feat: add authentication & authorization

2022-07-17 21:11:36 +03:00 · 2022-07-17 21:11:36 +03:00 · 3dc782d76a
commit 3dc782d76a
parent 514f0771aa
9 changed files with 254 additions and 21 deletions
--- a/DatabaseModels/Requests/AuthenticationRequest.cs
+++ b/DatabaseModels/Requests/AuthenticationRequest.cs
@ -0,0 +1,7 @@
+namespace DatabaseModels.Requests;
+
+public class AuthenticationRequest
+{
+    public string Username { get; set; } = null!;
+    public string Password { get; set; } = null!;
+}
--- a/DatabaseModels/Responses/AuthenticationResponse.cs
+++ b/DatabaseModels/Responses/AuthenticationResponse.cs
@ -0,0 +1,6 @@
+namespace DatabaseModels.Responses;
+
+public class AuthenticationResponse
+{
+    public string Token { get; set; } = null!;
+}
--- a/Server/Controllers/AuthenticationController.cs
+++ b/Server/Controllers/AuthenticationController.cs
@ -0,0 +1,46 @@
+using DatabaseModels.Requests;
+using DatabaseModels.Responses;
+using Server.Services;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Server.Controllers;
+
+[Route("auth")]
+[ApiController]
+public class AuthenticationController : ControllerBase
+{
+    private readonly AuthenticationService _authenticationService;
+
+    public AuthenticationController(AuthenticationService authenticationService)
+    {
+        _authenticationService = authenticationService;
+    }
+    
+    // POST: /authentication/register
+    [HttpPost("register")]
+    public async Task<ActionResult<AuthenticationResponse>> Register([FromBody] AuthenticationRequest request)
+    {
+        var (success, content) = await _authenticationService.Register(request);
+        
+        if (!success)
+        {
+            return BadRequest(content);
+        }
+
+        return await Login(request);
+    }
+    
+    // POST: /authentication/login
+    [HttpPost("login")]
+    public async Task<ActionResult<AuthenticationResponse>> Login([FromBody] AuthenticationRequest request)
+    {
+        var (success, content) = await _authenticationService.Login(request);
+        
+        if (!success)
+        {
+            return BadRequest("Username or password is incorrect.");
+        }
+
+        return Ok(new AuthenticationResponse { Token = content } );
+    }
+}
--- a/Server/Controllers/ScoreboardController.cs
+++ b/Server/Controllers/ScoreboardController.cs
@ -1,11 +1,15 @@
+using System.Security.Claims;
 using DatabaseModels.DataTransferObjets;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
 using Server.Services;

 namespace Server.Controllers;

-[Route("[controller]")]
+[Authorize]
+[Route("api/[controller]")]
 [ApiController]
 public class ScoreboardController : ControllerBase
 {
@ -18,35 +22,57 @@ public class ScoreboardController : ControllerBase
    
    // GET: /scoreboard
    [HttpGet]
+    [AllowAnonymous]
    public async Task<ActionResult<ScoreboardRecordDto[]>> Get()
    {
-        return await _sbService.GetScoreboard();
-    }
+        var (success, content, sbRecordsDto) = await _sbService.GetScoreboard();

-    // GET: /scoreboard/cuqmbr
-    [HttpGet("{username}", Name = "Get")]
-    public async Task<ActionResult<ScoreboardRecordDto>> Get(string username)
-    {
-        var sbRecordDto = await _sbService.GetUserHighScore(username);
-
-        if (sbRecordDto == null)
+        if (!success)
        {
            return NotFound();
        }
        
-        return sbRecordDto;
+        return sbRecordsDto;
+    }
+
+    // GET: /scoreboard/cuqmbr
+    [HttpGet("{username}", Name = "Get")]
+    [AllowAnonymous]
+    public async Task<ActionResult<ScoreboardRecordDto>> Get(string username)
+    {
+        var (success, content, sbRecordDto) = await _sbService.GetUserHighScore(username);
+
+        if (!success)
+        {
+            return NotFound(content);
+        }
+        
+        return sbRecordDto!;
    }

    // POST: /scoreboard
    [HttpPost]
+    [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Roles = "Default, Administrator")]
    public async Task<ActionResult> Post([FromBody] ScoreboardRecordDto sbRecordDto)
    {
-        await _sbService.AddUserHighScore(sbRecordDto);
+        var (success, content) = await _sbService.AddUserHighScore(sbRecordDto);
+
+        if (!success && content.Equals("User id is not yours"))
+        {
+            return Forbid();
+        }
+
+        if (!success && content.Contains("You can not post score lower than"))
+        {
+            return BadRequest(content);
+        }
+        
        return CreatedAtAction(nameof(Get), new {sbRecordDto}, sbRecordDto);
    }
    
    // PUT: /scoreboard/id
    [HttpPut("{id}", Name = "Put")]
+    [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Roles = "Administrator")]
    public async Task<ActionResult> Put(int id, [FromBody] ScoreboardRecordDto sbRecordDto)
    {
        if (id != sbRecordDto.Id)
@ -73,6 +99,7 @@ public class ScoreboardController : ControllerBase
    
    // DELETE: /scoreboard/id
    [HttpDelete("{id}", Name = "Delete")]
+    [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Roles = "Administrator")]
    public async Task<ActionResult> Delete(int id)
    {
        if (!await _sbService.ScoreboardRecordExists(id))
--- a/Server/Models/Jwt.cs
+++ b/Server/Models/Jwt.cs
@ -0,0 +1,8 @@
+namespace Server.Models;
+
+public class Jwt
+{
+    public string Key { get; set; } = null!;
+    public string Issuer { get; set; } = null!;
+    public string Audience { get; set; } = null!;
+}
--- a/Server/Program.cs
+++ b/Server/Program.cs
@ -6,6 +6,7 @@ using Microsoft.OpenApi.Models;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Serialization;
 using Server.Data;
+using Server.Models;
 using Server.Services;

 var builder = WebApplication.CreateBuilder(args);
@ -17,6 +18,7 @@ builder.Services.AddControllers().AddNewtonsoftJson(o => {
    o.SerializerSettings.ReferenceLoopHandling = ReferenceLoopHandling.Ignore;
 });
 builder.Services.AddEndpointsApiExplorer();
+builder.Services.AddHttpContextAccessor();

 builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(o => {
    o.TokenValidationParameters = new TokenValidationParameters {
@ -57,7 +59,13 @@ builder.Services.AddSwaggerGen(o => {

 builder.Services.AddDbContext<ServerDbContext>(o => 
    o.UseSqlite(builder.Configuration.GetConnectionString("DefaultConnection")));
+
 builder.Services.AddScoped<ScoreboardService>();
+builder.Services.AddScoped<AuthenticationService>();
+
+var jwt = new Jwt();
+builder.Configuration.Bind("Jwt", jwt);
+builder.Services.AddSingleton(jwt);

 var app = builder.Build();

--- a/Server/Server.csproj
+++ b/Server/Server.csproj
@ -21,7 +21,6 @@
    </ItemGroup>

    <ItemGroup>
-      <Folder Include="Controllers" />
      <Folder Include="Migrations" />
    </ItemGroup>

--- a/Server/Services/AuthenticationService.cs
+++ b/Server/Services/AuthenticationService.cs
@ -0,0 +1,111 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Security.Cryptography;
+using System.Text;
+using DatabaseModels.InitialObjects;
+using DatabaseModels.Requests;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.IdentityModel.Tokens;
+using Server.Data;
+using Server.Models;
+
+namespace Server.Services;
+
+public class AuthenticationService
+{
+    private readonly ServerDbContext _dbContext;
+    private readonly Jwt _jwt;
+
+    public AuthenticationService(ServerDbContext dbContext, Jwt jwt)
+    {
+        _dbContext = dbContext;
+        _jwt = jwt;
+    }
+
+    public async Task<(bool success, string content)> Register(AuthenticationRequest request)
+    {
+        if (await _dbContext.Users.AnyAsync(u => u.Username == request.Username))
+        {
+            return (false, "Username is taken.");
+        }
+
+        var user = new User {
+            Username = request.Username,
+            PasswordHash = request.Password,
+            Role = "Default"
+        };
+        ProvideSaltAndHash(user);
+
+        await _dbContext.Users.AddAsync(user);
+        await _dbContext.SaveChangesAsync();
+
+        return (true, "");
+    }
+
+    public async Task<(bool success, string content)> Login(AuthenticationRequest request)
+    {
+        var user = await _dbContext.Users.SingleOrDefaultAsync(u => u.Username == request.Username);
+
+        if (user == null)
+        {
+            return (false, "Invalid username.");
+        }
+
+        if (user.PasswordHash != ComputeHash(request.Password, user.PasswordSalt))
+        {
+            return (false, "Invalid password.");
+        }
+
+        return (true, GenerateJwtToken(AssembleClaimsIdentity(user)));
+    }
+
+    private ClaimsIdentity AssembleClaimsIdentity(User user)
+    {
+        var subject = new ClaimsIdentity(new[] {
+            new Claim("Id", user.Id.ToString()),
+            new Claim(ClaimTypes.Role, user.Role),
+        });
+
+        return subject;
+    }
+    
+    private string GenerateJwtToken(ClaimsIdentity subject)
+    {
+        var tokenHandler = new JwtSecurityTokenHandler();
+        var key = Encoding.ASCII.GetBytes(_jwt.Key);
+        var tokenDescriptor = new SecurityTokenDescriptor {
+            Subject = subject,
+            Audience = _jwt.Audience,
+            Issuer = _jwt.Issuer,
+            Expires = DateTime.UtcNow.AddMinutes(15),
+            SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
+        };
+        var token = tokenHandler.CreateToken(tokenDescriptor);
+        return tokenHandler.WriteToken(token);
+    }
+
+    private void ProvideSaltAndHash(User user)
+    {
+        var salt = GenerateSalt();
+        user.PasswordSalt = Convert.ToBase64String(salt);
+        user.PasswordHash = ComputeHash(user.PasswordHash, user.PasswordSalt);
+    }
+
+    private byte[] GenerateSalt()
+    {
+        var rng = RandomNumberGenerator.Create();
+        var salt = new byte[24];
+        rng.GetBytes(salt);
+        return salt;
+    }
+
+    private string ComputeHash(string password, string saltString)
+    {
+        var salt = Convert.FromBase64String(saltString);
+
+        using var hashGenerator = new Rfc2898DeriveBytes(password, salt);
+        hashGenerator.IterationCount = 10101;
+        var bytes = hashGenerator.GetBytes(24);
+        return Convert.ToBase64String(bytes);
+    }
+}
--- a/Server/Services/ScoreboardService.cs
+++ b/Server/Services/ScoreboardService.cs
@ -8,15 +8,17 @@ namespace Server.Services;
 public class ScoreboardService
 {
    private readonly ServerDbContext _dbContext;
+    private readonly IHttpContextAccessor _httpContextAccessor;

-    public ScoreboardService(ServerDbContext dbContext)
+    public ScoreboardService(ServerDbContext dbContext, IHttpContextAccessor httpContextAccessor)
    {
        _dbContext = dbContext;
+        _httpContextAccessor = httpContextAccessor;
    }

    // GET
    
-    public async Task<ScoreboardRecordDto[]> GetScoreboard()
+    public async Task<(bool success, string content, ScoreboardRecordDto[])> GetScoreboard()
    {
        var sbRecords = await _dbContext.Scoreboard
            .Include(sbr => sbr.User)
@ -26,40 +28,59 @@ public class ScoreboardService
        sbRecords = sbRecords.DistinctBy(sbr => sbr.User.Id).ToList();

        var dto = new List<ScoreboardRecordDto>(sbRecords.Count);
-
        foreach (var sbr in sbRecords)
        {
            dto.Add(sbr.ToDto());
        }
        
-        return dto.ToArray();
+        return (true, "", dto.ToArray());
    }

-    public async Task<ScoreboardRecordDto?> GetUserHighScore(string username)
+    public async Task<(bool success, string content, ScoreboardRecordDto? sbRecordDto)> GetUserHighScore(string username)
    {
        var userScoreboardRecords = await _dbContext.Scoreboard
            .Include(sbr => sbr.User)
            .Where(sbr => sbr.User.Username == username)
            .ToListAsync();

-        return userScoreboardRecords.MaxBy(sbr => sbr.Score)?.ToDto();
+        if (userScoreboardRecords.Count == 0)
+        {
+            return (false, "Username invalid or scoreboard records are absent", null);
+        }
+
+        return (true, "", userScoreboardRecords.MaxBy(sbr => sbr.Score)?.ToDto());
    }

    // POST
    
-    public async Task AddUserHighScore(ScoreboardRecordDto sbRecordDto)
+    public async Task<(bool success, string content)> AddUserHighScore(ScoreboardRecordDto sbRecordDto)
    {
+        if (sbRecordDto.User.Id != Int32.Parse(_httpContextAccessor.HttpContext!.User.Claims.First(c => c.Type == "Id").Value))
+        {
+            return (false, "User id is not yours");
+        }
+
+        var sbHighScoreRecordDto = (await GetUserHighScore(sbRecordDto.User.Username)).sbRecordDto;
+        
+        if (sbHighScoreRecordDto != null &&
+            sbRecordDto.Score <= sbHighScoreRecordDto.Score)
+        {
+            return (false, $"You can not post score lower than {sbHighScoreRecordDto.Score}");
+        }
+
        var sbRecord = new ScoreboardRecord {
            Score = sbRecordDto.Score,
            PostTime = sbRecordDto.PostTime
        };
        var dbUser = await _dbContext.Users.FindAsync(sbRecordDto.User.Id);
-        sbRecord.User = dbUser;
+        sbRecord.User = dbUser!;
        
        await _dbContext.AddAsync(sbRecord);
        await _dbContext.SaveChangesAsync();
        
        sbRecordDto.Id = _dbContext.ChangeTracker.Entries<ScoreboardRecord>().First().Entity.Id;
+
+        return (true, "");
    }
    
    // PUT