| | | 1 | | #pragma warning disable CS1591 |
| | | 2 | | |
| | | 3 | | using System; |
| | | 4 | | using System.Collections.Generic; |
| | | 5 | | using System.Net; |
| | | 6 | | using System.Threading.Tasks; |
| | | 7 | | using Jellyfin.Data.Queries; |
| | | 8 | | using Jellyfin.Database.Implementations; |
| | | 9 | | using Jellyfin.Extensions; |
| | | 10 | | using MediaBrowser.Controller; |
| | | 11 | | using MediaBrowser.Controller.Configuration; |
| | | 12 | | using MediaBrowser.Controller.Devices; |
| | | 13 | | using MediaBrowser.Controller.Library; |
| | | 14 | | using MediaBrowser.Controller.Net; |
| | | 15 | | using Microsoft.AspNetCore.Http; |
| | | 16 | | using Microsoft.EntityFrameworkCore; |
| | | 17 | | using Microsoft.Net.Http.Headers; |
| | | 18 | | |
| | | 19 | | namespace Jellyfin.Server.Implementations.Security |
| | | 20 | | { |
| | | 21 | | public class AuthorizationContext : IAuthorizationContext |
| | | 22 | | { |
| | | 23 | | private readonly IDbContextFactory<JellyfinDbContext> _jellyfinDbProvider; |
| | | 24 | | private readonly IUserManager _userManager; |
| | | 25 | | private readonly IDeviceManager _deviceManager; |
| | | 26 | | private readonly IServerApplicationHost _serverApplicationHost; |
| | | 27 | | private readonly IServerConfigurationManager _configurationManager; |
| | | 28 | | |
| | | 29 | | public AuthorizationContext( |
| | | 30 | | IDbContextFactory<JellyfinDbContext> jellyfinDb, |
| | | 31 | | IUserManager userManager, |
| | | 32 | | IDeviceManager deviceManager, |
| | | 33 | | IServerApplicationHost serverApplicationHost, |
| | | 34 | | IServerConfigurationManager configurationManager) |
| | | 35 | | { |
| | 20 | 36 | | _jellyfinDbProvider = jellyfinDb; |
| | 20 | 37 | | _userManager = userManager; |
| | 20 | 38 | | _deviceManager = deviceManager; |
| | 20 | 39 | | _serverApplicationHost = serverApplicationHost; |
| | 20 | 40 | | _configurationManager = configurationManager; |
| | 20 | 41 | | } |
| | | 42 | | |
| | | 43 | | public Task<AuthorizationInfo> GetAuthorizationInfo(HttpContext requestContext) |
| | | 44 | | { |
| | 0 | 45 | | if (requestContext.Request.HttpContext.Items.TryGetValue("AuthorizationInfo", out var cached) && cached is n |
| | | 46 | | { |
| | 0 | 47 | | return Task.FromResult((AuthorizationInfo)cached); // Cache should never contain null |
| | | 48 | | } |
| | | 49 | | |
| | 0 | 50 | | return GetAuthorization(requestContext); |
| | | 51 | | } |
| | | 52 | | |
| | | 53 | | public async Task<AuthorizationInfo> GetAuthorizationInfo(HttpRequest requestContext) |
| | | 54 | | { |
| | | 55 | | var auth = GetAuthorizationDictionary(requestContext); |
| | | 56 | | var authInfo = await GetAuthorizationInfoFromDictionary(auth, requestContext.Headers, requestContext.Query). |
| | | 57 | | return authInfo; |
| | | 58 | | } |
| | | 59 | | |
| | | 60 | | /// <summary> |
| | | 61 | | /// Gets the authorization. |
| | | 62 | | /// </summary> |
| | | 63 | | /// <param name="httpContext">The HTTP context.</param> |
| | | 64 | | /// <returns>Dictionary{System.StringSystem.String}.</returns> |
| | | 65 | | private async Task<AuthorizationInfo> GetAuthorization(HttpContext httpContext) |
| | | 66 | | { |
| | | 67 | | var authInfo = await GetAuthorizationInfo(httpContext.Request).ConfigureAwait(false); |
| | | 68 | | |
| | | 69 | | httpContext.Request.HttpContext.Items["AuthorizationInfo"] = authInfo; |
| | | 70 | | return authInfo; |
| | | 71 | | } |
| | | 72 | | |
| | | 73 | | private async Task<AuthorizationInfo> GetAuthorizationInfoFromDictionary( |
| | | 74 | | Dictionary<string, string>? auth, |
| | | 75 | | IHeaderDictionary headers, |
| | | 76 | | IQueryCollection queryString) |
| | | 77 | | { |
| | | 78 | | string? deviceId = null; |
| | | 79 | | string? deviceName = null; |
| | | 80 | | string? client = null; |
| | | 81 | | string? version = null; |
| | | 82 | | string? token = null; |
| | | 83 | | |
| | | 84 | | if (auth is not null) |
| | | 85 | | { |
| | | 86 | | auth.TryGetValue("DeviceId", out deviceId); |
| | | 87 | | auth.TryGetValue("Device", out deviceName); |
| | | 88 | | auth.TryGetValue("Client", out client); |
| | | 89 | | auth.TryGetValue("Version", out version); |
| | | 90 | | auth.TryGetValue("Token", out token); |
| | | 91 | | } |
| | | 92 | | |
| | | 93 | | if (_configurationManager.Configuration.EnableLegacyAuthorization && string.IsNullOrEmpty(token)) |
| | | 94 | | { |
| | | 95 | | token = headers["X-Emby-Token"]; |
| | | 96 | | } |
| | | 97 | | |
| | | 98 | | if (_configurationManager.Configuration.EnableLegacyAuthorization && string.IsNullOrEmpty(token)) |
| | | 99 | | { |
| | | 100 | | token = headers["X-MediaBrowser-Token"]; |
| | | 101 | | } |
| | | 102 | | |
| | | 103 | | if (string.IsNullOrEmpty(token)) |
| | | 104 | | { |
| | | 105 | | token = queryString["ApiKey"]; |
| | | 106 | | } |
| | | 107 | | |
| | | 108 | | if (_configurationManager.Configuration.EnableLegacyAuthorization && string.IsNullOrEmpty(token)) |
| | | 109 | | { |
| | | 110 | | token = queryString["api_key"]; |
| | | 111 | | } |
| | | 112 | | |
| | | 113 | | var authInfo = new AuthorizationInfo |
| | | 114 | | { |
| | | 115 | | Client = client, |
| | | 116 | | Device = deviceName, |
| | | 117 | | DeviceId = deviceId, |
| | | 118 | | Version = version, |
| | | 119 | | Token = token, |
| | | 120 | | IsAuthenticated = false |
| | | 121 | | }; |
| | | 122 | | |
| | | 123 | | if (!authInfo.HasToken) |
| | | 124 | | { |
| | | 125 | | // Request doesn't contain a token. |
| | | 126 | | return authInfo; |
| | | 127 | | } |
| | | 128 | | |
| | | 129 | | var dbContext = await _jellyfinDbProvider.CreateDbContextAsync().ConfigureAwait(false); |
| | | 130 | | await using (dbContext.ConfigureAwait(false)) |
| | | 131 | | { |
| | | 132 | | var device = _deviceManager.GetDevices( |
| | | 133 | | new DeviceQuery { AccessToken = token }).Items.FirstOrDefault(); |
| | | 134 | | |
| | | 135 | | if (device is not null) |
| | | 136 | | { |
| | | 137 | | authInfo.IsAuthenticated = true; |
| | | 138 | | var updateToken = false; |
| | | 139 | | |
| | | 140 | | // TODO: Remove these checks for IsNullOrWhiteSpace |
| | | 141 | | if (string.IsNullOrWhiteSpace(authInfo.Client)) |
| | | 142 | | { |
| | | 143 | | authInfo.Client = device.AppName; |
| | | 144 | | } |
| | | 145 | | |
| | | 146 | | if (string.IsNullOrWhiteSpace(authInfo.DeviceId)) |
| | | 147 | | { |
| | | 148 | | authInfo.DeviceId = device.DeviceId; |
| | | 149 | | } |
| | | 150 | | |
| | | 151 | | // Temporary. TODO - allow clients to specify that the token has been shared with a casting device |
| | | 152 | | var allowTokenInfoUpdate = !authInfo.Client.Contains("chromecast", StringComparison.OrdinalIgnoreCas |
| | | 153 | | |
| | | 154 | | if (string.IsNullOrWhiteSpace(authInfo.Device)) |
| | | 155 | | { |
| | | 156 | | authInfo.Device = device.DeviceName; |
| | | 157 | | } |
| | | 158 | | else if (!string.Equals(authInfo.Device, device.DeviceName, StringComparison.OrdinalIgnoreCase)) |
| | | 159 | | { |
| | | 160 | | if (allowTokenInfoUpdate) |
| | | 161 | | { |
| | | 162 | | updateToken = true; |
| | | 163 | | device.DeviceName = authInfo.Device; |
| | | 164 | | } |
| | | 165 | | } |
| | | 166 | | |
| | | 167 | | if (string.IsNullOrWhiteSpace(authInfo.Version)) |
| | | 168 | | { |
| | | 169 | | authInfo.Version = device.AppVersion; |
| | | 170 | | } |
| | | 171 | | else if (!string.Equals(authInfo.Version, device.AppVersion, StringComparison.OrdinalIgnoreCase)) |
| | | 172 | | { |
| | | 173 | | if (allowTokenInfoUpdate) |
| | | 174 | | { |
| | | 175 | | updateToken = true; |
| | | 176 | | device.AppVersion = authInfo.Version; |
| | | 177 | | } |
| | | 178 | | } |
| | | 179 | | |
| | | 180 | | if ((DateTime.UtcNow - device.DateLastActivity).TotalMinutes > 3) |
| | | 181 | | { |
| | | 182 | | device.DateLastActivity = DateTime.UtcNow; |
| | | 183 | | updateToken = true; |
| | | 184 | | } |
| | | 185 | | |
| | | 186 | | authInfo.User = _userManager.GetUserById(device.UserId); |
| | | 187 | | |
| | | 188 | | if (updateToken) |
| | | 189 | | { |
| | | 190 | | await _deviceManager.UpdateDevice(device).ConfigureAwait(false); |
| | | 191 | | } |
| | | 192 | | } |
| | | 193 | | else |
| | | 194 | | { |
| | | 195 | | var key = await dbContext.ApiKeys.FirstOrDefaultAsync(apiKey => apiKey.AccessToken == token).Configu |
| | | 196 | | if (key is not null) |
| | | 197 | | { |
| | | 198 | | authInfo.IsAuthenticated = true; |
| | | 199 | | authInfo.Client = key.Name; |
| | | 200 | | authInfo.Token = key.AccessToken; |
| | | 201 | | if (string.IsNullOrWhiteSpace(authInfo.DeviceId)) |
| | | 202 | | { |
| | | 203 | | authInfo.DeviceId = _serverApplicationHost.SystemId; |
| | | 204 | | } |
| | | 205 | | |
| | | 206 | | if (string.IsNullOrWhiteSpace(authInfo.Device)) |
| | | 207 | | { |
| | | 208 | | authInfo.Device = _serverApplicationHost.Name; |
| | | 209 | | } |
| | | 210 | | |
| | | 211 | | if (string.IsNullOrWhiteSpace(authInfo.Version)) |
| | | 212 | | { |
| | | 213 | | authInfo.Version = _serverApplicationHost.ApplicationVersionString; |
| | | 214 | | } |
| | | 215 | | |
| | | 216 | | authInfo.IsApiKey = true; |
| | | 217 | | } |
| | | 218 | | } |
| | | 219 | | |
| | | 220 | | return authInfo; |
| | | 221 | | } |
| | | 222 | | } |
| | | 223 | | |
| | | 224 | | /// <summary> |
| | | 225 | | /// Gets the auth. |
| | | 226 | | /// </summary> |
| | | 227 | | /// <param name="httpReq">The HTTP request.</param> |
| | | 228 | | /// <returns>Dictionary{System.StringSystem.String}.</returns> |
| | | 229 | | private Dictionary<string, string>? GetAuthorizationDictionary(HttpRequest httpReq) |
| | | 230 | | { |
| | 187 | 231 | | var auth = httpReq.Headers[HeaderNames.Authorization]; |
| | | 232 | | |
| | 187 | 233 | | if (_configurationManager.Configuration.EnableLegacyAuthorization && string.IsNullOrEmpty(auth)) |
| | | 234 | | { |
| | 59 | 235 | | auth = httpReq.Headers["X-Emby-Authorization"]; |
| | | 236 | | } |
| | | 237 | | |
| | 187 | 238 | | return auth.Count > 0 ? GetAuthorization(auth[0]) : null; |
| | | 239 | | } |
| | | 240 | | |
| | | 241 | | /// <summary> |
| | | 242 | | /// Gets the authorization. |
| | | 243 | | /// </summary> |
| | | 244 | | /// <param name="authorizationHeader">The authorization header.</param> |
| | | 245 | | /// <returns>Dictionary{System.StringSystem.String}.</returns> |
| | | 246 | | private Dictionary<string, string>? GetAuthorization(ReadOnlySpan<char> authorizationHeader) |
| | | 247 | | { |
| | 128 | 248 | | var firstSpace = authorizationHeader.IndexOf(' '); |
| | | 249 | | |
| | | 250 | | // There should be at least two parts |
| | 128 | 251 | | if (firstSpace == -1) |
| | | 252 | | { |
| | 0 | 253 | | return null; |
| | | 254 | | } |
| | | 255 | | |
| | 128 | 256 | | var name = authorizationHeader[..firstSpace]; |
| | | 257 | | |
| | 128 | 258 | | var validName = name.Equals("MediaBrowser", StringComparison.OrdinalIgnoreCase); |
| | 128 | 259 | | validName = validName || (_configurationManager.Configuration.EnableLegacyAuthorization && name.Equals("Emby |
| | | 260 | | |
| | 128 | 261 | | if (!validName) |
| | | 262 | | { |
| | 0 | 263 | | return null; |
| | | 264 | | } |
| | | 265 | | |
| | | 266 | | // Remove up until the first space |
| | 128 | 267 | | authorizationHeader = authorizationHeader[(firstSpace + 1)..]; |
| | 128 | 268 | | return GetParts(authorizationHeader); |
| | | 269 | | } |
| | | 270 | | |
| | | 271 | | /// <summary> |
| | | 272 | | /// Get the authorization header components. |
| | | 273 | | /// </summary> |
| | | 274 | | /// <param name="authorizationHeader">The authorization header.</param> |
| | | 275 | | /// <returns>Dictionary{System.StringSystem.String}.</returns> |
| | | 276 | | public static Dictionary<string, string> GetParts(ReadOnlySpan<char> authorizationHeader) |
| | | 277 | | { |
| | 133 | 278 | | var result = new Dictionary<string, string>(); |
| | 133 | 279 | | var escaped = false; |
| | 133 | 280 | | int start = 0; |
| | 133 | 281 | | string key = string.Empty; |
| | | 282 | | |
| | | 283 | | int i; |
| | 34666 | 284 | | for (i = 0; i < authorizationHeader.Length; i++) |
| | | 285 | | { |
| | 17200 | 286 | | var token = authorizationHeader[i]; |
| | 17200 | 287 | | if (token == '"' || token == ',') |
| | | 288 | | { |
| | | 289 | | // Applying a XOR logic to evaluate whether it is opening or closing a value |
| | 1523 | 290 | | escaped = (!escaped) == (token == '"'); |
| | 1523 | 291 | | if (token == ',' && !escaped) |
| | | 292 | | { |
| | | 293 | | // Meeting a comma after a closing escape char means the value is complete |
| | 485 | 294 | | if (start < i) |
| | | 295 | | { |
| | 485 | 296 | | result[key] = WebUtility.UrlDecode(authorizationHeader[start..i].Trim('"').ToString()); |
| | 485 | 297 | | key = string.Empty; |
| | | 298 | | } |
| | | 299 | | |
| | 485 | 300 | | start = i + 1; |
| | | 301 | | } |
| | | 302 | | } |
| | 15677 | 303 | | else if (!escaped && token == '=') |
| | | 304 | | { |
| | 618 | 305 | | key = authorizationHeader[start.. i].Trim().ToString(); |
| | 618 | 306 | | start = i + 1; |
| | | 307 | | } |
| | | 308 | | } |
| | | 309 | | |
| | | 310 | | // Add last value |
| | 133 | 311 | | if (start < i) |
| | | 312 | | { |
| | 133 | 313 | | result[key] = WebUtility.UrlDecode(authorizationHeader[start..i].Trim('"').ToString()); |
| | | 314 | | } |
| | | 315 | | |
| | 133 | 316 | | return result; |
| | | 317 | | } |
| | | 318 | | } |
| | | 319 | | } |