Moonlight-Panel/Moonlight
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
01c86406dc7ba9d26e3ac6aa6701ad76c84e730e
Moonlight/Moonlight.Api/Services/UserAuthService.cs

144 lines
4.6 KiB
C#
Raw Blame History

using System.Security.Claims;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Moonlight.Api.Configuration;
using Moonlight.Api.Database;
using Moonlight.Api.Database.Entities;
using Moonlight.Shared;
namespace Moonlight.Api.Services;
public class UserAuthService
{
private readonly DatabaseRepository<User> UserRepository;
private readonly IMemoryCache Cache;
private readonly ILogger<UserAuthService> Logger;
private readonly IOptions<SessionOptions> Options;
private const string UserIdClaim = "UserId";
private const string IssuedAtClaim = "IssuedAt";
public const string ValidationCacheKeyPattern = $"Moonlight.{nameof(UserAuthService)}.{nameof(ValidateAsync)}-{{0}}";
public UserAuthService(
DatabaseRepository<User> userRepository,
ILogger<UserAuthService> logger,
IMemoryCache cache, IOptions<SessionOptions> options)
{
UserRepository = userRepository;
Logger = logger;
Cache = cache;
Options = options;
}
public async Task<bool> SyncAsync(ClaimsPrincipal? principal)
{
if (principal is null)
return false;
var username = principal.FindFirstValue(ClaimTypes.Name);
var email = principal.FindFirstValue(ClaimTypes.Email);
if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(email))
{
Logger.LogWarning("Unable to sync user to database as name and/or email claims are missing");
return false;
}
// We use email as the primary identifier here
var user = await UserRepository
.Query()
.AsNoTracking()
.FirstOrDefaultAsync(user => user.Email == email);
if (user == null) // Sync user if not already existing in the database
{
user = await UserRepository.AddAsync(new User()
{
Username = username,
Email = email,
InvalidateTimestamp = DateTimeOffset.UtcNow.AddMinutes(-1)
});
}
else // Update properties of existing user
{
user.Username = username;
await UserRepository.UpdateAsync(user);
}
principal.Identities.First().AddClaims([
new Claim(UserIdClaim, user.Id.ToString()),
new Claim(IssuedAtClaim, DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString())
]);
return true;
}
public async Task<bool> ValidateAsync(ClaimsPrincipal? principal)
{
// Ignore malformed claims principal
if (principal is not { Identity.IsAuthenticated: true })
return false;
var userIdString = principal.FindFirstValue(UserIdClaim);
if (!int.TryParse(userIdString, out var userId))
return false;
var cacheKey = $"Moonlight.{nameof(UserAuthService)}.{nameof(ValidateAsync)}-{userId}";
if (!Cache.TryGetValue<UserSession>(cacheKey, out var user))
{
user = await UserRepository
.Query()
.AsNoTracking()
.Where(u => u.Id == userId)
.Select(u => new UserSession(
u.InvalidateTimestamp,
u.RoleMemberships.SelectMany(x => x.Role.Permissions).ToArray())
)
.FirstOrDefaultAsync();
if (user == null)
return false;
Cache.Set(
cacheKey,
user,
TimeSpan.FromMinutes(Options.Value.ValidationCacheMinutes)
);
}
else
{
if (user == null)
return false;
}
var issuedAtString = principal.FindFirstValue(IssuedAtClaim);
if (!long.TryParse(issuedAtString, out var issuedAtUnix))
return false;
var issuedAt = DateTimeOffset.FromUnixTimeSeconds(issuedAtUnix).ToUniversalTime();
// If the issued at timestamp is greater than the token validation timestamp,
// everything is fine. If not, it means that the token should be invalidated
// as it is too old
if (issuedAt < user.InvalidateTimestamp)
return false;
principal.Identities.First().AddClaims(
user.Permissions.Select(x => new Claim(Permissions.ClaimType, x))
);
return true;
}
// A small model which contains data queried per session validation after the defined cache time.
// Used for projection
private record UserSession(DateTimeOffset InvalidateTimestamp, string[] Permissions);
}
Reference in New Issue View Git Blame Copy Permalink