jellyfin/Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs

using System;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using MediaBrowser.Common;
using MediaBrowser.Common.Cryptography;
using MediaBrowser.Controller.Authentication;
using MediaBrowser.Model.Cryptography;

namespace Jellyfin.Server.Implementations.Users
{
    /// <summary>
    /// The default authentication provider.
    /// </summary>
    public class DefaultAuthenticationProvider : IAuthenticationProvider, IRequiresResolvedUser
    {
        private readonly ICryptoProvider _cryptographyProvider;

        /// <summary>
        /// Initializes a new instance of the <see cref="DefaultAuthenticationProvider"/> class.
        /// </summary>
        /// <param name="cryptographyProvider">The cryptography provider.</param>
        public DefaultAuthenticationProvider(ICryptoProvider cryptographyProvider)
        {
            _cryptographyProvider = cryptographyProvider;
        }

        /// <inheritdoc />
        public string Name => "Default";

        /// <inheritdoc />
        public bool IsEnabled => true;

        /// <inheritdoc />
        // This is dumb and an artifact of the backwards way auth providers were designed.
        // This version of authenticate was never meant to be called, but needs to be here for interface compat
        // Only the providers that don't provide local user support use this
        public Task<ProviderAuthenticationResult> Authenticate(string username, string password)
        {
            throw new NotImplementedException();
        }

        /// <inheritdoc />
        // This is the version that we need to use for local users. Because reasons.
        public Task<ProviderAuthenticationResult> Authenticate(string username, string password, Data.Entities.User resolvedUser)
        {
            if (resolvedUser == null)
            {
                throw new AuthenticationException("Specified user does not exist.");
            }

            bool success = false;

            // As long as jellyfin supports passwordless users, we need this little block here to accommodate
            if (!HasPassword(resolvedUser))
            {
                return Task.FromResult(new ProviderAuthenticationResult
                {
                    Username = username
                });
            }

            byte[] passwordBytes = Encoding.UTF8.GetBytes(password);

            PasswordHash readyHash = PasswordHash.Parse(resolvedUser.Password);
            if (_cryptographyProvider.GetSupportedHashMethods().Contains(readyHash.Id)
                || _cryptographyProvider.DefaultHashMethod == readyHash.Id)
            {
                byte[] calculatedHash = _cryptographyProvider.ComputeHash(
                    readyHash.Id,
                    passwordBytes,
                    readyHash.Salt.ToArray());

                if (readyHash.Hash.SequenceEqual(calculatedHash))
                {
                    success = true;
                }
            }
            else
            {
                throw new AuthenticationException($"Requested crypto method not available in provider: {readyHash.Id}");
            }

            if (!success)
            {
                throw new AuthenticationException("Invalid username or password");
            }

            return Task.FromResult(new ProviderAuthenticationResult
            {
                Username = username
            });
        }

        /// <inheritdoc />
        public bool HasPassword(Data.Entities.User user)
            => !string.IsNullOrEmpty(user.Password);

        /// <inheritdoc />
        public Task ChangePassword(Data.Entities.User user, string newPassword)
        {
            if (string.IsNullOrEmpty(newPassword))
            {
                user.Password = null;
                return Task.CompletedTask;
            }

            PasswordHash newPasswordHash = _cryptographyProvider.CreatePasswordHash(newPassword);
            user.Password = newPasswordHash.ToString();

            return Task.CompletedTask;
        }

        /// <inheritdoc />
        public void ChangeEasyPassword(Data.Entities.User user, string newPassword, string newPasswordHash)
        {
            if (newPassword != null)
            {
                newPasswordHash = _cryptographyProvider.CreatePasswordHash(newPassword).ToString();
            }

            if (string.IsNullOrWhiteSpace(newPasswordHash))
            {
                throw new ArgumentNullException(nameof(newPasswordHash));
            }

            user.EasyPassword = newPasswordHash;
        }

        /// <inheritdoc />
        public string GetEasyPasswordHash(Data.Entities.User user)
        {
            return string.IsNullOrEmpty(user.EasyPassword)
                ? null
                : Hex.Encode(PasswordHash.Parse(user.EasyPassword).Hash);
        }

        /// <summary>
        /// Hashes the provided string.
        /// </summary>
        /// <param name="user">The user.</param>
        /// <param name="str">The string to hash.</param>
        /// <returns>The hashed string.</returns>
        public string GetHashedString(Data.Entities.User user, string str)
        {
            if (string.IsNullOrEmpty(user.Password))
            {
                return _cryptographyProvider.CreatePasswordHash(str).ToString();
            }

            // TODO: make use of iterations parameter?
            PasswordHash passwordHash = PasswordHash.Parse(user.Password);
            var salt = passwordHash.Salt.ToArray();
            return new PasswordHash(
                passwordHash.Id,
                _cryptographyProvider.ComputeHash(
                    passwordHash.Id,
                    Encoding.UTF8.GetBytes(str),
                    salt),
                salt,
                passwordHash.Parameters.ToDictionary(x => x.Key, y => y.Value)).ToString();
        }

        /// <summary>
        /// Hashes the provided string.
        /// </summary>
        /// <param name="user">The user.</param>
        /// <param name="str">The string to hash.</param>
        /// <returns>The hashed string.</returns>
        public ReadOnlySpan<byte> GetHashed(Data.Entities.User user, string str)
        {
            if (string.IsNullOrEmpty(user.Password))
            {
                return _cryptographyProvider.CreatePasswordHash(str).Hash;
            }

            // TODO: make use of iterations parameter?
            PasswordHash passwordHash = PasswordHash.Parse(user.Password);
            return _cryptographyProvider.ComputeHash(
                    passwordHash.Id,
                    Encoding.UTF8.GetBytes(str),
                    passwordHash.Salt.ToArray());
        }
    }
}
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`using System;`
			`using System.Linq;`
			`using System.Text;`
			`using System.Threading.Tasks;`
Rewrite hex encoder/decoder 2019-10-19 00:22:08 +02:00			`using MediaBrowser.Common;`
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`using MediaBrowser.Common.Cryptography;`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`using MediaBrowser.Controller.Authentication;`
			`using MediaBrowser.Model.Cryptography;`

Migrate User DB to EF Core 2020-05-15 23:24:01 +02:00			`namespace Jellyfin.Server.Implementations.Users`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`{`
Fix more warnings 2019-11-01 18:38:54 +01:00			`/// <summary>`
			`/// The default authentication provider.`
			`/// </summary>`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`public class DefaultAuthenticationProvider : IAuthenticationProvider, IRequiresResolvedUser`
			`{`
			`private readonly ICryptoProvider _cryptographyProvider;`
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00
Fix more warnings 2019-11-01 18:38:54 +01:00			`/// <summary>`
			`/// Initializes a new instance of the <see cref="DefaultAuthenticationProvider"/> class.`
			`/// </summary>`
			`/// <param name="cryptographyProvider">The cryptography provider.</param>`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`public DefaultAuthenticationProvider(ICryptoProvider cryptographyProvider)`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`{`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`_cryptographyProvider = cryptographyProvider;`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`}`

Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`/// <inheritdoc />`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`public string Name => "Default";`

Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`/// <inheritdoc />`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`public bool IsEnabled => true;`
Fix pin bug introduced in 10.3.z. The issue is that the new easyPassword format prepends the hash function. This PR extract the hash from "$SHA1$_hash_". 2019-05-12 01:32:20 +02:00
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`/// <inheritdoc />`
minor style fixes 2019-03-05 08:58:25 +01:00			`// This is dumb and an artifact of the backwards way auth providers were designed.`
			`// This version of authenticate was never meant to be called, but needs to be here for interface compat`
			`// Only the providers that don't provide local user support use this`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`public Task<ProviderAuthenticationResult> Authenticate(string username, string password)`
			`{`
			`throw new NotImplementedException();`
			`}`
Fix pin bug introduced in 10.3.z. The issue is that the new easyPassword format prepends the hash function. This PR extract the hash from "$SHA1$_hash_". 2019-05-12 01:32:20 +02:00
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`/// <inheritdoc />`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`// This is the version that we need to use for local users. Because reasons.`
Initial migration code 2020-05-13 04:10:35 +02:00			`public Task<ProviderAuthenticationResult> Authenticate(string username, string password, Data.Entities.User resolvedUser)`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`{`
			`if (resolvedUser == null)`
			`{`
Initial migration code 2020-05-13 04:10:35 +02:00			`throw new AuthenticationException("Specified user does not exist.");`
added justaman notes, fixed new bug from emty has removals 2019-02-18 10:26:01 +01:00			`}`

Fix more warnings 2019-11-01 18:38:54 +01:00			`bool success = false;`

Fix login 2019-08-28 14:45:46 +02:00			`// As long as jellyfin supports passwordless users, we need this little block here to accommodate`
Initial migration code 2020-05-13 04:10:35 +02:00			`if (!HasPassword(resolvedUser))`
added justaman notes, fixed new bug from emty has removals 2019-02-18 10:26:01 +01:00			`{`
			`return Task.FromResult(new ProviderAuthenticationResult`
			`{`
			`Username = username`
			`});`
			`}`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00
Initial migration code 2020-05-13 04:10:35 +02:00			`byte[] passwordBytes = Encoding.UTF8.GetBytes(password);`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`PasswordHash readyHash = PasswordHash.Parse(resolvedUser.Password);`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`if (_cryptographyProvider.GetSupportedHashMethods().Contains(readyHash.Id)`
			`\|\| _cryptographyProvider.DefaultHashMethod == readyHash.Id)`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`{`
Add clearer exceptions, warnings and docs 2019-10-20 21:12:03 +02:00			`byte[] calculatedHash = _cryptographyProvider.ComputeHash(`
			`readyHash.Id,`
Initial migration code 2020-05-13 04:10:35 +02:00			`passwordBytes,`
More warnings (removed) 2019-12-11 00:13:57 +01:00			`readyHash.Salt.ToArray());`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00
More warnings (removed) 2019-12-11 00:13:57 +01:00			`if (readyHash.Hash.SequenceEqual(calculatedHash))`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`{`
			`success = true;`
			`}`
			`}`
			`else`
			`{`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`throw new AuthenticationException($"Requested crypto method not available in provider: {readyHash.Id}");`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`}`

			`if (!success)`
			`{`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`throw new AuthenticationException("Invalid username or password");`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`}`

			`return Task.FromResult(new ProviderAuthenticationResult`
			`{`
			`Username = username`
			`});`
			`}`

Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`/// <inheritdoc />`
Initial migration code 2020-05-13 04:10:35 +02:00			`public bool HasPassword(Data.Entities.User user)`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`=> !string.IsNullOrEmpty(user.Password);`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`/// <inheritdoc />`
Initial migration code 2020-05-13 04:10:35 +02:00			`public Task ChangePassword(Data.Entities.User user, string newPassword)`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`{`
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`if (string.IsNullOrEmpty(newPassword))`
added justaman notes, fixed new bug from emty has removals 2019-02-18 10:26:01 +01:00			`{`
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`user.Password = null;`
added justaman notes, fixed new bug from emty has removals 2019-02-18 10:26:01 +01:00			`return Task.CompletedTask;`
			`}`

Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`PasswordHash newPasswordHash = _cryptographyProvider.CreatePasswordHash(newPassword);`
			`user.Password = newPasswordHash.ToString();`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00
			`return Task.CompletedTask;`
			`}`

Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`/// <inheritdoc />`
Initial migration code 2020-05-13 04:10:35 +02:00			`public void ChangeEasyPassword(Data.Entities.User user, string newPassword, string newPasswordHash)`
Format correctly the PIN when updating it 2019-05-25 19:46:55 +02:00			`{`
			`if (newPassword != null)`
			`{`
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`newPasswordHash = _cryptographyProvider.CreatePasswordHash(newPassword).ToString();`
Format correctly the PIN when updating it 2019-05-25 19:46:55 +02:00			`}`

			`if (string.IsNullOrWhiteSpace(newPasswordHash))`
			`{`
			`throw new ArgumentNullException(nameof(newPasswordHash));`
			`}`

			`user.EasyPassword = newPasswordHash;`
			`}`

Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`/// <inheritdoc />`
Initial migration code 2020-05-13 04:10:35 +02:00			`public string GetEasyPasswordHash(Data.Entities.User user)`
Format correctly the PIN when updating it 2019-05-25 19:46:55 +02:00			`{`
			`return string.IsNullOrEmpty(user.EasyPassword)`
			`? null`
Rewrite hex encoder/decoder 2019-10-19 00:22:08 +02:00			`: Hex.Encode(PasswordHash.Parse(user.EasyPassword).Hash);`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`}`

			`/// <summary>`
Initial migration code 2020-05-13 04:10:35 +02:00			`/// Hashes the provided string.`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`/// </summary>`
Initial migration code 2020-05-13 04:10:35 +02:00			`/// <param name="user">The user.</param>`
			`/// <param name="str">The string to hash.</param>`
			`/// <returns>The hashed string.</returns>`
			`public string GetHashedString(Data.Entities.User user, string str)`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`{`
minor style fixes 2019-03-05 08:58:25 +01:00			`if (string.IsNullOrEmpty(user.Password))`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`{`
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`return _cryptographyProvider.CreatePasswordHash(str).ToString();`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`}`

Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`// TODO: make use of iterations parameter?`
			`PasswordHash passwordHash = PasswordHash.Parse(user.Password);`
More warnings (removed) 2019-12-11 00:13:57 +01:00			`var salt = passwordHash.Salt.ToArray();`
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`return new PasswordHash(`
			`passwordHash.Id,`
			`_cryptographyProvider.ComputeHash(`
			`passwordHash.Id,`
			`Encoding.UTF8.GetBytes(str),`
More warnings (removed) 2019-12-11 00:13:57 +01:00			`salt),`
			`salt,`
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`passwordHash.Parameters.ToDictionary(x => x.Key, y => y.Value)).ToString();`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`}`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00
Initial migration code 2020-05-13 04:10:35 +02:00			`/// <summary>`
			`/// Hashes the provided string.`
			`/// </summary>`
			`/// <param name="user">The user.</param>`
			`/// <param name="str">The string to hash.</param>`
			`/// <returns>The hashed string.</returns>`
			`public ReadOnlySpan<byte> GetHashed(Data.Entities.User user, string str)`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`{`
			`if (string.IsNullOrEmpty(user.Password))`
			`{`
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`return _cryptographyProvider.CreatePasswordHash(str).Hash;`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`}`

Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`// TODO: make use of iterations parameter?`
			`PasswordHash passwordHash = PasswordHash.Parse(user.Password);`
			`return _cryptographyProvider.ComputeHash(`
			`passwordHash.Id,`
			`Encoding.UTF8.GetBytes(str),`
More warnings (removed) 2019-12-11 00:13:57 +01:00			`passwordHash.Salt.ToArray());`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`}`
made newlines into linux newlines 2019-02-20 10:17:30 +01:00			`}`
			`}`