Refactoring using Claims more, add Server Side Messaging (#20)

* add some refactoring based on claims, handle chara ident inside claim, fix discord userid in log * improve authentication responses, add server side messaging * update server to mainline api Co-authored-by: rootdarkarchon <root.darkarchon@outlook.com>
2025-12-30 12:43:38 +01:00 · 2023-01-04 15:49:18 +01:00 · 2023-01-04 15:49:18 +01:00 · 74b7fcdf89
commit 74b7fcdf89
parent 5f0c12ecfa
25 changed files with 350 additions and 204 deletions
--- a/MareSynchronosServer/MareSynchronosServer/Authentication/SecretKeyAuthReply.cs
+++ b/MareSynchronosServer/MareSynchronosServer/Authentication/SecretKeyAuthReply.cs
@ -0,0 +1,3 @@
+namespace MareSynchronosServer.Authentication;
+
+public record SecretKeyAuthReply(bool Success, string Uid, bool TempBan);
--- a/MareSynchronosServer/MareSynchronosServer/Authentication/SecretKeyAuthenticatorService.cs
+++ b/MareSynchronosServer/MareSynchronosServer/Authentication/SecretKeyAuthenticatorService.cs
@ -0,0 +1,102 @@
+using System.Collections.Concurrent;
+using MareSynchronosShared.Data;
+using MareSynchronosShared.Metrics;
+using MareSynchronosShared.Services;
+using MareSynchronosShared.Utils;
+using Microsoft.EntityFrameworkCore;
+
+namespace MareSynchronosServer.Authentication;
+
+public class SecretKeyAuthenticatorService
+{
+    private readonly MareMetrics _metrics;
+    private readonly IServiceScopeFactory _serviceScopeFactory;
+    private readonly IConfigurationService<MareConfigurationAuthBase> _configurationService;
+    private readonly ILogger<SecretKeyAuthenticatorService> _logger;
+    private readonly ConcurrentDictionary<string, SecretKeyAuthReply> _cachedPositiveResponses = new(StringComparer.Ordinal);
+    private readonly ConcurrentDictionary<string, SecretKeyFailedAuthorization> _failedAuthorizations = new(StringComparer.Ordinal);
+
+    public SecretKeyAuthenticatorService(MareMetrics metrics, IServiceScopeFactory serviceScopeFactory, IConfigurationService<MareConfigurationAuthBase> configuration, ILogger<SecretKeyAuthenticatorService> logger)
+    {
+        _logger = logger;
+        _configurationService = configuration;
+        _metrics = metrics;
+        _serviceScopeFactory = serviceScopeFactory;
+    }
+
+    public async Task<SecretKeyAuthReply> AuthorizeAsync(string ip, string hashedSecretKey)
+    {
+        _metrics.IncCounter(MetricsAPI.CounterAuthenticationRequests);
+
+        if (_cachedPositiveResponses.TryGetValue(hashedSecretKey, out var cachedPositiveResponse))
+        {
+            _metrics.IncCounter(MetricsAPI.CounterAuthenticationCacheHits);
+            return cachedPositiveResponse;
+        }
+
+        if (_failedAuthorizations.TryGetValue(ip, out var existingFailedAuthorization)
+            && existingFailedAuthorization.FailedAttempts > _configurationService.GetValueOrDefault(nameof(MareConfigurationAuthBase.FailedAuthForTempBan), 5))
+        {
+            if (existingFailedAuthorization.ResetTask == null)
+            {
+                _logger.LogWarning("TempBan {ip} for authorization spam", ip);
+
+                existingFailedAuthorization.ResetTask = Task.Run(async () =>
+                {
+                    await Task.Delay(TimeSpan.FromMinutes(_configurationService.GetValueOrDefault(nameof(MareConfigurationAuthBase.TempBanDurationInMinutes), 5))).ConfigureAwait(false);
+
+                }).ContinueWith((t) =>
+                {
+                    _failedAuthorizations.Remove(ip, out _);
+                });
+            }
+            return new(Success: false, Uid: null, TempBan: true);
+        }
+
+        using var scope = _serviceScopeFactory.CreateScope();
+        using var context = scope.ServiceProvider.GetService<MareDbContext>();
+        var authReply = await context.Auth.AsNoTracking().SingleOrDefaultAsync(u => u.HashedKey == hashedSecretKey).ConfigureAwait(false);
+
+        SecretKeyAuthReply reply = new(authReply != null, authReply?.UserUID, false);
+
+        if (reply.Success)
+        {
+            _metrics.IncCounter(MetricsAPI.CounterAuthenticationSuccesses);
+
+            _cachedPositiveResponses[hashedSecretKey] = reply;
+            _ = Task.Run(async () =>
+            {
+                await Task.Delay(TimeSpan.FromMinutes(5)).ConfigureAwait(false);
+                _cachedPositiveResponses.TryRemove(hashedSecretKey, out _);
+            });
+
+        }
+        else
+        {
+            return AuthenticationFailure(ip);
+        }
+
+        return reply;
+    }
+
+    private SecretKeyAuthReply AuthenticationFailure(string ip)
+    {
+        _metrics.IncCounter(MetricsAPI.CounterAuthenticationFailures);
+
+        _logger.LogWarning("Failed authorization from {ip}", ip);
+        var whitelisted = _configurationService.GetValueOrDefault(nameof(MareConfigurationAuthBase.WhitelistedIps), new List<string>());
+        if (!whitelisted.Any(w => ip.Contains(w, StringComparison.OrdinalIgnoreCase)))
+        {
+            if (_failedAuthorizations.TryGetValue(ip, out var auth))
+            {
+                auth.IncreaseFailedAttempts();
+            }
+            else
+            {
+                _failedAuthorizations[ip] = new SecretKeyFailedAuthorization();
+            }
+        }
+
+        return new(Success: false, Uid: null, TempBan: false);
+    }
+}
--- a/MareSynchronosServer/MareSynchronosServer/Authentication/SecretKeyFailedAuthorization.cs
+++ b/MareSynchronosServer/MareSynchronosServer/Authentication/SecretKeyFailedAuthorization.cs
@ -0,0 +1,12 @@
+namespace MareSynchronosServer.Authentication;
+
+internal record SecretKeyFailedAuthorization
+{
+    private int failedAttempts = 1;
+    public int FailedAttempts => failedAttempts;
+    public Task ResetTask { get; set; }
+    public void IncreaseFailedAttempts()
+    {
+        Interlocked.Increment(ref failedAttempts);
+    }
+}