mirror of
https://github.com/zoriya/Kyoo.git
synced 2025-11-29 17:55:08 -05:00
150 lines
5.1 KiB
C#
150 lines
5.1 KiB
C#
// Kyoo - A portable and vast media library solution.
|
|
// Copyright (c) Kyoo.
|
|
//
|
|
// See AUTHORS.md and LICENSE file in the project root for full license information.
|
|
//
|
|
// Kyoo is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// any later version.
|
|
//
|
|
// Kyoo is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU General Public License
|
|
// along with Kyoo. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
using System;
|
|
using System.Collections.Generic;
|
|
using System.Globalization;
|
|
using System.IdentityModel.Tokens.Jwt;
|
|
using System.Linq;
|
|
using System.Security.Claims;
|
|
using System.Text;
|
|
using System.Threading.Tasks;
|
|
using Kyoo.Abstractions;
|
|
using Kyoo.Abstractions.Models;
|
|
using Kyoo.Authentication.Models;
|
|
using Microsoft.Extensions.Configuration;
|
|
using Microsoft.Extensions.Options;
|
|
using Microsoft.IdentityModel.Tokens;
|
|
|
|
namespace Kyoo.Authentication;
|
|
|
|
/// <summary>
|
|
/// The service that controls jwt creation and validation.
|
|
/// </summary>
|
|
public class TokenController : ITokenController
|
|
{
|
|
/// <summary>
|
|
/// The options that this controller will use.
|
|
/// </summary>
|
|
private readonly IOptions<AuthenticationOption> _options;
|
|
|
|
/// <summary>
|
|
/// The configuration used to retrieve the public URL of kyoo.
|
|
/// </summary>
|
|
private readonly IConfiguration _configuration;
|
|
|
|
/// <summary>
|
|
/// Create a new <see cref="TokenController"/>.
|
|
/// </summary>
|
|
/// <param name="options">The options that this controller will use.</param>
|
|
/// <param name="configuration">The configuration used to retrieve the public URL of kyoo.</param>
|
|
public TokenController(IOptions<AuthenticationOption> options, IConfiguration configuration)
|
|
{
|
|
_options = options;
|
|
_configuration = configuration;
|
|
}
|
|
|
|
/// <inheritdoc />
|
|
public string CreateAccessToken(User user, out TimeSpan expireIn)
|
|
{
|
|
if (user == null)
|
|
throw new ArgumentNullException(nameof(user));
|
|
|
|
expireIn = new TimeSpan(1, 0, 0);
|
|
|
|
SymmetricSecurityKey key = new(Encoding.UTF8.GetBytes(_options.Value.Secret));
|
|
SigningCredentials credential = new(key, SecurityAlgorithms.HmacSha256Signature);
|
|
string permissions = user.Permissions != null
|
|
? string.Join(',', user.Permissions)
|
|
: string.Empty;
|
|
List<Claim> claims = new()
|
|
{
|
|
new Claim(ClaimTypes.NameIdentifier, user.ID.ToString(CultureInfo.InvariantCulture)),
|
|
new Claim(ClaimTypes.Name, user.Username),
|
|
new Claim(ClaimTypes.Role, permissions),
|
|
new Claim("type", "access")
|
|
};
|
|
if (user.Email != null)
|
|
claims.Add(new Claim(ClaimTypes.Email, user.Email));
|
|
JwtSecurityToken token = new(
|
|
signingCredentials: credential,
|
|
issuer: _configuration.GetPublicUrl().ToString(),
|
|
audience: _configuration.GetPublicUrl().ToString(),
|
|
claims: claims,
|
|
expires: DateTime.UtcNow.Add(expireIn)
|
|
);
|
|
return new JwtSecurityTokenHandler().WriteToken(token);
|
|
}
|
|
|
|
/// <inheritdoc />
|
|
public Task<string> CreateRefreshToken(User user)
|
|
{
|
|
if (user == null)
|
|
throw new ArgumentNullException(nameof(user));
|
|
|
|
SymmetricSecurityKey key = new(Encoding.UTF8.GetBytes(_options.Value.Secret));
|
|
SigningCredentials credential = new(key, SecurityAlgorithms.HmacSha256Signature);
|
|
JwtSecurityToken token = new(
|
|
signingCredentials: credential,
|
|
issuer: _configuration.GetPublicUrl().ToString(),
|
|
audience: _configuration.GetPublicUrl().ToString(),
|
|
claims: new[]
|
|
{
|
|
new Claim(ClaimTypes.NameIdentifier, user.ID.ToString(CultureInfo.InvariantCulture)),
|
|
new Claim("guid", Guid.NewGuid().ToString()),
|
|
new Claim("type", "refresh")
|
|
},
|
|
expires: DateTime.UtcNow.AddYears(1)
|
|
);
|
|
// TODO refresh keys are unique (thanks to the guid) but we could store them in DB to invalidate them if requested by the user.
|
|
return Task.FromResult(new JwtSecurityTokenHandler().WriteToken(token));
|
|
}
|
|
|
|
/// <inheritdoc />
|
|
public int GetRefreshTokenUserID(string refreshToken)
|
|
{
|
|
SymmetricSecurityKey key = new(Encoding.UTF8.GetBytes(_options.Value.Secret));
|
|
JwtSecurityTokenHandler tokenHandler = new();
|
|
ClaimsPrincipal principal;
|
|
try
|
|
{
|
|
principal = tokenHandler.ValidateToken(refreshToken, new TokenValidationParameters
|
|
{
|
|
ValidateIssuer = true,
|
|
ValidateAudience = true,
|
|
ValidateIssuerSigningKey = true,
|
|
ValidateLifetime = true,
|
|
ValidIssuer = _configuration.GetPublicUrl().ToString(),
|
|
ValidAudience = _configuration.GetPublicUrl().ToString(),
|
|
IssuerSigningKey = key
|
|
}, out SecurityToken _);
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
throw new SecurityTokenException(ex.Message);
|
|
}
|
|
|
|
if (principal.Claims.First(x => x.Type == "type").Value != "refresh")
|
|
throw new SecurityTokenException("Invalid token type. The token should be a refresh token.");
|
|
Claim identifier = principal.Claims.First(x => x.Type == ClaimTypes.NameIdentifier);
|
|
if (int.TryParse(identifier.Value, out int id))
|
|
return id;
|
|
throw new SecurityTokenException("Token not associated to any user.");
|
|
}
|
|
}
|