azaion/admin
1
0
Fork 0
mirror of https://github.com/azaion/admin.git synced 2026-04-23 01:26:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

add authorization

Browse Source
This commit is contained in:
Alex Bezdieniezhnykh
2024-11-11 21:07:28 +02:00
parent ca6175da7f
commit 85139b4fd2
12 changed files with 146 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Azaion.Api/Azaion.Api.csproj
+1
View File
@@ -8,6 +8,7 @@
<ItemGroup>
<PackageReference Include="FluentValidation.AspNetCore" Version="11.3.0" />
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.10" />
<PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="8.0.8"/>
<PackageReference Include="Swashbuckle.AspNetCore" Version="6.4.0"/>
</ItemGroup>
Azaion.Api/Program.cs
+76 -11
View File
@@ -1,11 +1,41 @@
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Azaion.Common;
using Azaion.Common.Configs;
using Azaion.Common.Database;
using Azaion.Common.Entities;
using Azaion.Common.Requests;
using Azaion.Services;
using FluentValidation;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;
var builder = WebApplication.CreateBuilder(args);
builder.Configuration.AddEnvironmentVariables();
var jwtConfig = builder.Configuration.GetSection(nameof(JwtConfig)).Get<JwtConfig>();
if (jwtConfig == null)
throw new Exception("Missing configuration section: JwtConfig");
var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(jwtConfig.Secret));
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(o =>
{
o.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
ValidIssuer = jwtConfig.Issuer,
ValidAudience = jwtConfig.Audience,
IssuerSigningKey = signingKey
};
});
builder.Services.AddAuthorization();
builder.Services.AddHttpContextAccessor();
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
@@ -27,22 +57,57 @@ if (app.Environment.IsDevelopment())
}
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();
app.MapPost("/login",
async (string username, string password, IUserService userService, CancellationToken cancellationToken) =>
{
var user = await userService.ValidateUser(username, password);
var tokenHandler = new JwtSecurityTokenHandler();
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity([
new Claim(ClaimTypes.NameIdentifier, user.Id),
new Claim(ClaimTypes.Name, user.Email),
new Claim(ClaimTypes.Role, user.Role.ToString()),
new Claim(Constants.HARDWARE_ID, user.HardwareId)
]),
Expires = DateTime.UtcNow.AddHours(2),
Issuer = jwtConfig.Issuer,
Audience = jwtConfig.Audience,
SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256Signature)
};
var token = tokenHandler.CreateToken(tokenDescriptor);
var tokenString = tokenHandler.WriteToken(token);
return Results.Ok(new { Token = tokenString });
});
app.MapPost("/register-user",
async (RegisterUserRequest registerUserRequest, IUserService userService, CancellationToken cancellationToken)
=> await userService.RegisterUser(registerUserRequest, cancellationToken));
app.MapPost("/resources/get",
async (GetResourceRequest getResourceRequest, IUserService userService, IResourcesService resourcesService, CancellationToken cancellationToken) =>
{
await userService.ValidateUser(getResourceRequest, cancellationToken);
var ms = new MemoryStream();
await resourcesService.GetEncryptedResource(getResourceRequest, ms, cancellationToken);
return ms;
});
=> await userService.RegisterUser(registerUserRequest, cancellationToken))
.RequireAuthorization(p => p.RequireRole(RoleEnum.ApiAdmin.ToString()));
app.MapPost("/resources",
async (UploadResourceRequest uploadResourceRequest, IResourcesService resourceService, CancellationToken cancellationToken)
=> await resourceService.SaveResource(uploadResourceRequest, cancellationToken));
=> await resourceService.SaveResource(uploadResourceRequest, cancellationToken))
.RequireAuthorization(p => p.RequireRole(RoleEnum.ApiAdmin.ToString()));
app.MapPost("/resources/get",
async (GetResourceRequest request, IUserService userService, IResourcesService resourcesService, CancellationToken cancellationToken) =>
{
var user = userService.CurrentUser;
if (user == null)
throw new BusinessException(ExceptionEnum.NoUser, "No current user");
if (string.IsNullOrEmpty(user.HardwareId))
await userService.UpdateHardwareId(user.Email, request.HardwareId);
var ms = new MemoryStream();
var key = Security.MakeEncryptionKey(user.Email, request.Password);
await resourcesService.GetEncryptedResource(request.ResourceEnum, key, ms, cancellationToken);
return ms;
}).RequireAuthorization();
app.Run();
Azaion.Common/BusinessException.cs
+1
View File
@@ -8,6 +8,7 @@ public class BusinessException(ExceptionEnum exEnum, string message) : Exception
public enum ExceptionEnum
{
NoUserFound = 10,
NoUser = 15,
UserExists = 20,
PasswordIncorrect = 30,
UserLengthIncorrect = 33,
Azaion.Common/Configs/Constants.cs
+6
View File
@@ -0,0 +1,6 @@
namespace Azaion.Common.Configs;
public class Constants
{
public const string HARDWARE_ID = nameof(HARDWARE_ID);
}
Azaion.Common/Configs/JwtConfig.cs
+8
View File
@@ -0,0 +1,8 @@
namespace Azaion.Common.Configs;
public class JwtConfig
{
public string Issuer { get; set; } = null!;
public string Audience { get; set; } = null!;
public string Secret { get; set; }
}
Azaion.Common/Entities/RoleEnum.cs
+3 -2
View File
@@ -1,9 +1,10 @@
namespace Azaion.Common;
namespace Azaion.Common.Entities;
public enum RoleEnum
{
Operator,
Validator,
CompanionPC,
Admin
Admin,
ApiAdmin
}
Azaion.Common/Entities/User.cs
+1 -3
View File
@@ -3,10 +3,8 @@
public class User
{
public string Id { get; set; } = null!;
public string Username { get; set; } = null!;
public string Email { get; set; } = null!;
public string PasswordHash { get; set; } = null!;
public string HardwareId { get; set; } = null!;
public RoleEnum Role { get; set; }
public string UniqueKey => $"Azaion#{Username}#{PasswordHash}#{HardwareId}";
}
Azaion.Common/Requests/GetResourceRequest.cs
-1
View File
@@ -4,7 +4,6 @@ namespace Azaion.Common.Requests;
public class GetResourceRequest
{
public string Username { get; set; } = null!;
public string Password { get; set; } = null!;
public string HardwareId { get; set; } = null!;
public ResourceEnum ResourceEnum { get; set; }
Azaion.Common/Requests/RegisterUserRequest.cs
+1
View File
@@ -1,3 +1,4 @@
using Azaion.Common.Entities;
using FluentValidation;
namespace Azaion.Common.Requests;
Azaion.Services/Azaion.Services.csproj
+3
View File
@@ -11,6 +11,9 @@
</ItemGroup>
<ItemGroup>
<Reference Include="Microsoft.AspNetCore.Http.Abstractions">
<HintPath>C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App\8.0.8\Microsoft.AspNetCore.Http.Abstractions.dll</HintPath>
</Reference>
<Reference Include="Microsoft.Extensions.Options">
<HintPath>C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App\8.0.8\Microsoft.Extensions.Options.dll</HintPath>
</Reference>
Azaion.Services/ResourcesService.cs
+3 -4
View File
@@ -8,16 +8,15 @@ namespace Azaion.Services;
public interface IResourcesService
{
Task GetEncryptedResource(GetResourceRequest request, Stream outputStream, CancellationToken cancellationToken = default);
Task GetEncryptedResource(ResourceEnum resource, string key, Stream outputStream, CancellationToken cancellationToken = default);
Task SaveResource(UploadResourceRequest request, CancellationToken cancellationToken = default);
}
public class ResourcesService(IOptions<ResourcesConfig> resourcesConfig) : IResourcesService
{
public async Task GetEncryptedResource(GetResourceRequest request, Stream outputStream, CancellationToken cancellationToken = default)
public async Task GetEncryptedResource(ResourceEnum resource, string key, Stream outputStream, CancellationToken cancellationToken = default)
{
var fileStream = new FileStream(GetResourcePath(request.ResourceEnum), FileMode.Open, FileAccess.Read);
var key = Security.MakeEncryptionKey(request.Username, request.Password);
var fileStream = new FileStream(GetResourcePath(resource), FileMode.Open, FileAccess.Read);
await fileStream.EncryptTo(outputStream, key, cancellationToken);
}
Azaion.Services/UserService.cs
+41 -17
View File
@@ -1,56 +1,80 @@
using Azaion.Common;
using System.Security.Claims;
using Azaion.Common;
using Azaion.Common.Configs;
using Azaion.Common.Database;
using Azaion.Common.Entities;
using Azaion.Common.Requests;
using LinqToDB;
using Microsoft.AspNetCore.Http;
namespace Azaion.Services;
public interface IUserService
{
User? CurrentUser { get; }
Task RegisterUser(RegisterUserRequest request, CancellationToken cancellationToken = default);
Task<User?> ValidateUser(GetResourceRequest request, CancellationToken cancellationToken = default);
Task<User> ValidateUser(string username, string password, string? hardwareId = null, CancellationToken cancellationToken = default);
Task UpdateHardwareId(string username, string hardwareId, CancellationToken cancellationToken = default);
}
public class UserService(IDbFactory dbFactory) : IUserService
public class UserService(IDbFactory dbFactory, IHttpContextAccessor httpContextAccessor) : IUserService
{
public User? CurrentUser
{
get
{
var claims = httpContextAccessor.HttpContext?.User.Claims.ToDictionary(x => x.Type);
if (claims == null)
return null;
Enum.TryParse(claims[ClaimTypes.Role].Value, out RoleEnum role);
return new User
{
Id = claims[ClaimTypes.NameIdentifier].Value,
Email = claims[ClaimTypes.Name].Value,
Role = role,
HardwareId = claims[Constants.HARDWARE_ID].Value,
};
}
}
public async Task RegisterUser(RegisterUserRequest request, CancellationToken cancellationToken = default)
{
await dbFactory.Run(async db =>
{
var existingUser = await db.Users.FirstOrDefaultAsync(u => u.Username == request.Email, token: cancellationToken);
var existingUser = await db.Users.FirstOrDefaultAsync(u => u.Email == request.Email, token: cancellationToken);
if (existingUser != null)
throw new BusinessException(ExceptionEnum.UserExists, "User already exists");
await db.InsertAsync(new User
{
Username = request.Email,
Email = request.Email,
PasswordHash = request.Password.ToHash(),
Role = request.Role
}, token: cancellationToken);
});
}
public async Task<User?> ValidateUser(GetResourceRequest request, CancellationToken cancellationToken = default) =>
public async Task<User> ValidateUser(string username, string password, string? hardwareId = null, CancellationToken cancellationToken = default) =>
await dbFactory.Run(async db =>
{
var user = await db.Users.FirstOrDefaultAsync(x => x.Username == request.Username, token: cancellationToken);
var user = await db.Users.FirstOrDefaultAsync(x => x.Email == username, token: cancellationToken);
if (user == null)
throw new BusinessException(ExceptionEnum.NoUserFound, "No user found");
if (request.Password.ToHash() != user.PasswordHash)
if (password.ToHash() != user.PasswordHash)
throw new BusinessException(ExceptionEnum.PasswordIncorrect, "Passwords do not match");
//If user's hardware Id is empty (usually on the first time login), then write down user
if (string.IsNullOrEmpty(user.HardwareId))
await db.Users.UpdateAsync(x => x.Username == request.Username, u => new User{HardwareId = request.HardwareId}, token: cancellationToken);
else
{
//But if hardware Id exists, it should match with request
if (user.HardwareId != request.HardwareId)
throw new BusinessException(ExceptionEnum.HardwareIdMismatch, "Hardware id mismatch");
}
if (user.Role == RoleEnum.ApiAdmin)
return user;
// For Non-API admins hardwareId should match if it was already set
if (user.HardwareId != null && user.HardwareId != hardwareId)
throw new BusinessException(ExceptionEnum.HardwareIdMismatch, "Hardware id mismatch");
return user;
});
public async Task UpdateHardwareId(string username, string hardwareId, CancellationToken cancellationToken = default) =>
await dbFactory.Run(async db =>
await db.Users.UpdateAsync(x => x.Email == username, u => new User { HardwareId = hardwareId}, token: cancellationToken));
}