cuqmbr/scoreboard-api
1
0
Fork 0
Code Issues Pull Requests Activity

feat: add authentication & authorization

Browse Source
This commit is contained in:
cuqmbr 2022-07-17 21:11:36 +03:00
parent 514f0771aa
commit 3dc782d76a
9 changed files with 254 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
DatabaseModels/Requests/AuthenticationRequest.cs Normal file
View File

@ -0,0 +1,7 @@
namespace DatabaseModels.Requests;
public class AuthenticationRequest
{
public string Username { get; set; } = null!;
public string Password { get; set; } = null!;
}

6
DatabaseModels/Responses/AuthenticationResponse.cs Normal file
View File

@ -0,0 +1,6 @@
namespace DatabaseModels.Responses;
public class AuthenticationResponse
{
public string Token { get; set; } = null!;
}

46
Server/Controllers/AuthenticationController.cs Normal file
View File

@ -0,0 +1,46 @@
using DatabaseModels.Requests;
using DatabaseModels.Responses;
using Server.Services;
using Microsoft.AspNetCore.Mvc;
namespace Server.Controllers;
[Route("auth")]
[ApiController]
public class AuthenticationController : ControllerBase
{
private readonly AuthenticationService _authenticationService;
public AuthenticationController(AuthenticationService authenticationService)
{
_authenticationService = authenticationService;
}
// POST: /authentication/register
[HttpPost("register")]
public async Task<ActionResult<AuthenticationResponse>> Register([FromBody] AuthenticationRequest request)
{
var (success, content) = await _authenticationService.Register(request);
if (!success)
{
return BadRequest(content);
}
return await Login(request);
}
// POST: /authentication/login
[HttpPost("login")]
public async Task<ActionResult<AuthenticationResponse>> Login([FromBody] AuthenticationRequest request)
{
var (success, content) = await _authenticationService.Login(request);
if (!success)
{
return BadRequest("Username or password is incorrect.");
}
return Ok(new AuthenticationResponse { Token = content } );
}
}

51
Server/Controllers/ScoreboardController.cs
View File

@ -1,11 +1,15 @@
using System.Security.Claims;
using DatabaseModels.DataTransferObjets; using DatabaseModels.DataTransferObjets;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore; using Microsoft.EntityFrameworkCore;
using Server.Services; using Server.Services;
namespace Server.Controllers; namespace Server.Controllers;
[Route("[controller]")] [Authorize]
[Route("api/[controller]")]
[ApiController] [ApiController]
public class ScoreboardController : ControllerBase public class ScoreboardController : ControllerBase
{ {
@ -18,35 +22,57 @@ public class ScoreboardController : ControllerBase
// GET: /scoreboard // GET: /scoreboard
[HttpGet] [HttpGet]
[AllowAnonymous]
public async Task<ActionResult<ScoreboardRecordDto[]>> Get() public async Task<ActionResult<ScoreboardRecordDto[]>> Get()
{ {
return await _sbService.GetScoreboard(); var (success, content, sbRecordsDto) = await _sbService.GetScoreboard();
}
// GET: /scoreboard/cuqmbr if (!success)
[HttpGet("{username}", Name = "Get")]
public async Task<ActionResult<ScoreboardRecordDto>> Get(string username)
{
var sbRecordDto = await _sbService.GetUserHighScore(username);
if (sbRecordDto == null)
{ {
return NotFound(); return NotFound();
} }
return sbRecordDto; return sbRecordsDto;
}
// GET: /scoreboard/cuqmbr
[HttpGet("{username}", Name = "Get")]
[AllowAnonymous]
public async Task<ActionResult<ScoreboardRecordDto>> Get(string username)
{
var (success, content, sbRecordDto) = await _sbService.GetUserHighScore(username);
if (!success)
{
return NotFound(content);
}
return sbRecordDto!;
} }
// POST: /scoreboard // POST: /scoreboard
[HttpPost] [HttpPost]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Roles = "Default, Administrator")]
public async Task<ActionResult> Post([FromBody] ScoreboardRecordDto sbRecordDto) public async Task<ActionResult> Post([FromBody] ScoreboardRecordDto sbRecordDto)
{ {
await _sbService.AddUserHighScore(sbRecordDto); var (success, content) = await _sbService.AddUserHighScore(sbRecordDto);
if (!success && content.Equals("User id is not yours"))
{
return Forbid();
}
if (!success && content.Contains("You can not post score lower than"))
{
return BadRequest(content);
}
return CreatedAtAction(nameof(Get), new {sbRecordDto}, sbRecordDto); return CreatedAtAction(nameof(Get), new {sbRecordDto}, sbRecordDto);
} }
// PUT: /scoreboard/id // PUT: /scoreboard/id
[HttpPut("{id}", Name = "Put")] [HttpPut("{id}", Name = "Put")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Roles = "Administrator")]
public async Task<ActionResult> Put(int id, [FromBody] ScoreboardRecordDto sbRecordDto) public async Task<ActionResult> Put(int id, [FromBody] ScoreboardRecordDto sbRecordDto)
{ {
if (id != sbRecordDto.Id) if (id != sbRecordDto.Id)
@ -73,6 +99,7 @@ public class ScoreboardController : ControllerBase
// DELETE: /scoreboard/id // DELETE: /scoreboard/id
[HttpDelete("{id}", Name = "Delete")] [HttpDelete("{id}", Name = "Delete")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Roles = "Administrator")]
public async Task<ActionResult> Delete(int id) public async Task<ActionResult> Delete(int id)
{ {
if (!await _sbService.ScoreboardRecordExists(id)) if (!await _sbService.ScoreboardRecordExists(id))

8
Server/Models/Jwt.cs Normal file
View File

@ -0,0 +1,8 @@
namespace Server.Models;
public class Jwt
{
public string Key { get; set; } = null!;
public string Issuer { get; set; } = null!;
public string Audience { get; set; } = null!;
}

8
Server/Program.cs
View File

@ -6,6 +6,7 @@ using Microsoft.OpenApi.Models;
using Newtonsoft.Json; using Newtonsoft.Json;
using Newtonsoft.Json.Serialization; using Newtonsoft.Json.Serialization;
using Server.Data; using Server.Data;
using Server.Models;
using Server.Services; using Server.Services;
var builder = WebApplication.CreateBuilder(args); var builder = WebApplication.CreateBuilder(args);
@ -17,6 +18,7 @@ builder.Services.AddControllers().AddNewtonsoftJson(o => {
o.SerializerSettings.ReferenceLoopHandling = ReferenceLoopHandling.Ignore; o.SerializerSettings.ReferenceLoopHandling = ReferenceLoopHandling.Ignore;
}); });
builder.Services.AddEndpointsApiExplorer(); builder.Services.AddEndpointsApiExplorer();
builder.Services.AddHttpContextAccessor();
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(o => { builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(o => {
o.TokenValidationParameters = new TokenValidationParameters { o.TokenValidationParameters = new TokenValidationParameters {
@ -57,7 +59,13 @@ builder.Services.AddSwaggerGen(o => {
builder.Services.AddDbContext<ServerDbContext>(o => builder.Services.AddDbContext<ServerDbContext>(o =>
o.UseSqlite(builder.Configuration.GetConnectionString("DefaultConnection"))); o.UseSqlite(builder.Configuration.GetConnectionString("DefaultConnection")));
builder.Services.AddScoped<ScoreboardService>(); builder.Services.AddScoped<ScoreboardService>();
builder.Services.AddScoped<AuthenticationService>();
var jwt = new Jwt();
builder.Configuration.Bind("Jwt", jwt);
builder.Services.AddSingleton(jwt);
var app = builder.Build(); var app = builder.Build();

1
Server/Server.csproj
View File

@ -21,7 +21,6 @@
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<Folder Include="Controllers" />
<Folder Include="Migrations" /> <Folder Include="Migrations" />
</ItemGroup> </ItemGroup>

111
Server/Services/AuthenticationService.cs Normal file
View File

@ -0,0 +1,111 @@
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using DatabaseModels.InitialObjects;
using DatabaseModels.Requests;
using Microsoft.EntityFrameworkCore;
using Microsoft.IdentityModel.Tokens;
using Server.Data;
using Server.Models;
namespace Server.Services;
public class AuthenticationService
{
private readonly ServerDbContext _dbContext;
private readonly Jwt _jwt;
public AuthenticationService(ServerDbContext dbContext, Jwt jwt)
{
_dbContext = dbContext;
_jwt = jwt;
}
public async Task<(bool success, string content)> Register(AuthenticationRequest request)
{
if (await _dbContext.Users.AnyAsync(u => u.Username == request.Username))
{
return (false, "Username is taken.");
}
var user = new User {
Username = request.Username,
PasswordHash = request.Password,
Role = "Default"
};
ProvideSaltAndHash(user);
await _dbContext.Users.AddAsync(user);
await _dbContext.SaveChangesAsync();
return (true, "");
}
public async Task<(bool success, string content)> Login(AuthenticationRequest request)
{
var user = await _dbContext.Users.SingleOrDefaultAsync(u => u.Username == request.Username);
if (user == null)
{
return (false, "Invalid username.");
}
if (user.PasswordHash != ComputeHash(request.Password, user.PasswordSalt))
{
return (false, "Invalid password.");
}
return (true, GenerateJwtToken(AssembleClaimsIdentity(user)));
}
private ClaimsIdentity AssembleClaimsIdentity(User user)
{
var subject = new ClaimsIdentity(new[] {
new Claim("Id", user.Id.ToString()),
new Claim(ClaimTypes.Role, user.Role),
});
return subject;
}
private string GenerateJwtToken(ClaimsIdentity subject)
{
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(_jwt.Key);
var tokenDescriptor = new SecurityTokenDescriptor {
Subject = subject,
Audience = _jwt.Audience,
Issuer = _jwt.Issuer,
Expires = DateTime.UtcNow.AddMinutes(15),
SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
};
var token = tokenHandler.CreateToken(tokenDescriptor);
return tokenHandler.WriteToken(token);
}
private void ProvideSaltAndHash(User user)
{
var salt = GenerateSalt();
user.PasswordSalt = Convert.ToBase64String(salt);
user.PasswordHash = ComputeHash(user.PasswordHash, user.PasswordSalt);
}
private byte[] GenerateSalt()
{
var rng = RandomNumberGenerator.Create();
var salt = new byte[24];
rng.GetBytes(salt);
return salt;
}
private string ComputeHash(string password, string saltString)
{
var salt = Convert.FromBase64String(saltString);
using var hashGenerator = new Rfc2898DeriveBytes(password, salt);
hashGenerator.IterationCount = 10101;
var bytes = hashGenerator.GetBytes(24);
return Convert.ToBase64String(bytes);
}
}

37
Server/Services/ScoreboardService.cs
View File

@ -8,15 +8,17 @@ namespace Server.Services;
public class ScoreboardService public class ScoreboardService
{ {
private readonly ServerDbContext _dbContext; private readonly ServerDbContext _dbContext;
private readonly IHttpContextAccessor _httpContextAccessor;
public ScoreboardService(ServerDbContext dbContext) public ScoreboardService(ServerDbContext dbContext, IHttpContextAccessor httpContextAccessor)
{ {
_dbContext = dbContext; _dbContext = dbContext;
_httpContextAccessor = httpContextAccessor;
} }
// GET // GET
public async Task<ScoreboardRecordDto[]> GetScoreboard() public async Task<(bool success, string content, ScoreboardRecordDto[])> GetScoreboard()
{ {
var sbRecords = await _dbContext.Scoreboard var sbRecords = await _dbContext.Scoreboard
.Include(sbr => sbr.User) .Include(sbr => sbr.User)
@ -26,40 +28,59 @@ public class ScoreboardService
sbRecords = sbRecords.DistinctBy(sbr => sbr.User.Id).ToList(); sbRecords = sbRecords.DistinctBy(sbr => sbr.User.Id).ToList();
var dto = new List<ScoreboardRecordDto>(sbRecords.Count); var dto = new List<ScoreboardRecordDto>(sbRecords.Count);
foreach (var sbr in sbRecords) foreach (var sbr in sbRecords)
{ {
dto.Add(sbr.ToDto()); dto.Add(sbr.ToDto());
} }
return dto.ToArray(); return (true, "", dto.ToArray());
} }
public async Task<ScoreboardRecordDto?> GetUserHighScore(string username) public async Task<(bool success, string content, ScoreboardRecordDto? sbRecordDto)> GetUserHighScore(string username)
{ {
var userScoreboardRecords = await _dbContext.Scoreboard var userScoreboardRecords = await _dbContext.Scoreboard
.Include(sbr => sbr.User) .Include(sbr => sbr.User)
.Where(sbr => sbr.User.Username == username) .Where(sbr => sbr.User.Username == username)
.ToListAsync(); .ToListAsync();
return userScoreboardRecords.MaxBy(sbr => sbr.Score)?.ToDto(); if (userScoreboardRecords.Count == 0)
{
return (false, "Username invalid or scoreboard records are absent", null);
}
return (true, "", userScoreboardRecords.MaxBy(sbr => sbr.Score)?.ToDto());
} }
// POST // POST
public async Task AddUserHighScore(ScoreboardRecordDto sbRecordDto) public async Task<(bool success, string content)> AddUserHighScore(ScoreboardRecordDto sbRecordDto)
{ {
if (sbRecordDto.User.Id != Int32.Parse(_httpContextAccessor.HttpContext!.User.Claims.First(c => c.Type == "Id").Value))
{
return (false, "User id is not yours");
}
var sbHighScoreRecordDto = (await GetUserHighScore(sbRecordDto.User.Username)).sbRecordDto;
if (sbHighScoreRecordDto != null &&
sbRecordDto.Score <= sbHighScoreRecordDto.Score)
{
return (false, $"You can not post score lower than {sbHighScoreRecordDto.Score}");
}
var sbRecord = new ScoreboardRecord { var sbRecord = new ScoreboardRecord {
Score = sbRecordDto.Score, Score = sbRecordDto.Score,
PostTime = sbRecordDto.PostTime PostTime = sbRecordDto.PostTime
}; };
var dbUser = await _dbContext.Users.FindAsync(sbRecordDto.User.Id); var dbUser = await _dbContext.Users.FindAsync(sbRecordDto.User.Id);
sbRecord.User = dbUser; sbRecord.User = dbUser!;
await _dbContext.AddAsync(sbRecord); await _dbContext.AddAsync(sbRecord);
await _dbContext.SaveChangesAsync(); await _dbContext.SaveChangesAsync();
sbRecordDto.Id = _dbContext.ChangeTracker.Entries<ScoreboardRecord>().First().Entity.Id; sbRecordDto.Id = _dbContext.ChangeTracker.Entries<ScoreboardRecord>().First().Entity.Id;
return (true, "");
} }
// PUT // PUT