Cutlery/Kavita
1
0
Fork 0
mirror of https://github.com/Kareadita/Kavita.git synced 2026-06-05 22:35:17 -04:00
Code Issues Packages Projects Releases Wiki Activity

Progress Overhaul + Profile Page and a LOT more! (#4262)

Browse Source 
Co-authored-by: Amelia <77553571+Fesaa@users.noreply.github.com>
Co-authored-by: Robbie Davis <robbie@therobbiedavis.com>
This commit is contained in:
Joe Milazzo
2025-12-09 10:00:11 -07:00
committed by GitHub
parent 4ac13f1f25
commit 9f29fa593d
645 changed files with 25585 additions and 4805 deletions
Download Patch File Download Diff File Expand all files Collapse all files
API/Extensions/IdentityServiceExtensions.cs
+66 -174
View File
@@ -1,33 +1,29 @@
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using API.Constants;
using API.Data;
using API.Entities;
using API.Helpers;
using API.Services;
using Kavita.Common;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Serilog;
using MessageReceivedContext = Microsoft.AspNetCore.Authentication.JwtBearer.MessageReceivedContext;
using TokenValidatedContext = Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenValidatedContext;
namespace API.Extensions;
#nullable enable
@@ -75,41 +71,34 @@ public static class IdentityServiceExtensions
var oidcSettings = Configuration.OidcSettings;
var auth = services.AddAuthentication(DynamicHybrid)
.AddPolicyScheme(DynamicHybrid, JwtBearerDefaults.AuthenticationScheme, options =>
{
var enabled = oidcSettings.Enabled;
var auth = services.AddAuthentication(DynamicHybrid);
var enableOidc = oidcSettings.Enabled && services.SetupOpenIdConnectAuthentication(auth, oidcSettings, environment);
options.ForwardDefaultSelector = ctx =>
{
if (!enabled) return LocalIdentity;
if (ctx.Request.Path.StartsWithSegments(OidcCallback) ||
ctx.Request.Path.StartsWithSegments(OidcLogoutCallback))
{
return OpenIdConnect;
}
if (ctx.Request.Headers.Authorization.Count != 0)
{
return LocalIdentity;
}
if (ctx.Request.Cookies.ContainsKey(OidcService.CookieName))
{
return OpenIdConnect;
}
return LocalIdentity;
};
});
if (oidcSettings.Enabled)
auth.AddPolicyScheme(DynamicHybrid, JwtBearerDefaults.AuthenticationScheme, options =>
{
services.SetupOpenIdConnectAuthentication(auth, oidcSettings, environment);
}
options.ForwardDefaultSelector = ctx =>
{
if (!enableOidc) return LocalIdentity;
if (ctx.Request.Path.StartsWithSegments(OidcCallback) ||
ctx.Request.Path.StartsWithSegments(OidcLogoutCallback))
{
return OpenIdConnect;
}
if (ctx.Request.Headers.Authorization.Count != 0)
{
return LocalIdentity;
}
if (ctx.Request.Cookies.ContainsKey(OidcService.CookieName))
{
return OpenIdConnect;
}
return LocalIdentity;
};
});
auth.AddJwtBearer(LocalIdentity, options =>
{
@@ -130,27 +119,26 @@ public static class IdentityServiceExtensions
services.AddAuthorizationBuilder()
.AddPolicy("RequireAdminRole", policy => policy.RequireRole(PolicyConstants.AdminRole))
.AddPolicy("RequireDownloadRole", policy => policy.RequireRole(PolicyConstants.DownloadRole, PolicyConstants.AdminRole))
.AddPolicy("RequireChangePasswordRole", policy => policy.RequireRole(PolicyConstants.ChangePasswordRole, PolicyConstants.AdminRole));
.AddPolicy(PolicyGroups.AdminPolicy, policy => policy.RequireRole(PolicyConstants.AdminRole))
.AddPolicy(PolicyGroups.DownloadPolicy,
policy => policy.RequireRole(PolicyConstants.DownloadRole, PolicyConstants.AdminRole))
.AddPolicy(PolicyGroups.ChangePasswordPolicy,
policy => policy.RequireRole(PolicyConstants.ChangePasswordRole, PolicyConstants.AdminRole));
return services;
}
private static void SetupOpenIdConnectAuthentication(this IServiceCollection services, AuthenticationBuilder auth,
private static bool SetupOpenIdConnectAuthentication(this IServiceCollection services, AuthenticationBuilder auth,
Configuration.OpenIdConnectSettings settings, IWebHostEnvironment environment)
{
var isDevelopment = environment.IsEnvironment(Environments.Development);
var baseUrl = Configuration.BaseUrl;
const string apiPrefix = "/api";
const string hubsPrefix = "/hubs";
var authority = Configuration.OidcSettings.Authority;
if (!isDevelopment && !authority.StartsWith("https"))
{
Log.Error("OpenIdConnect authority is not using https, you must configure tls for your idp.");
return;
return false;
}
var hasTrailingSlash = authority.EndsWith('/');
@@ -164,33 +152,6 @@ public static class IdentityServiceExtensions
services.AddSingleton(configurationManager);
ICollection<string> supportedScopes;
try
{
supportedScopes = configurationManager.GetConfigurationAsync()
.ConfigureAwait(false)
.GetAwaiter()
.GetResult()
.ScopesSupported;
}
catch (Exception ex)
{
// Do not interrupt startup if OIDC fails (Network outage should still allow Kavita to run)
Log.Error(ex, "Failed to load OIDC configuration, OIDC will not be enabled. Restart to retry");
return;
}
List<string> scopes = ["openid", "profile", "offline_access", "roles", "email"];
scopes.AddRange(settings.CustomScopes);
var validScopes = scopes.Where(scope =>
{
if (supportedScopes.Contains(scope))
return true;
Log.Warning("Scope {Scope} is configured, but not supported by your OIDC provider. Skipping", scope);
return false;
}).ToList();
services.AddOptions<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme).Configure<ITicketStore>((options, store) =>
{
options.ExpireTimeSpan = TimeSpan.FromDays(7);
@@ -216,7 +177,7 @@ public static class IdentityServiceExtensions
if (user != null)
{
var claims = await OidcService.ConstructNewClaimsList(ctx.HttpContext.RequestServices, ctx.Principal, user!, false);
var claims = await OidcService.ConstructNewClaimsList(ctx.HttpContext.RequestServices, ctx.Principal, user, false);
ctx.ReplacePrincipal(new ClaimsPrincipal(new ClaimsIdentity(claims, ctx.Scheme.Name)));
}
},
@@ -253,119 +214,50 @@ public static class IdentityServiceExtensions
options.ClaimActions.MapJsonKey(ClaimTypes.GivenName, "given_name");
options.Scope.Clear();
foreach (var scope in validScopes)
foreach (var scope in GetValidScopes(configurationManager, settings))
{
options.Scope.Add(scope);
}
options.Events = new OpenIdConnectEvents
{
OnTicketReceived = async ctx =>
{
try
{
await OidcClaimsPrincipalConverter(ctx);
}
catch (KavitaException ex)
{
Log.Error(ex, "An exception occured during initial OIDC flow");
ctx.Response.Redirect(baseUrl + "login?skipAutoLogin=true&error=" + Uri.EscapeDataString(ex.Message));
ctx.HandleResponse();
}
},
OnUserInformationReceived = ctx =>
{
if (ctx.Principal?.Identity == null)
{
return Task.CompletedTask;
}
var identity = (ClaimsIdentity) ctx.Principal.Identity;
// Copy all claims over as in, the ones we need mapped to something specific are above
foreach (var property in ctx.User.RootElement.EnumerateObject())
{
var claimType = property.Name;
if (property.Value.ValueKind == JsonValueKind.Array)
{
foreach (var element in property.Value.EnumerateArray())
{
identity.AddClaim(new Claim(claimType, element.ToString(), ClaimValueTypes.String, OpenIdConnect));
}
}
else
{
identity.AddClaim(new Claim(claimType, property.Value.ToString(), ClaimValueTypes.String, OpenIdConnect));
}
}
return Task.CompletedTask;
},
OnAuthenticationFailed = ctx =>
{
ctx.Response.Redirect(baseUrl + "login?skipAutoLogin=true&error=" + Uri.EscapeDataString(ctx.Exception.Message));
ctx.HandleResponse();
return Task.CompletedTask;
},
OnRedirectToIdentityProviderForSignOut = ctx =>
{
if (!isDevelopment && !string.IsNullOrEmpty(ctx.ProtocolMessage.PostLogoutRedirectUri))
{
ctx.ProtocolMessage.PostLogoutRedirectUri = ctx.ProtocolMessage.PostLogoutRedirectUri.Replace("http://", "https://");
}
return Task.CompletedTask;
},
OnRedirectToIdentityProvider = ctx =>
{
// Intercept redirects on API requests and instead return 401
// These redirects are auto login when .NET finds a cookie that it can't match inside the cookie store. I.e. after a restart
if (ctx.Request.Path.StartsWithSegments(apiPrefix) || ctx.Request.Path.StartsWithSegments(hubsPrefix))
{
ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
ctx.HandleResponse();
return Task.CompletedTask;
}
if (!isDevelopment && !string.IsNullOrEmpty(ctx.ProtocolMessage.RedirectUri))
{
ctx.ProtocolMessage.RedirectUri = ctx.ProtocolMessage.RedirectUri.Replace("http://", "https://");
}
return Task.CompletedTask;
},
};
options.Events = new OpenIdConnectEventsHelper(baseUrl, isDevelopment);
});
return true;
}
/// <summary>
/// Called after the redirect from the OIDC provider, tries matching the user and update the principal
/// to have the correct claims and properties. This is required to later auto refresh; and ensure .NET knows which
/// Kavita roles the user has
/// </summary>
/// <param name="ctx"></param>
private static async Task OidcClaimsPrincipalConverter(TicketReceivedContext ctx)
private static IList<string> GetValidScopes(
ConfigurationManager<OpenIdConnectConfiguration> configurationManager,
Configuration.OpenIdConnectSettings settings
)
{
if (ctx.Principal == null) return;
var scopes = OidcService.DefaultScopes;
scopes.AddRange(settings.CustomScopes);
var oidcService = ctx.HttpContext.RequestServices.GetRequiredService<IOidcService>();
var user = await oidcService.LoginOrCreate(ctx.Request, ctx.Principal);
if (user == null)
ICollection<string> supportedScopes;
try
{
throw new KavitaException("errors.oidc.no-account");
supportedScopes = configurationManager.GetConfigurationAsync()
.ConfigureAwait(false)
.GetAwaiter()
.GetResult()
.ScopesSupported;
}
catch (Exception ex)
{
// Most idps will safely ignore invalid scopes (all except Authelia as far as I know), so we return them here
// to have the least amount of impact on users
Log.Error(ex, "Failed to load OIDC configuration, scopes will not be filtered. This may cause issues with some idps.");
return scopes;
}
var claims = await OidcService.ConstructNewClaimsList(ctx.HttpContext.RequestServices, ctx.Principal, user);
return scopes.Where(scope =>
{
if (supportedScopes.Contains(scope))
return true;
var identity = new ClaimsIdentity(claims, ctx.Scheme.Name);
var principal = new ClaimsPrincipal(identity);
ctx.HttpContext.User = principal;
ctx.Principal = principal;
ctx.Success();
Log.Warning("Scope {Scope} is configured, but not supported by your OIDC provider. Skipping", scope);
return false;
}).ToList();
}
private static Task SetTokenFromQuery(MessageReceivedContext context)