| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185 |
- using System;
- using System.Linq;
- using System.Text;
- using System.Threading.Tasks;
- using MediaBrowser.Common;
- using MediaBrowser.Common.Cryptography;
- using MediaBrowser.Controller.Authentication;
- using MediaBrowser.Model.Cryptography;
- namespace Jellyfin.Server.Implementations.Users
- {
- /// <summary>
- /// The default authentication provider.
- /// </summary>
- public class DefaultAuthenticationProvider : IAuthenticationProvider, IRequiresResolvedUser
- {
- private readonly ICryptoProvider _cryptographyProvider;
- /// <summary>
- /// Initializes a new instance of the <see cref="DefaultAuthenticationProvider"/> class.
- /// </summary>
- /// <param name="cryptographyProvider">The cryptography provider.</param>
- public DefaultAuthenticationProvider(ICryptoProvider cryptographyProvider)
- {
- _cryptographyProvider = cryptographyProvider;
- }
- /// <inheritdoc />
- public string Name => "Default";
- /// <inheritdoc />
- public bool IsEnabled => true;
- /// <inheritdoc />
- // This is dumb and an artifact of the backwards way auth providers were designed.
- // This version of authenticate was never meant to be called, but needs to be here for interface compat
- // Only the providers that don't provide local user support use this
- public Task<ProviderAuthenticationResult> Authenticate(string username, string password)
- {
- throw new NotImplementedException();
- }
- /// <inheritdoc />
- // This is the version that we need to use for local users. Because reasons.
- public Task<ProviderAuthenticationResult> Authenticate(string username, string password, Data.Entities.User resolvedUser)
- {
- if (resolvedUser == null)
- {
- throw new AuthenticationException("Specified user does not exist.");
- }
- bool success = false;
- // As long as jellyfin supports passwordless users, we need this little block here to accommodate
- if (!HasPassword(resolvedUser))
- {
- return Task.FromResult(new ProviderAuthenticationResult
- {
- Username = username
- });
- }
- byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
- PasswordHash readyHash = PasswordHash.Parse(resolvedUser.Password);
- if (_cryptographyProvider.GetSupportedHashMethods().Contains(readyHash.Id)
- || _cryptographyProvider.DefaultHashMethod == readyHash.Id)
- {
- byte[] calculatedHash = _cryptographyProvider.ComputeHash(
- readyHash.Id,
- passwordBytes,
- readyHash.Salt.ToArray());
- if (readyHash.Hash.SequenceEqual(calculatedHash))
- {
- success = true;
- }
- }
- else
- {
- throw new AuthenticationException($"Requested crypto method not available in provider: {readyHash.Id}");
- }
- if (!success)
- {
- throw new AuthenticationException("Invalid username or password");
- }
- return Task.FromResult(new ProviderAuthenticationResult
- {
- Username = username
- });
- }
- /// <inheritdoc />
- public bool HasPassword(Data.Entities.User user)
- => !string.IsNullOrEmpty(user.Password);
- /// <inheritdoc />
- public Task ChangePassword(Data.Entities.User user, string newPassword)
- {
- if (string.IsNullOrEmpty(newPassword))
- {
- user.Password = null;
- return Task.CompletedTask;
- }
- PasswordHash newPasswordHash = _cryptographyProvider.CreatePasswordHash(newPassword);
- user.Password = newPasswordHash.ToString();
- return Task.CompletedTask;
- }
- /// <inheritdoc />
- public void ChangeEasyPassword(Data.Entities.User user, string newPassword, string newPasswordHash)
- {
- if (newPassword != null)
- {
- newPasswordHash = _cryptographyProvider.CreatePasswordHash(newPassword).ToString();
- }
- if (string.IsNullOrWhiteSpace(newPasswordHash))
- {
- throw new ArgumentNullException(nameof(newPasswordHash));
- }
- user.EasyPassword = newPasswordHash;
- }
- /// <inheritdoc />
- public string GetEasyPasswordHash(Data.Entities.User user)
- {
- return string.IsNullOrEmpty(user.EasyPassword)
- ? null
- : Hex.Encode(PasswordHash.Parse(user.EasyPassword).Hash);
- }
- /// <summary>
- /// Hashes the provided string.
- /// </summary>
- /// <param name="user">The user.</param>
- /// <param name="str">The string to hash.</param>
- /// <returns>The hashed string.</returns>
- public string GetHashedString(Data.Entities.User user, string str)
- {
- if (string.IsNullOrEmpty(user.Password))
- {
- return _cryptographyProvider.CreatePasswordHash(str).ToString();
- }
- // TODO: make use of iterations parameter?
- PasswordHash passwordHash = PasswordHash.Parse(user.Password);
- var salt = passwordHash.Salt.ToArray();
- return new PasswordHash(
- passwordHash.Id,
- _cryptographyProvider.ComputeHash(
- passwordHash.Id,
- Encoding.UTF8.GetBytes(str),
- salt),
- salt,
- passwordHash.Parameters.ToDictionary(x => x.Key, y => y.Value)).ToString();
- }
- /// <summary>
- /// Hashes the provided string.
- /// </summary>
- /// <param name="user">The user.</param>
- /// <param name="str">The string to hash.</param>
- /// <returns>The hashed string.</returns>
- public ReadOnlySpan<byte> GetHashed(Data.Entities.User user, string str)
- {
- if (string.IsNullOrEmpty(user.Password))
- {
- return _cryptographyProvider.CreatePasswordHash(str).Hash;
- }
- // TODO: make use of iterations parameter?
- PasswordHash passwordHash = PasswordHash.Parse(user.Password);
- return _cryptographyProvider.ComputeHash(
- passwordHash.Id,
- Encoding.UTF8.GetBytes(str),
- passwordHash.Salt.ToArray());
- }
- }
- }
|
