Moonlight-Panel/Moonlight
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #451 from Moonlight-Panel/v2.1_ImproveAuth

Browse Source 
Improved authentication
This commit is contained in:
ChiaraBm
2025-08-20 17:20:10 +02:00
committed by GitHub
parent 60178dc54b 17cd039c9b
commit 902ca114c1
44 changed files with 1573 additions and 854 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
Moonlight.ApiServer/Configuration/AppConfiguration.cs
View File

@@ -1,4 +1,5 @@
using MoonCore.Helpers;
using Moonlight.ApiServer.Implementations.LocalAuth;
using YamlDotNet.Serialization;
namespace Moonlight.ApiServer.Configuration;
@@ -29,6 +30,10 @@ public record AppConfiguration
Kestrel = new()
{
AllowedOrigins = []
},
Authentication = new()
{
EnabledSchemes = []
}
};
}
@@ -55,25 +60,20 @@ public record AppConfiguration
[YamlMember(Description = "The secret token to use for creating jwts and encrypting things. This needs to be at least 32 characters long")]
public string Secret { get; set; } = Formatter.GenerateString(32);
[YamlMember(Description = "The lifespan of generated user tokens in hours")]
public int TokenDuration { get; set; } = 24 * 10;
[YamlMember(Description = "Settings for the user sessions")]
public SessionsConfig Sessions { get; set; } = new();
[YamlMember(Description = "This enables the use of the local oauth2 provider, so moonlight will use itself as an oauth2 provider")]
public bool EnableLocalOAuth2 { get; set; } = true;
public OAuth2Data OAuth2 { get; set; } = new();
public record OAuth2Data
{
public string Secret { get; set; } = Formatter.GenerateString(32);
public string ClientId { get; set; } = Formatter.GenerateString(8);
public string ClientSecret { get; set; } = Formatter.GenerateString(32);
public string? AuthorizationEndpoint { get; set; }
public string? AccessEndpoint { get; set; }
public string? AuthorizationRedirect { get; set; }
[YamlMember(Description = "This specifies if the first registered user will become an admin automatically. This only works when using local oauth2")]
[YamlMember(Description = "This specifies if the first registered/synced user will become an admin automatically")]
public bool FirstUserAdmin { get; set; } = true;
[YamlMember(Description = "This specifies the authentication schemes the frontend should be able to challenge")]
public string[] EnabledSchemes { get; set; } = [LocalAuthConstants.AuthenticationScheme];
}
public record SessionsConfig
{
public string CookieName { get; set; } = "session";
public int ExpiresIn { get; set; } = 10;
}
public record DevelopmentConfig

156
Moonlight.ApiServer/Http/Controllers/Auth/AuthController.cs
View File

@@ -1,16 +1,11 @@
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.IdentityModel.Tokens;
using MoonCore.Exceptions;
using MoonCore.Extended.Abstractions;
using Moonlight.ApiServer.Configuration;
using Moonlight.ApiServer.Database.Entities;
using Moonlight.ApiServer.Implementations.LocalAuth;
using Moonlight.ApiServer.Interfaces;
using Moonlight.Shared.Http.Requests.Auth;
using Moonlight.Shared.Http.Responses.Auth;
namespace Moonlight.ApiServer.Http.Controllers.Auth;
@@ -19,93 +14,116 @@ namespace Moonlight.ApiServer.Http.Controllers.Auth;
[Route("api/auth")]
public class AuthController : Controller
{
private readonly IAuthenticationSchemeProvider SchemeProvider;
private readonly IEnumerable<IAuthCheckExtension> Extensions;
private readonly AppConfiguration Configuration;
private readonly DatabaseRepository<User> UserRepository;
private readonly IOAuth2Provider OAuth2Provider;
public AuthController(
AppConfiguration configuration,
DatabaseRepository<User> userRepository,
IOAuth2Provider oAuth2Provider
IAuthenticationSchemeProvider schemeProvider,
IEnumerable<IAuthCheckExtension> extensions,
AppConfiguration configuration
)
{
UserRepository = userRepository;
OAuth2Provider = oAuth2Provider;
SchemeProvider = schemeProvider;
Extensions = extensions;
Configuration = configuration;
}
[AllowAnonymous]
[HttpGet("start")]
public async Task<LoginStartResponse> Start()
[HttpGet]
public async Task<AuthSchemeResponse[]> GetSchemes()
{
var url = await OAuth2Provider.Start();
var schemes = await SchemeProvider.GetAllSchemesAsync();
return new LoginStartResponse()
var allowedSchemes = Configuration.Authentication.EnabledSchemes;
return schemes
.Where(x => allowedSchemes.Contains(x.Name))
.Select(scheme => new AuthSchemeResponse()
{
Url = url
};
DisplayName = scheme.DisplayName ?? scheme.Name,
Identifier = scheme.Name
})
.ToArray();
}
[AllowAnonymous]
[HttpPost("complete")]
public async Task<LoginCompleteResponse> Complete([FromBody] LoginCompleteRequest request)
[HttpGet("{identifier:alpha}")]
public async Task StartScheme([FromRoute] string identifier)
{
var user = await OAuth2Provider.Complete(request.Code);
// Validate identifier against our enable list
var allowedSchemes = Configuration.Authentication.EnabledSchemes;
if (user == null)
throw new HttpApiException("Unable to load user data", 500);
if (!allowedSchemes.Contains(identifier))
{
await Results
.Problem(
"Invalid scheme identifier provided",
statusCode: 404
)
.ExecuteAsync(HttpContext);
// Generate token
var securityTokenDescriptor = new SecurityTokenDescriptor()
{
Expires = DateTime.Now.AddHours(Configuration.Authentication.TokenDuration),
IssuedAt = DateTime.Now,
NotBefore = DateTime.Now.AddMinutes(-1),
Claims = new Dictionary<string, object>()
{
{
"userId",
user.Id
},
{
"permissions",
string.Join(";", user.Permissions)
return;
}
},
SigningCredentials = new SigningCredentials(
new SymmetricSecurityKey(
Encoding.UTF8.GetBytes(Configuration.Authentication.Secret)
),
SecurityAlgorithms.HmacSha256
),
Issuer = Configuration.PublicUrl,
Audience = Configuration.PublicUrl
};
var jwtSecurityTokenHandler = new JwtSecurityTokenHandler();
var securityToken = jwtSecurityTokenHandler.CreateToken(securityTokenDescriptor);
// Now we can check if it even exists
var scheme = await SchemeProvider.GetSchemeAsync(identifier);
var jwt = jwtSecurityTokenHandler.WriteToken(securityToken);
return new()
if (scheme == null)
{
AccessToken = jwt
};
await Results
.Problem(
"Invalid scheme identifier provided",
statusCode: 404
)
.ExecuteAsync(HttpContext);
return;
}
// Everything fine, challenge the frontend
await HttpContext.ChallengeAsync(
scheme.Name,
new AuthenticationProperties()
{
RedirectUri = "/"
}
);
}
[Authorize]
[HttpGet("check")]
public async Task<CheckResponse> Check()
public async Task<AuthClaimResponse[]> Check()
{
var userIdStr = User.FindFirstValue("userId")!;
var userId = int.Parse(userIdStr);
var user = await UserRepository.Get().FirstAsync(x => x.Id == userId);
var username = User.FindFirstValue(ClaimTypes.Name)!;
var id = User.FindFirstValue(ClaimTypes.NameIdentifier)!;
var email = User.FindFirstValue(ClaimTypes.Email)!;
var userId = User.FindFirstValue("UserId")!;
var permissions = User.FindFirstValue("Permissions")!;
return new()
// Create basic set of claims used by the frontend
var claims = new List<AuthClaimResponse>()
{
Email = user.Email,
Username = user.Username,
Permissions = user.Permissions
new(ClaimTypes.Name, username),
new(ClaimTypes.NameIdentifier, id),
new(ClaimTypes.Email, email),
new("UserId", userId),
new("Permissions", permissions)
};
// Enrich the frontend claims by extensions (used by plugins)
foreach (var extension in Extensions)
{
claims.AddRange(
await extension.GetFrontendClaims(User)
);
}
return claims.ToArray();
}
[HttpGet("logout")]
public async Task Logout()
{
await HttpContext.SignOutAsync();
await Results.Redirect("/").ExecuteAsync(HttpContext);
}
}

204
Moonlight.ApiServer/Http/Controllers/LocalAuth/LocalAuthController.cs Normal file
View File

@@ -0,0 +1,204 @@
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using MoonCore.Exceptions;
using MoonCore.Extended.Abstractions;
using MoonCore.Extended.Helpers;
using MoonCore.Helpers;
using Moonlight.ApiServer.Configuration;
using Moonlight.ApiServer.Database.Entities;
using Moonlight.ApiServer.Implementations.LocalAuth;
namespace Moonlight.ApiServer.Http.Controllers.LocalAuth;
[ApiController]
[Route("api/localAuth")]
public class LocalAuthController : Controller
{
private readonly DatabaseRepository<User> UserRepository;
private readonly IServiceProvider ServiceProvider;
private readonly IAuthenticationService AuthenticationService;
private readonly IOptionsMonitor<LocalAuthOptions> Options;
private readonly ILogger<LocalAuthController> Logger;
private readonly AppConfiguration Configuration;
public LocalAuthController(
DatabaseRepository<User> userRepository,
IServiceProvider serviceProvider,
IAuthenticationService authenticationService,
IOptionsMonitor<LocalAuthOptions> options,
ILogger<LocalAuthController> logger,
AppConfiguration configuration
)
{
UserRepository = userRepository;
ServiceProvider = serviceProvider;
AuthenticationService = authenticationService;
Options = options;
Logger = logger;
Configuration = configuration;
}
[HttpGet]
[HttpGet("login")]
public async Task<IResult> Login()
{
var html = await ComponentHelper.RenderComponent<Login>(ServiceProvider);
return Results.Content(html, "text/html");
}
[HttpGet("register")]
public async Task<IResult> Register()
{
var html = await ComponentHelper.RenderComponent<Register>(ServiceProvider);
return Results.Content(html, "text/html");
}
[HttpPost]
[HttpPost("login")]
public async Task<IResult> Login([FromForm] string email, [FromForm] string password)
{
try
{
// Perform login
var user = await InternalLogin(email, password);
// Login user
var options = Options.Get(LocalAuthConstants.AuthenticationScheme);
await AuthenticationService.SignInAsync(HttpContext, options.SignInScheme, new ClaimsPrincipal(
new ClaimsIdentity(
[
new Claim(ClaimTypes.Email, user.Email),
new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
new Claim(ClaimTypes.Name, user.Username)
],
LocalAuthConstants.AuthenticationScheme
)
), new AuthenticationProperties());
// Redirect back to wasm app
return Results.Redirect("/");
}
catch (Exception e)
{
string errorMessage;
if (e is HttpApiException apiException)
errorMessage = apiException.Title;
else
{
errorMessage = "An internal error occured";
Logger.LogError(e, "An unhandled error occured while logging in user");
}
var html = await ComponentHelper.RenderComponent<Login>(ServiceProvider,
parameters => { parameters["ErrorMessage"] = errorMessage; });
return Results.Content(html, "text/html");
}
}
[HttpPost("register")]
public async Task<IResult> Register([FromForm] string email, [FromForm] string password, [FromForm] string username)
{
try
{
// Perform register
var user = await InternalRegister(username, email, password);
// Login user
var options = Options.Get(LocalAuthConstants.AuthenticationScheme);
await AuthenticationService.SignInAsync(HttpContext, options.SignInScheme, new ClaimsPrincipal(
new ClaimsIdentity(
[
new Claim(ClaimTypes.Email, user.Email),
new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
new Claim(ClaimTypes.Name, user.Username)
],
LocalAuthConstants.AuthenticationScheme
)
), new AuthenticationProperties());
// Redirect back to wasm app
return Results.Redirect("/");
}
catch (Exception e)
{
string errorMessage;
if (e is HttpApiException apiException)
errorMessage = apiException.Title;
else
{
errorMessage = "An internal error occured";
Logger.LogError(e, "An unhandled error occured while logging in user");
}
var html = await ComponentHelper.RenderComponent<Register>(ServiceProvider,
parameters => { parameters["ErrorMessage"] = errorMessage; });
return Results.Content(html, "text/html");
}
}
private async Task<User> InternalRegister(string username, string email, string password)
{
email = email.ToLower();
username = username.ToLower();
if (await UserRepository.Get().AnyAsync(x => x.Username == username))
throw new HttpApiException("A account with that username already exists", 400);
if (await UserRepository.Get().AnyAsync(x => x.Email == email))
throw new HttpApiException("A account with that email already exists", 400);
string[] permissions = [];
if (Configuration.Authentication.FirstUserAdmin)
{
var count = await UserRepository
.Get()
.CountAsync();
if (count == 0)
permissions = ["*"];
}
var user = new User()
{
Username = username,
Email = email,
Password = HashHelper.Hash(password),
Permissions = permissions
};
var finalUser = await UserRepository.Add(user);
return finalUser;
}
private async Task<User> InternalLogin(string email, string password)
{
email = email.ToLower();
var user = await UserRepository
.Get()
.FirstOrDefaultAsync(x => x.Email == email);
if (user == null)
throw new HttpApiException("Invalid combination of email and password", 400);
if (!HashHelper.Verify(password, user.Password))
throw new HttpApiException("Invalid combination of email and password", 400);
return user;
}
}

9
Moonlight.ApiServer/Http/Controllers/OAuth2/Login.razor → Moonlight.ApiServer/Http/Controllers/LocalAuth/Login.razor
View File

@@ -9,8 +9,7 @@
<div class="flex h-auto min-h-screen items-center justify-center overflow-x-hidden py-10">
<div class="relative flex items-center justify-center px-4 sm:px-6 lg:px-8">
<div
class="bg-base-100 shadow-base-300/20 z-1 w-full space-y-6 rounded-xl p-6 shadow-md sm:min-w-md lg:p-8">
<div class="bg-base-100 shadow-base-300/20 z-1 w-full space-y-6 rounded-xl p-6 shadow-md sm:min-w-md lg:p-8">
<div class="flex justify-center items-center gap-3">
<img src="/_content/Moonlight.Client/svg/logo.svg" class="size-12" alt="brand-logo"/>
</div>
@@ -42,8 +41,7 @@
</form>
<p class="text-base-content/80 mb-4 text-center">
No account?
<a href="?client_id=@(ClientId)&redirect_uri=@(RedirectUri)&response_type=@(ResponseType)&view=register"
class="link link-animated link-primary font-normal">Create an account</a>
<a href="/api/localAuth/register" class="link link-animated link-primary font-normal">Create an account</a>
</p>
</div>
</div>
@@ -55,8 +53,5 @@
@code
{
[Parameter] public string ClientId { get; set; }
[Parameter] public string RedirectUri { get; set; }
[Parameter] public string ResponseType { get; set; }
[Parameter] public string? ErrorMessage { get; set; }
}

9
Moonlight.ApiServer/Http/Controllers/OAuth2/Register.razor → Moonlight.ApiServer/Http/Controllers/LocalAuth/Register.razor
View File

@@ -9,8 +9,7 @@
<div class="flex h-auto min-h-screen items-center justify-center overflow-x-hidden py-10">
<div class="relative flex items-center justify-center px-4 sm:px-6 lg:px-8">
<div
class="bg-base-100 shadow-base-300/20 z-1 w-full space-y-6 rounded-xl p-6 shadow-md sm:min-w-md lg:p-8">
<div class="bg-base-100 shadow-base-300/20 z-1 w-full space-y-6 rounded-xl p-6 shadow-md sm:min-w-md lg:p-8">
<div class="flex justify-center items-center gap-3">
<img src="/_content/Moonlight.Client/svg/logo.svg" class="size-12" alt="brand-logo"/>
</div>
@@ -47,8 +46,7 @@
</form>
<p class="text-base-content/80 mb-4 text-center">
Already registered?
<a href="?client_id=@(ClientId)&redirect_uri=@(RedirectUri)&response_type=@(ResponseType)&view=login"
class="link link-animated link-primary font-normal">Login into your account</a>
<a href="/api/localAuth/login" class="link link-animated link-primary font-normal">Login into your account</a>
</p>
</div>
</div>
@@ -59,8 +57,5 @@
@code
{
[Parameter] public string ClientId { get; set; }
[Parameter] public string RedirectUri { get; set; }
[Parameter] public string ResponseType { get; set; }
[Parameter] public string? ErrorMessage { get; set; }
}

317
Moonlight.ApiServer/Http/Controllers/OAuth2/OAuth2Controller.cs
View File

@@ -1,317 +0,0 @@
using System.ComponentModel.DataAnnotations;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.IdentityModel.Tokens;
using MoonCore.Exceptions;
using MoonCore.Extended.Abstractions;
using MoonCore.Extended.Helpers;
using MoonCore.Helpers;
using Moonlight.ApiServer.Configuration;
using Moonlight.ApiServer.Database.Entities;
using Moonlight.Shared.Http.Responses.OAuth2;
namespace Moonlight.ApiServer.Http.Controllers.OAuth2;
[ApiController]
[Route("oauth2")]
public partial class OAuth2Controller : Controller
{
private readonly AppConfiguration Configuration;
private readonly DatabaseRepository<User> UserRepository;
private readonly string ExpectedRedirectUri;
public OAuth2Controller(AppConfiguration configuration, DatabaseRepository<User> userRepository)
{
Configuration = configuration;
UserRepository = userRepository;
ExpectedRedirectUri = string.IsNullOrEmpty(Configuration.Authentication.OAuth2.AuthorizationRedirect)
? Configuration.PublicUrl
: Configuration.Authentication.OAuth2.AuthorizationRedirect;
}
[AllowAnonymous]
[HttpGet("authorize")]
public async Task Authorize(
[FromQuery(Name = "client_id")] string clientId,
[FromQuery(Name = "redirect_uri")] string redirectUri,
[FromQuery(Name = "response_type")] string responseType,
[FromQuery(Name = "view")] string view = "login"
)
{
if (!Configuration.Authentication.EnableLocalOAuth2)
throw new HttpApiException("Local OAuth2 has been disabled", 403);
if (Configuration.Authentication.OAuth2.ClientId != clientId ||
redirectUri != ExpectedRedirectUri ||
responseType != "code")
{
throw new HttpApiException("Invalid oauth2 request", 400);
}
string html;
if (view == "register")
{
html = await ComponentHelper.RenderComponent<Register>(HttpContext.RequestServices, parameters =>
{
parameters.Add("ClientId", clientId);
parameters.Add("RedirectUri", redirectUri);
parameters.Add("ResponseType", responseType);
});
}
else
{
html = await ComponentHelper.RenderComponent<Login>(HttpContext.RequestServices, parameters =>
{
parameters.Add("ClientId", clientId);
parameters.Add("RedirectUri", redirectUri);
parameters.Add("ResponseType", responseType);
});
}
await Results
.Text(html, "text/html", Encoding.UTF8)
.ExecuteAsync(HttpContext);
}
[AllowAnonymous]
[HttpPost("authorize")]
public async Task AuthorizePost(
[FromQuery(Name = "client_id")] string clientId,
[FromQuery(Name = "redirect_uri")] string redirectUri,
[FromQuery(Name = "response_type")] string responseType,
[FromForm(Name = "email")] [EmailAddress(ErrorMessage = "You need to provide a valid email address")] string email,
[FromForm(Name = "password")] string password,
[FromForm(Name = "username")] string username = "",
[FromQuery(Name = "view")] string view = "login"
)
{
if (!Configuration.Authentication.EnableLocalOAuth2)
throw new HttpApiException("Local OAuth2 has been disabled", 403);
if (Configuration.Authentication.OAuth2.ClientId != clientId ||
redirectUri != ExpectedRedirectUri ||
responseType != "code")
{
throw new HttpApiException("Invalid oauth2 request", 400);
}
if (view == "register" && string.IsNullOrEmpty(username))
throw new HttpApiException("You need to provide a username", 400);
string? errorMessage = null;
try
{
if (view == "register")
{
var user = await Register(username, email, password);
var code = await GenerateCode(user);
Response.Redirect($"{redirectUri}?code={code}");
}
else
{
var user = await Login(email, password);
var code = await GenerateCode(user);
Response.Redirect($"{redirectUri}?code={code}");
}
}
catch (HttpApiException e)
{
errorMessage = e.Title;
string html;
if (view == "register")
{
html = await ComponentHelper.RenderComponent<Register>(HttpContext.RequestServices, parameters =>
{
parameters.Add("ClientId", clientId);
parameters.Add("RedirectUri", redirectUri);
parameters.Add("ResponseType", responseType);
parameters.Add("ErrorMessage", errorMessage!);
});
}
else
{
html = await ComponentHelper.RenderComponent<Login>(HttpContext.RequestServices, parameters =>
{
parameters.Add("ClientId", clientId);
parameters.Add("RedirectUri", redirectUri);
parameters.Add("ResponseType", responseType);
parameters.Add("ErrorMessage", errorMessage!);
});
}
await Results
.Text(html, "text/html", Encoding.UTF8)
.ExecuteAsync(HttpContext);
}
}
[AllowAnonymous]
[HttpPost("handle")]
public async Task<OAuth2HandleResponse> Handle(
[FromForm(Name = "grant_type")] string grantType,
[FromForm(Name = "code")] string code,
[FromForm(Name = "redirect_uri")] string redirectUri,
[FromForm(Name = "client_id")] string clientId
)
{
if (!Configuration.Authentication.EnableLocalOAuth2)
throw new HttpApiException("Local OAuth2 has been disabled", 403);
// Check header
if (!Request.Headers.ContainsKey("Authorization"))
throw new HttpApiException("You are missing the Authorization header", 400);
var authorizationHeaderValue = Request.Headers["Authorization"].FirstOrDefault() ?? "";
if (authorizationHeaderValue != $"Basic {Configuration.Authentication.OAuth2.ClientSecret}")
throw new HttpApiException("Invalid Authorization header value", 400);
// Check form
if (grantType != "authorization_code")
throw new HttpApiException("Invalid grant type provided", 400);
if (clientId != Configuration.Authentication.OAuth2.ClientId)
throw new HttpApiException("Invalid client id provided", 400);
if (redirectUri != ExpectedRedirectUri)
throw new HttpApiException("Invalid redirect uri provided", 400);
var jwtSecurityTokenHandler = new JwtSecurityTokenHandler();
ClaimsPrincipal? codeData;
try
{
codeData = jwtSecurityTokenHandler.ValidateToken(code, new TokenValidationParameters()
{
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(
Configuration.Authentication.OAuth2.Secret
)),
ValidateIssuerSigningKey = true,
ValidateLifetime = true,
ClockSkew = TimeSpan.Zero,
ValidateAudience = false,
ValidateIssuer = false
}, out _);
}
catch (SecurityTokenException)
{
throw new HttpApiException("Invalid code provided", 400);
}
if (codeData == null)
throw new HttpApiException("Invalid code provided", 400);
var userIdClaim = codeData.Claims.FirstOrDefault(x => x.Type == "id");
if (userIdClaim == null)
throw new HttpApiException("Malformed code provided", 400);
if (!int.TryParse(userIdClaim.Value, out var userId))
throw new HttpApiException("Malformed code provided", 400);
var user = UserRepository
.Get()
.FirstOrDefault(x => x.Id == userId);
if (user == null)
throw new HttpApiException("Malformed code provided", 400);
return new()
{
UserId = user.Id
};
}
private Task<string> GenerateCode(User user)
{
var securityTokenDescriptor = new SecurityTokenDescriptor()
{
Expires = DateTime.Now.AddMinutes(1),
IssuedAt = DateTime.Now,
NotBefore = DateTime.Now.AddMinutes(-1),
Claims = new Dictionary<string, object>()
{
{
"id",
user.Id
}
},
SigningCredentials = new SigningCredentials(
new SymmetricSecurityKey(
Encoding.UTF8.GetBytes(Configuration.Authentication.OAuth2.Secret)
),
SecurityAlgorithms.HmacSha256
)
};
var jwtSecurityTokenHandler = new JwtSecurityTokenHandler();
var securityToken = jwtSecurityTokenHandler.CreateToken(securityTokenDescriptor);
return Task.FromResult(
jwtSecurityTokenHandler.WriteToken(securityToken)
);
}
private async Task<User> Register(string username, string email, string password)
{
if (await UserRepository.Get().AnyAsync(x => x.Username == username))
throw new HttpApiException("A account with that username already exists", 400);
if (await UserRepository.Get().AnyAsync(x => x.Email == email))
throw new HttpApiException("A account with that email already exists", 400);
if (!UsernameRegex().IsMatch(username))
throw new HttpApiException("The username is only allowed to be contained out of small characters and numbers", 400);
var user = new User()
{
Username = username,
Email = email,
Password = HashHelper.Hash(password),
};
if (Configuration.Authentication.OAuth2.FirstUserAdmin)
{
var userCount = await UserRepository.Get().CountAsync();
if (userCount == 0)
user.Permissions = ["*"];
}
return await UserRepository.Add(user);
}
private async Task<User> Login(string email, string password)
{
var user = await UserRepository
.Get()
.FirstOrDefaultAsync(x => x.Email == email);
if (user == null)
throw new HttpApiException("Invalid combination of email and password", 400);
if (!HashHelper.Verify(password, user.Password))
throw new HttpApiException("Invalid combination of email and password", 400);
return user;
}
[GeneratedRegex("^[a-z][a-z0-9]*$")]
private static partial Regex UsernameRegex();
}

7
Moonlight.ApiServer/Implementations/Diagnose/CoreConfigDiagnoseProvider.cs
View File

@@ -34,15 +34,8 @@ public class CoreConfigDiagnoseProvider : IDiagnoseProvider
}
config.Database.Password = CheckForNullOrEmpty(config.Database.Password);
config.Authentication.OAuth2.ClientSecret = CheckForNullOrEmpty(config.Authentication.OAuth2.ClientSecret);
config.Authentication.OAuth2.Secret = CheckForNullOrEmpty(config.Authentication.OAuth2.Secret);
config.Authentication.Secret = CheckForNullOrEmpty(config.Authentication.Secret);
config.Authentication.OAuth2.ClientId = CheckForNullOrEmpty(config.Authentication.OAuth2.ClientId);
await archive.AddText(
"core/config.txt",
JsonSerializer.Serialize(

6
Moonlight.ApiServer/Implementations/LocalAuth/LocalAuthConstants.cs Normal file
View File

@@ -0,0 +1,6 @@
namespace Moonlight.ApiServer.Implementations.LocalAuth;
public static class LocalAuthConstants
{
public const string AuthenticationScheme = "LocalAuth";
}

32
Moonlight.ApiServer/Implementations/LocalAuth/LocalAuthHandler.cs Normal file
View File

@@ -0,0 +1,32 @@
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
namespace Moonlight.ApiServer.Implementations.LocalAuth;
public class LocalAuthHandler : AuthenticationHandler<LocalAuthOptions>
{
public LocalAuthHandler(
IOptionsMonitor<LocalAuthOptions> options,
ILoggerFactory logger,
UrlEncoder encoder
) : base(options, logger, encoder)
{
}
protected override Task<AuthenticateResult> HandleAuthenticateAsync()
{
return Task.FromResult(
AuthenticateResult.Fail("Local authentication does not directly support AuthenticateAsync")
);
}
protected override async Task HandleChallengeAsync(AuthenticationProperties properties)
{
await Results
.Redirect("/api/localAuth")
.ExecuteAsync(Context);
}
}

8
Moonlight.ApiServer/Implementations/LocalAuth/LocalAuthOptions.cs Normal file
View File

@@ -0,0 +1,8 @@
using Microsoft.AspNetCore.Authentication;
namespace Moonlight.ApiServer.Implementations.LocalAuth;
public class LocalAuthOptions : AuthenticationSchemeOptions
{
public string? SignInScheme { get; set; }
}

106
Moonlight.ApiServer/Implementations/LocalOAuth2Provider.cs
View File

@@ -1,106 +0,0 @@
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Logging;
using MoonCore.Exceptions;
using MoonCore.Extended.Abstractions;
using MoonCore.Helpers;
using Moonlight.ApiServer.Configuration;
using Moonlight.ApiServer.Database.Entities;
using Moonlight.ApiServer.Interfaces;
using Moonlight.Shared.Http.Responses.OAuth2;
namespace Moonlight.ApiServer.Implementations;
public class LocalOAuth2Provider : IOAuth2Provider
{
private readonly AppConfiguration Configuration;
private readonly ILogger<LocalOAuth2Provider> Logger;
private readonly DatabaseRepository<User> UserRepository;
public LocalOAuth2Provider(
AppConfiguration configuration,
ILogger<LocalOAuth2Provider> logger,
DatabaseRepository<User> userRepository
)
{
UserRepository = userRepository;
Configuration = configuration;
Logger = logger;
}
public Task<string> Start()
{
var redirectUri = string.IsNullOrEmpty(Configuration.Authentication.OAuth2.AuthorizationRedirect)
? Configuration.PublicUrl
: Configuration.Authentication.OAuth2.AuthorizationRedirect;
var endpoint = string.IsNullOrEmpty(Configuration.Authentication.OAuth2.AuthorizationEndpoint)
? Configuration.PublicUrl + "/oauth2/authorize"
: Configuration.Authentication.OAuth2.AuthorizationEndpoint;
var clientId = Configuration.Authentication.OAuth2.ClientId;
var url = $"{endpoint}" +
$"?client_id={clientId}" +
$"&redirect_uri={redirectUri}" +
$"&response_type=code";
return Task.FromResult(url);
}
public async Task<User?> Complete(string code)
{
// Create http client to call the auth provider
var httpClient = new HttpClient();
using var httpApiClient = new HttpApiClient(httpClient);
httpClient.DefaultRequestHeaders.Add("Authorization",
$"Basic {Configuration.Authentication.OAuth2.ClientSecret}");
// Build access endpoint
var accessEndpoint = string.IsNullOrEmpty(Configuration.Authentication.OAuth2.AccessEndpoint)
? $"{Configuration.PublicUrl}/oauth2/handle"
: Configuration.Authentication.OAuth2.AccessEndpoint;
// Build redirect uri
var redirectUri = string.IsNullOrEmpty(Configuration.Authentication.OAuth2.AuthorizationRedirect)
? Configuration.PublicUrl
: Configuration.Authentication.OAuth2.AuthorizationRedirect;
// Call the auth provider
OAuth2HandleResponse handleData;
try
{
handleData = await httpApiClient.PostJson<OAuth2HandleResponse>(accessEndpoint, new FormUrlEncodedContent(
[
new KeyValuePair<string, string>("grant_type", "authorization_code"),
new KeyValuePair<string, string>("code", code),
new KeyValuePair<string, string>("redirect_uri", redirectUri),
new KeyValuePair<string, string>("client_id", Configuration.Authentication.OAuth2.ClientId)
]
));
}
catch (HttpApiException e)
{
if (e.Status == 400)
Logger.LogTrace("The auth server returned an error: {e}", e);
else
Logger.LogCritical("The auth server returned an error: {e}", e);
throw new HttpApiException("Unable to request user data", 500);
}
// Notice: We just look up the user id here
// which works as our oauth2 provider is using the same db.
// a real oauth2 provider would create a user here
// Handle the returned data
var userId = handleData.UserId;
var user = await UserRepository
.Get()
.FirstOrDefaultAsync(x => x.Id == userId);
return user;
}
}

62
Moonlight.ApiServer/Implementations/UserAuthInvalidation.cs
View File

@@ -1,62 +0,0 @@
using System.Security.Claims;
using Microsoft.EntityFrameworkCore;
using MoonCore.Extended.Abstractions;
using MoonCore.Extended.JwtInvalidation;
using Moonlight.ApiServer.Database.Entities;
namespace Moonlight.ApiServer.Implementations;
public class UserAuthInvalidation : IJwtInvalidateHandler
{
private readonly DatabaseRepository<User> UserRepository;
private readonly DatabaseRepository<ApiKey> ApiKeyRepository;
public UserAuthInvalidation(
DatabaseRepository<User> userRepository,
DatabaseRepository<ApiKey> apiKeyRepository
)
{
UserRepository = userRepository;
ApiKeyRepository = apiKeyRepository;
}
public async Task<bool> Handle(ClaimsPrincipal principal)
{
var userIdClaim = principal.FindFirstValue("userId");
if (!string.IsNullOrEmpty(userIdClaim))
{
var userId = int.Parse(userIdClaim);
var user = await UserRepository
.Get()
.FirstOrDefaultAsync(x => x.Id == userId);
if (user == null)
return true; // User is deleted, invalidate session
var iatStr = principal.FindFirstValue("iat")!;
var iat = DateTimeOffset.FromUnixTimeSeconds(long.Parse(iatStr));
// If the token has been issued before the token valid time, its expired, and we want to invalidate it
return user.TokenValidTimestamp > iat;
}
var apiKeyIdClaim = principal.FindFirstValue("apiKeyId");
if (!string.IsNullOrEmpty(apiKeyIdClaim))
{
var apiKeyId = int.Parse(apiKeyIdClaim);
var apiKey = await ApiKeyRepository
.Get()
.FirstOrDefaultAsync(x => x.Id == apiKeyId);
// If the api key exists, we don't want to invalidate the request.
// If it doesn't exist we want to invalidate the request
return apiKey == null;
}
return true;
}
}

16
Moonlight.ApiServer/Interfaces/IAuthCheckExtension.cs Normal file
View File

@@ -0,0 +1,16 @@
using System.Security.Claims;
using Moonlight.Shared.Http.Responses.Auth;
namespace Moonlight.ApiServer.Interfaces;
public interface IAuthCheckExtension
{
/// <summary>
/// This function will be called by the frontend reaching out to the api server for claim information.
/// You can use this function to give your frontend plugins access to user specific data which is
/// static for the session. E.g. the avatar url of a user
/// </summary>
/// <param name="principal">The principal of the current signed-in user</param>
/// <returns>An array of claim responses which gets added to the list of claims to send to the frontend</returns>
public Task<AuthClaimResponse[]> GetFrontendClaims(ClaimsPrincipal principal);
}

10
Moonlight.ApiServer/Interfaces/IOAuth2Provider.cs
View File

@@ -1,10 +0,0 @@
using Moonlight.ApiServer.Database.Entities;
namespace Moonlight.ApiServer.Interfaces;
public interface IOAuth2Provider
{
public Task<string> Start();
public Task<User?> Complete(string code);
}

25
Moonlight.ApiServer/Interfaces/IUserAuthExtension.cs Normal file
View File

@@ -0,0 +1,25 @@
using System.Security.Claims;
using Moonlight.ApiServer.Database.Entities;
namespace Moonlight.ApiServer.Interfaces;
public interface IUserAuthExtension
{
/// <summary>
/// This function is called on every sign-in. It should be used to synchronize additional user data from the principal
/// or extend the claims saved in the user session
/// </summary>
/// <param name="user">The current user this method is called for</param>
/// <param name="principal">The principal after being processed by moonlight itself</param>
/// <returns>The result of the synchronisation. Returning false will immediately invalidate the sign-in and no other extensions will be called</returns>
public Task<bool> Sync(User user, ClaimsPrincipal principal);
/// <summary>
/// IMPORTANT: Please note that heavy operations should not occur in this method as it will be called for every request
/// of every user
/// </summary>
/// <param name="user">The current user this method is called for</param>
/// <param name="principal">The principal after being processed by moonlight itself</param>
/// <returns>The result of the validation. Returning false will immediately invalidate the users session and no other extensions will be called</returns>
public Task<bool> Validate(User user, ClaimsPrincipal principal);
}

42
Moonlight.ApiServer/Moonlight.ApiServer.csproj
View File

@@ -6,11 +6,11 @@
<ImplicitUsings>enable</ImplicitUsings>
</PropertyGroup>
<ItemGroup>
<ProjectReference Include="..\Moonlight.Shared\Moonlight.Shared.csproj" />
<ProjectReference Include="..\Moonlight.Shared\Moonlight.Shared.csproj"/>
</ItemGroup>
<ItemGroup>
<Folder Include="Database\Migrations\" />
<Folder Include="Helpers\" />
<Folder Include="Database\Migrations\"/>
<Folder Include="Helpers\"/>
</ItemGroup>
<PropertyGroup>
<PackageId>Moonlight.ApiServer</PackageId>
@@ -23,25 +23,25 @@
<IsPackable>true</IsPackable>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Hangfire.AspNetCore" Version="1.8.20" />
<PackageReference Include="Hangfire.Core" Version="1.8.20" />
<PackageReference Include="Hangfire.EntityFrameworkCore" Version="0.7.0" />
<PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="9.0.7" />
<PackageReference Include="MoonCore" Version="1.9.2" />
<PackageReference Include="MoonCore.Extended" Version="1.3.5" />
<PackageReference Include="MoonCore.PluginFramework.Generator" Version="1.0.2" />
<PackageReference Include="OpenTelemetry.Exporter.Prometheus.AspNetCore" Version="1.12.0-beta.1" />
<PackageReference Include="OpenTelemetry.Extensions.Hosting" Version="1.12.0" />
<PackageReference Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.12.0" />
<PackageReference Include="Riok.Mapperly" Version="4.3.0-next.2" />
<PackageReference Include="SharpZipLib" Version="1.4.2" />
<PackageReference Include="Swashbuckle.AspNetCore" Version="8.1.2" />
<PackageReference Include="Ben.Demystifier" Version="0.4.1" />
<PackageReference Include="Hangfire.AspNetCore" Version="1.8.20"/>
<PackageReference Include="Hangfire.Core" Version="1.8.20"/>
<PackageReference Include="Hangfire.EntityFrameworkCore" Version="0.7.0"/>
<PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="9.0.7"/>
<PackageReference Include="MoonCore" Version="1.9.6"/>
<PackageReference Include="MoonCore.Extended" Version="1.3.6"/>
<PackageReference Include="MoonCore.PluginFramework.Generator" Version="1.0.2"/>
<PackageReference Include="OpenTelemetry.Exporter.Prometheus.AspNetCore" Version="1.12.0-beta.1"/>
<PackageReference Include="OpenTelemetry.Extensions.Hosting" Version="1.12.0"/>
<PackageReference Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.12.0"/>
<PackageReference Include="Riok.Mapperly" Version="4.3.0-next.2"/>
<PackageReference Include="SharpZipLib" Version="1.4.2"/>
<PackageReference Include="Swashbuckle.AspNetCore" Version="8.1.2"/>
<PackageReference Include="Ben.Demystifier" Version="0.4.1"/>
</ItemGroup>
<ItemGroup>
<Compile Remove="storage\**\*" />
<Content Remove="storage\**\*" />
<None Remove="storage\**\*" />
<None Remove="Properties\launchSettings.json" />
<Compile Remove="storage\**\*"/>
<Content Remove="storage\**\*"/>
<None Remove="storage\**\*"/>
<None Remove="Properties\launchSettings.json"/>
</ItemGroup>
</Project>

32
Moonlight.ApiServer/Services/ApiKeyAuthService.cs Normal file
View File

@@ -0,0 +1,32 @@
using System.Security.Claims;
using Microsoft.EntityFrameworkCore;
using MoonCore.Extended.Abstractions;
using Moonlight.ApiServer.Database.Entities;
namespace Moonlight.ApiServer.Services;
public class ApiKeyAuthService
{
private readonly DatabaseRepository<ApiKey> ApiKeyRepository;
public ApiKeyAuthService(DatabaseRepository<ApiKey> apiKeyRepository)
{
ApiKeyRepository = apiKeyRepository;
}
public async Task<bool> Validate(ClaimsPrincipal? principal)
{
// Ignore malformed claims principal
if (principal is not { Identity.IsAuthenticated: true })
return false;
var apiKeyIdStr = principal.FindFirstValue("ApiKeyId");
if (!int.TryParse(apiKeyIdStr, out var apiKeyId))
return false;
return await ApiKeyRepository
.Get()
.AnyAsync(x => x.Id == apiKeyId);
}
}

4
Moonlight.ApiServer/Services/ApiKeyService.cs
View File

@@ -29,11 +29,11 @@ public class ApiKeyService
Claims = new Dictionary<string, object>()
{
{
"apiKeyId",
"ApiKeyId",
apiKey.Id
},
{
"permissions",
"Permissions",
string.Join(";", apiKey.Permissions)
}
},

168
Moonlight.ApiServer/Services/UserAuthService.cs Normal file
View File

@@ -0,0 +1,168 @@
using System.Security.Claims;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Logging;
using MoonCore.Extended.Abstractions;
using MoonCore.Extended.Helpers;
using MoonCore.Helpers;
using Moonlight.ApiServer.Configuration;
using Moonlight.ApiServer.Database.Entities;
using Moonlight.ApiServer.Interfaces;
namespace Moonlight.ApiServer.Services;
public class UserAuthService
{
private readonly ILogger<UserAuthService> Logger;
private readonly DatabaseRepository<User> UserRepository;
private readonly AppConfiguration Configuration;
private readonly IEnumerable<IUserAuthExtension> Extensions;
private const string UserIdClaim = "UserId";
private const string IssuedAtClaim = "IssuedAt";
public UserAuthService(
ILogger<UserAuthService> logger,
DatabaseRepository<User> userRepository,
AppConfiguration configuration,
IEnumerable<IUserAuthExtension> extensions
)
{
Logger = logger;
UserRepository = userRepository;
Configuration = configuration;
Extensions = extensions;
}
public async Task<bool> Sync(ClaimsPrincipal? principal)
{
// Ignore malformed claims principal
if (principal is not { Identity.IsAuthenticated: true })
return false;
// Search for email and username. We need both to create the user model if required.
// We do a ToLower here because external authentication provider might provide case-sensitive data
var email = principal.FindFirstValue(ClaimTypes.Email)?.ToLower();
var username = principal.FindFirstValue(ClaimTypes.Name)?.ToLower();
if (string.IsNullOrEmpty(email) || string.IsNullOrEmpty(username))
{
Logger.LogWarning(
"The authentication scheme {scheme} did not provide claim types: email, name. These are required to sync to user to the database",
principal.Identity.AuthenticationType
);
return false;
}
// If you plan to use multiple auth providers it can be a good idea
// to use an identifier in the user model which consists of the provider and the NameIdentifier
// instead of the email address. For simplicity, we just use the email as the identifier so multiple auth providers
// can lead to the same account when the email matches
var user = await UserRepository
.Get()
.FirstOrDefaultAsync(u => u.Email == email);
if (user == null)
{
string[] permissions = [];
// Yes I know we handle the first user admin thing in the LocalAuth too,
// but this only works fo the local auth. So if a user uses an external auth scheme
// like oauth2 discord, the first user admin toggle would do nothing
if (Configuration.Authentication.FirstUserAdmin)
{
var count = await UserRepository
.Get()
.CountAsync();
if (count == 0)
permissions = ["*"];
}
user = await UserRepository.Add(new User()
{
Email = email,
TokenValidTimestamp = DateTimeOffset.UtcNow.AddMinutes(-1),
Username = username,
Password = HashHelper.Hash(Formatter.GenerateString(64)),
Permissions = permissions
});
}
// You can sync other properties here
if (user.Username != username)
{
user.Username = username;
await UserRepository.Update(user);
}
// Enrich claims with required metadata
principal.Identities.First().AddClaims([
new Claim(UserIdClaim, user.Id.ToString()),
new Claim(IssuedAtClaim, DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString()),
new Claim("Permissions", string.Join(';', user.Permissions))
]);
// Call extensions
foreach (var extension in Extensions)
{
var result = await extension.Sync(user, principal);
if (!result) // Exit immediately if result is false
return false;
}
return true;
}
public async Task<bool> Validate(ClaimsPrincipal? principal)
{
// Ignore malformed claims principal
if (principal is not { Identity.IsAuthenticated: true })
return false;
// Validate if the user still exists, and then we want to validate the token issue time
// against the invalidation time
var userIdStr = principal.FindFirstValue(UserIdClaim);
if (!int.TryParse(userIdStr, out var userId))
return false;
var user = await UserRepository
.Get()
.FirstOrDefaultAsync(u => u.Id == userId);
if (user == null)
return false;
// Token time validation
var issuedAtStr = principal.FindFirstValue(IssuedAtClaim);
if (!long.TryParse(issuedAtStr, out var issuedAtUnix))
return false;
var issuedAt = DateTimeOffset
.FromUnixTimeSeconds(issuedAtUnix)
.ToUniversalTime();
// If the issued at timestamp is greater than the token validation timestamp
// everything is fine. If not it means that the token should be invalidated
// as it is too old
if (issuedAt < user.TokenValidTimestamp)
return false;
// Call extensions
foreach (var extension in Extensions)
{
var result = await extension.Validate(user, principal);
if (!result) // Exit immediately if result is false
return false;
}
return true;
}
}

0
Moonlight.ApiServer/Services/UserService.cs → Moonlight.ApiServer/Services/UserDeletionService.cs
View File

136
Moonlight.ApiServer/Startup/Startup.Auth.cs
View File

@@ -1,11 +1,12 @@
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using MoonCore.Extended.JwtInvalidation;
using MoonCore.Permissions;
using Moonlight.ApiServer.Implementations;
using Moonlight.ApiServer.Interfaces;
using Moonlight.ApiServer.Implementations.LocalAuth;
using Moonlight.ApiServer.Services;
namespace Moonlight.ApiServer.Startup;
@@ -15,8 +16,25 @@ public partial class Startup
private Task RegisterAuth()
{
WebApplicationBuilder.Services
.AddAuthentication("coreAuthentication")
.AddJwtBearer("coreAuthentication", options =>
.AddAuthentication(options => { options.DefaultScheme = "MainScheme"; })
.AddPolicyScheme("MainScheme", null, options =>
{
// If an api key is specified via the bearer auth header
// we want to use the ApiKey scheme for authenticating the request
options.ForwardDefaultSelector = context =>
{
if (!context.Request.Headers.TryGetValue("Authorization", out var authHeader))
return "Session";
var auth = authHeader.FirstOrDefault();
if (string.IsNullOrEmpty(auth) || !auth.StartsWith("Bearer "))
return "Session";
return "ApiKey";
};
})
.AddJwtBearer("ApiKey", null, options =>
{
options.TokenValidationParameters = new()
{
@@ -31,22 +49,116 @@ public partial class Startup
ValidateIssuer = true,
ValidIssuer = Configuration.PublicUrl
};
});
WebApplicationBuilder.Services.AddJwtBearerInvalidation("coreAuthentication");
WebApplicationBuilder.Services.AddScoped<IJwtInvalidateHandler, UserAuthInvalidation>();
options.Events = new JwtBearerEvents()
{
OnTokenValidated = async context =>
{
var apiKeyAuthService = context
.HttpContext
.RequestServices
.GetRequiredService<ApiKeyAuthService>();
var result = await apiKeyAuthService.Validate(context.Principal);
if (!result)
context.Fail("API key has been deleted");
}
};
})
.AddCookie("Session", null, options =>
{
options.ExpireTimeSpan = TimeSpan.FromDays(Configuration.Authentication.Sessions.ExpiresIn);
options.Cookie = new CookieBuilder()
{
Name = Configuration.Authentication.Sessions.CookieName,
Path = "/",
IsEssential = true,
SecurePolicy = CookieSecurePolicy.SameAsRequest
};
// As redirects won't work in our spa which uses API calls
// we need to customize the responses when certain actions happen
options.Events.OnRedirectToLogin = async context =>
{
await Results.Problem(
title: "Unauthenticated",
detail: "You need to authenticate yourself to use this endpoint",
statusCode: 401
)
.ExecuteAsync(context.HttpContext);
};
options.Events.OnRedirectToAccessDenied = async context =>
{
await Results.Problem(
title: "Permission denied",
detail: "You are missing the required permissions to access this endpoint",
statusCode: 403
)
.ExecuteAsync(context.HttpContext);
};
options.Events.OnSigningIn = async context =>
{
var userSyncService = context
.HttpContext
.RequestServices
.GetRequiredService<UserAuthService>();
var result = await userSyncService.Sync(context.Principal);
if (!result)
context.Principal = new();
else
context.Properties.IsPersistent = true;
};
options.Events.OnValidatePrincipal = async context =>
{
var userSyncService = context
.HttpContext
.RequestServices
.GetRequiredService<UserAuthService>();
var result = await userSyncService.Validate(context.Principal);
if (!result)
context.RejectPrincipal();
};
})
.AddScheme<LocalAuthOptions, LocalAuthHandler>(LocalAuthConstants.AuthenticationScheme, "Local Auth", options =>
{
options.ForwardAuthenticate = "Session";
options.ForwardSignIn = "Session";
options.ForwardSignOut = "Session";
options.SignInScheme = "Session";
});
WebApplicationBuilder.Services.AddAuthorization();
WebApplicationBuilder.Services.AddAuthorizationPermissions(options =>
{
options.ClaimName = "permissions";
options.ClaimName = "Permissions";
options.Prefix = "permissions:";
});
// Add local oauth2 provider if enabled
if (Configuration.Authentication.EnableLocalOAuth2)
WebApplicationBuilder.Services.AddScoped<IOAuth2Provider, LocalOAuth2Provider>();
WebApplicationBuilder.Services.AddScoped<UserAuthService>();
WebApplicationBuilder.Services.AddScoped<ApiKeyAuthService>();
// Setup data protection storage within storage folder
// so its persists in containers
var dpKeyPath = Path.Combine("storage", "dataProtectionKeys");
Directory.CreateDirectory(dpKeyPath);
WebApplicationBuilder.Services
.AddDataProtection()
.PersistKeysToFileSystem(
new DirectoryInfo(dpKeyPath)
);
WebApplicationBuilder.Services.AddScoped<UserDeletionService>();

3
Moonlight.ApiServer/Startup/Startup.Logging.cs
View File

@@ -33,7 +33,8 @@ public partial class Startup
{
{ "Default", "Information" },
{ "Microsoft.AspNetCore", "Warning" },
{ "System.Net.Http.HttpClient", "Warning" }
{ "System.Net.Http.HttpClient", "Warning" },
{ "Moonlight.ApiServer.Implementations.LocalAuth.LocalAuthHandler", "Warning" }
};
var logLevelsJson = JsonSerializer.Serialize(defaultLogLevels);

19
Moonlight.Client/Implementations/LogErrorFilter.cs Normal file
View File

@@ -0,0 +1,19 @@
using MoonCore.Blazor.FlyonUi.Exceptions;
namespace Moonlight.Client.Implementations;
public class LogErrorFilter : IGlobalErrorFilter
{
private readonly ILogger<LogErrorFilter> Logger;
public LogErrorFilter(ILogger<LogErrorFilter> logger)
{
Logger = logger;
}
public Task<bool> HandleException(Exception ex)
{
Logger.LogError(ex, "Global error processed");
return Task.FromResult(false);
}
}

24
Moonlight.Client/Implementations/UnauthenticatedErrorFilter.cs Normal file
View File

@@ -0,0 +1,24 @@
using Microsoft.AspNetCore.Components;
using MoonCore.Blazor.FlyonUi.Exceptions;
using MoonCore.Exceptions;
namespace Moonlight.Client.Implementations;
public class UnauthenticatedErrorFilter : IGlobalErrorFilter
{
private readonly NavigationManager Navigation;
public UnauthenticatedErrorFilter(NavigationManager navigation)
{
Navigation = navigation;
}
public Task<bool> HandleException(Exception ex)
{
if (ex is not HttpApiException { Status: 401 })
return Task.FromResult(false);
Navigation.NavigateTo("/api/auth/logout", true);
return Task.FromResult(true);
}
}

6
Moonlight.Client/Moonlight.Client.csproj
View File

@@ -22,9 +22,11 @@
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Blazor-ApexCharts" Version="6.0.0" />
<PackageReference Include="MoonCore" Version="1.9.2" />
<PackageReference Include="Microsoft.Extensions.Logging.Console" Version="9.0.8" />
<PackageReference Include="MoonCore" Version="1.9.6" />
<PackageReference Include="MoonCore.Blazor" Version="1.3.1" />
<PackageReference Include="MoonCore.Blazor.FlyonUi" Version="1.0.9" />
<PackageReference Include="MoonCore.Blazor.FlyonUi" Version="1.1.5" />
<PackageReference Include="System.Security.Claims" Version="4.3.0" />
</ItemGroup>
<ItemGroup>
<Compile Remove="storage\**\*" />

119
Moonlight.Client/Services/RemoteAuthStateManager.cs
View File

@@ -1,119 +0,0 @@
using System.Security.Claims;
using System.Web;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Authorization;
using MoonCore.Blazor.FlyonUi.Auth;
using MoonCore.Blazor.Services;
using MoonCore.Exceptions;
using MoonCore.Helpers;
using Moonlight.Shared.Http.Requests.Auth;
using Moonlight.Shared.Http.Responses.Auth;
namespace Moonlight.Client.Services;
public class RemoteAuthStateManager : AuthenticationStateManager
{
private readonly NavigationManager NavigationManager;
private readonly HttpApiClient HttpApiClient;
private readonly LocalStorageService LocalStorageService;
private readonly ILogger<RemoteAuthStateManager> Logger;
public RemoteAuthStateManager(
HttpApiClient httpApiClient,
LocalStorageService localStorageService,
NavigationManager navigationManager,
ILogger<RemoteAuthStateManager> logger
)
{
HttpApiClient = httpApiClient;
LocalStorageService = localStorageService;
NavigationManager = navigationManager;
Logger = logger;
}
public override async Task<AuthenticationState> GetAuthenticationStateAsync()
=> await LoadAuthState();
public override async Task HandleLogin()
{
var uri = new Uri(NavigationManager.Uri);
var codeParam = HttpUtility.ParseQueryString(uri.Query).Get("code");
if (string.IsNullOrEmpty(codeParam)) // If this is true, we need to log in the user
{
await StartLogin();
}
else
{
try
{
var loginCompleteData = await HttpApiClient.PostJson<LoginCompleteResponse>(
"api/auth/complete",
new LoginCompleteRequest()
{
Code = codeParam
}
);
await LocalStorageService.SetString("AccessToken", loginCompleteData.AccessToken);
NavigationManager.NavigateTo("/");
NotifyAuthenticationStateChanged(LoadAuthState());
}
catch (HttpApiException e)
{
Logger.LogError("Unable to complete login: {e}", e);
await StartLogin();
}
}
}
public override async Task Logout()
{
if (await LocalStorageService.ContainsKey("AccessToken"))
await LocalStorageService.SetString("AccessToken", "");
NotifyAuthenticationStateChanged(LoadAuthState());
}
#region Utilities
private async Task StartLogin()
{
var loginStartData = await HttpApiClient.GetJson<LoginStartResponse>("api/auth/start");
NavigationManager.NavigateTo(loginStartData.Url, true);
}
private async Task<AuthenticationState> LoadAuthState()
{
AuthenticationState newState;
try
{
var checkData = await HttpApiClient.GetJson<CheckResponse>("api/auth/check");
newState = new(new ClaimsPrincipal(
new ClaimsIdentity(
[
new Claim("username", checkData.Username),
new Claim("email", checkData.Email),
new Claim("permissions", string.Join(";", checkData.Permissions))
],
"RemoteAuthStateManager"
)
));
}
catch (HttpApiException)
{
newState = new(new ClaimsPrincipal(
new ClaimsIdentity()
));
}
return newState;
}
#endregion
}

45
Moonlight.Client/Services/RemoteAuthStateProvider.cs Normal file
View File

@@ -0,0 +1,45 @@
using System.Security.Claims;
using Microsoft.AspNetCore.Components.Authorization;
using MoonCore.Exceptions;
using MoonCore.Helpers;
using Moonlight.Shared.Http.Responses.Auth;
namespace Moonlight.Client.Services;
public class RemoteAuthStateProvider : AuthenticationStateProvider
{
private readonly HttpApiClient ApiClient;
public RemoteAuthStateProvider(HttpApiClient apiClient)
{
ApiClient = apiClient;
}
public override async Task<AuthenticationState> GetAuthenticationStateAsync()
{
ClaimsPrincipal principal;
try
{
var claims = await ApiClient.GetJson<AuthClaimResponse[]>(
"api/auth/check"
);
principal = new ClaimsPrincipal(
new ClaimsIdentity(
claims.Select(x => new Claim(x.Type, x.Value)),
"RemoteAuthentication"
)
);
}
catch (HttpApiException e)
{
if (e.Status != 401 && e.Status != 403)
throw;
principal = new ClaimsPrincipal();
}
return new AuthenticationState(principal);
}
}

9
Moonlight.Client/Startup/Startup.Auth.cs
View File

@@ -1,6 +1,8 @@
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.Extensions.DependencyInjection;
using MoonCore.Blazor.FlyonUi.Auth;
using MoonCore.Blazor.FlyonUi.Exceptions;
using MoonCore.Permissions;
using Moonlight.Client.Implementations;
using Moonlight.Client.Services;
namespace Moonlight.Client.Startup;
@@ -12,11 +14,12 @@ public partial class Startup
WebAssemblyHostBuilder.Services.AddAuthorizationCore();
WebAssemblyHostBuilder.Services.AddCascadingAuthenticationState();
WebAssemblyHostBuilder.Services.AddAuthenticationStateManager<RemoteAuthStateManager>();
WebAssemblyHostBuilder.Services.AddScoped<AuthenticationStateProvider, RemoteAuthStateProvider>();
WebAssemblyHostBuilder.Services.AddScoped<IGlobalErrorFilter, UnauthenticatedErrorFilter>();
WebAssemblyHostBuilder.Services.AddAuthorizationPermissions(options =>
{
options.ClaimName = "permissions";
options.ClaimName = "Permissions";
options.Prefix = "permissions:";
});

18
Moonlight.Client/Startup/Startup.Base.cs
View File

@@ -25,27 +25,11 @@ public partial class Startup
WebAssemblyHostBuilder.Services.AddScoped(sp =>
{
var httpClient = sp.GetRequiredService<HttpClient>();
var httpApiClient = new HttpApiClient(httpClient);
var localStorageService = sp.GetRequiredService<LocalStorageService>();
httpApiClient.OnConfigureRequest += async request =>
{
var accessToken = await localStorageService.GetString("AccessToken");
if (string.IsNullOrEmpty(accessToken))
return;
request.Headers.Add("Authorization", $"Bearer {accessToken}");
};
return httpApiClient;
return new HttpApiClient(httpClient);
});
WebAssemblyHostBuilder.Services.AddScoped<WindowService>();
WebAssemblyHostBuilder.Services.AddFileManagerOperations();
WebAssemblyHostBuilder.Services.AddFlyonUiServices();
WebAssemblyHostBuilder.Services.AddScoped<LocalStorageService>();
WebAssemblyHostBuilder.Services.AddScoped<ThemeService>();

6
Moonlight.Client/Startup/Startup.Logging.cs
View File

@@ -1,4 +1,7 @@
using Microsoft.Extensions.DependencyInjection;
using MoonCore.Blazor.FlyonUi.Exceptions;
using MoonCore.Logging;
using Moonlight.Client.Implementations;
namespace Moonlight.Client.Startup;
@@ -7,6 +10,7 @@ public partial class Startup
private Task SetupLogging()
{
var loggerFactory = new LoggerFactory();
loggerFactory.AddAnsiConsole();
Logger = loggerFactory.CreateLogger<Startup>();
@@ -19,6 +23,8 @@ public partial class Startup
WebAssemblyHostBuilder.Logging.ClearProviders();
WebAssemblyHostBuilder.Logging.AddAnsiConsole();
WebAssemblyHostBuilder.Services.AddScoped<IGlobalErrorFilter, LogErrorFilter>();
return Task.CompletedTask;
}
}

2
Moonlight.Client/Startup/Startup.cs
View File

@@ -28,8 +28,8 @@ public partial class Startup
WebAssemblyHostBuilder = builder;
await PrintVersion();
await SetupLogging();
await SetupLogging();
await LoadConfiguration();
await InitializePlugins();

534
Moonlight.Client/Styles/MoonCore.Blazor.FlyonUi/mooncore.map Normal file
View File

@@ -0,0 +1,534 @@
!bg-base-100
!border-base-content/40
!border-none
!flex
!font-medium
!font-semibold
!h-2.5
!justify-between
!me-1.5
!ms-auto
!px-2.5
!py-0.5
!rounded-full
!rounded-xs
!text-sm
!w-2.5
*:[grid-area:1/1]
*:first:rounded-tl-lg
*:last:rounded-tr-lg
-left-4
-ml-4
-translate-x-full
-translate-y-1/2
absolute
accordion
accordion-bordered
accordion-content
accordion-toggle
active
active-tab:bg-primary
active-tab:hover:text-primary-content
active-tab:text-primary-content
advance-select-menu
advance-select-option
advance-select-tag
advance-select-toggle
alert
alert-error
alert-outline
alert-soft
align-bottom
align-middle
animate-bounce
animate-ping
aria-[current='page']:text-bg-soft-primary
avatar
badge
badge-error
badge-info
badge-outline
badge-primary
badge-soft
badge-success
bg-background
bg-background/60
bg-base-100
bg-base-150
bg-base-200
bg-base-200!
bg-base-200/50
bg-base-300
bg-base-300/45
bg-base-300/50
bg-base-300/60
bg-error
bg-info
bg-primary
bg-primary/5
bg-success
bg-transparent
bg-warning
block
blur
border
border-0
border-2
border-b
border-base-content
border-base-content/20
border-base-content/25
border-base-content/40
border-base-content/5
border-dashed
border-t
border-transparent
bottom-0
bottom-full
break-words
btn
btn-accent
btn-active
btn-circle
btn-disabled
btn-error
btn-info
btn-outline
btn-primary
btn-secondary
btn-sm
btn-soft
btn-square
btn-success
btn-text
btn-warning
card
card-alert
card-body
card-border
card-footer
card-header
card-title
carousel
carousel-body
carousel-next
carousel-prev
carousel-slide
chat
chat-avatar
chat-bubble
chat-footer
chat-header
chat-receiver
chat-sender
checkbox
checkbox-primary
checkbox-xs
col-span-1
collapse
combo-box-selected:block
combo-box-selected:dropdown-active
complete
container
contents
cursor-default
cursor-not-allowed
cursor-pointer
diff
disabled
divide-base-150/60
divide-y
divider
drop-shadow
dropdown
dropdown-active
dropdown-disabled
dropdown-item
dropdown-menu
dropdown-open:opacity-100
dropdown-open:rotate-180
dropdown-toggle
duration-300
duration-500
ease-in-out
ease-linear
end-3
file-upload-complete:progress-success
fill-base-content
fill-black
fill-gray-200
filter
filter-reset
fixed
flex
flex-1
flex-col
flex-grow
flex-nowrap
flex-row
flex-shrink-0
flex-wrap
focus-visible:outline-none
focus-within:border-primary
focus:border-primary
focus:outline-1
focus:outline-none
focus:outline-primary
focus:ring-0
font-bold
font-inter
font-medium
font-normal
font-semibold
gap-0.5
gap-1
gap-1.5
gap-2
gap-3
gap-4
gap-5
gap-6
gap-x-1
gap-x-2
gap-x-3
gap-y-1
gap-y-2.5
gap-y-3
grid
grid-cols-1
grid-cols-4
grid-flow-col
grow
grow-0
h-12
h-2
h-3
h-32
h-64
h-8
h-auto
h-full
h-screen
helper-text
hidden
hover:bg-primary/5
hover:bg-transparent
hover:text-base-content
hover:text-base-content/60
hover:text-primary
image-full
inline
inline-block
inline-flex
inline-grid
input
input-floating
input-floating-label
input-lg
input-md
input-sm
input-xl
inset-0
inset-y-0
inset-y-2
invisible
is-invalid
is-valid
isolate
italic
items-center
items-end
items-start
join
join-item
justify-between
justify-center
justify-end
justify-start
justify-stretch
label-text
leading-3
leading-3.5
leading-6
leading-none
left-0
lg:bg-base-100/20
lg:flex
lg:gap-y-0
lg:grid-cols-2
lg:hidden
lg:justify-end
lg:justify-start
lg:min-w-0
lg:p-10
lg:pb-5
lg:pl-64
lg:pr-3.5
lg:pt-5
lg:ring-1
lg:ring-base-content/10
lg:rounded-lg
lg:shadow-xs
link
link-animated
link-hover
list-disc
list-inside
list-none
loading
loading-lg
loading-sm
loading-spinner
loading-xl
loading-xs
lowercase
m-10
mask
max-h-52
max-lg:flex-col
max-lg:hidden
max-w-7xl
max-w-80
max-w-full
max-w-lg
max-w-sm
max-w-xl
mb-0.5
mb-1
mb-1.5
mb-2
mb-2.5
mb-3
mb-4
mb-5
md:min-w-md
md:table-cell
md:text-3xl
me-1
me-1.5
me-2
me-2.5
me-5
menu
menu-active
menu-disabled
menu-dropdown
menu-dropdown-show
menu-horizontal
menu-title
min-h-0
min-h-svh
min-w-0
min-w-28
min-w-48
min-w-60
min-w-[100px]
min-w-sm
ml-3
ml-4
modal
modal-content
modal-dialog
modal-middle
modal-title
mr-4
ms-0.5
ms-1
ms-2
ms-3
ms-auto
mt-1
mt-1.5
mt-10
mt-12
mt-2
mt-2.5
mt-3
mt-3.5
mt-4
mt-5
mt-8
mx-1
mx-auto
my-3
my-auto
object-cover
opacity-0
opacity-100
open
origin-top-left
outline
outline-0
overflow-hidden
overflow-x-auto
overflow-y-auto
overlay-open:duration-50
overlay-open:opacity-100
p-0.5
p-1
p-2
p-3
p-4
p-5
p-6
p-8
pin-input
placeholder-base-content/60
pointer-events-auto
pointer-events-none
progress
progress-bar
progress-indeterminate
progress-primary
pt-0
pt-0.5
pt-3
px-1.5
px-2
px-2.5
px-3
px-4
px-5
py-0.5
py-1.5
py-2
py-2.5
py-6
radial-progress
radio
range
relative
resize
ring-0
ring-1
ring-white/10
rounded-box
rounded-field
rounded-full
rounded-lg
rounded-md
rounded-t-lg
row-active
row-hover
rtl:!mr-0
select
select-disabled:opacity-40
select-disabled:pointer-events-none
select-floating
select-floating-label
selected
selected:select-active
shadow-base-300/20
shadow-lg
shadow-md
shadow-xs
shrink-0
size-10
size-4
size-5
size-8
skeleton
skeleton-animated
sm:auto-cols-max
sm:flex
sm:items-center
sm:items-end
sm:justify-between
sm:justify-end
sm:max-w-2xl
sm:max-w-3xl
sm:max-w-4xl
sm:max-w-5xl
sm:max-w-6xl
sm:max-w-7xl
sm:max-w-lg
sm:max-w-md
sm:max-w-xl
sm:mb-0
sm:mt-5
sm:mt-6
sm:p-6
sm:py-2
sm:text-sm/5
space-x-1
space-y-1
space-y-4
sr-only
static
status
status-error
sticky
switch
tab
tab-active
table
table-pin-cols
table-pin-rows
tabs
tabs-bordered
tabs-lg
tabs-lifted
tabs-md
tabs-sm
tabs-xl
tabs-xs
text-2xl
text-4xl
text-accent
text-base
text-base-content
text-base-content/40
text-base-content/50
text-base-content/60
text-base-content/70
text-base-content/80
text-base/6
text-center
text-error
text-error-content
text-gray-400
text-info
text-info-content
text-left
text-lg
text-primary
text-primary-content
text-sm
text-sm/5
text-success
text-success-content
text-warning
text-warning-content
text-xl
text-xs
text-xs/5
textarea
textarea-floating
textarea-floating-label
theme-controller
tooltip
tooltip-content
top-0
top-1/2
top-full
transform
transition
transition-all
transition-opacity
translate-x-0
truncate
underline
uppercase
validate
w-0
w-0.5
w-12
w-4
w-56
w-64
w-fit
w-full
whitespace-nowrap
z-10
z-40
z-50

7
Moonlight.Client/UI/App.razor
View File

@@ -1,8 +1,13 @@
@using Moonlight.Client.UI.Layouts
@using Moonlight.Client.Services
@using Moonlight.Client.UI.Partials
@inject ApplicationAssemblyService ApplicationAssemblyService
<ApplicationRouter DefaultLayout="@typeof(MainLayout)"
AppAssembly="@typeof(App).Assembly"
AdditionalAssemblies="ApplicationAssemblyService.Assemblies" />
AdditionalAssemblies="ApplicationAssemblyService.Assemblies">
<LoginTemplate>
<LoginSelector />
</LoginTemplate>
</ApplicationRouter>

6
Moonlight.Client/UI/Components/WelcomeOverviewElement.razor
View File

@@ -1,4 +1,5 @@
@using Microsoft.AspNetCore.Components.Authorization
@using System.Security.Claims
@using Microsoft.AspNetCore.Components.Authorization
<div class="col-span-12 md:col-span-6">
<div class="font-medium leading-[1.1] tracking-tight">
@@ -18,7 +19,6 @@
protected override async Task OnInitializedAsync()
{
var identity = await AuthState;
var usernameClaim = identity.User.Claims.ToArray().First(x => x.Type == "username");
Username = usernameClaim.Value;
Username = identity.User.FindFirst(ClaimTypes.Name)!.Value;
}
}

11
Moonlight.Client/UI/Partials/AppSidebar.razor
View File

@@ -1,13 +1,11 @@
@using System.Security.Claims
@using Microsoft.AspNetCore.Authorization
@using Microsoft.AspNetCore.Components.Authorization
@using MoonCore.Blazor.FlyonUi.Auth
@using Moonlight.Client.Interfaces
@using Moonlight.Client.Models
@using Moonlight.Client.UI.Layouts
@inject NavigationManager Navigation
@inject AuthenticationStateManager AuthStateManager
@inject IEnumerable<ISidebarItemProvider> SidebarItemProviders
@inject IAuthorizationService AuthorizationService
@@ -210,8 +208,8 @@
var authState = await AuthState;
Identity = authState.User;
Username = Identity.Claims.First(x => x.Type == "username").Value;
Email = Identity.Claims.First(x => x.Type == "email").Value;
Username = Identity.FindFirst(ClaimTypes.Name)!.Value;
Email = Identity.FindFirst(ClaimTypes.Email)!.Value;
var sidebarItems = new List<SidebarItem>();
@@ -260,8 +258,9 @@
return Task.CompletedTask;
}
private async Task Logout()
private Task Logout()
{
await AuthStateManager.Logout();
Navigation.NavigateTo("/api/auth/logout", true);
return Task.CompletedTask;
}
}

101
Moonlight.Client/UI/Partials/LoginSelector.razor Normal file
View File

@@ -0,0 +1,101 @@
@using MoonCore.Helpers
@using Moonlight.Shared.Http.Responses.Auth
@inject HttpApiClient ApiClient
@inject NavigationManager Navigation
<div class="flex h-screen justify-center items-center">
<div class="sm:min-w-md">
<div class="bg-base-100 shadow-base-300/20 z-1 w-full space-y-6 rounded-xl p-6 shadow-md lg:p-8">
<LazyLoader EnableDefaultSpacing="false" Load="Load">
@if (ShowSelection)
{
<div class="flex justify-center items-center gap-3">
<img src="/_content/Moonlight.Client/svg/logo.svg" class="size-12" alt="brand-logo"/>
</div>
<div class="text-center">
<h3 class="text-base-content mb-1.5 text-2xl font-semibold">Login into your account</h3>
<p class="text-base-content/80">Chose a login method to continue</p>
</div>
<div class="space-y-4">
@if (AuthSchemes.Length == 0)
{
<div class="alert alert-error text-center">
No auth schemes enabled/available
</div>
}
<div class="mb-4 space-y-4">
@foreach (var scheme in AuthSchemes)
{
var config = Configs.GetValueOrDefault(scheme.Identifier);
if (config == null) // Ignore all schemes which have no ui configured
continue;
<button @onclick="() => Start(scheme)" class="btn btn-text w-full"
style="background-color: @(config.Color)">
<img src="@config.IconUrl"
alt="scheme icon"
class="size-5 object-cover fill-base-content"/>
Sign in with @scheme.DisplayName
</button>
}
</div>
</div>
}
else
{
<div class="flex justify-center">
<span class="loading loading-spinner loading-xl"></span>
</div>
}
</LazyLoader>
</div>
</div>
</div>
@code
{
private AuthSchemeResponse[] AuthSchemes;
private Dictionary<string, AuthSchemeConfig> Configs = new();
private bool ShowSelection = false;
protected override void OnInitialized()
{
Configs["LocalAuth"] = new AuthSchemeConfig()
{
Color = "#7636e3",
IconUrl = "/placeholder.jpg"
};
}
private async Task Load(LazyLoader arg)
{
AuthSchemes = await ApiClient.GetJson<AuthSchemeResponse[]>(
"api/auth"
);
// If we only have one auth scheme available
// we want to auto redirect the user without
// showing the selection screen
if (AuthSchemes.Length == 1)
await Start(AuthSchemes[0]);
else
ShowSelection = true;
}
private Task Start(AuthSchemeResponse scheme)
{
Navigation.NavigateTo($"/api/auth/{scheme.Identifier}", true);
return Task.CompletedTask;
}
record AuthSchemeConfig
{
public string Color { get; set; }
public string IconUrl { get; set; }
}
}

16
Moonlight.Client/UI/Views/Admin/Sys/Files.razor
View File

@@ -4,6 +4,7 @@
@using MoonCore.Helpers
@using Moonlight.Client.Implementations
@using MoonCore.Blazor.FlyonUi.Files.Manager
@using MoonCore.Blazor.FlyonUi.Files.Manager.Operations
@attribute [Authorize(Policy = "permissions:admin.system.overview")]
@@ -13,7 +14,8 @@
<NavTabs Index="2" Names="UiConstants.AdminNavNames" Links="UiConstants.AdminNavLinks"/>
</div>
<FileManager FsAccess="FsAccess" TransferChunkSize="TransferChunkSize" UploadLimit="UploadLimit"/>
<FileManager OnConfigure="OnConfigure" FsAccess="FsAccess" TransferChunkSize="TransferChunkSize"
UploadLimit="UploadLimit"/>
@code
{
@@ -26,4 +28,16 @@
{
FsAccess = new SystemFsAccess(ApiClient);
}
private void OnConfigure(FileManagerOptions options)
{
options.AddMultiOperation<DeleteOperation>();
options.AddMultiOperation<MoveOperation>();
options.AddMultiOperation<DownloadOperation>();
options.AddSingleOperation<RenameOperation>();
options.AddToolbarOperation<CreateFileOperation>();
options.AddToolbarOperation<CreateFolderOperation>();
}
}

9
Moonlight.Shared/Http/Requests/Auth/LoginCompleteRequest.cs
View File

@@ -1,9 +0,0 @@
using System.ComponentModel.DataAnnotations;
namespace Moonlight.Shared.Http.Requests.Auth;
public class LoginCompleteRequest
{
[Required(ErrorMessage = "You need to provide a code")]
public string Code { get; set; }
}

20
Moonlight.Shared/Http/Responses/Auth/AuthClaimResponse.cs Normal file
View File

@@ -0,0 +1,20 @@
namespace Moonlight.Shared.Http.Responses.Auth;
public class AuthClaimResponse
{
// ReSharper disable once UnusedMember.Global
// Its used by the json serializer ^^
public AuthClaimResponse()
{
}
public AuthClaimResponse(string type, string value)
{
Type = type;
Value = value;
}
public string Type { get; set; }
public string Value { get; set; }
}

7
Moonlight.Shared/Http/Responses/Auth/AuthSchemeResponse.cs Normal file
View File

@@ -0,0 +1,7 @@
namespace Moonlight.Shared.Http.Responses.Auth;
public class AuthSchemeResponse
{
public string DisplayName { get; set; }
public string Identifier { get; set; }
}

8
Moonlight.Shared/Http/Responses/Auth/CheckResponse.cs
View File

@@ -1,8 +0,0 @@
namespace Moonlight.Shared.Http.Responses.Auth;
public class CheckResponse
{
public string Username { get; set; }
public string Email { get; set; }
public string[] Permissions { get; set; }
}

6
Moonlight.Shared/Http/Responses/Auth/LoginCompleteResponse.cs
View File

@@ -1,6 +0,0 @@
namespace Moonlight.Shared.Http.Responses.Auth;
public class LoginCompleteResponse
{
public string AccessToken { get; set; }
}

6
Moonlight.Shared/Http/Responses/Auth/LoginStartResponse.cs
View File

@@ -1,6 +0,0 @@
namespace Moonlight.Shared.Http.Responses.Auth;
public class LoginStartResponse
{
public string Url { get; set; }
}

6
Moonlight.Shared/Http/Responses/OAuth2/OAuth2HandleResponse.cs
View File

@@ -1,6 +0,0 @@
namespace Moonlight.Shared.Http.Responses.OAuth2;
public class OAuth2HandleResponse
{
public int UserId { get; set; }
}