| | | 1 | | using System; |
| | | 2 | | using System.Diagnostics.CodeAnalysis; |
| | | 3 | | using System.Globalization; |
| | | 4 | | using System.Threading.Tasks; |
| | | 5 | | using Jellyfin.Database.Implementations.Entities; |
| | | 6 | | using MediaBrowser.Controller.Authentication; |
| | | 7 | | using MediaBrowser.Model.Cryptography; |
| | | 8 | | using Microsoft.Extensions.Logging; |
| | | 9 | | |
| | | 10 | | namespace Jellyfin.Server.Implementations.Users |
| | | 11 | | { |
| | | 12 | | /// <summary> |
| | | 13 | | /// The default authentication provider. |
| | | 14 | | /// </summary> |
| | | 15 | | public class DefaultAuthenticationProvider : IAuthenticationProvider, IRequiresResolvedUser |
| | | 16 | | { |
| | | 17 | | private readonly ILogger<DefaultAuthenticationProvider> _logger; |
| | | 18 | | private readonly ICryptoProvider _cryptographyProvider; |
| | | 19 | | |
| | | 20 | | /// <summary> |
| | | 21 | | /// Initializes a new instance of the <see cref="DefaultAuthenticationProvider"/> class. |
| | | 22 | | /// </summary> |
| | | 23 | | /// <param name="logger">The logger.</param> |
| | | 24 | | /// <param name="cryptographyProvider">The cryptography provider.</param> |
| | | 25 | | public DefaultAuthenticationProvider(ILogger<DefaultAuthenticationProvider> logger, ICryptoProvider cryptography |
| | | 26 | | { |
| | 21 | 27 | | _logger = logger; |
| | 21 | 28 | | _cryptographyProvider = cryptographyProvider; |
| | 21 | 29 | | } |
| | | 30 | | |
| | | 31 | | /// <inheritdoc /> |
| | 0 | 32 | | public string Name => "Default"; |
| | | 33 | | |
| | | 34 | | /// <inheritdoc /> |
| | 56 | 35 | | public bool IsEnabled => true; |
| | | 36 | | |
| | | 37 | | /// <inheritdoc /> |
| | | 38 | | // This is dumb and an artifact of the backwards way auth providers were designed. |
| | | 39 | | // This version of authenticate was never meant to be called, but needs to be here for interface compat |
| | | 40 | | // Only the providers that don't provide local user support use this |
| | | 41 | | public Task<ProviderAuthenticationResult> Authenticate(string username, string password) |
| | | 42 | | { |
| | 0 | 43 | | throw new NotImplementedException(); |
| | | 44 | | } |
| | | 45 | | |
| | | 46 | | /// <inheritdoc /> |
| | | 47 | | // This is the version that we need to use for local users. Because reasons. |
| | | 48 | | public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User? resolvedUser) |
| | | 49 | | { |
| | | 50 | | [DoesNotReturn] |
| | | 51 | | static void ThrowAuthenticationException() |
| | | 52 | | { |
| | | 53 | | throw new AuthenticationException("Invalid username or password"); |
| | | 54 | | } |
| | | 55 | | |
| | 15 | 56 | | if (resolvedUser is null) |
| | | 57 | | { |
| | 0 | 58 | | ThrowAuthenticationException(); |
| | | 59 | | } |
| | | 60 | | |
| | | 61 | | // As long as jellyfin supports password-less users, we need this little block here to accommodate |
| | 15 | 62 | | if (!HasPassword(resolvedUser) && string.IsNullOrEmpty(password)) |
| | | 63 | | { |
| | 15 | 64 | | return Task.FromResult(new ProviderAuthenticationResult |
| | 15 | 65 | | { |
| | 15 | 66 | | Username = username |
| | 15 | 67 | | }); |
| | | 68 | | } |
| | | 69 | | |
| | | 70 | | // Handle the case when the stored password is null, but the user tried to login with a password |
| | 0 | 71 | | if (resolvedUser.Password is null) |
| | | 72 | | { |
| | 0 | 73 | | ThrowAuthenticationException(); |
| | | 74 | | } |
| | | 75 | | |
| | 0 | 76 | | PasswordHash readyHash = PasswordHash.Parse(resolvedUser.Password); |
| | 0 | 77 | | if (!_cryptographyProvider.Verify(readyHash, password)) |
| | | 78 | | { |
| | 0 | 79 | | ThrowAuthenticationException(); |
| | | 80 | | } |
| | | 81 | | |
| | | 82 | | // Migrate old hashes to the new default |
| | 0 | 83 | | if (!string.Equals(readyHash.Id, _cryptographyProvider.DefaultHashMethod, StringComparison.Ordinal) |
| | 0 | 84 | | || int.Parse(readyHash.Parameters["iterations"], CultureInfo.InvariantCulture) != Constants.DefaultItera |
| | | 85 | | { |
| | 0 | 86 | | _logger.LogInformation("Migrating password hash of {User} to the latest default", username); |
| | 0 | 87 | | ChangePassword(resolvedUser, password); |
| | | 88 | | } |
| | | 89 | | |
| | 0 | 90 | | return Task.FromResult(new ProviderAuthenticationResult |
| | 0 | 91 | | { |
| | 0 | 92 | | Username = username |
| | 0 | 93 | | }); |
| | | 94 | | } |
| | | 95 | | |
| | | 96 | | /// <inheritdoc /> |
| | | 97 | | public bool HasPassword(User user) |
| | 53 | 98 | | => !string.IsNullOrEmpty(user?.Password); |
| | | 99 | | |
| | | 100 | | /// <inheritdoc /> |
| | | 101 | | public Task ChangePassword(User user, string newPassword) |
| | | 102 | | { |
| | 3 | 103 | | if (string.IsNullOrEmpty(newPassword)) |
| | | 104 | | { |
| | 1 | 105 | | user.Password = null; |
| | 1 | 106 | | return Task.CompletedTask; |
| | | 107 | | } |
| | | 108 | | |
| | 2 | 109 | | PasswordHash newPasswordHash = _cryptographyProvider.CreatePasswordHash(newPassword); |
| | 2 | 110 | | user.Password = newPasswordHash.ToString(); |
| | | 111 | | |
| | 2 | 112 | | return Task.CompletedTask; |
| | | 113 | | } |
| | | 114 | | } |
| | | 115 | | } |