feat: Add oauth support

API/API.csproj

@@ -3,6 +3,7 @@
   <Import Project="../Shared.props" />
 
   <ItemGroup>
+    <PackageReference Include="AspNet.Security.OAuth.Discord" Version="9.4.0" />
     <PackageReference Include="Fluid.Core" Version="2.25.0" />
     <PackageReference Include="MailKit" Version="4.13.0" />
   </ItemGroup>

API/Controller/Account/Authenticated/ChangePassword.cs

@@ -17,7 +17,7 @@ public sealed partial class AuthenticatedAccountController
     [ProducesResponseType(StatusCodes.Status200OK)]
     public async Task<IActionResult> ChangePassword([FromBody] ChangePasswordRequest data)
     {
-        if (!HashingUtils.VerifyPassword(data.OldPassword, CurrentUser.PasswordHash).Verified)
+        if (!string.IsNullOrEmpty(CurrentUser.PasswordHash) && !HashingUtils.VerifyPassword(data.OldPassword, CurrentUser.PasswordHash).Verified)
         {
             return Problem(AccountError.PasswordChangeInvalidPassword);
         }

API/Controller/Account/Authenticated/OAuthConnectionAdd.cs

@@ -0,0 +1,34 @@
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Mvc;
+using OpenShock.Common.Problems;
+using System.Net.Mime;
+using OpenShock.API.OAuth;
+
+namespace OpenShock.API.Controller.Account.Authenticated;
+
+public sealed partial class AuthenticatedAccountController
+{
+    /// <summary>
+    /// Start linking an OAuth provider to the current account.
+    /// </summary>
+    /// <remarks>
+    /// Initiates the OAuth flow (link mode) for a given provider.  
+    /// On success this returns a <c>302 Found</c> to the provider's authorization page.
+    /// After consent, the OAuth middleware will call the internal callback and finally
+    /// redirect to <c>/1/oauth/{provider}/handoff</c>.
+    /// </remarks>
+    /// <param name="provider">Provider key (e.g. <c>discord</c>).</param>
+    /// <param name="schemeProvider"></param>
+    /// <response code="302">Redirect to the provider authorization page.</response>
+    /// <response code="400">Unsupported or misconfigured provider.</response>
+    [HttpGet("connections/{provider}/link")]
+    [ProducesResponseType(StatusCodes.Status302Found)]
+    [ProducesResponseType<OpenShockProblem>(StatusCodes.Status400BadRequest, MediaTypeNames.Application.Json)]
+    public async Task<IActionResult> AddOAuthConnection([FromRoute] string provider, [FromServices] IAuthenticationSchemeProvider schemeProvider)
+    {
+        if (!await schemeProvider.IsSupportedOAuthScheme(provider))
+            return Problem(OAuthError.UnsupportedProvider);
+
+        return OAuthUtil.StartOAuth(provider, OAuthFlow.Link);
+    }
+}

API/Controller/Account/Authenticated/OAuthConnectionRemove.cs

@@ -0,0 +1,28 @@
+using Microsoft.AspNetCore.Mvc;
+using OpenShock.API.Services.OAuthConnection;
+
+namespace OpenShock.API.Controller.Account.Authenticated;
+
+public sealed partial class AuthenticatedAccountController
+{
+    /// <summary>
+    /// Remove an existing OAuth connection for the current user.
+    /// </summary>
+    /// <param name="provider">Provider key (e.g. <c>discord</c>).</param>
+    /// <param name="connectionService"></param>
+    /// <param name="cancellationToken"></param>
+    /// <response code="204">Connection removed.</response>
+    /// <response code="404">No connection found for this provider.</response>
+    [HttpDelete("connections/{provider}")]
+    [ProducesResponseType(StatusCodes.Status204NoContent)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> RemoveOAuthConnection([FromRoute] string provider, [FromServices] IOAuthConnectionService connectionService, CancellationToken cancellationToken)
+    {
+        var deleted = await connectionService.TryRemoveConnectionAsync(CurrentUser.Id, provider, cancellationToken);
+
+        if (!deleted)
+            return NotFound();
+
+        return NoContent();
+    }
+}

API/Controller/Account/Authenticated/OAuthConnectionsList.cs

@@ -0,0 +1,30 @@
+using Microsoft.AspNetCore.Mvc;
+using OpenShock.API.Models.Response;
+using OpenShock.API.Services.OAuthConnection;
+
+namespace OpenShock.API.Controller.Account.Authenticated;
+
+public sealed partial class AuthenticatedAccountController
+{
+    /// <summary>
+    /// List OAuth connections linked to the current user.
+    /// </summary>
+    /// <returns>Array of connections with provider key, external id, display name and link time.</returns>
+    /// <response code="200">Returns the list of connections.</response>
+    [HttpGet("connections")]
+    [ProducesResponseType(StatusCodes.Status200OK)]
+    public async Task<OAuthConnectionResponse[]> ListOAuthConnections([FromServices] IOAuthConnectionService connectionService, CancellationToken cancellationToken)
+    {
+        var connections = await connectionService.GetConnectionsAsync(CurrentUser.Id, cancellationToken);
+
+        return connections
+            .Select(c => new OAuthConnectionResponse
+            {
+                ProviderKey = c.ProviderKey,
+                ExternalId = c.ExternalId,
+                DisplayName = c.DisplayName,
+                LinkedAt = c.CreatedAt
+            })
+            .ToArray();
+    }
+}

API/Controller/Account/Login.cs

@@ -10,6 +10,7 @@
 using OpenShock.Common.Utils;
 using System.Net.Mime;
 using Microsoft.AspNetCore.RateLimiting;
+using OpenShock.Common.Services.Session;
 
 namespace OpenShock.API.Controller.Account;
 
@@ -28,27 +29,23 @@ public sealed partial class AccountController
     [MapToApiVersion("1")]
     public async Task<IActionResult> Login(
         [FromBody] Login body,
-        [FromServices] FrontendOptions options,
         CancellationToken cancellationToken)
     {
-        var cookieDomainToUse = options.CookieDomains.FirstOrDefault(domain => Request.Headers.Host.ToString().EndsWith(domain, StringComparison.OrdinalIgnoreCase));
-        if (cookieDomainToUse is null) return Problem(LoginError.InvalidDomain);
+        var cookieDomain = GetCurrentCookieDomain();
+        if (cookieDomain is null) return Problem(LoginError.InvalidDomain);
 
-        var loginAction = await _accountService.CreateUserLoginSessionAsync(body.Email, body.Password, new LoginContext
+        var getAccountResult = await _accountService.GetAccountByCredentialsAsync(body.Email, body.Password, cancellationToken);
+        if (!getAccountResult.TryPickT0(out var account, out var errors))
         {
-            Ip = HttpContext.GetRemoteIP().ToString(),
-            UserAgent = HttpContext.GetUserAgent(),
-        }, cancellationToken);
+            return errors.Match(
+                notFound => Problem(LoginError.InvalidCredentials),
+                deactivated => Problem(AccountError.AccountDeactivated),
+                notActivated => Problem(AccountError.AccountNotActivated),
+                oauthOnly => Problem(AccountError.AccountOAuthOnly)
+            );
+        }
 
-        return loginAction.Match<IActionResult>(
-            ok =>
-            {
-                HttpContext.SetSessionKeyCookie(ok.Token, cookieDomainToUse);
-                return LegacyEmptyOk("Successfully logged in");
-            },
-            notActivated => Problem(AccountError.AccountNotActivated),
-            deactivated => Problem(AccountError.AccountDeactivated),
-            notFound => Problem(LoginError.InvalidCredentials)
-        );
+        await CreateSession(account.Id, cookieDomain);
+        return LegacyEmptyOk("Successfully logged in");
     }
 }

API/Controller/Account/LoginV2.cs

@@ -3,6 +3,7 @@
 using System.Net;
 using System.Net.Mime;
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.RateLimiting;
 using OpenShock.API.Services.Account;
 using OpenShock.Common.Errors;
@@ -14,6 +15,7 @@
 using OpenShock.API.Models.Response;
 using OpenShock.API.Services.Turnstile;
 using OpenShock.Common.Options;
+using OpenShock.Common.Services.Session;
 
 namespace OpenShock.API.Controller.Account;
 
@@ -33,39 +35,35 @@ public sealed partial class AccountController
     public async Task<IActionResult> LoginV2(
         [FromBody] LoginV2 body,
         [FromServices] ICloudflareTurnstileService turnstileService,
-        [FromServices] FrontendOptions options,
         CancellationToken cancellationToken)
     {
-        var cookieDomainToUse = options.CookieDomains.FirstOrDefault(domain => Request.Headers.Host.ToString().EndsWith(domain, StringComparison.OrdinalIgnoreCase));
-        if (cookieDomainToUse is null) return Problem(LoginError.InvalidDomain);
+        var cookieDomain = GetCurrentCookieDomain();
+        if (cookieDomain is null) return Problem(LoginError.InvalidDomain);
 
-        var remoteIP = HttpContext.GetRemoteIP();
+        var remoteIp = HttpContext.GetRemoteIP();
 
-        var turnStile = await turnstileService.VerifyUserResponseTokenAsync(body.TurnstileResponse, remoteIP, cancellationToken);
-        if (!turnStile.IsT0)
+        var turnStile = await turnstileService.VerifyUserResponseTokenAsync(body.TurnstileResponse, remoteIp, cancellationToken);
+        if (!turnStile.TryPickT0(out _, out var cfErrors))
         {
-            var cfErrors = turnStile.AsT1.Value;
-            if (cfErrors.All(err => err == CloudflareTurnstileError.InvalidResponse))
+            if (cfErrors.Value.All(err => err == CloudflareTurnstileError.InvalidResponse))
                 return Problem(TurnstileError.InvalidTurnstile);
 
             return Problem(new OpenShockProblem("InternalServerError", "Internal Server Error", HttpStatusCode.InternalServerError));
         }
-
-        var loginAction = await _accountService.CreateUserLoginSessionAsync(body.UsernameOrEmail, body.Password, new LoginContext
+
+        var getAccountResult = await _accountService.GetAccountByCredentialsAsync(body.UsernameOrEmail, body.Password, cancellationToken);
+        if (!getAccountResult.TryPickT0(out var account, out var errors))
         {
-            Ip = remoteIP.ToString(),
-            UserAgent = HttpContext.GetUserAgent(),
-        }, cancellationToken);
-
-        return loginAction.Match<IActionResult>(
-            ok =>
-            {
-                HttpContext.SetSessionKeyCookie(ok.Token, cookieDomainToUse);
-                return Ok(LoginV2OkResponse.FromUser(ok.User));
-            },
-            notActivated => Problem(AccountError.AccountNotActivated),
-            deactivated => Problem(AccountError.AccountDeactivated),
-            notFound => Problem(LoginError.InvalidCredentials)
-        );
+            return errors.Match(
+                notFound => Problem(LoginError.InvalidCredentials),
+                deactivated => Problem(AccountError.AccountDeactivated),
+                notActivated => Problem(AccountError.AccountNotActivated),
+                oauthOnly => Problem(AccountError.AccountOAuthOnly)
+            );
+        }
+
+        await CreateSession(account.Id, cookieDomain);
+
+        return Ok(LoginV2OkResponse.FromUser(account));
     }
 }

API/Controller/Account/Logout.cs

@@ -12,9 +12,7 @@ public sealed partial class AccountController
     [HttpPost("logout")]
     [ProducesResponseType(StatusCodes.Status200OK)]
     [MapToApiVersion("1")]
-    public async Task<IActionResult> Logout(
-        [FromServices] ISessionService sessionService,
-        [FromServices] FrontendOptions options)
+    public async Task<IActionResult> Logout([FromServices] ISessionService sessionService)
     {
         // Remove session if valid
         if (HttpContext.TryGetUserSessionToken(out var sessionToken))
@@ -23,18 +21,7 @@ public async Task<IActionResult> Logout(
         }
 
         // Make sure cookie is removed, no matter if authenticated or not
-        var cookieDomainToUse = options.CookieDomains.FirstOrDefault(domain => Request.Headers.Host.ToString().EndsWith(domain, StringComparison.OrdinalIgnoreCase));
-        if (cookieDomainToUse is not null)
-        {
-            HttpContext.RemoveSessionKeyCookie(cookieDomainToUse);
-        }
-        else // Fallback to all domains
-        {
-            foreach (var domain in options.CookieDomains)
-            {
-                HttpContext.RemoveSessionKeyCookie(domain);
-            }
-        }
+        RemoveSessionKeyCookie();
 
         // its always a success, logout endpoints should be idempotent
         return Ok();

API/Controller/Account/Signup.cs

@@ -27,7 +27,7 @@ public async Task<IActionResult> SignUp([FromBody] SignUp body)
         var creationAction = await _accountService.CreateAccountWithoutActivationFlowLegacyAsync(body.Email, body.Username, body.Password);
         return creationAction.Match<IActionResult>(
             ok => LegacyEmptyOk("Successfully signed up"),
-            alreadyExists => Problem(SignupError.EmailAlreadyExists)
+            alreadyExists => Problem(SignupError.UsernameOrEmailExists)
             );
     }
 }

API/Controller/Account/SignupV2.cs

@@ -46,7 +46,7 @@ public async Task<IActionResult> SignUpV2(
         var creationAction = await _accountService.CreateAccountWithActivationFlowAsync(body.Email, body.Username, body.Password);
         return creationAction.Match<IActionResult>(
             _ => Ok(),
-            _ => Problem(SignupError.EmailAlreadyExists)
+            _ => Problem(SignupError.UsernameOrEmailExists)
         );
     }
 }

API/Controller/OAuth/Authorize.cs

@@ -0,0 +1,38 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.RateLimiting;
+using OpenShock.Common.Problems;
+using System.Net.Mime;
+using OpenShock.API.OAuth;
+using OpenShock.Common.Utils;
+
+namespace OpenShock.API.Controller.OAuth;
+
+public sealed partial class OAuthController
+{
+    /// <summary>
+    /// Start OAuth authorization for a given provider (login-or-create flow).
+    /// </summary>
+    /// <remarks>
+    /// Initiates an OAuth challenge in "login-or-create" mode.  
+    /// Returns <c>302</c> redirect to the provider authorization page.
+    /// </remarks>
+    /// <param name="provider">Provider key (e.g. <c>discord</c>).</param>
+    /// <response code="302">Redirect to the provider authorization page.</response>
+    /// <response code="400">Unsupported or misconfigured provider.</response>
+    [EnableRateLimiting("auth")]
+    [HttpGet("{provider}/authorize")]
+    [ProducesResponseType(StatusCodes.Status302Found)]
+    [ProducesResponseType<OpenShockProblem>(StatusCodes.Status400BadRequest, MediaTypeNames.Application.Json)]
+    public async Task<IActionResult> OAuthAuthorize([FromRoute] string provider)
+    {
+        if (!await _schemeProvider.IsSupportedOAuthScheme(provider))
+            return Problem(OAuthError.UnsupportedProvider);
+
+        if (User.HasOpenShockUserIdentity())
+        {
+            return Problem(OAuthError.AnonymousOnlyEndpoint);
+        }
+
+        return OAuthUtil.StartOAuth(provider, OAuthFlow.LoginOrCreate);
+    }
+}