188 lines
8.1 KiB
C#
188 lines
8.1 KiB
C#
using Microsoft.AspNetCore.Http;
|
|
using Microsoft.Extensions.Logging;
|
|
using Mirea.Api.Security.Common.Domain;
|
|
using Mirea.Api.Security.Common.Domain.OAuth2;
|
|
using Mirea.Api.Security.Common.Domain.OAuth2.UserInfo;
|
|
using Mirea.Api.Security.Common.Interfaces;
|
|
using System;
|
|
using System.Collections.Generic;
|
|
using System.Linq;
|
|
using System.Net.Http;
|
|
using System.Net.Http.Headers;
|
|
using System.Security;
|
|
using System.Security.Cryptography;
|
|
using System.Text;
|
|
using System.Text.Json;
|
|
using System.Threading;
|
|
using System.Threading.Tasks;
|
|
|
|
namespace Mirea.Api.Security.Services;
|
|
|
|
public class OAuthService(ILogger<OAuthService> logger, Dictionary<OAuthProvider, (string ClientId, string Secret)> providers, string secretKey)
|
|
{
|
|
private static readonly Dictionary<OAuthProvider, OAuthProviderUrisData> ProviderData = new()
|
|
{
|
|
[OAuthProvider.Google] = new OAuthProviderUrisData
|
|
{
|
|
RedirectUrl = "https://accounts.google.com/o/oauth2/v2/auth",
|
|
TokenUrl = "https://oauth2.googleapis.com/token",
|
|
UserInfoUrl = "https://www.googleapis.com/oauth2/v2/userinfo",
|
|
Scope = "openid email profile",
|
|
AuthHeader = "Bearer",
|
|
UserInfoType = typeof(GoogleUserInfo)
|
|
},
|
|
[OAuthProvider.Yandex] = new OAuthProviderUrisData
|
|
{
|
|
RedirectUrl = "https://oauth.yandex.ru/authorize",
|
|
TokenUrl = "https://oauth.yandex.ru/token",
|
|
UserInfoUrl = "https://login.yandex.ru/info?format=json",
|
|
Scope = "login:email login:info login:avatar",
|
|
AuthHeader = "OAuth",
|
|
UserInfoType = typeof(YandexUserInfo)
|
|
},
|
|
[OAuthProvider.MailRu] = new OAuthProviderUrisData
|
|
{
|
|
RedirectUrl = "https://oauth.mail.ru/login",
|
|
TokenUrl = "https://oauth.mail.ru/token",
|
|
UserInfoUrl = "https://oauth.mail.ru/userinfo",
|
|
AuthHeader = "",
|
|
Scope = "",
|
|
UserInfoType = typeof(MailRuUserInfo)
|
|
}
|
|
};
|
|
|
|
private static async Task<OAuthTokenResponse?> ExchangeCodeForTokensAsync(string requestUri, string redirectUrl, string code, string clientId, string secret, CancellationToken cancellation)
|
|
{
|
|
var tokenRequest = new HttpRequestMessage(HttpMethod.Post, requestUri)
|
|
{
|
|
Content = new FormUrlEncodedContent(new Dictionary<string, string>
|
|
{
|
|
{ "code", code },
|
|
{ "client_id", clientId },
|
|
{ "client_secret", secret },
|
|
{ "redirect_uri", redirectUrl},
|
|
{ "grant_type", "authorization_code" }
|
|
})
|
|
};
|
|
|
|
using var httpClient = new HttpClient();
|
|
httpClient.DefaultRequestHeaders.UserAgent.ParseAdd("MireaSchedule/1.0 (Winsomnia)");
|
|
|
|
var response = await httpClient.SendAsync(tokenRequest, cancellation);
|
|
var data = await response.Content.ReadAsStringAsync(cancellation);
|
|
|
|
if (!response.IsSuccessStatusCode)
|
|
throw new HttpRequestException(data);
|
|
|
|
return JsonSerializer.Deserialize<OAuthTokenResponse>(data);
|
|
}
|
|
|
|
private static async Task<OAuthUser?> GetUserProfileAsync(string requestUri, string authHeader, string accessToken, OAuthProvider provider, CancellationToken cancellation)
|
|
{
|
|
var request = new HttpRequestMessage(HttpMethod.Get, requestUri);
|
|
|
|
if (string.IsNullOrEmpty(authHeader))
|
|
request.RequestUri = new Uri(request.RequestUri?.AbsoluteUri + "?access_token=" + accessToken);
|
|
else
|
|
request.Headers.Authorization = new AuthenticationHeaderValue(authHeader, accessToken);
|
|
|
|
using var httpClient = new HttpClient();
|
|
httpClient.DefaultRequestHeaders.UserAgent.ParseAdd("MireaSchedule/1.0 (Winsomnia)");
|
|
|
|
var response = await httpClient.SendAsync(request, cancellation);
|
|
var data = await response.Content.ReadAsStringAsync(cancellation);
|
|
|
|
if (!response.IsSuccessStatusCode)
|
|
throw new HttpRequestException(data);
|
|
|
|
var userInfo = JsonSerializer.Deserialize(data, ProviderData[provider].UserInfoType) as IUserInfo;
|
|
return userInfo?.MapToInternalUser();
|
|
}
|
|
|
|
private static string GetHmacString(RequestContextInfo contextInfo, string secretKey)
|
|
{
|
|
var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secretKey));
|
|
return Convert.ToBase64String(hmac.ComputeHash(
|
|
Encoding.UTF8.GetBytes($"{contextInfo.Fingerprint}_{contextInfo.Ip}_{contextInfo.UserAgent}")));
|
|
}
|
|
|
|
public Uri GetProviderRedirect(HttpContext context, CookieOptionsParameters cookieOptions, string redirectUri, OAuthProvider provider)
|
|
{
|
|
var (clientId, _) = providers[provider];
|
|
|
|
var requestInfo = new RequestContextInfo(context, cookieOptions);
|
|
var state = GetHmacString(requestInfo, secretKey);
|
|
|
|
var redirectUrl = $"?client_id={clientId}" +
|
|
"&response_type=code" +
|
|
$"&redirect_uri={redirectUri}" +
|
|
$"&scope={ProviderData[provider].Scope}" +
|
|
$"&state={Uri.EscapeDataString(state + "_" + Enum.GetName(provider))}";
|
|
|
|
logger.LogInformation("Redirecting user Fingerprint: {Fingerprint} to OAuth provider {Provider} with state: {State}",
|
|
requestInfo.Fingerprint,
|
|
provider,
|
|
state);
|
|
|
|
return new Uri(ProviderData[provider].RedirectUrl + redirectUrl);
|
|
}
|
|
|
|
public (OAuthProvider Provider, Uri Redirect)[] GetAvailableProviders(string redirectUri) =>
|
|
[.. providers.Select(x => (x.Key, new Uri(redirectUri.TrimEnd('/') + "/?provider=" + (int)x.Key)))];
|
|
|
|
public async Task<(OAuthProvider provider, OAuthUser User)> LoginOAuth(HttpContext context, CookieOptionsParameters cookieOptions, string redirectUrl, string code, string state, CancellationToken cancellation = default)
|
|
{
|
|
var partsState = state.Split('_');
|
|
|
|
if (!Enum.TryParse<OAuthProvider>(partsState.Last(), true, out var provider) ||
|
|
!providers.TryGetValue(provider, out var providerInfo) ||
|
|
!ProviderData.TryGetValue(provider, out var currentProviderStruct))
|
|
{
|
|
logger.LogWarning("Failed to parse OAuth provider from state: {State}", state);
|
|
throw new InvalidOperationException("Invalid authorization request.");
|
|
}
|
|
|
|
var secretStateData = string.Join("_", partsState.SkipLast(1));
|
|
var requestInfo = new RequestContextInfo(context, cookieOptions);
|
|
var secretData = GetHmacString(requestInfo, secretKey);
|
|
|
|
if (secretData != secretStateData)
|
|
{
|
|
logger.LogWarning(
|
|
"Fingerprint mismatch. Possible CSRF attack detected. Fingerprint: {Fingerprint}, State: {State}, ExpectedState: {ExpectedState}",
|
|
requestInfo.Fingerprint,
|
|
secretData,
|
|
secretStateData
|
|
);
|
|
throw new SecurityException("Suspicious activity detected. Please try again.");
|
|
}
|
|
|
|
OAuthTokenResponse? accessToken = null;
|
|
try
|
|
{
|
|
accessToken = await ExchangeCodeForTokensAsync(currentProviderStruct.TokenUrl, redirectUrl, code, providerInfo.ClientId, providerInfo.Secret, cancellation);
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
logger.LogWarning(ex, "Failed to exchange code for access token with provider {Provider}. State: {State}", provider, state);
|
|
}
|
|
|
|
if (accessToken == null)
|
|
throw new SecurityException("Unable to complete authorization with the provider. Please try again later.");
|
|
|
|
OAuthUser? result = null;
|
|
try
|
|
{
|
|
result = await GetUserProfileAsync(currentProviderStruct.UserInfoUrl, currentProviderStruct.AuthHeader, accessToken.AccessToken, provider, cancellation);
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
logger.LogWarning(ex, "Failed to retrieve user information from provider {Provider}", provider);
|
|
}
|
|
|
|
if (result == null)
|
|
throw new SecurityException("Unable to retrieve user information. Please check the details and try again.");
|
|
|
|
return (provider, result);
|
|
}
|
|
} |