feat: add discord oauth login

API/API.csproj

@@ -3,6 +3,7 @@
   <Import Project="../Shared.props" />
 
   <ItemGroup>
+    <PackageReference Include="AspNet.Security.OAuth.Discord" Version="9.4.0" />
     <PackageReference Include="Fluid.Core" Version="2.25.0" />
     <PackageReference Include="MailKit" Version="4.13.0" />
   </ItemGroup>

API/Controller/Account/Authenticated/ChangePassword.cs

@@ -17,7 +17,7 @@ public sealed partial class AuthenticatedAccountController
     [ProducesResponseType(StatusCodes.Status200OK)]
     public async Task<IActionResult> ChangePassword(ChangePasswordRequest data)
     {
-        if (!HashingUtils.VerifyPassword(data.OldPassword, CurrentUser.PasswordHash).Verified)
+        if (!string.IsNullOrEmpty(CurrentUser.PasswordHash) && !HashingUtils.VerifyPassword(data.OldPassword, CurrentUser.PasswordHash).Verified)
         {
             return Problem(AccountError.PasswordChangeInvalidPassword);
         }

API/Controller/Account/Authenticated/OAuthConnectionAdd.cs

@@ -0,0 +1,43 @@
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Mvc;
+using OpenShock.API.Extensions;
+using OpenShock.Common.Constants;
+using OpenShock.Common.Errors;
+using OpenShock.Common.Problems;
+using System.Net.Mime;
+
+namespace OpenShock.API.Controller.Account.Authenticated;
+
+public sealed partial class AuthenticatedAccountController
+{
+    /// <summary>
+    /// Start linking an OAuth provider to the current account.
+    /// </summary>
+    /// <remarks>
+    /// Initiates the OAuth flow (link mode) for a given provider.  
+    /// On success this returns a <c>302 Found</c> to the provider's authorization page.
+    /// After consent, the OAuth middleware will call the internal callback and finally
+    /// redirect to <c>/1/oauth/{provider}/handoff</c>.
+    /// </remarks>
+    /// <param name="provider">Provider key (e.g. <c>discord</c>).</param>
+    /// <param name="schemeProvider"></param>
+    /// <response code="302">Redirect to the provider authorization page.</response>
+    /// <response code="400">Unsupported or misconfigured provider.</response>
+    [HttpGet("connections/{provider}/link")]
+    [ProducesResponseType(StatusCodes.Status302Found)]
+    [ProducesResponseType<OpenShockProblem>(StatusCodes.Status400BadRequest, MediaTypeNames.Application.Json)]
+    public async Task<IActionResult> AddOAuthConnection([FromRoute] string provider, [FromServices] IAuthenticationSchemeProvider schemeProvider)
+    {
+        if (!await schemeProvider.IsSupportedOAuthScheme(provider))
+            return Problem(OAuthError.UnsupportedProvider);
+
+        // Kick off provider challenge in "link" mode.
+        // Redirect URI is our handoff endpoint which decides next UI step.
+        var props = new AuthenticationProperties {
+            RedirectUri = $"/1/oauth/{provider}/handoff",
+            Items = { { "flow", AuthConstants.OAuthLinkFlow } }
+        };
+
+        return Challenge(props, provider);
+    }
+}

API/Controller/Account/Authenticated/OAuthConnectionRemove.cs

@@ -0,0 +1,27 @@
+using Microsoft.AspNetCore.Mvc;
+using OpenShock.API.Services.OAuthConnection;
+
+namespace OpenShock.API.Controller.Account.Authenticated;
+
+public sealed partial class AuthenticatedAccountController
+{
+    /// <summary>
+    /// Remove an existing OAuth connection for the current user.
+    /// </summary>
+    /// <param name="provider">Provider key (e.g. <c>discord</c>).</param>
+    /// <param name="connectionService"></param>
+    /// <response code="204">Connection removed.</response>
+    /// <response code="404">No connection found for this provider.</response>
+    [HttpDelete("connections/{provider}")]
+    [ProducesResponseType(StatusCodes.Status204NoContent)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> RemoveOAuthConnection([FromRoute] string provider, [FromServices] IOAuthConnectionService connectionService)
+    {
+        var deleted = await connectionService.TryRemoveConnectionAsync(CurrentUser.Id, provider);
+
+        if (!deleted)
+            return NotFound();
+
+        return NoContent();
+    }
+}

API/Controller/Account/Authenticated/OAuthConnectionsList.cs

@@ -0,0 +1,30 @@
+using Microsoft.AspNetCore.Mvc;
+using OpenShock.API.Models.Response;
+using OpenShock.API.Services.OAuthConnection;
+
+namespace OpenShock.API.Controller.Account.Authenticated;
+
+public sealed partial class AuthenticatedAccountController
+{
+    /// <summary>
+    /// List OAuth connections linked to the current user.
+    /// </summary>
+    /// <returns>Array of connections with provider key, external id, display name and link time.</returns>
+    /// <response code="200">Returns the list of connections.</response>
+    [HttpGet("connections")]
+    [ProducesResponseType(StatusCodes.Status200OK)]
+    public async Task<OAuthConnectionResponse[]> ListOAuthConnections([FromServices] IOAuthConnectionService connectionService)
+    {
+        var connections = await connectionService.GetConnectionsAsync(CurrentUser.Id);
+
+        return connections
+            .Select(c => new OAuthConnectionResponse
+            {
+                ProviderKey = c.ProviderKey,
+                ExternalId = c.ExternalId,
+                DisplayName = c.DisplayName,
+                LinkedAt = c.CreatedAt
+            })
+            .ToArray();
+    }
+}

API/Controller/Account/Login.cs

@@ -46,8 +46,9 @@ public async Task<IActionResult> Login(
                 HttpContext.SetSessionKeyCookie(ok.Token, "." + cookieDomainToUse);
                 return LegacyEmptyOk("Successfully logged in");
             },
-            notActivated => Problem(AccountError.AccountNotActivated),
             deactivated => Problem(AccountError.AccountDeactivated),
+            oauthOnly => Problem(AccountError.AccountOAuthOnly),
+            notActivated => Problem(AccountError.AccountNotActivated),
             notFound => Problem(LoginError.InvalidCredentials)
         );
     }

API/Controller/Account/LoginV2.cs

@@ -62,8 +62,9 @@ public async Task<IActionResult> LoginV2(
                 HttpContext.SetSessionKeyCookie(ok.Token, "." + cookieDomainToUse);
                 return Ok(LoginV2OkResponse.FromUser(ok.User));
             },
-            notActivated => Problem(AccountError.AccountNotActivated),
             deactivated => Problem(AccountError.AccountDeactivated),
+            oauthOnly => Problem(AccountError.AccountOAuthOnly),
+            notActivated => Problem(AccountError.AccountNotActivated),
             notFound => Problem(LoginError.InvalidCredentials)
         );
     }

API/Controller/Account/Signup.cs

@@ -27,7 +27,7 @@ public async Task<IActionResult> SignUp([FromBody] SignUp body)
         var creationAction = await _accountService.CreateAccountWithoutActivationFlowLegacyAsync(body.Email, body.Username, body.Password);
         return creationAction.Match<IActionResult>(
             ok => LegacyEmptyOk("Successfully signed up"),
-            alreadyExists => Problem(SignupError.EmailAlreadyExists)
+            alreadyExists => Problem(SignupError.UsernameOrEmailExists)
             );
     }
 }

API/Controller/Account/SignupV2.cs

@@ -45,7 +45,7 @@ public async Task<IActionResult> SignUpV2(
         var creationAction = await _accountService.CreateAccountWithActivationFlowAsync(body.Email, body.Username, body.Password);
         return creationAction.Match<IActionResult>(
             _ => Ok(),
-            _ => Problem(SignupError.EmailAlreadyExists)
+            _ => Problem(SignupError.UsernameOrEmailExists)
         );
     }
 }

API/Controller/OAuth/Authorize.cs

@@ -0,0 +1,42 @@
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.RateLimiting;
+using OpenShock.API.Extensions;
+using OpenShock.Common.Constants;
+using OpenShock.Common.Errors;
+using OpenShock.Common.Problems;
+using System.Net.Mime;
+
+namespace OpenShock.API.Controller.OAuth;
+
+public sealed partial class OAuthController
+{
+    /// <summary>
+    /// Start OAuth authorization for a given provider (login-or-create flow).
+    /// </summary>
+    /// <remarks>
+    /// Initiates an OAuth challenge in "login-or-create" mode.  
+    /// Returns <c>302</c> redirect to the provider authorization page.
+    /// </remarks>
+    /// <param name="provider">Provider key (e.g. <c>discord</c>).</param>
+    /// <response code="302">Redirect to the provider authorization page.</response>
+    /// <response code="400">Unsupported or misconfigured provider.</response>
+    [EnableRateLimiting("auth")]
+    [HttpGet("{provider}/authorize")]
+    [ProducesResponseType(StatusCodes.Status302Found)]
+    [ProducesResponseType<OpenShockProblem>(StatusCodes.Status400BadRequest, MediaTypeNames.Application.Json)]
+    public async Task<IActionResult> OAuthAuthorize([FromRoute] string provider)
+    {
+        if (!await _schemeProvider.IsSupportedOAuthScheme(provider))
+            return Problem(OAuthError.UnsupportedProvider);
+
+        // Kick off provider challenge in "login-or-create" mode.
+        var props = new AuthenticationProperties
+        {
+            RedirectUri = $"/1/oauth/{provider}/handoff",
+            Items = { { "flow", AuthConstants.OAuthLoginOrCreateFlow } }
+        };
+
+        return Challenge(props, provider);
+    }
+}