using System; using System.Collections.Generic; using System.Linq; using System.Security.Claims; using System.Text; using System.Text.Encodings.Web; using System.Threading.Tasks; using BTCPayServer.Client; using BTCPayServer.Data; using Microsoft.AspNetCore.Authentication; using Microsoft.AspNetCore.Identity; using Microsoft.Extensions.Logging; using Microsoft.Extensions.Options; namespace BTCPayServer.Security.GreenField { public class BasicAuthenticationHandler : AuthenticationHandler { private readonly IOptionsMonitor _identityOptions; private readonly SignInManager _signInManager; private readonly UserManager _userManager; public BasicAuthenticationHandler( IOptionsMonitor identityOptions, IOptionsMonitor options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock, SignInManager signInManager, UserManager userManager) : base(options, logger, encoder, clock) { _identityOptions = identityOptions; _signInManager = signInManager; _userManager = userManager; } protected override async Task HandleAuthenticateAsync() { string authHeader = Context.Request.Headers["Authorization"]; if (authHeader == null || !authHeader.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return AuthenticateResult.NoResult(); string password; string username; try { var encodedUsernamePassword = authHeader.Split(' ', 2, StringSplitOptions.RemoveEmptyEntries)[1]?.Trim(); var decodedUsernamePassword = Encoding.UTF8.GetString(Convert.FromBase64String(encodedUsernamePassword)).Split(':'); username = decodedUsernamePassword[0]; password = decodedUsernamePassword[1]; } catch (Exception) { return AuthenticateResult.Fail( "Basic authentication header was not in a correct format. (username:password encoded in base64)"); } var result = await _signInManager.PasswordSignInAsync(username, password, true, true); if (!result.Succeeded) return AuthenticateResult.Fail(result.ToString()); var user = await _userManager.FindByNameAsync(username); var claims = new List() { new Claim(_identityOptions.CurrentValue.ClaimsIdentity.UserIdClaimType, user.Id), new Claim(GreenFieldConstants.ClaimTypes.Permission, Permission.Create(Policies.Unrestricted).ToString()) }; claims.AddRange((await _userManager.GetRolesAsync(user)).Select(s => new Claim(_identityOptions.CurrentValue.ClaimsIdentity.RoleClaimType, s))); return AuthenticateResult.Success(new AuthenticationTicket( new ClaimsPrincipal(new ClaimsIdentity(claims, GreenFieldConstants.AuthenticationType)), GreenFieldConstants.AuthenticationType)); } } }