Merge pull request #7 from Penumbra-Sync/cached_auth

Add cached + limited authentication and possibility to ban discord/lodestone accounts

MareSynchronosServer/MareSynchronosServer/Authentication/SecretKeyAuthenticationHandler.cs

@@ -1,9 +1,12 @@
 using System;
+using System.Collections.Concurrent;
 using System.Collections.Generic;
+using System.Linq;
 using System.Security.Claims;
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.Encodings.Web;
+using System.Threading;
 using System.Threading.Tasks;
 using MareSynchronosServer.Data;
 using Microsoft.AspNetCore.Authentication;
@@ -17,6 +20,29 @@ namespace MareSynchronosServer.Authentication
     {
         private readonly MareDbContext _mareDbContext;
         public const string AuthScheme = "SecretKeyAuth";
+        private const string unauthorized = "Unauthorized";
+        public static ConcurrentDictionary<string, string> Authentications = new();
+        private static SemaphoreSlim dbLockSemaphore = new SemaphoreSlim(20);
+
+        public static void ClearUnauthorizedUsers()
+        {
+            foreach (var item in Authentications.ToArray())
+            {
+                if (item.Value == unauthorized)
+                {
+                    Authentications[item.Key] = string.Empty;
+                }
+            }
+        }
+
+        public static void RemoveAuthentication(string uid)
+        {
+            var auth = Authentications.Where(u => u.Value == uid);
+            if (auth.Any())
+            {
+                Authentications.Remove(auth.First().Key, out _);
+            }
+        }
 
         protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
         {
@@ -30,13 +56,39 @@ namespace MareSynchronosServer.Authentication
 
             using var sha256 = SHA256.Create();
             var hashedHeader = BitConverter.ToString(sha256.ComputeHash(Encoding.UTF8.GetBytes(authHeader))).Replace("-", "");
-            var uid = (await _mareDbContext.Auth.Include("User").AsNoTracking()
+
+            if (Authentications.TryGetValue(hashedHeader, out string uid))
+            {
+                if (uid == unauthorized)
+                    return AuthenticateResult.Fail("Failed Authorization");
+                else
+                    Logger.LogDebug("Found cached entry for " + uid);
+            }
+
+            if (string.IsNullOrEmpty(uid))
+            {
+                try
+                {
+                    await dbLockSemaphore.WaitAsync();
+                    uid = (await _mareDbContext.Auth.Include("User").AsNoTracking()
                         .FirstOrDefaultAsync(m => m.HashedKey == hashedHeader))?.UserUID;
+                }
+                catch { }
+                finally
+                {
+                    dbLockSemaphore.Release();
+                }
 
                 if (uid == null)
                 {
+                    Authentications[hashedHeader] = unauthorized;
                     return AuthenticateResult.Fail("Failed Authorization");
                 }
+                else
+                {
+                    Authentications[hashedHeader] = uid;
+                }
+            }
 
             var claims = new List<Claim> {
                 new Claim(ClaimTypes.NameIdentifier, uid)

MareSynchronosServer/MareSynchronosServer/CleanupService.cs

@@ -4,6 +4,7 @@ using System.IO;
 using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
+using MareSynchronosServer.Authentication;
 using MareSynchronosServer.Data;
 using MareSynchronosServer.Metrics;
 using MareSynchronosServer.Models;
@@ -15,14 +16,14 @@ using Microsoft.Extensions.Logging;
 
 namespace MareSynchronosServer
 {
-    public class FileCleanupService : IHostedService, IDisposable
+    public class CleanupService : IHostedService, IDisposable
     {
-        private readonly ILogger<FileCleanupService> _logger;
+        private readonly ILogger<CleanupService> _logger;
         private readonly IServiceProvider _services;
         private readonly IConfiguration _configuration;
         private Timer _timer;
 
-        public FileCleanupService(ILogger<FileCleanupService> logger, IServiceProvider services, IConfiguration configuration)
+        public CleanupService(ILogger<CleanupService> logger, IServiceProvider services, IConfiguration configuration)
         {
             _logger = logger;
             _services = services;
@@ -31,14 +32,14 @@ namespace MareSynchronosServer
 
         public Task StartAsync(CancellationToken cancellationToken)
         {
-            _logger.LogInformation("File Cleanup Service started");
+            _logger.LogInformation("Cleanup Service started");
 
-            _timer = new Timer(CleanUpFiles, null, TimeSpan.Zero, TimeSpan.FromMinutes(10));
+            _timer = new Timer(CleanUp, null, TimeSpan.Zero, TimeSpan.FromMinutes(10));
 
             return Task.CompletedTask;
         }
 
-        private void CleanUpFiles(object state)
+        private void CleanUp(object state)
         {
             if (!int.TryParse(_configuration["UnusedFileRetentionPeriodInDays"], out var filesOlderThanDays))
             {
@@ -73,6 +74,7 @@ namespace MareSynchronosServer
                     }
                 }
 
+                _logger.LogInformation($"Cleaning up expired lodestone authentications");
                 var lodestoneAuths = dbContext.LodeStoneAuth.Include(u => u.User).Where(a => a.StartedAt != null).ToList();
                 List<LodeStoneAuth> expiredAuths = new List<LodeStoneAuth>();
                 foreach (var auth in lodestoneAuths)
@@ -118,6 +120,9 @@ namespace MareSynchronosServer
                     }
                 }
 
+                _logger.LogInformation("Cleaning up unauthorized users");
+                SecretKeyAuthenticationHandler.ClearUnauthorizedUsers();
+
                 _logger.LogInformation($"Cleanup complete");
 
                 dbContext.SaveChanges();
@@ -136,6 +141,8 @@ namespace MareSynchronosServer
                 dbContext.Remove(lodestone);
             }
 
+            SecretKeyAuthenticationHandler.RemoveAuthentication(user.UID);
+
             var auth = dbContext.Auth.Single(a => a.UserUID == user.UID);
 
             var userFiles = dbContext.Files.Where(f => f.Uploaded && f.Uploader.UID == user.UID).ToList();

MareSynchronosServer/MareSynchronosServer/Data/MareDbContext.cs

@@ -16,6 +16,7 @@ namespace MareSynchronosServer.Data
         public DbSet<Banned> BannedUsers { get; set; }
         public DbSet<Auth> Auth { get; set; }
         public DbSet<LodeStoneAuth> LodeStoneAuth { get; set; }
+        public DbSet<BannedRegistrations> BannedRegistrations { get; set; }
 
 
         protected override void OnModelCreating(ModelBuilder modelBuilder)
@@ -32,6 +33,7 @@ namespace MareSynchronosServer.Data
             modelBuilder.Entity<ForbiddenUploadEntry>().ToTable("forbidden_upload_entries");
             modelBuilder.Entity<Banned>().ToTable("banned_users");
             modelBuilder.Entity<LodeStoneAuth>().ToTable("lodestone_auth");
+            modelBuilder.Entity<BannedRegistrations>().ToTable("banned_registrations");
         }
     }
 }

MareSynchronosServer/MareSynchronosServer/Discord/DiscordBot.cs

@@ -115,7 +115,7 @@ namespace MareSynchronosServer.Discord
             {
                 if (discordAuthedUser.User != null)
                 {
-                    FileCleanupService.PurgeUser(discordAuthedUser.User, db, configuration);
+                    CleanupService.PurgeUser(discordAuthedUser.User, db, configuration);
                 }
                 else
                 {
@@ -250,7 +250,13 @@ namespace MareSynchronosServer.Discord
 
                 var db = scope.ServiceProvider.GetService<MareDbContext>();
 
-                if (db.LodeStoneAuth.Any(a => a.DiscordId == arg.User.Id))
+                // check if discord id or lodestone id is banned
+                if (db.BannedRegistrations.Any(a => a.DiscordIdOrLodestoneAuth == arg.User.Id.ToString() || a.DiscordIdOrLodestoneAuth == hashedLodestoneId))
+                {
+                    embed.WithTitle("no");
+                    embed.WithDescription("your account is banned");
+                }
+                else if (db.LodeStoneAuth.Any(a => a.DiscordId == arg.User.Id))
                 {
                     // user already in db
                     embed.WithTitle("Registration failed");
@@ -311,7 +317,8 @@ namespace MareSynchronosServer.Discord
 
             lodestoneUrl = matches.Groups[0].ToString();
             var stringId = lodestoneUrl.Split('/', StringSplitOptions.RemoveEmptyEntries).Last();
-            if (!int.TryParse(stringId, out int lodestoneId)) {
+            if (!int.TryParse(stringId, out int lodestoneId))
+            {
                 return null;
             }
 

MareSynchronosServer/MareSynchronosServer/Hubs/MareHub.User.cs

@@ -20,11 +20,11 @@ namespace MareSynchronosServer.Hubs
         {
             _logger.LogInformation("User " + AuthenticatedUserId + " deleted their account");
 
+
             string userid = AuthenticatedUserId;
             var userEntry = await _dbContext.Users.SingleAsync(u => u.UID == userid);
             var ownPairData = await _dbContext.ClientPairs.Where(u => u.User.UID == userid).ToListAsync();
             var auth = await _dbContext.Auth.SingleAsync(u => u.UserUID == userid);
-
             var lodestone = await _dbContext.LodeStoneAuth.SingleOrDefaultAsync(a => a.User.UID == userid);
 
             if (lodestone != null)
@@ -37,6 +37,8 @@ namespace MareSynchronosServer.Hubs
                 await Task.Delay(1000);
             }
 
+            SecretKeyAuthenticationHandler.RemoveAuthentication(userid);
+
             MareMetrics.Pairs.Dec(ownPairData.Count);
             MareMetrics.PairsPaused.Dec(ownPairData.Count(c => c.IsPaused));
 

MareSynchronosServer/MareSynchronosServer/Migrations/20220806103053_AddBannedRegistrations.Designer.cs

@@ -0,0 +1,295 @@
+// <auto-generated />
+using System;
+using MareSynchronosServer.Data;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace MareSynchronosServer.Migrations
+{
+    [DbContext(typeof(MareDbContext))]
+    [Migration("20220806103053_AddBannedRegistrations")]
+    partial class AddBannedRegistrations
+    {
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "6.0.6")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("MareSynchronosServer.Models.Auth", b =>
+                {
+                    b.Property<string>("HashedKey")
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)")
+                        .HasColumnName("hashed_key");
+
+                    b.Property<string>("UserUID")
+                        .HasColumnType("character varying(10)")
+                        .HasColumnName("user_uid");
+
+                    b.HasKey("HashedKey")
+                        .HasName("pk_auth");
+
+                    b.HasIndex("UserUID")
+                        .HasDatabaseName("ix_auth_user_uid");
+
+                    b.ToTable("auth", (string)null);
+                });
+
+            modelBuilder.Entity("MareSynchronosServer.Models.Banned", b =>
+                {
+                    b.Property<string>("CharacterIdentification")
+                        .HasColumnType("text")
+                        .HasColumnName("character_identification");
+
+                    b.Property<string>("Reason")
+                        .HasColumnType("text")
+                        .HasColumnName("reason");
+
+                    b.Property<byte[]>("Timestamp")
+                        .IsConcurrencyToken()
+                        .ValueGeneratedOnAddOrUpdate()
+                        .HasColumnType("bytea")
+                        .HasColumnName("timestamp");
+
+                    b.HasKey("CharacterIdentification")
+                        .HasName("pk_banned_users");
+
+                    b.ToTable("banned_users", (string)null);
+                });
+
+            modelBuilder.Entity("MareSynchronosServer.Models.BannedRegistrations", b =>
+                {
+                    b.Property<string>("DiscordIdOrLodestoneAuth")
+                        .HasColumnType("text")
+                        .HasColumnName("discord_id_or_lodestone_auth");
+
+                    b.HasKey("DiscordIdOrLodestoneAuth")
+                        .HasName("pk_banned_registrations");
+
+                    b.ToTable("banned_registrations", (string)null);
+                });
+
+            modelBuilder.Entity("MareSynchronosServer.Models.ClientPair", b =>
+                {
+                    b.Property<string>("UserUID")
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)")
+                        .HasColumnName("user_uid");
+
+                    b.Property<string>("OtherUserUID")
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)")
+                        .HasColumnName("other_user_uid");
+
+                    b.Property<bool>("AllowReceivingMessages")
+                        .HasColumnType("boolean")
+                        .HasColumnName("allow_receiving_messages");
+
+                    b.Property<bool>("IsPaused")
+                        .HasColumnType("boolean")
+                        .HasColumnName("is_paused");
+
+                    b.Property<byte[]>("Timestamp")
+                        .IsConcurrencyToken()
+                        .ValueGeneratedOnAddOrUpdate()
+                        .HasColumnType("bytea")
+                        .HasColumnName("timestamp");
+
+                    b.HasKey("UserUID", "OtherUserUID")
+                        .HasName("pk_client_pairs");
+
+                    b.HasIndex("OtherUserUID")
+                        .HasDatabaseName("ix_client_pairs_other_user_uid");
+
+                    b.HasIndex("UserUID")
+                        .HasDatabaseName("ix_client_pairs_user_uid");
+
+                    b.ToTable("client_pairs", (string)null);
+                });
+
+            modelBuilder.Entity("MareSynchronosServer.Models.FileCache", b =>
+                {
+                    b.Property<string>("Hash")
+                        .HasMaxLength(40)
+                        .HasColumnType("character varying(40)")
+                        .HasColumnName("hash");
+
+                    b.Property<byte[]>("Timestamp")
+                        .IsConcurrencyToken()
+                        .ValueGeneratedOnAddOrUpdate()
+                        .HasColumnType("bytea")
+                        .HasColumnName("timestamp");
+
+                    b.Property<bool>("Uploaded")
+                        .HasColumnType("boolean")
+                        .HasColumnName("uploaded");
+
+                    b.Property<string>("UploaderUID")
+                        .HasColumnType("character varying(10)")
+                        .HasColumnName("uploader_uid");
+
+                    b.HasKey("Hash")
+                        .HasName("pk_file_caches");
+
+                    b.HasIndex("UploaderUID")
+                        .HasDatabaseName("ix_file_caches_uploader_uid");
+
+                    b.ToTable("file_caches", (string)null);
+                });
+
+            modelBuilder.Entity("MareSynchronosServer.Models.ForbiddenUploadEntry", b =>
+                {
+                    b.Property<string>("Hash")
+                        .HasMaxLength(40)
+                        .HasColumnType("character varying(40)")
+                        .HasColumnName("hash");
+
+                    b.Property<string>("ForbiddenBy")
+                        .HasColumnType("text")
+                        .HasColumnName("forbidden_by");
+
+                    b.Property<byte[]>("Timestamp")
+                        .IsConcurrencyToken()
+                        .ValueGeneratedOnAddOrUpdate()
+                        .HasColumnType("bytea")
+                        .HasColumnName("timestamp");
+
+                    b.HasKey("Hash")
+                        .HasName("pk_forbidden_upload_entries");
+
+                    b.ToTable("forbidden_upload_entries", (string)null);
+                });
+
+            modelBuilder.Entity("MareSynchronosServer.Models.LodeStoneAuth", b =>
+                {
+                    b.Property<decimal>("DiscordId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("numeric(20,0)")
+                        .HasColumnName("discord_id");
+
+                    b.Property<string>("HashedLodestoneId")
+                        .HasColumnType("text")
+                        .HasColumnName("hashed_lodestone_id");
+
+                    b.Property<string>("LodestoneAuthString")
+                        .HasColumnType("text")
+                        .HasColumnName("lodestone_auth_string");
+
+                    b.Property<DateTime?>("StartedAt")
+                        .HasColumnType("timestamp with time zone")
+                        .HasColumnName("started_at");
+
+                    b.Property<string>("UserUID")
+                        .HasColumnType("character varying(10)")
+                        .HasColumnName("user_uid");
+
+                    b.HasKey("DiscordId")
+                        .HasName("pk_lodestone_auth");
+
+                    b.HasIndex("UserUID")
+                        .HasDatabaseName("ix_lodestone_auth_user_uid");
+
+                    b.ToTable("lodestone_auth", (string)null);
+                });
+
+            modelBuilder.Entity("MareSynchronosServer.Models.User", b =>
+                {
+                    b.Property<string>("UID")
+                        .HasMaxLength(10)
+                        .HasColumnType("character varying(10)")
+                        .HasColumnName("uid");
+
+                    b.Property<string>("CharacterIdentification")
+                        .HasColumnType("text")
+                        .HasColumnName("character_identification");
+
+                    b.Property<bool>("IsAdmin")
+                        .HasColumnType("boolean")
+                        .HasColumnName("is_admin");
+
+                    b.Property<bool>("IsModerator")
+                        .HasColumnType("boolean")
+                        .HasColumnName("is_moderator");
+
+                    b.Property<DateTime>("LastLoggedIn")
+                        .HasColumnType("timestamp with time zone")
+                        .HasColumnName("last_logged_in");
+
+                    b.Property<byte[]>("Timestamp")
+                        .IsConcurrencyToken()
+                        .ValueGeneratedOnAddOrUpdate()
+                        .HasColumnType("bytea")
+                        .HasColumnName("timestamp");
+
+                    b.HasKey("UID")
+                        .HasName("pk_users");
+
+                    b.HasIndex("CharacterIdentification")
+                        .HasDatabaseName("ix_users_character_identification");
+
+                    b.ToTable("users", (string)null);
+                });
+
+            modelBuilder.Entity("MareSynchronosServer.Models.Auth", b =>
+                {
+                    b.HasOne("MareSynchronosServer.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserUID")
+                        .HasConstraintName("fk_auth_users_user_temp_id");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("MareSynchronosServer.Models.ClientPair", b =>
+                {
+                    b.HasOne("MareSynchronosServer.Models.User", "OtherUser")
+                        .WithMany()
+                        .HasForeignKey("OtherUserUID")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired()
+                        .HasConstraintName("fk_client_pairs_users_other_user_temp_id1");
+
+                    b.HasOne("MareSynchronosServer.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserUID")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired()
+                        .HasConstraintName("fk_client_pairs_users_user_temp_id2");
+
+                    b.Navigation("OtherUser");
+
+                    b.Navigation("User");
+                });
+
+            modelBuilder.Entity("MareSynchronosServer.Models.FileCache", b =>
+                {
+                    b.HasOne("MareSynchronosServer.Models.User", "Uploader")
+                        .WithMany()
+                        .HasForeignKey("UploaderUID")
+                        .HasConstraintName("fk_file_caches_users_uploader_uid");
+
+                    b.Navigation("Uploader");
+                });
+
+            modelBuilder.Entity("MareSynchronosServer.Models.LodeStoneAuth", b =>
+                {
+                    b.HasOne("MareSynchronosServer.Models.User", "User")
+                        .WithMany()
+                        .HasForeignKey("UserUID")
+                        .HasConstraintName("fk_lodestone_auth_users_user_uid");
+
+                    b.Navigation("User");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}

MareSynchronosServer/MareSynchronosServer/Migrations/20220806103053_AddBannedRegistrations.cs

@@ -0,0 +1,29 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace MareSynchronosServer.Migrations
+{
+    public partial class AddBannedRegistrations : Migration
+    {
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.CreateTable(
+                name: "banned_registrations",
+                columns: table => new
+                {
+                    discord_id_or_lodestone_auth = table.Column<string>(type: "text", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("pk_banned_registrations", x => x.discord_id_or_lodestone_auth);
+                });
+        }
+
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropTable(
+                name: "banned_registrations");
+        }
+    }
+}

MareSynchronosServer/MareSynchronosServer/Migrations/MareDbContextModelSnapshot.cs

@@ -64,6 +64,18 @@ namespace MareSynchronosServer.Migrations
                     b.ToTable("banned_users", (string)null);
                 });
 
+            modelBuilder.Entity("MareSynchronosServer.Models.BannedRegistrations", b =>
+                {
+                    b.Property<string>("DiscordIdOrLodestoneAuth")
+                        .HasColumnType("text")
+                        .HasColumnName("discord_id_or_lodestone_auth");
+
+                    b.HasKey("DiscordIdOrLodestoneAuth")
+                        .HasName("pk_banned_registrations");
+
+                    b.ToTable("banned_registrations", (string)null);
+                });
+
             modelBuilder.Entity("MareSynchronosServer.Models.ClientPair", b =>
                 {
                     b.Property<string>("UserUID")

MareSynchronosServer/MareSynchronosServer/Models/BannedRegistrations.cs

@@ -0,0 +1,10 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace MareSynchronosServer.Models
+{
+    public class BannedRegistrations
+    {
+        [Key]
+        public string DiscordIdOrLodestoneAuth { get; set; }
+    }
+}

MareSynchronosServer/MareSynchronosServer/Startup.cs

@@ -57,7 +57,7 @@ namespace MareSynchronosServer
                 }).UseSnakeCaseNamingConvention();
             });
 
-            services.AddHostedService<FileCleanupService>();
+            services.AddHostedService<CleanupService>();
             services.AddHostedService(provider => provider.GetService<SystemInfoService>());
             services.AddHostedService<DiscordBot>();