Improved jwt handling for node access tokens. Switched to di plugin system

2025-02-24 21:03:23 +01:00
parent 67efe71247
commit a8d867c3c7
11 changed files with 101 additions and 48 deletions
--- a/MoonlightServers.ApiServer/Http/Controllers/Users/ServerPowerController.cs
+++ b/MoonlightServers.ApiServer/Http/Controllers/Users/ServerPowerController.cs
@@ -4,6 +4,7 @@ using Microsoft.EntityFrameworkCore;
 using MoonCore.Exceptions;
 using MoonCore.Extended.Abstractions;
 using MoonCore.Extensions;
+using MoonCore.Helpers;
 using MoonlightServers.ApiServer.Database.Entities;
 using MoonlightServers.ApiServer.Services;

@@ -117,7 +118,9 @@ public class ServerPowerController : Controller
        if (server.OwnerId == userId) // The current user is the owner
            return server;

-        if (User.HasPermission("admin.servers.get")) // The current user is an admin
+        var permissions = User.Claims.First(x => x.Type == "permissions").Value.Split(";", StringSplitOptions.RemoveEmptyEntries);
+        
+        if (PermissionHelper.HasPermission(permissions, "admin.servers.get")) // The current user is an admin
            return server;

        throw new HttpApiException("No server with this id found", 404);
--- a/MoonlightServers.ApiServer/Http/Controllers/Users/ServersController.cs
+++ b/MoonlightServers.ApiServer/Http/Controllers/Users/ServersController.cs
@@ -5,6 +5,7 @@ using MoonCore.Extended.PermFilter;
 using MoonCore.Exceptions;
 using MoonCore.Extended.Abstractions;
 using MoonCore.Extensions;
+using MoonCore.Helpers;
 using MoonCore.Models;
 using Moonlight.ApiServer.Database.Entities;
 using MoonlightServers.ApiServer.Database.Entities;
@@ -198,7 +199,9 @@ public class ServersController : Controller
        if (server.OwnerId == userId) // The current user is the owner
            return server;

-        if (User.HasPermission("admin.servers.get")) // The current user is an admin
+        var permissions = User.Claims.First(x => x.Type == "permissions").Value.Split(";", StringSplitOptions.RemoveEmptyEntries);
+        
+        if (PermissionHelper.HasPermission(permissions, "admin.servers.get")) // The current user is an admin
            return server;

        throw new HttpApiException("No server with this id found", 404);
--- a/MoonlightServers.ApiServer/Services/NodeService.cs
+++ b/MoonlightServers.ApiServer/Services/NodeService.cs
@@ -1,3 +1,7 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Text;
+using Microsoft.IdentityModel.Tokens;
 using MoonCore.Attributes;
 using MoonCore.Extended.Helpers;
 using MoonCore.Helpers;
@@ -32,7 +36,30 @@ public class NodeService
    }

    public string CreateAccessToken(Node node, Action<Dictionary<string, object>> parameters, TimeSpan duration)
-        => JwtHelper.Encode(node.Token, parameters, duration);
+    {
+        var claims = new Dictionary<string, object>();
+        parameters.Invoke(claims);
+
+        var jwtSecurityTokenHandler = new JwtSecurityTokenHandler();
+
+        var securityTokenDescriptor = new SecurityTokenDescriptor()
+        {
+            Expires = DateTime.UtcNow.Add(duration),
+            NotBefore = DateTime.UtcNow.AddSeconds(-1),
+            Claims = claims,
+            IssuedAt = DateTime.UtcNow,
+            SigningCredentials = new SigningCredentials(
+                new SymmetricSecurityKey(Encoding.UTF8.GetBytes(
+                    node.Token
+                )),
+                SecurityAlgorithms.HmacSha256
+            )
+        };
+
+        var securityToken = jwtSecurityTokenHandler.CreateJwtSecurityToken(securityTokenDescriptor);
+
+        return jwtSecurityTokenHandler.WriteToken(securityToken);
+    }

    public async Task<SystemStatusResponse> GetSystemStatus(Node node)
    {
--- a/MoonlightServers.ApiServer/Startup/DatabaseStartup.cs
+++ b/MoonlightServers.ApiServer/Startup/DatabaseStartup.cs
@@ -1,15 +0,0 @@
-using Moonlight.ApiServer.Helpers;
-using Moonlight.ApiServer.Interfaces.Startup;
-using MoonlightServers.ApiServer.Database;
-
-namespace MoonlightServers.ApiServer.Startup;
-
-public class DatabaseStartup : IDatabaseStartup
-{
-    public Task ConfigureDatabase(DatabaseContextCollection collection)
-    {
-        collection.Add<ServersDataContext>();
-
-        return Task.CompletedTask;
-    }
-}
--- a/MoonlightServers.ApiServer/Startup/PluginStartup.cs
+++ b/MoonlightServers.ApiServer/Startup/PluginStartup.cs
@@ -1,10 +1,12 @@
 using MoonCore.Extensions;
+using Moonlight.ApiServer.Helpers;
 using Moonlight.ApiServer.Interfaces.Startup;
 using Moonlight.ApiServer.Services;
+using MoonlightServers.ApiServer.Database;

 namespace MoonlightServers.ApiServer.Startup;

-public class PluginStartup : IAppStartup
+public class PluginStartup : IPluginStartup
 {
    private readonly BundleService BundleService;

@@ -13,7 +15,7 @@ public class PluginStartup : IAppStartup
        BundleService = bundleService;
    }

-    public Task BuildApp(IHostApplicationBuilder builder)
+    public Task BuildApplication(IHostApplicationBuilder builder)
    {
        // Scan the current plugin assembly for di services
        builder.Services.AutoAddServices<PluginStartup>();
@@ -24,8 +26,16 @@ public class PluginStartup : IAppStartup
        return Task.CompletedTask;
    }

-    public Task ConfigureApp(IApplicationBuilder app)
+    public Task ConfigureApplication(IApplicationBuilder app)
+     => Task.CompletedTask;
+
+    public Task ConfigureDatabase(DatabaseContextCollection collection)
    {
+        collection.Add<ServersDataContext>();
+        
        return Task.CompletedTask;
    }
+
+    public Task ConfigureEndpoints(IEndpointRouteBuilder routeBuilder)
+        => Task.CompletedTask;
 }
--- a/MoonlightServers.Daemon/Abstractions/Server.Crash.cs
+++ b/MoonlightServers.Daemon/Abstractions/Server.Crash.cs
@@ -35,7 +35,7 @@ public partial class Server
    public async Task InternalError()
    {
        await LogToConsole("An unhandled error occured performing action");
-        
+        // TODO:
        Logger.LogInformation("Reporting or smth");
    }
 }
--- a/MoonlightServers.Daemon/Helpers/AccessTokenHelper.cs
+++ b/MoonlightServers.Daemon/Helpers/AccessTokenHelper.cs
@@ -1,4 +1,8 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Text;
 using System.Text.Json;
+using Microsoft.IdentityModel.Tokens;
 using MoonCore.Attributes;
 using MoonCore.Extended.Helpers;
 using MoonlightServers.Daemon.Configuration;
@@ -15,8 +19,33 @@ public class AccessTokenHelper
        Configuration = configuration;
    }

-    public bool Process(string accessToken, out Dictionary<string, JsonElement> data)
+// TODO: Improve
+    public bool Process(string accessToken, out Claim[] claims)
    {
-        return JwtHelper.TryVerifyAndDecodePayload(Configuration.Security.Token, accessToken, out data);
+        var jwtSecurityTokenHandler = new JwtSecurityTokenHandler();
+
+        try
+        {
+            var data = jwtSecurityTokenHandler.ValidateToken(accessToken, new()
+            {
+                ClockSkew = TimeSpan.Zero,
+                ValidateLifetime = true,
+                ValidateAudience = false,
+                ValidateIssuer = false,
+                ValidateActor = false,
+                IssuerSigningKey = new SymmetricSecurityKey(
+                    Encoding.UTF8.GetBytes(Configuration.Security.Token)
+                )
+            }, out var _);
+
+            claims = data.Claims.ToArray();
+
+            return true;
+        }
+        catch (Exception e)
+        {
+            claims = [];
+            return false;
+        }
    }
 }
--- a/MoonlightServers.Daemon/Helpers/ServerWebSocketConnection.cs
+++ b/MoonlightServers.Daemon/Helpers/ServerWebSocketConnection.cs
@@ -50,7 +50,7 @@ public class ServerWebSocketConnection
        }

        // Validate access token data
-        if (!accessData.ContainsKey("type") || !accessData.ContainsKey("serverId"))
+        if (accessData.All(x => x.Type != "type") || accessData.All(x => x.Type != "serverId"))
        {
            Logger.LogDebug("Received invalid access token: Required parameters are missing");
            
@@ -63,7 +63,7 @@ public class ServerWebSocketConnection
        }

        // Validate access token type
-        var type = accessData["type"].GetString()!;
+        var type = accessData.First(x => x.Type == "type").Value;

        if (type != "websocket")
        {
@@ -77,7 +77,7 @@ public class ServerWebSocketConnection
            return;
        }

-        var serverId = accessData["serverId"].GetInt32();
+        var serverId = int.Parse(accessData.First(x => x.Type == "serverId").Value);
        
        // Check that the access token isn't for another server
        if (ServerId != -1 && ServerId == serverId)
--- a/MoonlightServers.Daemon/MoonlightServers.Daemon.csproj
+++ b/MoonlightServers.Daemon/MoonlightServers.Daemon.csproj
@@ -9,9 +9,9 @@
    <ItemGroup>
        <PackageReference Include="Docker.DotNet" Version="3.125.15" />
        <PackageReference Include="Microsoft.AspNetCore.SignalR" Version="1.1.0" />
-        <PackageReference Include="MoonCore" Version="1.8.2" />
-        <PackageReference Include="MoonCore.Extended" Version="1.2.7" />
-        <PackageReference Include="MoonCore.Unix" Version="1.0.0" />
+        <PackageReference Include="MoonCore" Version="1.8.3" />
+        <PackageReference Include="MoonCore.Extended" Version="1.2.8" />
+        <PackageReference Include="MoonCore.Unix" Version="1.0.2" />
        <PackageReference Include="Stateless" Version="5.17.0" />
        <PackageReference Include="Swashbuckle.AspNetCore" Version="6.6.2"/>
    </ItemGroup>
--- a/MoonlightServers.Frontend/Startup/PluginStartup.cs
+++ b/MoonlightServers.Frontend/Startup/PluginStartup.cs
@@ -1,28 +1,24 @@
 using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
 using MoonCore.Extensions;
-using MoonCore.PluginFramework.Extensions;
 using Moonlight.Client.Interfaces;
+using MoonlightServers.Frontend.Implementations;
 using MoonlightServers.Frontend.Interfaces;

 namespace MoonlightServers.Frontend.Startup;

-public class PluginStartup : IAppStartup
+public class PluginStartup : IPluginStartup
 {
-    public Task BuildApp(WebAssemblyHostBuilder builder)
+    public Task BuildApplication(WebAssemblyHostBuilder builder)
    {
+        builder.Services.AddSingleton<ISidebarItemProvider, SidebarImplementation>();
+        builder.Services.AddSingleton<IServerTabProvider, DefaultServerTabProvider>();
+        
        builder.Services.AutoAddServices<PluginStartup>();
        
-        builder.Services.AddInterfaces(configuration =>
-        {
-            configuration.AddAssembly(GetType().Assembly);
-
-            configuration.AddInterface<IServerTabProvider>();
-        });
-        
        return Task.CompletedTask;
    }

-    public Task ConfigureApp(WebAssemblyHost app)
+    public Task ConfigureApplication(WebAssemblyHost app)
    {
        return Task.CompletedTask;
    }
--- a/MoonlightServers.Frontend/UI/Views/User/Manage.razor
+++ b/MoonlightServers.Frontend/UI/Views/User/Manage.razor
@@ -12,7 +12,7 @@
@using MoonlightServers.Frontend.UI.Components.Servers.ServerTabs

@inject HttpApiClient ApiClient
-@inject IServerTabProvider[] TabProviders
+@inject IEnumerable<IServerTabProvider> TabProviders

@implements IAsyncDisposable