feat(auth): support API keys (#230)

* feat(auth): initial draft for static API keys

* fix(auth): api key authentification

The ApiKeys section of the appsettings.json is now loaded correctly

* fix(static): we're in Hamburg now

* feat(auth): allow api key for sending PMs & fix NRE

---------

Co-authored-by: Maakinoh <info@maakinoh.de>

src/Eurofurence.App.Server.Web/Controllers/CommunicationController.cs

@@ -7,6 +7,8 @@
 using Eurofurence.App.Server.Services.Abstractions.Communication;
 using Eurofurence.App.Server.Services.Abstractions.Security;
 using Eurofurence.App.Server.Web.Extensions;
+using Eurofurence.App.Server.Web.Identity;
+using IdentityModel.AspNetCore.OAuth2Introspection;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
@@ -86,7 +88,7 @@ public async Task<ActionResult> MarkMyPrivateMessageAsReadAsync(
         /// <param name="Request"></param>
         /// <returns>The `Id` of the message that has been delivered.</returns>
         /// <response code="400">Unable to parse `Request`</response>
-        [Authorize(Roles = "Admin,PrivateMessageSender")]
+        [Authorize(AuthenticationSchemes = $"{ApiKeyAuthenticationDefaults.AuthenticationScheme},{OAuth2IntrospectionDefaults.AuthenticationScheme}", Roles = "Admin,PrivateMessageSender")]
         [HttpPost("PrivateMessages")]
         [HttpPost("PrivateMessages/:byRegistrationId")]
         [ProducesResponseType(typeof(Guid), 200)]
@@ -119,7 +121,7 @@ public async Task<ActionResult> SendPrivateMessageAsync(
         /// <param name="Request"></param>
         /// <returns>The `Id` of the message that has been delivered.</returns>
         /// <response code="400">Unable to parse `Request`</response>
-        [Authorize(Roles = "Admin,PrivateMessageSender")]
+        [Authorize(AuthenticationSchemes = $"{ApiKeyAuthenticationDefaults.AuthenticationScheme},{OAuth2IntrospectionDefaults.AuthenticationScheme}", Roles = "Admin,PrivateMessageSender")]
         [HttpPost("PrivateMessages/:byIdentityId")]
         [ProducesResponseType(typeof(Guid), 200)]
         public async Task<ActionResult> SendPrivateMessageIdentityAsync(
@@ -141,7 +143,6 @@ public async Task<ActionResult> SendPrivateMessageIdentityAsync(
         }
 
         [HttpGet("PrivateMessages/{messageId}/Status")]
-        [Authorize(Roles = "Admin,PrivateMessageSender")]
         [ProducesResponseType(typeof(PrivateMessageStatus), 200)]
         [ProducesResponseType(typeof(string), 404)]
         public async Task<PrivateMessageStatus> GetPrivateMessageStatusAsync(

src/Eurofurence.App.Server.Web/Identity/ApiKeyAuthenticationDefaults.cs

@@ -0,0 +1,15 @@
+namespace Eurofurence.App.Server.Web.Identity;
+
+public class ApiKeyAuthenticationDefaults
+{
+
+    /// <summary>
+    /// The default authentication scheme.
+    /// </summary>
+    public const string AuthenticationScheme = "ApiKey";
+
+    /// <summary>
+    /// Header name for the API keys.
+    /// </summary>
+    public const string HeaderName = "X-API-Key";
+}

src/Eurofurence.App.Server.Web/Identity/ApiKeyAuthenticationHandler.cs

@@ -0,0 +1,47 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+
+namespace Eurofurence.App.Server.Web.Identity;
+
+public class ApiKeyAuthenticationHandler : AuthenticationHandler<ApiKeyAuthenticationOptions>
+{
+    public ApiKeyAuthenticationHandler(IOptionsMonitor<ApiKeyAuthenticationOptions> options, ILoggerFactory logger, UrlEncoder encoder) : base(options, logger, encoder) { }
+
+    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
+    {
+        var requestApiKey = Context.Request.Headers[ApiKeyAuthenticationDefaults.HeaderName].FirstOrDefault();
+
+        if (Options.ApiKeys is null || Options.ApiKeys.Count == 0 || requestApiKey is null) return Task.FromResult(AuthenticateResult.Fail("Invalid X-API-Key."));
+
+        Logger.LogDebug("Attempting API key authentication…");
+
+        if (Options.ApiKeys.FirstOrDefault(apiKey => apiKey.Key == requestApiKey && DateTime.Now.CompareTo(apiKey.ValidUntil) <= 0) is { } apiKeyOptions)
+        {
+            Logger.LogInformation($"Configured API key for {apiKeyOptions.PrincipalName} with roles {string.Join(',', apiKeyOptions.Roles)} valid until {apiKeyOptions.ValidUntil}.");
+
+            var claims = new List<Claim>
+            {
+                new Claim(ClaimTypes.Name, apiKeyOptions.PrincipalName)
+            };
+
+            foreach (var role in apiKeyOptions.Roles)
+            {
+                claims.Add(new Claim(ClaimTypes.Role, role));
+            }
+
+            var identity = new ClaimsIdentity(claims, Scheme.Name);
+            var principal = new ClaimsPrincipal(identity);
+            var ticket = new AuthenticationTicket(principal, Scheme.Name);
+            return Task.FromResult(AuthenticateResult.Success(ticket));
+        }
+
+        return Task.FromResult(AuthenticateResult.Fail("Invalid X-API-Key."));
+    }
+}

src/Eurofurence.App.Server.Web/Identity/ApiKeyAuthenticationOptions.cs

@@ -0,0 +1,16 @@
+using System;
+using System.Collections.Generic;
+using Microsoft.AspNetCore.Authentication;
+
+namespace Eurofurence.App.Server.Web.Identity;
+
+public class ApiKeyAuthenticationOptions : AuthenticationSchemeOptions
+{
+    public IList<ApiKeyOptions> ApiKeys { get; set; }
+    public class ApiKeyOptions {
+        public string Key { get; set;}
+        public string PrincipalName { get; set;}
+        public DateTime ValidUntil { get; set;}
+        public IList<string> Roles { get; set;}
+    }
+}

src/Eurofurence.App.Server.Web/Startup.cs

@@ -38,6 +38,7 @@
 using Microsoft.Extensions.Options;
 using Telegram.Bot;
 using dotAPNS.AspNetCore;
+using System.Collections.Generic;
 
 namespace Eurofurence.App.Server.Web
 {
@@ -133,6 +134,14 @@ public void ConfigureServices(IServiceCollection services)
                     Type = SecuritySchemeType.Http
                 });
 
+                options.AddSecurityDefinition(ApiKeyAuthenticationDefaults.AuthenticationScheme, new OpenApiSecurityScheme
+                {
+                    Name = ApiKeyAuthenticationDefaults.HeaderName,
+                    Description = "Authenticate with a static API key",
+                    In = ParameterLocation.Header,
+                    Type = SecuritySchemeType.ApiKey
+                });
+
                 //options.DescribeAllEnumsAsStrings();
                 options.IncludeXmlComments($@"{AppContext.BaseDirectory}/Eurofurence.App.Server.Web.xml");
                 options.IncludeXmlComments($@"{AppContext.BaseDirectory}/Eurofurence.App.Domain.Model.xml");
@@ -168,10 +177,17 @@ public void ConfigureServices(IServiceCollection services)
 
             services.AddTransient<IClaimsTransformation, RolesClaimsTransformation>();
             services.AddAuthentication(OAuth2IntrospectionDefaults.AuthenticationScheme)
-                .AddOAuth2Introspection(options =>
-                {
-                    options.EnableCaching = true;
-                });
+                .AddOAuth2Introspection(options => { options.EnableCaching = true; })
+                .AddScheme<ApiKeyAuthenticationOptions, ApiKeyAuthenticationHandler>
+                (ApiKeyAuthenticationDefaults.AuthenticationScheme,
+                    options =>
+                    {
+                        options.ApiKeys = Configuration.GetSection("ApiKeys")
+                            .Get<IList<ApiKeyAuthenticationOptions.ApiKeyOptions>>();
+                        foreach (var apiKey in options.ApiKeys ?? []) {
+                            _logger.LogInformation($"Configured API key for {apiKey.PrincipalName} with roles {string.Join(',', apiKey.Roles)} valid until {apiKey.ValidUntil}.");
+                        }
+                    });
 
             services.AddControllersWithViews()
                 .AddRazorRuntimeCompilation();
@@ -423,4 +439,4 @@ IHostApplicationLifetime appLifetime
             _logger.LogInformation($"Startup complete ({env.EnvironmentName})");
         }
     }
-}
+}

src/Eurofurence.App.Server.Web/Swagger/AddAuthorizationHeaderParameterOperationFilter.cs

@@ -1,6 +1,7 @@
 using System.Collections.Generic;
 using System.Linq;
 using Autofac;
+using Eurofurence.App.Server.Web.Identity;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc.Controllers;
 using Microsoft.OpenApi.Models;
@@ -51,7 +52,24 @@ public void Apply(OpenApiOperation operation, OperationFilterContext context)
                     }
                 };
 
+            var apiKeyRequirements =
+               new OpenApiSecurityRequirement()
+                {
+                    {
+                        new OpenApiSecurityScheme
+                        {
+                            Reference = new OpenApiReference
+                            {
+                                Type = ReferenceType.SecurityScheme,
+                                Id = ApiKeyAuthenticationDefaults.AuthenticationScheme
+                            }
+                        },
+                        new List<string>()
+                    }
+                };
+
             operation.Security.Add(oAuthRequirements);
+            operation.Security.Add(apiKeyRequirements);
             operation.Parameters = operation.Parameters ?? new List<OpenApiParameter>();
 
             var existingDescription = operation.Description;

src/Eurofurence.App.Server.Web/appsettings.sample.json

@@ -15,6 +15,16 @@
     "FursuitBadgeSystem": [],
     "Admin": []
   },
+  "ApiKeys": [
+    {
+      "Key": "<128 character long api key>",
+      "PrincipalName": "<who is calling>",
+      "Roles": [
+        "PrivateMessageSender"
+      ],
+      "ValidUntil": "1970-01-01T00:00:00Z"
+    }
+  ],
   "global": {
     "conventionNumber": 99,
     "conventionIdentifier": "EFXX",