Use Claims more for User and Device

Author: hhvrc

API/Controller/Device/GetSelf.cs

@@ -4,6 +4,8 @@
 using Microsoft.EntityFrameworkCore;
 using OpenShock.API.Controller.Users;
 using OpenShock.API.Models.Response;
+using OpenShock.Common.Authentication;
+using OpenShock.Common.Extensions;
 using OpenShock.Common.Models;
 
 namespace OpenShock.API.Controller.Device;
@@ -19,7 +21,11 @@ public sealed partial class DeviceController
     [ProducesResponseType<LegacyDataResponse<DeviceSelfResponse>>(StatusCodes.Status200OK, MediaTypeNames.Application.Json)]
     public async Task<IActionResult> GetSelf()
     {
-        var shockers = await _db.Shockers.Where(x => x.DeviceId == CurrentDevice.Id).Select(x => new MinimalShocker
+        var identity = User.GetOpenShockUserIdentity();
+        var currentHubId = identity.GetClaimValueAsGuid(OpenShockAuthClaims.HubId);
+        var currentHubName = identity.GetClaimValue(OpenShockAuthClaims.HubName);
+        
+        var shockers = await _db.Shockers.Where(x => x.DeviceId == currentHubId).Select(x => new MinimalShocker
         {
             Id = x.Id,
             RfId = x.RfId,
@@ -28,8 +34,8 @@ public async Task<IActionResult> GetSelf()
 
         return LegacyDataOk(new DeviceSelfResponse
             {
-                Id = CurrentDevice.Id,
-                Name = CurrentDevice.Name,
+                Id = currentHubId,
+                Name = currentHubName,
                 Shockers = shockers
             }
         );

API/Controller/Device/_ApiController.cs

@@ -1,8 +1,8 @@
 using Asp.Versioning;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using OpenShock.Common;
 using OpenShock.Common.Authentication;
-using OpenShock.Common.Authentication.ControllerBase;
 using OpenShock.Common.OpenShockDb;
 using Redis.OM.Contracts;
 
@@ -17,7 +17,7 @@ namespace OpenShock.API.Controller.Device;
 [Tags("Hub Endpoints")]
 [Route("/{version:apiVersion}/device")]
 [Authorize(AuthenticationSchemes = OpenShockAuthSchemes.HubToken)]
-public sealed partial class DeviceController : AuthenticatedHubControllerBase
+public sealed partial class DeviceController : OpenShockControllerBase
 {
     private readonly OpenShockContext _db;
     private readonly IRedisConnectionProvider _redis;

API/Controller/OAuth/HandOff.cs

@@ -1,4 +1,5 @@
-using Microsoft.AspNetCore.Authentication;
+using System.Security.Claims;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.RateLimiting;
 using OpenShock.API.Services.OAuthConnection;
@@ -81,12 +82,15 @@ public async Task<IActionResult> OAuthHandOff(
 
             case OAuthFlow.Link:
             {
-                if (!User.TryGetAuthenticatedOpenShockUserId(out var userId))
+                var identity = User.TryGetOpenShockUserIdentity();
+                if (identity is null)
                 {
                     await HttpContext.SignOutAsync(OAuthConstants.FlowScheme);
                     return RedirectFrontendError("mustBeAuthenticated");
                 }
 
+                var userId = identity.GetClaimValueAsGuid(ClaimTypes.NameIdentifier);
+
                 if (connection is not null)
                 {
                     await HttpContext.SignOutAsync(OAuthConstants.FlowScheme);

Common/Authentication/AuthenticationHandlers/HubAuthentication.cs

@@ -16,7 +16,6 @@ namespace OpenShock.Common.Authentication.AuthenticationHandlers;
 /// </summary>
 public sealed class HubAuthentication : AuthenticationHandler<AuthenticationSchemeOptions>
 {
-    private readonly IClientAuthService<Device> _authService;
     private readonly OpenShockContext _db;
 
     private OpenShockProblem? _authResultError = null;
@@ -26,38 +25,44 @@ public HubAuthentication(
         IOptionsMonitor<AuthenticationSchemeOptions> options,
         ILoggerFactory logger,
         UrlEncoder encoder,
-        IClientAuthService<Device> clientAuth,
         OpenShockContext db
         )
         : base(options, logger, encoder)
     {
-        _authService = clientAuth;
         _db = db;
     }
 
     protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
     {
-        if (!Context.TryGetDeviceTokenFromHeader(out var sessionKey))
+        if (!Context.TryGetHubTokenFromHeader(out var hubToken))
         {
             return Fail(AuthResultError.HeaderMissingOrInvalid);
         }
 
-        var device = await _db.Devices.Include(d => d.Owner.UserDeactivation).FirstOrDefaultAsync(x => x.Token == sessionKey);
-        if (device is null)
+        var hub = await _db.Devices
+            .Where(x => x.Token == hubToken)
+            .Select(x => new
+            {
+                x.Id,
+                x.Name,
+                x.OwnerId,
+                IsDeactivated = x.Owner.UserDeactivation != null
+            })
+            .FirstOrDefaultAsync();
+        if (hub is null)
         {
             return Fail(AuthResultError.TokenInvalid);
         }
-        if (device.Owner.UserDeactivation is not null)
+        if (hub.IsDeactivated)
         {
             return Fail(AuthResultError.AccountDeactivated);
         }
 
-        _authService.CurrentClient = device;
-
         Claim[] claims = [
             new(ClaimTypes.AuthenticationMethod, OpenShockAuthSchemes.HubToken),
-            new(ClaimTypes.NameIdentifier, device.OwnerId.ToString()),
-            new(OpenShockAuthClaims.HubId, _authService.CurrentClient.Id.ToString()),
+            new(ClaimTypes.NameIdentifier, hub.OwnerId.ToString()),
+            new(OpenShockAuthClaims.HubId, hub.Id.ToString()),
+            new(OpenShockAuthClaims.HubName, hub.Name),
         ];
 
         var ident = new ClaimsIdentity(claims, OpenShockAuthSchemes.HubToken);

Common/Authentication/ControllerBase/AuthenticatedHubControllerBase.cs

@@ -5,4 +5,5 @@ public class OpenShockAuthClaims
     public const string ApiTokenId = "openshock.apiTokenId";
     public const string ApiTokenPermission = "openshock.ApiTokenPermission";
     public const string HubId = "openshock.hubId";
+    public const string HubName = "openshock.hubName";
 }

Common/Authentication/OpenShockAuthClaims.cs

@@ -6,55 +6,12 @@ namespace OpenShock.Common.Extensions;
 
 public static class ClaimsPrincipalExtensions
 {
-    public static bool HasOpenShockUserIdentity(this ClaimsPrincipal principal)
-    {
-        ArgumentNullException.ThrowIfNull(principal);
-        
-        foreach (var ident in principal.Identities)
-        {
-            if (ident is { IsAuthenticated: true, AuthenticationType: OpenShockAuthSchemes.UserSessionCookie })
-            {
-                return true;
-            }
-        }
-
-        return false;
-    }
+    private static readonly Func<ClaimsIdentity, bool> UserClaimPredicate = x => x is
+        { IsAuthenticated: true, AuthenticationType: OpenShockAuthSchemes.UserSessionCookie };
 
-    public static bool TryGetOpenShockUserIdentity(this ClaimsPrincipal principal, [NotNullWhen(true)] out ClaimsIdentity? identity)
-    {
-        ArgumentNullException.ThrowIfNull(principal);
-        
-        foreach (var ident in principal.Identities)
-        {
-            if (ident is { IsAuthenticated: true, AuthenticationType: OpenShockAuthSchemes.UserSessionCookie })
-            {
-                identity = ident;
-                return true;
-            }
-        }
-
-        identity = null;
-        return false;
-    }
-
-    public static bool TryGetAuthenticatedOpenShockUserId(this ClaimsPrincipal principal, out Guid userId)
-    {
-        ArgumentNullException.ThrowIfNull(principal);
-        
-        if (!principal.TryGetOpenShockUserIdentity(out var identity))
-        {
-            userId = Guid.Empty;
-            return false;
-        }
-        
-        var idStr = identity.Claims.SingleOrDefault(x => x.Type == ClaimTypes.NameIdentifier)?.Value;
-        if (string.IsNullOrEmpty(idStr))
-        {
-            userId = Guid.Empty;
-            return false;
-        }
-
-        return Guid.TryParse(idStr, out userId);
-    }
+    public static bool HasOpenShockUserIdentity(this ClaimsPrincipal principal) => principal.Identities.Any(UserClaimPredicate);
+    public static ClaimsIdentity GetOpenShockUserIdentity(this ClaimsPrincipal principal) => principal.Identities.Single(UserClaimPredicate);
+    public static ClaimsIdentity? TryGetOpenShockUserIdentity(this ClaimsPrincipal principal) => principal.Identities.SingleOrDefault(UserClaimPredicate);
+    public static string GetClaimValue(this ClaimsIdentity identity, string claimType) => identity.Claims.Single(x => x.Type == claimType).Value;
+    public static Guid GetClaimValueAsGuid(this ClaimsIdentity identity, string claimType) => Guid.Parse(GetClaimValue(identity, claimType));
 }

Common/Extensions/ClaimsPrincipalExtensions.cs

@@ -55,7 +55,7 @@ public static bool TryGetApiTokenFromHeader(this HttpContext context, [NotNullWh
         return false;
     }
 
-    public static bool TryGetDeviceTokenFromHeader(this HttpContext context, [NotNullWhen(true)] out string? token)
+    public static bool TryGetHubTokenFromHeader(this HttpContext context, [NotNullWhen(true)] out string? token)
     {
         ArgumentNullException.ThrowIfNull(context);
 

Common/Extensions/HttpContextExtensions.cs

@@ -109,7 +109,6 @@ public static IServiceCollection AddOpenShockServices(this IServiceCollection se
         });
 
         services.AddScoped<IClientAuthService<User>, ClientAuthService<User>>();
-        services.AddScoped<IClientAuthService<Device>, ClientAuthService<Device>>();
         services.AddScoped<IUserReferenceService, UserReferenceService>();
 
         var authBuilder = services

Common/OpenShockServiceHelper.cs

@@ -1,20 +1,20 @@
 using FlatSharp;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
-using Microsoft.Extensions.Options;
 using OneOf;
 using OneOf.Types;
-using OpenShock.Common.Authentication.Services;
 using OpenShock.Common.Constants;
 using OpenShock.Common.Errors;
-using OpenShock.Common.OpenShockDb;
 using OpenShock.Common.Problems;
 using OpenShock.Common.Utils;
 using OpenShock.LiveControlGateway.LifetimeManager;
 using OpenShock.LiveControlGateway.Options;
 using OpenShock.LiveControlGateway.Websocket;
 using OpenShock.Serialization.Gateway;
 using System.Net.WebSockets;
+using System.Security.Claims;
+using OpenShock.Common.Authentication;
+using OpenShock.Common.Extensions;
 using SemVersion = OpenShock.Common.Models.SemVersion;
 using Timer = System.Timers.Timer;
 
@@ -30,7 +30,8 @@ public abstract class HubControllerBase<TIn, TOut> : FlatbuffersWebsocketBaseCon
     /// <summary>
     /// The current hub
     /// </summary>
-    protected Device CurrentHub = null!;
+    protected Guid CurrentHubId = Guid.Empty;
+    protected Guid CurrentHubOwnerId = Guid.Empty;
 
     /// <summary>
     /// Service provider
@@ -43,7 +44,12 @@ public abstract class HubControllerBase<TIn, TOut> : FlatbuffersWebsocketBaseCon
     /// Hub lifetime
     /// </summary>
     /// <exception cref="InvalidOperationException"></exception>
-    protected HubLifetime HubLifetime => _hubLifetime ?? throw new InvalidOperationException("Hub lifetime is null but was tried to access");
+    protected HubLifetime HubLifetime
+    {
+        get => _hubLifetime ?? throw new InvalidOperationException("Hub lifetime is null but was tried to access");
+        private set => _hubLifetime = value;
+    }
+
     private readonly LcgOptions _options;
 
     private readonly HubLifetimeManager _hubLifetimeManager;
@@ -53,7 +59,7 @@ public abstract class HubControllerBase<TIn, TOut> : FlatbuffersWebsocketBaseCon
     private string? _userAgent;
 
     /// <inheritdoc cref="IHubController.Id" />
-    public override Guid Id => CurrentHub.Id;
+    public override Guid Id => CurrentHubId;
 
     /// <summary>
     /// Authentication context
@@ -62,9 +68,9 @@ public abstract class HubControllerBase<TIn, TOut> : FlatbuffersWebsocketBaseCon
     [NonAction]
     public void OnActionExecuting(ActionExecutingContext context)
     {
-        CurrentHub = ControllerContext.HttpContext.RequestServices
-            .GetRequiredService<IClientAuthService<Device>>()
-            .CurrentClient;
+        var identity = User.GetOpenShockUserIdentity();
+        CurrentHubId = identity.GetClaimValueAsGuid(OpenShockAuthClaims.HubId);
+        CurrentHubOwnerId = identity.GetClaimValueAsGuid(ClaimTypes.NameIdentifier);
     }
 
     /// <summary>
@@ -147,7 +153,7 @@ protected override async Task<OneOf<Success, Error<OpenShockProblem>>> Connectio
             return new Error<OpenShockProblem>(ExceptionError.Exception);
         }
 
-        _hubLifetime = hubLifetimeResult.AsT0;
+        HubLifetime = hubLifetimeResult.AsT0;
 
         return new Success();
     }
@@ -212,18 +218,18 @@ protected async Task<bool> SelfOnline(ulong uptimeMs, ushort? latency = null, in
         var bootedAt = GetBootedAtFromUptimeMs(uptimeMs);
         if (!bootedAt.HasValue)
         {
-            Logger.LogDebug("Client attempted to abuse reported boot time, uptime indicated that hub [{HubId}] booted prior to 2024", CurrentHub.Id);
+            Logger.LogDebug("Client attempted to abuse reported boot time, uptime indicated that hub [{HubId}] booted prior to 2024", CurrentHubId);
             return false;
         }
 
-        Logger.LogDebug("Received keep alive from hub [{HubId}]", CurrentHub.Id);
+        Logger.LogDebug("Received keep alive from hub [{HubId}]", CurrentHubId);
 
         // Reset the keep alive timeout
         _keepAliveTimeoutTimer.Interval = Duration.DeviceKeepAliveTimeout.TotalMilliseconds;
 
-        await HubLifetime.Online(CurrentHub.Id, new SelfOnlineData()
+        await HubLifetime.Online(CurrentHubId, new SelfOnlineData()
         {
-            Owner = CurrentHub.OwnerId,
+            Owner = CurrentHubOwnerId,
             Gateway = _options.Fqdn,
             FirmwareVersion = _firmwareVersion!,
             ConnectedAt = _connected,