jellyfin/Jellyfin.Server.Implementations/Users/DefaultPasswordResetProvider.cs

using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text.Json;
using System.Threading.Tasks;
using Jellyfin.Data.Entities;
using MediaBrowser.Common;
using MediaBrowser.Common.Extensions;
using MediaBrowser.Controller.Authentication;
using MediaBrowser.Controller.Configuration;
using MediaBrowser.Controller.Library;
using MediaBrowser.Model.IO;
using MediaBrowser.Model.Users;

namespace Jellyfin.Server.Implementations.Users
{
    /// <summary>
    /// The default password reset provider.
    /// </summary>
    public class DefaultPasswordResetProvider : IPasswordResetProvider
    {
        private const string BaseResetFileName = "passwordreset";

        private readonly IApplicationHost _appHost;

        private readonly string _passwordResetFileBase;
        private readonly string _passwordResetFileBaseDir;

        /// <summary>
        /// Initializes a new instance of the <see cref="DefaultPasswordResetProvider"/> class.
        /// </summary>
        /// <param name="configurationManager">The configuration manager.</param>
        /// <param name="appHost">The application host.</param>
        public DefaultPasswordResetProvider(IServerConfigurationManager configurationManager, IApplicationHost appHost)
        {
            _passwordResetFileBaseDir = configurationManager.ApplicationPaths.ProgramDataPath;
            _passwordResetFileBase = Path.Combine(_passwordResetFileBaseDir, BaseResetFileName);
            _appHost = appHost;
            // TODO: Remove the circular dependency on UserManager
        }

        /// <inheritdoc />
        public string Name => "Default Password Reset Provider";

        /// <inheritdoc />
        public bool IsEnabled => true;

        /// <inheritdoc />
        public async Task<PinRedeemResult> RedeemPasswordResetPin(string pin)
        {
            var userManager = _appHost.Resolve<IUserManager>();
            var usersReset = new List<string>();
            foreach (var resetFile in Directory.EnumerateFiles(_passwordResetFileBaseDir, $"{BaseResetFileName}*"))
            {
                SerializablePasswordReset spr;
                var str = AsyncFile.OpenRead(resetFile);
                await using (str.ConfigureAwait(false))
                {
                    spr = await JsonSerializer.DeserializeAsync<SerializablePasswordReset>(str).ConfigureAwait(false)
                        ?? throw new ResourceNotFoundException($"Provided path ({resetFile}) is not valid.");
                }

                if (spr.ExpirationDate < DateTime.UtcNow)
                {
                    File.Delete(resetFile);
                }
                else if (string.Equals(
                    spr.Pin.Replace("-", string.Empty, StringComparison.Ordinal),
                    pin.Replace("-", string.Empty, StringComparison.Ordinal),
                    StringComparison.Ordinal))
                {
                    var resetUser = userManager.GetUserByName(spr.UserName)
                        ?? throw new ResourceNotFoundException($"User with a username of {spr.UserName} not found");

                    await userManager.ChangePassword(resetUser, pin).ConfigureAwait(false);
                    usersReset.Add(resetUser.Username);
                    File.Delete(resetFile);
                }
            }

            if (usersReset.Count < 1)
            {
                throw new ResourceNotFoundException($"No Users found with a password reset request matching pin {pin}");
            }

            return new PinRedeemResult
            {
                Success = true,
                UsersReset = usersReset.ToArray()
            };
        }

        /// <inheritdoc />
        public async Task<ForgotPasswordResult> StartForgotPasswordProcess(User user, bool isInNetwork)
        {
            byte[] bytes = new byte[4];
            RandomNumberGenerator.Fill(bytes);
            string pin = BitConverter.ToString(bytes);

            DateTime expireTime = DateTime.UtcNow.AddMinutes(30);
            string filePath = _passwordResetFileBase + user.Id + ".json";
            SerializablePasswordReset spr = new SerializablePasswordReset
            {
                ExpirationDate = expireTime,
                Pin = pin,
                PinFile = filePath,
                UserName = user.Username
            };

            FileStream fileStream = AsyncFile.OpenWrite(filePath);
            await using (fileStream.ConfigureAwait(false))
            {
                await JsonSerializer.SerializeAsync(fileStream, spr).ConfigureAwait(false);
            }

            return new ForgotPasswordResult
            {
                Action = ForgotPasswordAction.PinCode,
                PinExpirationDate = expireTime,
                PinFile = filePath
            };
        }

#nullable disable
        private class SerializablePasswordReset : PasswordPinCreationResult
        {
            public string Pin { get; set; }

            public string UserName { get; set; }
        }
    }
}
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`using System;`
			`using System.Collections.Generic;`
			`using System.IO;`
Improvements to UserManager 2019-06-09 22:08:01 +02:00			`using System.Security.Cryptography;`
Use System.Text.Json in DefaultPasswordResetProvider 2020-07-24 03:50:41 +02:00			`using System.Text.Json;`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`using System.Threading.Tasks;`
Migrate User DB to EF Core 2020-05-15 23:24:01 +02:00			`using Jellyfin.Data.Entities;`
Fix circular dependency 2020-06-20 23:58:09 +02:00			`using MediaBrowser.Common;`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`using MediaBrowser.Common.Extensions;`
			`using MediaBrowser.Controller.Authentication;`
			`using MediaBrowser.Controller.Configuration;`
			`using MediaBrowser.Controller.Library;`
Use async FileStreams where it makes sense 2021-06-12 22:20:35 +02:00			`using MediaBrowser.Model.IO;`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`using MediaBrowser.Model.Users;`

Migrate User DB to EF Core 2020-05-15 23:24:01 +02:00			`namespace Jellyfin.Server.Implementations.Users`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`{`
Fix more warnings 2019-11-01 18:38:54 +01:00			`/// <summary>`
			`/// The default password reset provider.`
			`/// </summary>`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`public class DefaultPasswordResetProvider : IPasswordResetProvider`
			`{`
Improvements to UserManager 2019-06-09 22:08:01 +02:00			`private const string BaseResetFileName = "passwordreset";`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00
Fix circular dependency 2020-06-20 23:58:09 +02:00			`private readonly IApplicationHost _appHost;`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00
			`private readonly string _passwordResetFileBase;`
			`private readonly string _passwordResetFileBaseDir;`

Fix more warnings 2019-11-01 18:38:54 +01:00			`/// <summary>`
			`/// Initializes a new instance of the <see cref="DefaultPasswordResetProvider"/> class.`
			`/// </summary>`
			`/// <param name="configurationManager">The configuration manager.</param>`
Fix circular dependency 2020-06-20 23:58:09 +02:00			`/// <param name="appHost">The application host.</param>`
Use System.Text.Json in DefaultPasswordResetProvider 2020-07-24 03:50:41 +02:00			`public DefaultPasswordResetProvider(IServerConfigurationManager configurationManager, IApplicationHost appHost)`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`{`
			`_passwordResetFileBaseDir = configurationManager.ApplicationPaths.ProgramDataPath;`
Improvements to UserManager 2019-06-09 22:08:01 +02:00			`_passwordResetFileBase = Path.Combine(_passwordResetFileBaseDir, BaseResetFileName);`
Fix circular dependency 2020-06-20 23:58:09 +02:00			`_appHost = appHost;`
			`// TODO: Remove the circular dependency on UserManager`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`}`

Improvements to UserManager 2019-06-09 22:08:01 +02:00			`/// <inheritdoc />`
			`public string Name => "Default Password Reset Provider";`

			`/// <inheritdoc />`
			`public bool IsEnabled => true;`

			`/// <inheritdoc />`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`public async Task<PinRedeemResult> RedeemPasswordResetPin(string pin)`
			`{`
Fix circular dependency 2020-06-20 23:58:09 +02:00			`var userManager = _appHost.Resolve<IUserManager>();`
Reimplement password resetting 2020-05-30 06:19:36 +02:00			`var usersReset = new List<string>();`
Initial migration code 2020-05-13 04:10:35 +02:00			`foreach (var resetFile in Directory.EnumerateFiles(_passwordResetFileBaseDir, $"{BaseResetFileName}*"))`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`{`
Suggestions from review 2020-11-15 19:35:36 +01:00			`SerializablePasswordReset spr;`
Fix all warnings in Jellyfin.Server.Implementations 2023-01-11 09:55:05 +01:00			`var str = AsyncFile.OpenRead(resetFile);`
			`await using (str.ConfigureAwait(false))`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`{`
Use null coalescing when possible 2020-11-13 19:24:46 +01:00			`spr = await JsonSerializer.DeserializeAsync<SerializablePasswordReset>(str).ConfigureAwait(false)`
Updated based on review feedback 2020-11-14 02:04:06 +01:00			`?? throw new ResourceNotFoundException($"Provided path ({resetFile}) is not valid.");`
Fix nullability errors in Jellyfin.Server.Implementations 2020-11-13 16:32:24 +01:00			`}`

Reimplement password resetting 2020-05-30 06:19:36 +02:00			`if (spr.ExpirationDate < DateTime.UtcNow)`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`{`
Initial migration code 2020-05-13 04:10:35 +02:00			`File.Delete(resetFile);`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`}`
Improvements to UserManager 2019-06-09 22:08:01 +02:00			`else if (string.Equals(`
Fix more warnings 2019-11-01 18:38:54 +01:00			`spr.Pin.Replace("-", string.Empty, StringComparison.Ordinal),`
			`pin.Replace("-", string.Empty, StringComparison.Ordinal),`
Make Password Reset case sensitive 2022-09-09 13:36:27 +02:00			`StringComparison.Ordinal))`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`{`
Fix circular dependency 2020-06-20 23:58:09 +02:00			`var resetUser = userManager.GetUserByName(spr.UserName)`
Reimplement password resetting 2020-05-30 06:19:36 +02:00			`?? throw new ResourceNotFoundException($"User with a username of {spr.UserName} not found");`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00
Fix circular dependency 2020-06-20 23:58:09 +02:00			`await userManager.ChangePassword(resetUser, pin).ConfigureAwait(false);`
Initial migration code 2020-05-13 04:10:35 +02:00			`usersReset.Add(resetUser.Username);`
			`File.Delete(resetFile);`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`}`
			`}`

Initial migration code 2020-05-13 04:10:35 +02:00			`if (usersReset.Count < 1)`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`{`
			`throw new ResourceNotFoundException($"No Users found with a password reset request matching pin {pin}");`
			`}`
Initial migration code 2020-05-13 04:10:35 +02:00
			`return new PinRedeemResult`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`{`
Initial migration code 2020-05-13 04:10:35 +02:00			`Success = true,`
			`UsersReset = usersReset.ToArray()`
			`};`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`}`

Improvements to UserManager 2019-06-09 22:08:01 +02:00			`/// <inheritdoc />`
Migrate User DB to EF Core 2020-05-15 23:24:01 +02:00			`public async Task<ForgotPasswordResult> StartForgotPasswordProcess(User user, bool isInNetwork)`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`{`
Use static crypto rng 2021-10-08 15:02:58 +02:00			`byte[] bytes = new byte[4];`
			`RandomNumberGenerator.Fill(bytes);`
			`string pin = BitConverter.ToString(bytes);`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00
Reimplement password resetting 2020-05-30 06:19:36 +02:00			`DateTime expireTime = DateTime.UtcNow.AddMinutes(30);`
			`string filePath = _passwordResetFileBase + user.Id + ".json";`
			`SerializablePasswordReset spr = new SerializablePasswordReset`
			`{`
			`ExpirationDate = expireTime,`
			`Pin = pin,`
			`PinFile = filePath,`
			`UserName = user.Username`
			`};`

Fix all warnings in Jellyfin.Server.Implementations 2023-01-11 09:55:05 +01:00			`FileStream fileStream = AsyncFile.OpenWrite(filePath);`
			`await using (fileStream.ConfigureAwait(false))`
Reimplement password resetting 2020-05-30 06:19:36 +02:00			`{`
Use async json serialization. 2020-07-25 19:07:12 +02:00			`await JsonSerializer.SerializeAsync(fileStream, spr).ConfigureAwait(false);`
Reimplement password resetting 2020-05-30 06:19:36 +02:00			`}`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00
			`return new ForgotPasswordResult`
			`{`
			`Action = ForgotPasswordAction.PinCode,`
			`PinExpirationDate = expireTime,`
Return the path to the pinfile in forgot password 2021-10-07 23:20:54 +02:00			`PinFile = filePath`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`};`
			`}`

Enable nullable annotations 2020-06-09 18:21:21 +02:00			`#nullable disable`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`private class SerializablePasswordReset : PasswordPinCreationResult`
			`{`
			`public string Pin { get; set; }`

			`public string UserName { get; set; }`
			`}`
			`}`
			`}`