99 lines
3.1 KiB
C#
99 lines
3.1 KiB
C#
using System.Security.Claims;
|
|
using Microsoft.EntityFrameworkCore;
|
|
using Microsoft.Extensions.Logging;
|
|
using Moonlight.Api.Database;
|
|
using Moonlight.Api.Database.Entities;
|
|
|
|
namespace Moonlight.Api.Services;
|
|
|
|
public class UserAuthService
|
|
{
|
|
private readonly DatabaseRepository<User> UserRepository;
|
|
private readonly ILogger<UserAuthService> Logger;
|
|
|
|
private const string UserIdClaim = "UserId";
|
|
private const string IssuedAtClaim = "IssuedAt";
|
|
|
|
public UserAuthService(DatabaseRepository<User> userRepository, ILogger<UserAuthService> logger)
|
|
{
|
|
UserRepository = userRepository;
|
|
Logger = logger;
|
|
}
|
|
|
|
public async Task<bool> SyncAsync(ClaimsPrincipal? principal)
|
|
{
|
|
if (principal is null)
|
|
return false;
|
|
|
|
var username = principal.FindFirstValue(ClaimTypes.Name);
|
|
var email = principal.FindFirstValue(ClaimTypes.Email);
|
|
|
|
if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(email))
|
|
{
|
|
Logger.LogWarning("Unable to sync user to database as name and/or email claims are missing");
|
|
return false;
|
|
}
|
|
|
|
// We use email as the primary identifier here
|
|
var user = await UserRepository
|
|
.Query()
|
|
.AsNoTracking()
|
|
.FirstOrDefaultAsync(user => user.Email == email);
|
|
|
|
if (user == null) // Sync user if not already existing in the database
|
|
{
|
|
user = await UserRepository.AddAsync(new User()
|
|
{
|
|
Username = username,
|
|
Email = email,
|
|
InvalidateTimestamp = DateTimeOffset.UtcNow.AddMinutes(-1)
|
|
});
|
|
}
|
|
else // Update properties of existing user
|
|
{
|
|
user.Username = username;
|
|
|
|
await UserRepository.UpdateAsync(user);
|
|
}
|
|
|
|
principal.Identities.First().AddClaims([
|
|
new Claim(UserIdClaim, user.Id.ToString()),
|
|
new Claim(IssuedAtClaim, DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString())
|
|
]);
|
|
|
|
return true;
|
|
}
|
|
|
|
public async Task<bool> ValidateAsync(ClaimsPrincipal? principal)
|
|
{
|
|
// Ignore malformed claims principal
|
|
if (principal is not { Identity.IsAuthenticated: true })
|
|
return false;
|
|
|
|
var userIdString = principal.FindFirstValue(UserIdClaim);
|
|
|
|
if (!int.TryParse(userIdString, out var userId))
|
|
return false;
|
|
|
|
var user = await UserRepository
|
|
.Query()
|
|
.AsNoTracking()
|
|
.FirstOrDefaultAsync(user => user.Id == userId);
|
|
|
|
if (user == null)
|
|
return false;
|
|
|
|
var issuedAtString = principal.FindFirstValue(IssuedAtClaim);
|
|
|
|
if (!long.TryParse(issuedAtString, out var issuedAtUnix))
|
|
return false;
|
|
|
|
var issuedAt = DateTimeOffset.FromUnixTimeSeconds(issuedAtUnix).ToUniversalTime();
|
|
|
|
// If the issued at timestamp is greater than the token validation timestamp
|
|
// everything is fine. If not it means that the token should be invalidated
|
|
// as it is too old
|
|
|
|
return issuedAt > user.InvalidateTimestamp;
|
|
}
|
|
} |