From 3dc782d76a904c7ddc68083e3bea658857a349da Mon Sep 17 00:00:00 2001 From: cuqmbr Date: Sun, 17 Jul 2022 21:11:36 +0300 Subject: [PATCH] feat: add authentication & authorization --- .../Requests/AuthenticationRequest.cs | 7 ++ .../Responses/AuthenticationResponse.cs | 6 + .../Controllers/AuthenticationController.cs | 46 ++++++++ Server/Controllers/ScoreboardController.cs | 51 ++++++-- Server/Models/Jwt.cs | 8 ++ Server/Program.cs | 8 ++ Server/Server.csproj | 1 - Server/Services/AuthenticationService.cs | 111 ++++++++++++++++++ Server/Services/ScoreboardService.cs | 37 ++++-- 9 files changed, 254 insertions(+), 21 deletions(-) create mode 100644 DatabaseModels/Requests/AuthenticationRequest.cs create mode 100644 DatabaseModels/Responses/AuthenticationResponse.cs create mode 100644 Server/Controllers/AuthenticationController.cs create mode 100644 Server/Models/Jwt.cs create mode 100644 Server/Services/AuthenticationService.cs diff --git a/DatabaseModels/Requests/AuthenticationRequest.cs b/DatabaseModels/Requests/AuthenticationRequest.cs new file mode 100644 index 0000000..788e57a --- /dev/null +++ b/DatabaseModels/Requests/AuthenticationRequest.cs @@ -0,0 +1,7 @@ +namespace DatabaseModels.Requests; + +public class AuthenticationRequest +{ + public string Username { get; set; } = null!; + public string Password { get; set; } = null!; +} \ No newline at end of file diff --git a/DatabaseModels/Responses/AuthenticationResponse.cs b/DatabaseModels/Responses/AuthenticationResponse.cs new file mode 100644 index 0000000..6075a3e --- /dev/null +++ b/DatabaseModels/Responses/AuthenticationResponse.cs @@ -0,0 +1,6 @@ +namespace DatabaseModels.Responses; + +public class AuthenticationResponse +{ + public string Token { get; set; } = null!; +} \ No newline at end of file diff --git a/Server/Controllers/AuthenticationController.cs b/Server/Controllers/AuthenticationController.cs new file mode 100644 index 0000000..939c826 --- /dev/null +++ b/Server/Controllers/AuthenticationController.cs @@ -0,0 +1,46 @@ +using DatabaseModels.Requests; +using DatabaseModels.Responses; +using Server.Services; +using Microsoft.AspNetCore.Mvc; + +namespace Server.Controllers; + +[Route("auth")] +[ApiController] +public class AuthenticationController : ControllerBase +{ + private readonly AuthenticationService _authenticationService; + + public AuthenticationController(AuthenticationService authenticationService) + { + _authenticationService = authenticationService; + } + + // POST: /authentication/register + [HttpPost("register")] + public async Task> Register([FromBody] AuthenticationRequest request) + { + var (success, content) = await _authenticationService.Register(request); + + if (!success) + { + return BadRequest(content); + } + + return await Login(request); + } + + // POST: /authentication/login + [HttpPost("login")] + public async Task> Login([FromBody] AuthenticationRequest request) + { + var (success, content) = await _authenticationService.Login(request); + + if (!success) + { + return BadRequest("Username or password is incorrect."); + } + + return Ok(new AuthenticationResponse { Token = content } ); + } +} \ No newline at end of file diff --git a/Server/Controllers/ScoreboardController.cs b/Server/Controllers/ScoreboardController.cs index 0d978be..f2d11fe 100644 --- a/Server/Controllers/ScoreboardController.cs +++ b/Server/Controllers/ScoreboardController.cs @@ -1,11 +1,15 @@ +using System.Security.Claims; using DatabaseModels.DataTransferObjets; +using Microsoft.AspNetCore.Authentication.JwtBearer; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; using Microsoft.EntityFrameworkCore; using Server.Services; namespace Server.Controllers; -[Route("[controller]")] +[Authorize] +[Route("api/[controller]")] [ApiController] public class ScoreboardController : ControllerBase { @@ -18,35 +22,57 @@ public class ScoreboardController : ControllerBase // GET: /scoreboard [HttpGet] + [AllowAnonymous] public async Task> Get() { - return await _sbService.GetScoreboard(); - } + var (success, content, sbRecordsDto) = await _sbService.GetScoreboard(); - // GET: /scoreboard/cuqmbr - [HttpGet("{username}", Name = "Get")] - public async Task> Get(string username) - { - var sbRecordDto = await _sbService.GetUserHighScore(username); - - if (sbRecordDto == null) + if (!success) { return NotFound(); } - return sbRecordDto; + return sbRecordsDto; + } + + // GET: /scoreboard/cuqmbr + [HttpGet("{username}", Name = "Get")] + [AllowAnonymous] + public async Task> Get(string username) + { + var (success, content, sbRecordDto) = await _sbService.GetUserHighScore(username); + + if (!success) + { + return NotFound(content); + } + + return sbRecordDto!; } // POST: /scoreboard [HttpPost] + [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Roles = "Default, Administrator")] public async Task Post([FromBody] ScoreboardRecordDto sbRecordDto) { - await _sbService.AddUserHighScore(sbRecordDto); + var (success, content) = await _sbService.AddUserHighScore(sbRecordDto); + + if (!success && content.Equals("User id is not yours")) + { + return Forbid(); + } + + if (!success && content.Contains("You can not post score lower than")) + { + return BadRequest(content); + } + return CreatedAtAction(nameof(Get), new {sbRecordDto}, sbRecordDto); } // PUT: /scoreboard/id [HttpPut("{id}", Name = "Put")] + [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Roles = "Administrator")] public async Task Put(int id, [FromBody] ScoreboardRecordDto sbRecordDto) { if (id != sbRecordDto.Id) @@ -73,6 +99,7 @@ public class ScoreboardController : ControllerBase // DELETE: /scoreboard/id [HttpDelete("{id}", Name = "Delete")] + [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Roles = "Administrator")] public async Task Delete(int id) { if (!await _sbService.ScoreboardRecordExists(id)) diff --git a/Server/Models/Jwt.cs b/Server/Models/Jwt.cs new file mode 100644 index 0000000..e3106fe --- /dev/null +++ b/Server/Models/Jwt.cs @@ -0,0 +1,8 @@ +namespace Server.Models; + +public class Jwt +{ + public string Key { get; set; } = null!; + public string Issuer { get; set; } = null!; + public string Audience { get; set; } = null!; +} \ No newline at end of file diff --git a/Server/Program.cs b/Server/Program.cs index f889335..180bbae 100644 --- a/Server/Program.cs +++ b/Server/Program.cs @@ -6,6 +6,7 @@ using Microsoft.OpenApi.Models; using Newtonsoft.Json; using Newtonsoft.Json.Serialization; using Server.Data; +using Server.Models; using Server.Services; var builder = WebApplication.CreateBuilder(args); @@ -17,6 +18,7 @@ builder.Services.AddControllers().AddNewtonsoftJson(o => { o.SerializerSettings.ReferenceLoopHandling = ReferenceLoopHandling.Ignore; }); builder.Services.AddEndpointsApiExplorer(); +builder.Services.AddHttpContextAccessor(); builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(o => { o.TokenValidationParameters = new TokenValidationParameters { @@ -57,7 +59,13 @@ builder.Services.AddSwaggerGen(o => { builder.Services.AddDbContext(o => o.UseSqlite(builder.Configuration.GetConnectionString("DefaultConnection"))); + builder.Services.AddScoped(); +builder.Services.AddScoped(); + +var jwt = new Jwt(); +builder.Configuration.Bind("Jwt", jwt); +builder.Services.AddSingleton(jwt); var app = builder.Build(); diff --git a/Server/Server.csproj b/Server/Server.csproj index 59ef699..c7c3129 100644 --- a/Server/Server.csproj +++ b/Server/Server.csproj @@ -21,7 +21,6 @@ - diff --git a/Server/Services/AuthenticationService.cs b/Server/Services/AuthenticationService.cs new file mode 100644 index 0000000..fd8e849 --- /dev/null +++ b/Server/Services/AuthenticationService.cs @@ -0,0 +1,111 @@ +using System.IdentityModel.Tokens.Jwt; +using System.Security.Claims; +using System.Security.Cryptography; +using System.Text; +using DatabaseModels.InitialObjects; +using DatabaseModels.Requests; +using Microsoft.EntityFrameworkCore; +using Microsoft.IdentityModel.Tokens; +using Server.Data; +using Server.Models; + +namespace Server.Services; + +public class AuthenticationService +{ + private readonly ServerDbContext _dbContext; + private readonly Jwt _jwt; + + public AuthenticationService(ServerDbContext dbContext, Jwt jwt) + { + _dbContext = dbContext; + _jwt = jwt; + } + + public async Task<(bool success, string content)> Register(AuthenticationRequest request) + { + if (await _dbContext.Users.AnyAsync(u => u.Username == request.Username)) + { + return (false, "Username is taken."); + } + + var user = new User { + Username = request.Username, + PasswordHash = request.Password, + Role = "Default" + }; + ProvideSaltAndHash(user); + + await _dbContext.Users.AddAsync(user); + await _dbContext.SaveChangesAsync(); + + return (true, ""); + } + + public async Task<(bool success, string content)> Login(AuthenticationRequest request) + { + var user = await _dbContext.Users.SingleOrDefaultAsync(u => u.Username == request.Username); + + if (user == null) + { + return (false, "Invalid username."); + } + + if (user.PasswordHash != ComputeHash(request.Password, user.PasswordSalt)) + { + return (false, "Invalid password."); + } + + return (true, GenerateJwtToken(AssembleClaimsIdentity(user))); + } + + private ClaimsIdentity AssembleClaimsIdentity(User user) + { + var subject = new ClaimsIdentity(new[] { + new Claim("Id", user.Id.ToString()), + new Claim(ClaimTypes.Role, user.Role), + }); + + return subject; + } + + private string GenerateJwtToken(ClaimsIdentity subject) + { + var tokenHandler = new JwtSecurityTokenHandler(); + var key = Encoding.ASCII.GetBytes(_jwt.Key); + var tokenDescriptor = new SecurityTokenDescriptor { + Subject = subject, + Audience = _jwt.Audience, + Issuer = _jwt.Issuer, + Expires = DateTime.UtcNow.AddMinutes(15), + SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature) + }; + var token = tokenHandler.CreateToken(tokenDescriptor); + return tokenHandler.WriteToken(token); + } + + private void ProvideSaltAndHash(User user) + { + var salt = GenerateSalt(); + user.PasswordSalt = Convert.ToBase64String(salt); + user.PasswordHash = ComputeHash(user.PasswordHash, user.PasswordSalt); + } + + private byte[] GenerateSalt() + { + var rng = RandomNumberGenerator.Create(); + var salt = new byte[24]; + rng.GetBytes(salt); + return salt; + } + + private string ComputeHash(string password, string saltString) + { + var salt = Convert.FromBase64String(saltString); + + using var hashGenerator = new Rfc2898DeriveBytes(password, salt); + hashGenerator.IterationCount = 10101; + var bytes = hashGenerator.GetBytes(24); + return Convert.ToBase64String(bytes); + } +} \ No newline at end of file diff --git a/Server/Services/ScoreboardService.cs b/Server/Services/ScoreboardService.cs index 4511dc9..ec8456e 100644 --- a/Server/Services/ScoreboardService.cs +++ b/Server/Services/ScoreboardService.cs @@ -8,15 +8,17 @@ namespace Server.Services; public class ScoreboardService { private readonly ServerDbContext _dbContext; + private readonly IHttpContextAccessor _httpContextAccessor; - public ScoreboardService(ServerDbContext dbContext) + public ScoreboardService(ServerDbContext dbContext, IHttpContextAccessor httpContextAccessor) { _dbContext = dbContext; + _httpContextAccessor = httpContextAccessor; } // GET - public async Task GetScoreboard() + public async Task<(bool success, string content, ScoreboardRecordDto[])> GetScoreboard() { var sbRecords = await _dbContext.Scoreboard .Include(sbr => sbr.User) @@ -26,40 +28,59 @@ public class ScoreboardService sbRecords = sbRecords.DistinctBy(sbr => sbr.User.Id).ToList(); var dto = new List(sbRecords.Count); - foreach (var sbr in sbRecords) { dto.Add(sbr.ToDto()); } - return dto.ToArray(); + return (true, "", dto.ToArray()); } - public async Task GetUserHighScore(string username) + public async Task<(bool success, string content, ScoreboardRecordDto? sbRecordDto)> GetUserHighScore(string username) { var userScoreboardRecords = await _dbContext.Scoreboard .Include(sbr => sbr.User) .Where(sbr => sbr.User.Username == username) .ToListAsync(); - return userScoreboardRecords.MaxBy(sbr => sbr.Score)?.ToDto(); + if (userScoreboardRecords.Count == 0) + { + return (false, "Username invalid or scoreboard records are absent", null); + } + + return (true, "", userScoreboardRecords.MaxBy(sbr => sbr.Score)?.ToDto()); } // POST - public async Task AddUserHighScore(ScoreboardRecordDto sbRecordDto) + public async Task<(bool success, string content)> AddUserHighScore(ScoreboardRecordDto sbRecordDto) { + if (sbRecordDto.User.Id != Int32.Parse(_httpContextAccessor.HttpContext!.User.Claims.First(c => c.Type == "Id").Value)) + { + return (false, "User id is not yours"); + } + + var sbHighScoreRecordDto = (await GetUserHighScore(sbRecordDto.User.Username)).sbRecordDto; + + if (sbHighScoreRecordDto != null && + sbRecordDto.Score <= sbHighScoreRecordDto.Score) + { + return (false, $"You can not post score lower than {sbHighScoreRecordDto.Score}"); + } + var sbRecord = new ScoreboardRecord { Score = sbRecordDto.Score, PostTime = sbRecordDto.PostTime }; var dbUser = await _dbContext.Users.FindAsync(sbRecordDto.User.Id); - sbRecord.User = dbUser; + sbRecord.User = dbUser!; await _dbContext.AddAsync(sbRecord); await _dbContext.SaveChangesAsync(); sbRecordDto.Id = _dbContext.ChangeTracker.Entries().First().Entity.Id; + + return (true, ""); } // PUT