Custom auth (#238)

* Indented * Update packages again. * Update libs again. * Custom auth. * Custom auth settings. * Tests more stable.
notifo-io · Apr 29, 2024 · f503a13 · f503a13
1 parent 814e5bf
commit f503a13
Show file tree

Hide file tree

Showing 139 changed files with 3,008 additions and 1,591 deletions.
diff --git a/backend/src/Notifo.Domain/Apps/App.cs b/backend/src/Notifo.Domain/Apps/App.cs
@@ -26,6 +26,8 @@ public sealed record App(string Id, Instant Created)
 
     public Instant LastUpdate { get; init; }
 
+    public AppAuthScheme? AuthScheme { get; init; }
+
     public ReadonlyList<string> Languages { get; init; } = DefaultLanguages;
 
     public ReadonlyDictionary<string, string> ApiKeys { get; init; } = ReadonlyDictionary.Empty<string, string>();

diff --git a/backend/src/Notifo.Domain/Apps/AppAuthScheme.cs b/backend/src/Notifo.Domain/Apps/AppAuthScheme.cs
@@ -0,0 +1,23 @@
+// ==========================================================================
+//  Notifo.io
+// ==========================================================================
+//  Copyright (c) Sebastian Stehle
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+namespace Notifo.Domain.Apps;
+
+public sealed class AppAuthScheme
+{
+    public string Domain { get; init; }
+
+    public string DisplayName { get; init; }
+
+    public string ClientId { get; init; }
+
+    public string ClientSecret { get; init; }
+
+    public string Authority { get; init; }
+
+    public string? SignoutRedirectUrl { get; init; }
+}
diff --git a/backend/src/Notifo.Domain/Apps/AppStore.cs b/backend/src/Notifo.Domain/Apps/AppStore.cs
@@ -45,6 +45,12 @@ public void Dispose()
         }
     }
 
+    public Task<bool> AnyAuthDomainAsync(
+        CancellationToken ct = default)
+    {
+        return repository.AnyAuthDomainAsync(ct);
+    }
+
     public IAsyncEnumerable<App> QueryAllAsync(
         CancellationToken ct = default)
     {
@@ -116,6 +122,18 @@ public void Dispose()
         return app;
     }
 
+    public async Task<App?> GetByAuthDomainAsync(string domain,
+        CancellationToken ct = default)
+    {
+        Guard.NotNullOrEmpty(domain);
+
+        var (app, _) = await repository.GetByAuthDomainAsync(domain, ct);
+
+        await DeliverAsync(app);
+
+        return app;
+    }
+
     public async ValueTask<App?> HandleAsync(AppCommand command,
         CancellationToken ct)
     {

diff --git a/backend/src/Notifo.Domain/Apps/DeleteAppAuthScheme.cs b/backend/src/Notifo.Domain/Apps/DeleteAppAuthScheme.cs
@@ -0,0 +1,19 @@
+// ==========================================================================
+//  Notifo.io
+// ==========================================================================
+//  Copyright (c) Sebastian Stehle
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+namespace Notifo.Domain.Apps;
+
+public sealed class DeleteAppAuthScheme : AppCommand
+{
+    public override ValueTask<App?> ExecuteAsync(App target, IServiceProvider serviceProvider,
+        CancellationToken ct)
+    {
+        target = target with { AuthScheme = null };
+
+        return new ValueTask<App?>(target);
+    }
+}
diff --git a/backend/src/Notifo.Domain/Apps/IAppRepository.cs b/backend/src/Notifo.Domain/Apps/IAppRepository.cs
@@ -26,9 +26,15 @@ public interface IAppRepository : ICounterStore<string>
     Task<(App? App, string? Etag)> GetAsync(string id,
         CancellationToken ct = default);
 
+    Task<(App? App, string? Etag)> GetByAuthDomainAsync(string domain,
+        CancellationToken ct = default);
+
     Task UpsertAsync(App app, string? oldEtag = null,
         CancellationToken ct = default);
 
     Task DeleteAsync(string id,
         CancellationToken ct = default);
+
+    Task<bool> AnyAuthDomainAsync(
+        CancellationToken ct = default);
 }
diff --git a/backend/src/Notifo.Domain/Apps/IAppStore.cs b/backend/src/Notifo.Domain/Apps/IAppStore.cs
@@ -24,6 +24,12 @@ public interface IAppStore
     Task<App?> GetAsync(string id,
         CancellationToken ct = default);
 
+    Task<App?> GetByAuthDomainAsync(string domain,
+        CancellationToken ct = default);
+
     Task<App?> GetCachedAsync(string id,
         CancellationToken ct = default);
+
+    Task<bool> AnyAuthDomainAsync(
+        CancellationToken ct = default);
 }
diff --git a/backend/src/Notifo.Domain/Apps/MongoDb/MongoDbAppRepository.cs b/backend/src/Notifo.Domain/Apps/MongoDb/MongoDbAppRepository.cs
@@ -109,6 +109,19 @@ await Collection.Find(x => x.ContributorIds.Contains(contributorId))
         }
     }
 
+    public async Task<(App? App, string? Etag)> GetByAuthDomainAsync(string domain,
+        CancellationToken ct = default)
+    {
+        using (Telemetry.Activities.StartActivity("MongoDbAppRepository/GetByAuthDomainAsync"))
+        {
+            var document = await
+                Collection.Find(x => x.Doc.AuthScheme!.Domain == domain)
+                    .FirstOrDefaultAsync(ct);
+
+            return (document?.ToApp(), document?.Etag);
+        }
+    }
+
     public async Task<(App? App, string? Etag)> GetAsync(string id,
         CancellationToken ct = default)
     {
@@ -131,6 +144,15 @@ await Collection.Find(x => x.ContributorIds.Contains(contributorId))
         }
     }
 
+    public async Task<bool> AnyAuthDomainAsync(
+        CancellationToken ct = default)
+    {
+        using (Telemetry.Activities.StartActivity("MongoDbAppRepository/AnyAuthDomainAsync"))
+        {
+            return await Collection.Find(x => x.Doc.AuthScheme != null).AnyAsync(ct);
+        }
+    }
+
     public async Task BatchWriteAsync(List<(string Key, CounterMap Counters)> counters,
         CancellationToken ct)
     {

diff --git a/backend/src/Notifo.Domain/Apps/UpsertAppAuthScheme.cs b/backend/src/Notifo.Domain/Apps/UpsertAppAuthScheme.cs
@@ -0,0 +1,62 @@
+// ==========================================================================
+//  Notifo.io
+// ==========================================================================
+//  Copyright (c) Sebastian Stehle
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using FluentValidation;
+using Notifo.Infrastructure.Validation;
+
+namespace Notifo.Domain.Apps;
+
+public sealed class UpsertAppAuthScheme : AppCommand
+{
+    public string Domain { get; init; }
+
+    public string DisplayName { get; init; }
+
+    public string ClientId { get; init; }
+
+    public string ClientSecret { get; init; }
+
+    public string Authority { get; init; }
+
+    public string? SignoutRedirectUrl { get; init; }
+
+    private sealed class Validator : AbstractValidator<UpsertAppAuthScheme>
+    {
+        public Validator()
+        {
+            RuleFor(x => x.Domain).NotNull().NotEmpty().Domain();
+            RuleFor(x => x.DisplayName).NotNull().NotEmpty();
+            RuleFor(x => x.ClientId).NotNull().NotEmpty();
+            RuleFor(x => x.ClientSecret).NotNull().NotEmpty();
+            RuleFor(x => x.Authority).NotNull().NotEmpty().Url();
+            RuleFor(x => x.SignoutRedirectUrl).Url();
+        }
+    }
+
+    public override ValueTask<App?> ExecuteAsync(App target, IServiceProvider serviceProvider,
+        CancellationToken ct)
+    {
+        Validate<Validator>.It(this);
+
+        var newScheme = new AppAuthScheme
+        {
+            Authority = Authority,
+            ClientId = ClientId,
+            ClientSecret = ClientSecret,
+            DisplayName = DisplayName,
+            Domain = Domain,
+            SignoutRedirectUrl = SignoutRedirectUrl,
+        };
+
+        if (!Equals(target.AuthScheme, newScheme))
+        {
+            target = target with { AuthScheme = newScheme };
+        }
+
+        return new ValueTask<App?>(target);
+    }
+}
diff --git a/backend/src/Notifo.Domain/Resources/Texts.Designer.cs b/backend/src/Notifo.Domain/Resources/Texts.Designer.cs
diff --git a/backend/src/Notifo.Domain/Resources/Texts.resx b/backend/src/Notifo.Domain/Resources/Texts.resx
@@ -186,6 +186,9 @@
   <data name="TemplateError" xml:space="preserve">
     <value>Unhandled template error.</value>
   </data>
+  <data name="ValidationDomain" xml:space="preserve">
+    <value>{PropertyName} must be a valid domain.</value>
+  </data>
   <data name="ValidationLanguage" xml:space="preserve">
     <value>{PropertyName} must be a valid language.</value>
   </data>

diff --git a/backend/src/Notifo.Domain/Utils/Validation/ValidatorExtensions.cs b/backend/src/Notifo.Domain/Utils/Validation/ValidatorExtensions.cs
@@ -33,6 +33,14 @@ public static class ValidatorExtensions
         }).WithMessage(Texts.ValidationUrl);
     }
 
+    public static IRuleBuilderOptions<T, string?> Domain<T>(this IRuleBuilder<T, string?> ruleBuilder)
+    {
+        return ruleBuilder.Must(value =>
+        {
+            return string.IsNullOrWhiteSpace(value) || Uri.CheckHostName(value) == UriHostNameType.Dns;
+        }).WithMessage(Texts.ValidationDomain);
+    }
+
     public static IRuleBuilderOptions<T, string?> Language<T>(this IRuleBuilder<T, string?> ruleBuilder)
     {
         return ruleBuilder.Must(value =>

diff --git a/backend/src/Notifo.Identity/AuthenticationBuilderExtensions.cs b/backend/src/Notifo.Identity/AuthenticationBuilderExtensions.cs
@@ -51,7 +51,11 @@ public static AuthenticationBuilder AddOidc(this AuthenticationBuilder authBuild
 
             authBuilder.AddOpenIdConnect("ExternalOidc", displayName, options =>
             {
-                options.Events = new OidcHandler(identityOptions);
+                options.Events = new OidcHandler(new OdicOptions
+                {
+                    SignoutRedirectUrl = identityOptions.OidcOnSignoutRedirectUrl
+                });
+
                 options.Authority = identityOptions.OidcAuthority;
                 options.ClientId = identityOptions.OidcClient;
                 options.ClientSecret = identityOptions.OidcSecret;

diff --git a/backend/src/Notifo.Identity/Dynamic/DynamicOpenIdConnectHandler.cs b/backend/src/Notifo.Identity/Dynamic/DynamicOpenIdConnectHandler.cs
@@ -0,0 +1,21 @@
+// ==========================================================================
+//  Notifo.io
+// ==========================================================================
+//  Copyright (c) Sebastian Stehle
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using System.Text.Encodings.Web;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+
+namespace Notifo.Identity.Dynamic;
+
+public sealed class DynamicOpenIdConnectHandler : OpenIdConnectHandler
+{
+    public DynamicOpenIdConnectHandler(IOptionsMonitor<DynamicOpenIdConnectOptions> options, ILoggerFactory logger, HtmlEncoder htmlEncoder, UrlEncoder encoder)
+        : base(options, logger, htmlEncoder, encoder)
+    {
+    }
+}
diff --git a/backend/src/Notifo.Identity/Dynamic/DynamicOpenIdConnectOptions.cs b/backend/src/Notifo.Identity/Dynamic/DynamicOpenIdConnectOptions.cs
@@ -0,0 +1,14 @@
+// ==========================================================================
+//  Notifo.io
+// ==========================================================================
+//  Copyright (c) Sebastian Stehle
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+
+namespace Notifo.Identity.Dynamic;
+
+public sealed class DynamicOpenIdConnectOptions : OpenIdConnectOptions
+{
+}