Home Explore Help
Sign In
mirrors
/
jellyfin
mirror of https://github.com/jellyfin/jellyfin
2
0
Fork 0
Files Issues 0 Wiki
Tree: e37ccd6ec0
Branches Tags
jellyfin
/
Emby.Server.Implementations
/
Library
/
DefaultAuthenticationProvider.cs

DefaultAuthenticationProvider.cs 8.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203 
  1. using System;
    2. 

  2. using System.Linq;
    3. 

  3. using System.Text;
    4. 

  4. using System.Threading.Tasks;
    5. 

  5. using MediaBrowser.Controller.Authentication;
    6. 

  6. using MediaBrowser.Controller.Entities;
    7. 

  7. using MediaBrowser.Model.Cryptography;
    8. 

  8. 

  9. namespace Emby.Server.Implementations.Library
    10. 

  10. {
    11. 

  11.     public class DefaultAuthenticationProvider : IAuthenticationProvider, IRequiresResolvedUser
    12. 

  12.     {
    13. 

  13.         private readonly ICryptoProvider _cryptographyProvider;
    14. 

  14.         public DefaultAuthenticationProvider(ICryptoProvider crypto)
    15. 

  15.         {
    16. 

  16.             _cryptographyProvider = crypto;
    17. 

  17.         }
    18. 

  18. 

  19.         public string Name => "Default";
    20. 

  20. 

  21.         public bool IsEnabled => true;
    22. 

  22.         
    23. 

  23.         // This is dumb and an artifact of the backwards way auth providers were designed.
    24. 

  24.         // This version of authenticate was never meant to be called, but needs to be here for interface compat
    25. 

  25.         // Only the providers that don't provide local user support use this
    26. 

  26.         public Task<ProviderAuthenticationResult> Authenticate(string username, string password)
    27. 

  27.         {
    28. 

  28.             throw new NotImplementedException();
    29. 

  29.         }
    30. 

  30.         
    31. 

  31.         // This is the verson that we need to use for local users. Because reasons.
    32. 

  32.         public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User resolvedUser)
    33. 

  33.         {
    34. 

  34.             bool success = false;
    35. 

  35.             if (resolvedUser == null)
    36. 

  36.             {
    37. 

  37.                 throw new Exception("Invalid username or password");
    38. 

  38.             }
    39. 

  39. 

  40.             // As long as jellyfin supports passwordless users, we need this little block here to accomodate
    41. 

  41.             if (IsPasswordEmpty(resolvedUser, password))
    42. 

  42.             {
    43. 

  43.                 return Task.FromResult(new ProviderAuthenticationResult
    44. 

  44.                 {
    45. 

  45.                     Username = username
    46. 

  46.                 });
    47. 

  47.             }
    48. 

  48. 

  49.             ConvertPasswordFormat(resolvedUser);
    50. 

  50.             byte[] passwordbytes = Encoding.UTF8.GetBytes(password);
    51. 

  51. 

  52.             PasswordHash readyHash = new PasswordHash(resolvedUser.Password);
    53. 

  53.             byte[] calculatedHash;
    54. 

  54.             string calculatedHashString;
    55. 

  55.             if (_cryptographyProvider.GetSupportedHashMethods().Contains(readyHash.Id) || _cryptographyProvider.DefaultHashMethod == readyHash.Id)
    56. 

  56.             {
    57. 

  57.                 if (string.IsNullOrEmpty(readyHash.Salt))
    58. 

  58.                 {
    59. 

  59.                     calculatedHash = _cryptographyProvider.ComputeHash(readyHash.Id, passwordbytes);
    60. 

  60.                     calculatedHashString = BitConverter.ToString(calculatedHash).Replace("-", string.Empty);
    61. 

  61.                 }
    62. 

  62.                 else
    63. 

  63.                 {
    64. 

  64.                     calculatedHash = _cryptographyProvider.ComputeHash(readyHash.Id, passwordbytes, readyHash.SaltBytes);
    65. 

  65.                     calculatedHashString = BitConverter.ToString(calculatedHash).Replace("-", string.Empty);
    66. 

  66.                 }
    67. 

  67. 

  68.                 if (calculatedHashString == readyHash.Hash)
    69. 

  69.                 {
    70. 

  70.                     success = true;
    71. 

  71.                     // throw new Exception("Invalid username or password");
    72. 

  72.                 }
    73. 

  73.             }
    74. 

  74.             else
    75. 

  75.             {
    76. 

  76.                 throw new Exception(string.Format($"Requested crypto method not available in provider: {readyHash.Id}"));
    77. 

  77.             }
    78. 

  78. 

  79.             // var success = string.Equals(GetPasswordHash(resolvedUser), GetHashedString(resolvedUser, password), StringComparison.OrdinalIgnoreCase);
    80. 

  80. 

  81.             if (!success)
    82. 

  82.             {
    83. 

  83.                 throw new Exception("Invalid username or password");
    84. 

  84.             }
    85. 

  85. 

  86.             return Task.FromResult(new ProviderAuthenticationResult
    87. 

  87.             {
    88. 

  88.                 Username = username
    89. 

  89.             });
    90. 

  90.         }
    91. 

  91. 

  92.         // This allows us to move passwords forward to the newformat without breaking. They are still insecure, unsalted, and dumb before a password change
    93. 

  93.         // but at least they are in the new format.
    94. 

  94.         private void ConvertPasswordFormat(User user)
    95. 

  95.         {
    96. 

  96.             if (string.IsNullOrEmpty(user.Password))
    97. 

  97.             {
    98. 

  98.                 return;
    99. 

  99.             }
    100. 

  100. 

  101.             if (!user.Password.Contains("$"))
    102. 

  102.             {
    103. 

  103.                 string hash = user.Password;
    104. 

  104.                 user.Password = string.Format("$SHA1${0}", hash);
    105. 

  105.             }
    106. 

  106.             
    107. 

  107.             if (user.EasyPassword != null && !user.EasyPassword.Contains("$"))
    108. 

  108.             {
    109. 

  109.                 string hash = user.EasyPassword;
    110. 

  110.                 user.EasyPassword = string.Format("$SHA1${0}", hash);
    111. 

  111.             }
    112. 

  112.         }
    113. 

  113. 

  114.         public Task<bool> HasPassword(User user)
    115. 

  115.         {
    116. 

  116.             var hasConfiguredPassword = !IsPasswordEmpty(user, GetPasswordHash(user));
    117. 

  117.             return Task.FromResult(hasConfiguredPassword);
    118. 

  118.         }
    119. 

  119. 

  120.         private bool IsPasswordEmpty(User user, string password)
    121. 

  121.         {
    122. 

  122.             return (string.IsNullOrEmpty(user.Password) && string.IsNullOrEmpty(password));
    123. 

  123.         }
    124. 

  124. 

  125.         public Task ChangePassword(User user, string newPassword)
    126. 

  126.         {
    127. 

  127.             ConvertPasswordFormat(user);
    128. 

  128.             // This is needed to support changing a no password user to a password user
    129. 

  129.             if (string.IsNullOrEmpty(user.Password))
    130. 

  130.             {
    131. 

  131.                 PasswordHash newPasswordHash = new PasswordHash(_cryptographyProvider);
    132. 

  132.                 newPasswordHash.SaltBytes = _cryptographyProvider.GenerateSalt();
    133. 

  133.                 newPasswordHash.Salt = PasswordHash.ConvertToByteString(newPasswordHash.SaltBytes);
    134. 

  134.                 newPasswordHash.Id = _cryptographyProvider.DefaultHashMethod;
    135. 

  135.                 newPasswordHash.Hash = GetHashedStringChangeAuth(newPassword, newPasswordHash);
    136. 

  136.                 user.Password = newPasswordHash.ToString();
    137. 

  137.                 return Task.CompletedTask;
    138. 

  138.             }
    139. 

  139. 

  140.             PasswordHash passwordHash = new PasswordHash(user.Password);
    141. 

  141.             if (passwordHash.Id == "SHA1" && string.IsNullOrEmpty(passwordHash.Salt))
    142. 

  142.             {
    143. 

  143.                 passwordHash.SaltBytes = _cryptographyProvider.GenerateSalt();
    144. 

  144.                 passwordHash.Salt = PasswordHash.ConvertToByteString(passwordHash.SaltBytes);
    145. 

  145.                 passwordHash.Id = _cryptographyProvider.DefaultHashMethod;
    146. 

  146.                 passwordHash.Hash = GetHashedStringChangeAuth(newPassword, passwordHash);
    147. 

  147.             }
    148. 

  148.             else if (newPassword != null)
    149. 

  149.             {
    150. 

  150.                 passwordHash.Hash = GetHashedString(user, newPassword);
    151. 

  151.             }
    152. 

  152. 

  153.             if (string.IsNullOrWhiteSpace(passwordHash.Hash))
    154. 

  154.             {
    155. 

  155.                 throw new ArgumentNullException(nameof(passwordHash.Hash));
    156. 

  156.             }
    157. 

  157. 

  158.             user.Password = passwordHash.ToString();
    159. 

  159. 

  160.             return Task.CompletedTask;
    161. 

  161.         }
    162. 

  162. 

  163.         public string GetPasswordHash(User user)
    164. 

  164.         {
    165. 

  165.             return user.Password;
    166. 

  166.         }
    167. 

  167. 

  168.         public string GetHashedStringChangeAuth(string newPassword, PasswordHash passwordHash)
    169. 

  169.         {
    170. 

  170.             passwordHash.HashBytes = Encoding.UTF8.GetBytes(newPassword);
    171. 

  171.             return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash));
    172. 

  172.         }
    173. 

  173. 

  174.         /// <summary>
    175. 

  175.         /// Gets the hashed string.
    176. 

  176.         /// </summary>
    177. 

  177.         public string GetHashedString(User user, string str)
    178. 

  178.         {
    179. 

  179.             PasswordHash passwordHash;
    180. 

  180.             if (string.IsNullOrEmpty(user.Password))
    181. 

  181.             {
    182. 

  182.                 passwordHash = new PasswordHash(_cryptographyProvider);
    183. 

  183.             }
    184. 

  184.             else
    185. 

  185.             {
    186. 

  186.                 ConvertPasswordFormat(user);
    187. 

  187.                 passwordHash = new PasswordHash(user.Password);
    188. 

  188.             }
    189. 

  189. 

  190.             if (passwordHash.SaltBytes != null)
    191. 

  191.             {
    192. 

  192.                 // the password is modern format with PBKDF and we should take advantage of that
    193. 

  193.                 passwordHash.HashBytes = Encoding.UTF8.GetBytes(str);
    194. 

  194.                 return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash));
    195. 

  195.             }
    196. 

  196.             else
    197. 

  197.             {
    198. 

  198.                 // the password has no salt and should be called with the older method for safety
    199. 

  199.                 return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(str)));
    200. 

  200.             }
    201. 

  201.         }
    202. 

  202.     }
    203. 

  203. }
    204.