using System.Security.Claims; using Microsoft.EntityFrameworkCore; using Microsoft.Extensions.Caching.Memory; using Microsoft.Extensions.Logging; using Microsoft.Extensions.Options; using Moonlight.Api.Configuration; using Moonlight.Api.Database; using Moonlight.Api.Database.Entities; using Moonlight.Api.Interfaces; using Moonlight.Shared; namespace Moonlight.Api.Services; public class UserAuthService { private readonly DatabaseRepository UserRepository; private readonly IMemoryCache Cache; private readonly ILogger Logger; private readonly IOptions Options; private readonly IEnumerable Hooks; private const string UserIdClaim = "UserId"; private const string IssuedAtClaim = "IssuedAt"; public const string CacheKeyPattern = $"Moonlight.{nameof(UserAuthService)}.{nameof(ValidateAsync)}-{{0}}"; public UserAuthService( DatabaseRepository userRepository, ILogger logger, IMemoryCache cache, IOptions options, IEnumerable hooks ) { UserRepository = userRepository; Logger = logger; Cache = cache; Options = options; Hooks = hooks; } public async Task SyncAsync(ClaimsPrincipal? principal) { if (principal is null) return false; var username = principal.FindFirstValue(ClaimTypes.Name); var email = principal.FindFirstValue(ClaimTypes.Email); if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(email)) { Logger.LogWarning("Unable to sync user to database as name and/or email claims are missing"); return false; } // We use email as the primary identifier here var user = await UserRepository .Query() .FirstOrDefaultAsync(user => user.Email == email); if (user == null) // Sync user if not already existing in the database { user = await UserRepository.AddAsync(new User() { Username = username, Email = email, InvalidateTimestamp = DateTimeOffset.UtcNow.AddMinutes(-1) }); } else // Update properties of existing user { user.Username = username; await UserRepository.UpdateAsync(user); } principal.Identities.First().AddClaims([ new Claim(UserIdClaim, user.Id.ToString()), new Claim(IssuedAtClaim, DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString()) ]); foreach (var hook in Hooks) { // Run every hook and if any returns false we return false as well if(!await hook.SyncAsync(principal, user)) return false; } return true; } public async Task ValidateAsync(ClaimsPrincipal? principal) { // Ignore malformed claims principal if (principal is not { Identity.IsAuthenticated: true }) return false; var userIdString = principal.FindFirstValue(UserIdClaim); if (!int.TryParse(userIdString, out var userId)) return false; var cacheKey = string.Format(CacheKeyPattern, userId); if (!Cache.TryGetValue(cacheKey, out var user)) { user = await UserRepository .Query() .AsNoTracking() .Where(u => u.Id == userId) .Select(u => new UserSession( u.InvalidateTimestamp, u.RoleMemberships.SelectMany(x => x.Role.Permissions).ToArray()) ) .FirstOrDefaultAsync(); if (user == null) return false; Cache.Set( cacheKey, user, TimeSpan.FromMinutes(Options.Value.ValidationCacheMinutes) ); } else { if (user == null) return false; } var issuedAtString = principal.FindFirstValue(IssuedAtClaim); if (!long.TryParse(issuedAtString, out var issuedAtUnix)) return false; var issuedAt = DateTimeOffset.FromUnixTimeSeconds(issuedAtUnix).ToUniversalTime(); // If the issued at timestamp is greater than the token validation timestamp, // everything is fine. If not, it means that the token should be invalidated // as it is too old if (issuedAt < user.InvalidateTimestamp) return false; // Load every permission as claim principal.Identities.First().AddClaims( user.Permissions.Select(x => new Claim(Permissions.ClaimType, x)) ); foreach (var hook in Hooks) { // Run every hook and if any returns false we return false as well if(!await hook.ValidateAsync(principal, userId)) return false; } return true; } // A small model which contains data queried per session validation after the defined cache time. // Used for projection private record UserSession(DateTimeOffset InvalidateTimestamp, string[] Permissions); }