Moonlight/Moonlight.Api/Services/UserAuthService.cs

using System.Security.Claims;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Caching.Hybrid;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Moonlight.Api.Configuration;
using Moonlight.Api.Database;
using Moonlight.Api.Database.Entities;
using Moonlight.Api.Interfaces;
using Moonlight.Shared;

namespace Moonlight.Api.Services;

public class UserAuthService
{
    private readonly DatabaseRepository<User> UserRepository;
    private readonly ILogger<UserAuthService> Logger;
    private readonly IOptions<UserOptions> Options;
    private readonly IEnumerable<IUserAuthHook> Hooks;
    private readonly HybridCache HybridCache;

    private const string UserIdClaim = "UserId";
    private const string IssuedAtClaim = "IssuedAt";

    public const string CacheKeyPattern = $"Moonlight.{nameof(UserAuthService)}.{nameof(ValidateAsync)}-{{0}}";

    public UserAuthService(
        DatabaseRepository<User> userRepository,
        ILogger<UserAuthService> logger,
        IOptions<UserOptions> options,
        IEnumerable<IUserAuthHook> hooks,
        HybridCache hybridCache
    )
    {
        UserRepository = userRepository;
        Logger = logger;
        Options = options;
        Hooks = hooks;
        HybridCache = hybridCache;
    }

    public async Task<bool> SyncAsync(ClaimsPrincipal? principal)
    {
        if (principal is null)
            return false;

        var username = principal.FindFirstValue(ClaimTypes.Name);
        var email = principal.FindFirstValue(ClaimTypes.Email);

        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(email))
        {
            Logger.LogWarning("Unable to sync user to database as name and/or email claims are missing");
            return false;
        }

        // We use email as the primary identifier here
        var user = await UserRepository
            .Query()
            .FirstOrDefaultAsync(user => user.Email == email);

        if (user == null) // Sync user if not already existing in the database
        {
            user = await UserRepository.AddAsync(new User()
            {
                Username = username,
                Email = email,
                InvalidateTimestamp = DateTimeOffset.UtcNow.AddMinutes(-1)
            });
        }
        else // Update properties of existing user
        {
            user.Username = username;

            await UserRepository.UpdateAsync(user);
        }

        principal.Identities.First().AddClaims([
            new Claim(UserIdClaim, user.Id.ToString()),
            new Claim(IssuedAtClaim, DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString())
        ]);

        foreach (var hook in Hooks)
        {
            // Run every hook, and if any returns false, we return false as well
            if (!await hook.SyncAsync(principal, user))
                return false;
        }

        return true;
    }

    public async Task<bool> ValidateAsync(ClaimsPrincipal? principal)
    {
        // Ignore malformed claims principal
        if (principal is not { Identity.IsAuthenticated: true })
            return false;

        var userIdString = principal.FindFirstValue(UserIdClaim);

        if (!int.TryParse(userIdString, out var userId))
            return false;

        var cacheKey = string.Format(CacheKeyPattern, userId);

        var user = await HybridCache.GetOrCreateAsync<UserSession?>(
            cacheKey,
            async ct =>
            {
                return await UserRepository
                    .Query()
                    .AsNoTracking()
                    .Where(u => u.Id == userId)
                    .Select(u => new UserSession(
                        u.InvalidateTimestamp,
                        u.RoleMemberships.SelectMany(x => x.Role.Permissions).ToArray())
                    )
                    .FirstOrDefaultAsync(cancellationToken: ct);
            },
            new HybridCacheEntryOptions()
            {
                LocalCacheExpiration = Options.Value.ValidationCacheL1Expiry,
                Expiration = Options.Value.ValidationCacheL2Expiry
            }
        );

        if (user == null)
            return false;

        var issuedAtString = principal.FindFirstValue(IssuedAtClaim);

        if (!long.TryParse(issuedAtString, out var issuedAtUnix))
            return false;

        var issuedAt = DateTimeOffset.FromUnixTimeSeconds(issuedAtUnix).ToUniversalTime();

        // If the issued at timestamp is greater than the token validation timestamp,
        // everything is fine. If not, it means that the token should be invalidated
        // as it is too old

        if (issuedAt < user.InvalidateTimestamp)
            return false;

        // Load every permission as claim
        principal.Identities.First().AddClaims(
            user.Permissions.Select(x => new Claim(Permissions.ClaimType, x))
        );

        foreach (var hook in Hooks)
        {
            // Run every hook, and if any returns false we return false as well
            if (!await hook.ValidateAsync(principal, userId))
                return false;
        }

        return true;
    }

    // A small model which contains data queried per session validation after the defined cache time.
    // Used for projection
    private record UserSession(DateTimeOffset InvalidateTimestamp, string[] Permissions);
}