| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115 |
- using System;
- using System.Diagnostics.CodeAnalysis;
- using System.Globalization;
- using System.Threading.Tasks;
- using Jellyfin.Data.Entities;
- using MediaBrowser.Controller.Authentication;
- using MediaBrowser.Model.Cryptography;
- using Microsoft.Extensions.Logging;
- namespace Jellyfin.Server.Implementations.Users
- {
- /// <summary>
- /// The default authentication provider.
- /// </summary>
- public class DefaultAuthenticationProvider : IAuthenticationProvider, IRequiresResolvedUser
- {
- private readonly ILogger<DefaultAuthenticationProvider> _logger;
- private readonly ICryptoProvider _cryptographyProvider;
- /// <summary>
- /// Initializes a new instance of the <see cref="DefaultAuthenticationProvider"/> class.
- /// </summary>
- /// <param name="logger">The logger.</param>
- /// <param name="cryptographyProvider">The cryptography provider.</param>
- public DefaultAuthenticationProvider(ILogger<DefaultAuthenticationProvider> logger, ICryptoProvider cryptographyProvider)
- {
- _logger = logger;
- _cryptographyProvider = cryptographyProvider;
- }
- /// <inheritdoc />
- public string Name => "Default";
- /// <inheritdoc />
- public bool IsEnabled => true;
- /// <inheritdoc />
- // This is dumb and an artifact of the backwards way auth providers were designed.
- // This version of authenticate was never meant to be called, but needs to be here for interface compat
- // Only the providers that don't provide local user support use this
- public Task<ProviderAuthenticationResult> Authenticate(string username, string password)
- {
- throw new NotImplementedException();
- }
- /// <inheritdoc />
- // This is the version that we need to use for local users. Because reasons.
- public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User? resolvedUser)
- {
- [DoesNotReturn]
- static void ThrowAuthenticationException()
- {
- throw new AuthenticationException("Invalid username or password");
- }
- if (resolvedUser is null)
- {
- ThrowAuthenticationException();
- }
- // As long as jellyfin supports password-less users, we need this little block here to accommodate
- if (!HasPassword(resolvedUser) && string.IsNullOrEmpty(password))
- {
- return Task.FromResult(new ProviderAuthenticationResult
- {
- Username = username
- });
- }
- // Handle the case when the stored password is null, but the user tried to login with a password
- if (resolvedUser.Password is null)
- {
- ThrowAuthenticationException();
- }
- PasswordHash readyHash = PasswordHash.Parse(resolvedUser.Password);
- if (!_cryptographyProvider.Verify(readyHash, password))
- {
- ThrowAuthenticationException();
- }
- // Migrate old hashes to the new default
- if (!string.Equals(readyHash.Id, _cryptographyProvider.DefaultHashMethod, StringComparison.Ordinal)
- || int.Parse(readyHash.Parameters["iterations"], CultureInfo.InvariantCulture) != Constants.DefaultIterations)
- {
- _logger.LogInformation("Migrating password hash of {User} to the latest default", username);
- ChangePassword(resolvedUser, password);
- }
- return Task.FromResult(new ProviderAuthenticationResult
- {
- Username = username
- });
- }
- /// <inheritdoc />
- public bool HasPassword(User user)
- => !string.IsNullOrEmpty(user?.Password);
- /// <inheritdoc />
- public Task ChangePassword(User user, string newPassword)
- {
- if (string.IsNullOrEmpty(newPassword))
- {
- user.Password = null;
- return Task.CompletedTask;
- }
- PasswordHash newPasswordHash = _cryptographyProvider.CreatePasswordHash(newPassword);
- user.Password = newPasswordHash.ToString();
- return Task.CompletedTask;
- }
- }
- }
|
