aboutsummaryrefslogtreecommitdiff
path: root/Emby.Server.Implementations/HttpServer/Security/AuthService.cs
diff options
context:
space:
mode:
Diffstat (limited to 'Emby.Server.Implementations/HttpServer/Security/AuthService.cs')
-rw-r--r--Emby.Server.Implementations/HttpServer/Security/AuthService.cs234
1 files changed, 19 insertions, 215 deletions
diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthService.cs b/Emby.Server.Implementations/HttpServer/Security/AuthService.cs
index 499a334fc..e2ad07177 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthService.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthService.cs
@@ -1,239 +1,43 @@
-using System;
-using System.Linq;
-using MediaBrowser.Common.Net;
-using MediaBrowser.Controller.Configuration;
-using MediaBrowser.Controller.Entities;
-using MediaBrowser.Controller.Library;
+#pragma warning disable CS1591
+
+using System.Threading.Tasks;
+using Jellyfin.Data.Enums;
+using MediaBrowser.Controller.Authentication;
using MediaBrowser.Controller.Net;
-using MediaBrowser.Controller.Security;
-using MediaBrowser.Controller.Session;
-using MediaBrowser.Model.Services;
+using Microsoft.AspNetCore.Http;
namespace Emby.Server.Implementations.HttpServer.Security
{
public class AuthService : IAuthService
{
- private readonly IServerConfigurationManager _config;
-
- public AuthService(IUserManager userManager, IAuthorizationContext authorizationContext, IServerConfigurationManager config, ISessionManager sessionManager, INetworkManager networkManager)
- {
- AuthorizationContext = authorizationContext;
- _config = config;
- SessionManager = sessionManager;
- UserManager = userManager;
- NetworkManager = networkManager;
- }
-
- public IUserManager UserManager { get; private set; }
- public IAuthorizationContext AuthorizationContext { get; private set; }
- public ISessionManager SessionManager { get; private set; }
- public INetworkManager NetworkManager { get; private set; }
-
- /// <summary>
- /// Redirect the client to a specific URL if authentication failed.
- /// If this property is null, simply `401 Unauthorized` is returned.
- /// </summary>
- public string HtmlRedirect { get; set; }
+ private readonly IAuthorizationContext _authorizationContext;
- public void Authenticate(IRequest request, IAuthenticationAttributes authAttribtues)
+ public AuthService(
+ IAuthorizationContext authorizationContext)
{
- ValidateUser(request, authAttribtues);
+ _authorizationContext = authorizationContext;
}
- private void ValidateUser(IRequest request, IAuthenticationAttributes authAttribtues)
+ public async Task<AuthorizationInfo> Authenticate(HttpRequest request)
{
- // This code is executed before the service
- var auth = AuthorizationContext.GetAuthorizationInfo(request);
+ var auth = await _authorizationContext.GetAuthorizationInfo(request).ConfigureAwait(false);
- if (!IsExemptFromAuthenticationToken(auth, authAttribtues, request))
+ if (!auth.HasToken)
{
- ValidateSecurityToken(request, auth.Token);
+ throw new AuthenticationException("Request does not contain a token.");
}
- if (authAttribtues.AllowLocalOnly && !request.IsLocal)
+ if (!auth.IsAuthenticated)
{
- throw new SecurityException("Operation not found.");
+ throw new SecurityException("Invalid token.");
}
- var user = auth.User;
-
- if (user == null & !auth.UserId.Equals(Guid.Empty))
+ if (auth.User?.HasPermission(PermissionKind.IsDisabled) ?? false)
{
- throw new SecurityException("User with Id " + auth.UserId + " not found");
+ throw new SecurityException("User account has been disabled.");
}
- if (user != null)
- {
- ValidateUserAccess(user, request, authAttribtues, auth);
- }
-
- var info = GetTokenInfo(request);
-
- if (!IsExemptFromRoles(auth, authAttribtues, request, info))
- {
- var roles = authAttribtues.GetRoles();
-
- ValidateRoles(roles, user);
- }
-
- if (!string.IsNullOrEmpty(auth.DeviceId) &&
- !string.IsNullOrEmpty(auth.Client) &&
- !string.IsNullOrEmpty(auth.Device))
- {
- SessionManager.LogSessionActivity(auth.Client,
- auth.Version,
- auth.DeviceId,
- auth.Device,
- request.RemoteIp,
- user);
- }
- }
-
- private void ValidateUserAccess(User user, IRequest request,
- IAuthenticationAttributes authAttribtues,
- AuthorizationInfo auth)
- {
- if (user.Policy.IsDisabled)
- {
- throw new SecurityException("User account has been disabled.")
- {
- SecurityExceptionType = SecurityExceptionType.Unauthenticated
- };
- }
-
- if (!user.Policy.EnableRemoteAccess && !NetworkManager.IsInLocalNetwork(request.RemoteIp))
- {
- throw new SecurityException("User account has been disabled.")
- {
- SecurityExceptionType = SecurityExceptionType.Unauthenticated
- };
- }
-
- if (!user.Policy.IsAdministrator &&
- !authAttribtues.EscapeParentalControl &&
- !user.IsParentalScheduleAllowed())
- {
- request.Response.AddHeader("X-Application-Error-Code", "ParentalControl");
-
- throw new SecurityException("This user account is not allowed access at this time.")
- {
- SecurityExceptionType = SecurityExceptionType.ParentalControl
- };
- }
- }
-
- private bool IsExemptFromAuthenticationToken(AuthorizationInfo auth, IAuthenticationAttributes authAttribtues, IRequest request)
- {
- if (!_config.Configuration.IsStartupWizardCompleted && authAttribtues.AllowBeforeStartupWizard)
- {
- return true;
- }
-
- if (authAttribtues.AllowLocal && request.IsLocal)
- {
- return true;
- }
- if (authAttribtues.AllowLocalOnly && request.IsLocal)
- {
- return true;
- }
-
- return false;
- }
-
- private bool IsExemptFromRoles(AuthorizationInfo auth, IAuthenticationAttributes authAttribtues, IRequest request, AuthenticationInfo tokenInfo)
- {
- if (!_config.Configuration.IsStartupWizardCompleted && authAttribtues.AllowBeforeStartupWizard)
- {
- return true;
- }
-
- if (authAttribtues.AllowLocal && request.IsLocal)
- {
- return true;
- }
-
- if (authAttribtues.AllowLocalOnly && request.IsLocal)
- {
- return true;
- }
-
- if (string.IsNullOrEmpty(auth.Token))
- {
- return true;
- }
-
- if (tokenInfo != null && tokenInfo.UserId.Equals(Guid.Empty))
- {
- return true;
- }
-
- return false;
- }
-
- private static void ValidateRoles(string[] roles, User user)
- {
- if (roles.Contains("admin", StringComparer.OrdinalIgnoreCase))
- {
- if (user == null || !user.Policy.IsAdministrator)
- {
- throw new SecurityException("User does not have admin access.")
- {
- SecurityExceptionType = SecurityExceptionType.Unauthenticated
- };
- }
- }
- if (roles.Contains("delete", StringComparer.OrdinalIgnoreCase))
- {
- if (user == null || !user.Policy.EnableContentDeletion)
- {
- throw new SecurityException("User does not have delete access.")
- {
- SecurityExceptionType = SecurityExceptionType.Unauthenticated
- };
- }
- }
- if (roles.Contains("download", StringComparer.OrdinalIgnoreCase))
- {
- if (user == null || !user.Policy.EnableContentDownloading)
- {
- throw new SecurityException("User does not have download access.")
- {
- SecurityExceptionType = SecurityExceptionType.Unauthenticated
- };
- }
- }
- }
-
- private static AuthenticationInfo GetTokenInfo(IRequest request)
- {
- request.Items.TryGetValue("OriginalAuthenticationInfo", out var info);
- return info as AuthenticationInfo;
- }
-
- private void ValidateSecurityToken(IRequest request, string token)
- {
- if (string.IsNullOrEmpty(token))
- {
- throw new SecurityException("Access token is required.");
- }
-
- var info = GetTokenInfo(request);
-
- if (info == null)
- {
- throw new SecurityException("Access token is invalid or expired.");
- }
-
- //if (!string.IsNullOrEmpty(info.UserId))
- //{
- // var user = _userManager.GetUserById(info.UserId);
-
- // if (user == null || user.Configuration.IsDisabled)
- // {
- // throw new SecurityException("User account has been disabled.");
- // }
- //}
+ return auth;
}
}
}
generated by cgit v1.2.3 (git 2.46.0) at 2025-12-07 16:48:22 +0000