApiUrl(Url.Action("OAuth2")!), code, state);
|
|
|
|
string? callbackUrl = null;
|
|
|
|
if (result.Callback != null)
|
|
callbackUrl = result.Callback + (result.Callback.Query.Length > 0 ? "&" : "?") +
|
|
$"result={Uri.EscapeDataString(result.Token)}";
|
|
|
|
string title, message;
|
|
|
|
if (!result.Success)
|
|
{
|
|
if (callbackUrl != null)
|
|
callbackUrl += $"&traceId={Uri.EscapeDataString(traceId)}";
|
|
|
|
title = "Ошибка авторизации!";
|
|
message = result.ErrorMessage ?? "Произошла ошибка. Попробуйте ещё раз.";
|
|
}
|
|
else
|
|
{
|
|
title = "Авторизация завершена!";
|
|
message = "Вы будете перенаправлены обратно через несколько секунд.";
|
|
}
|
|
|
|
return Content(GenerateHtmlResponse(
|
|
title,
|
|
message,
|
|
callbackUrl == null ? null : new Uri(callbackUrl),
|
|
traceId,
|
|
!result.Success), "text/html");
|
|
}
|
|
|
|
/// <summary>
|
|
/// Initiates the OAuth2 authorization process for the selected provider.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// This method generates a redirect URL for the selected provider and redirects the user to it.
|
|
/// </remarks>
|
|
/// <param name="provider">The identifier of the OAuth provider to authorize with.</param>
|
|
/// <param name="callback">The address where the user will need to be redirected after the end of communication with the OAuth provider</param>
|
|
/// <returns>A redirect to the OAuth provider's authorization URL.</returns>
|
|
/// <exception cref="ControllerArgumentException">Thrown if the specified provider is not valid.</exception>
|
|
[HttpGet("AuthorizeOAuth2")]
|
|
[MaintenanceModeIgnore]
|
|
public ActionResult AuthorizeOAuth2([FromQuery] int provider, [FromQuery] Uri callback)
|
|
{
|
|
if (!Enum.IsDefined(typeof(OAuthProvider), provider))
|
|
throw new ControllerArgumentException("There is no selected provider");
|
|
|
|
if (!callback.IsAbsoluteUri)
|
|
throw new ControllerArgumentException("The callback URL must be absolute.");
|
|
|
|
return Redirect(oAuthService.GetProviderRedirect(GetCookieParams(), HttpContext,
|
|
HttpContext.GetApiUrl(Url.Action("OAuth2")!),
|
|
(OAuthProvider)provider,
|
|
callback).AbsoluteUri);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Retrieves a list of available OAuth providers with their corresponding authorization URLs.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// This allows the client to fetch all possible OAuth options and the URLs required to initiate authorization.
|
|
/// </remarks>
|
|
/// <returns>A list of available providers and their redirect URLs.</returns>
|
|
[HttpGet("AvailableProviders")]
|
|
[MaintenanceModeIgnore]
|
|
public ActionResult<List<AvailableOAuthProvidersResponse>> AvailableProviders([FromQuery] Uri callback) =>
|
|
Ok(oAuthService
|
|
.GetAvailableProviders(HttpContext.GetApiUrl(Url.Action("AuthorizeOAuth2")!))
|
|
.Select(x =>
|
|
{
|
|
if (!callback.IsAbsoluteUri)
|
|
throw new ControllerArgumentException("The callback URL must be absolute.");
|
|
|
|
x.Redirect = new Uri(x.Redirect + "&callback=" + Uri.EscapeDataString(callback.AbsoluteUri));
|
|
return x;
|
|
})
|
|
.ConvertToDto());
|
|
|
|
/// <summary>
|
|
/// Processes the OAuth token
|
|
/// </summary>
|
|
/// <param name="token">The OAuth token used for authentication or binding.</param>
|
|
/// <param name="action">The action to be performed: Login or Bind.</param>
|
|
/// <returns>If <see cref="OAuthAction.Bind"/> return Ok. If <see cref="OAuthAction.Login"/> return <see cref="TwoFactorAuthentication"/></returns>
|
|
[HttpGet("HandleToken")]
|
|
[MaintenanceModeIgnore]
|
|
[BadRequestResponse]
|
|
public async Task<ActionResult> HandleToken([FromQuery][MinLength(2)] string token, [FromQuery] OAuthAction action)
|
|
{
|
|
var (oAuthUser, error, isSuccess, provider) = await oAuthService.GetOAuthUser(GetCookieParams(), HttpContext, token);
|
|
|
|
if (!isSuccess || oAuthUser == null || provider == null)
|
|
throw new ControllerArgumentException(error ?? "Token processing error.");
|
|
|
|
switch (action)
|
|
{
|
|
case OAuthAction.Login:
|
|
return Ok(await auth.LoginOAuthAsync(GetCookieParams(), HttpContext, user.Value.ConvertToSecurity(), oAuthUser, provider.Value));
|
|
|
|
case OAuthAction.Bind:
|
|
var userId = HttpContext.User.FindFirstValue(ClaimTypes.NameIdentifier);
|
|
var admin = user.Value;
|
|
|
|
if (string.IsNullOrEmpty(userId) || !int.TryParse(userId, out var result) || result != 1)
|
|
return Unauthorized(new ProblemDetails
|
|
{
|
|
Type = "https://tools.ietf.org/html/rfc9110#section-15.5.2",
|
|
Title = "Unauthorized",
|
|
Status = StatusCodes.Status401Unauthorized,
|
|
Detail = "The user is not logged in to link accounts.",
|
|
Extensions = new Dictionary<string, object?>()
|
|
{
|
|
{ "traceId", Activity.Current?.Id ?? HttpContext.TraceIdentifier }
|
|
}
|
|
});
|
|
|
|
if (admin.OAuthProviders != null && admin.OAuthProviders.ContainsKey(provider.Value))
|
|
return Conflict(new ProblemDetails
|
|
{
|
|
Type = "https://tools.ietf.org/html/rfc9110#section-15.5.10",
|
|
Title = "Conflict",
|
|
Status = StatusCodes.Status409Conflict,
|
|
Detail = "This OAuth provider is already associated with the account.",
|
|
Extensions = new Dictionary<string, object?>()
|
|
{
|
|
{ "traceId", Activity.Current?.Id ?? HttpContext.TraceIdentifier }
|
|
}
|
|
});
|
|
|
|
admin.OAuthProviders ??= [];
|
|
admin.OAuthProviders.Add(provider.Value, oAuthUser);
|
|
admin.SaveSetting();
|
|
|
|
return Ok();
|
|
default:
|
|
throw new ControllerArgumentException("The action cannot be processed.");
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Logs in a user using their username or email and password.
|
|
/// </summary>
|
|
/// <param name="request">The login request containing username/email and password.</param>
|
|
/// <returns>A TwoFactorAuthentication token if the login is successful; otherwise, a BadRequest response.</returns>
|
|
[HttpPost("Login")]
|
|
[BadRequestResponse]
|
|
public async Task<ActionResult<TwoFactorAuthentication>> Login([FromBody] LoginRequest request)
|
|
{
|
|
var userEntity = user.Value;
|
|
|
|
var tokenResult = await auth.LoginAsync(
|
|
GetCookieParams(),
|
|
HttpContext,
|
|
userEntity.ConvertToSecurity(),
|
|
request.Password, request.Username);
|
|
|
|
return Ok(tokenResult.ConvertToDto());
|
|
}
|
|
|
|
/// <summary>
|
|
/// Performs two-factor authentication for the user.
|
|
/// </summary>
|
|
/// <param name="request">The request containing the method and code for two-factor authentication.</param>
|
|
/// <returns>A boolean indicating whether the two-factor authentication was successful.</returns>
|
|
[HttpPost("2FA")]
|
|
[BadRequestResponse]
|
|
public async Task<ActionResult<bool>> TwoFactorAuth([FromBody] TwoFactorAuthRequest request) =>
|
|
await auth.LoginAsync(GetCookieParams(), HttpContext, request.Method.ConvertFromDto(), request.Code);
|
|
|
|
/// <summary>
|
|
/// Refreshes the authentication token using the existing refresh token.
|
|
/// </summary>
|
|
/// <returns>User's AuthRoles.</returns>
|
|
[HttpGet("ReLogin")]
|
|
[ProducesResponseType(StatusCodes.Status401Unauthorized)]
|
|
[ProducesResponseType(StatusCodes.Status403Forbidden)]
|
|
public async Task<ActionResult<AuthRoles>> ReLogin()
|
|
{
|
|
await auth.RefreshTokenAsync(GetCookieParams(), HttpContext);
|
|
return Ok(AuthRoles.Admin);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Logs the user out by clearing the refresh token and performing any necessary cleanup.
|
|
/// </summary>
|
|
/// <returns>An Ok response if the logout was successful.</returns>
|
|
[HttpGet("Logout")]
|
|
public async Task<ActionResult> Logout()
|
|
{
|
|
await auth.LogoutAsync(GetCookieParams(), HttpContext);
|
|
return Ok();
|
|
}
|
|
|
|
/// <summary>
|
|
/// Retrieves the role of the authenticated user.
|
|
/// </summary>
|
|
/// <returns>The role of the authenticated user.</returns>
|
|
[HttpGet("GetRole")]
|
|
[ProducesResponseType(StatusCodes.Status401Unauthorized)]
|
|
[Authorize]
|
|
public ActionResult<AuthRoles> GetRole() => Ok(AuthRoles.Admin);
|
|
|
|
[HttpPost("RenewPassword")]
|
|
[ApiExplorerSettings(IgnoreApi = true)]
|
|
[Localhost]
|
|
[BadRequestResponse]
|
|
public ActionResult<string> RenewPassword([FromBody] string? password = null)
|
|
{
|
|
var passwordPolicy = generalConfig.Value.PasswordPolicy;
|
|
var passwordPolicyService = new PasswordPolicyService(passwordPolicy);
|
|
|
|
if (string.IsNullOrEmpty(password))
|
|
password = string.Empty;
|
|
else
|
|
passwordPolicyService.ValidatePasswordOrThrow(password);
|
|
|
|
while (!passwordPolicyService.TryValidatePassword(password))
|
|
password = GeneratorKey.GenerateAlphaNumeric(passwordPolicy.MinimumLength + 2, includes: "!@#%^");
|
|
|
|
var (salt, hash) = passwordService.HashPassword(password);
|
|
|
|
var admin = user.Value;
|
|
|
|
admin.Salt = salt;
|
|
admin.PasswordHash = hash;
|
|
admin.SaveSetting();
|
|
|
|
return Ok(password);
|
|
}
|
|
}
|